X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=saml%2Fsaml2%2Fbinding%2Fimpl%2FSAML2POSTDecoder.cpp;h=2258304c4f4e030116e750da605ebffa17d00686;hb=6f8122284c525366e6f823cbd651ec358932d818;hp=5f659a560f0ce4ef9f304a7fc119241aa1a1bf96;hpb=8271f43892b34006e798e990ed330dbc6d181822;p=shibboleth%2Fopensaml2.git

diff --git a/saml/saml2/binding/impl/SAML2POSTDecoder.cpp b/saml/saml2/binding/impl/SAML2POSTDecoder.cpp
index 5f659a5..2258304 100644
--- a/saml/saml2/binding/impl/SAML2POSTDecoder.cpp
+++ b/saml/saml2/binding/impl/SAML2POSTDecoder.cpp
@@ -59,7 +59,7 @@ SAML2POSTDecoder::~SAML2POSTDecoder() {}
 XMLObject* SAML2POSTDecoder::decode(
     string& relayState,
     const RoleDescriptor*& issuer,
-    bool& issuerTrusted,
+    const XMLCh*& securityMech,
     const HTTPRequest& httpRequest,
     const MetadataProvider* metadataProvider,
     const QName* role,
@@ -162,7 +162,7 @@ XMLObject* SAML2POSTDecoder::decode(
             log.warn("replay cache was not provided, this is a serious security risk!");
         
         issuer = NULL;
-        issuerTrusted = false;
+        securityMech = false;
         log.debug("attempting to establish issuer and integrity of message...");
         
         // If we can't identify the issuer, we're done, since we can't lookup or verify anything.
@@ -183,14 +183,16 @@ XMLObject* SAML2POSTDecoder::decode(
             issuer=provider->getRoleDescriptor(*role, samlconstants::SAML20P_NS);
             if (issuer) {
                 if (trustEngine && signature) {
-                    issuerTrusted = trustEngine->validate(*signature, *issuer, metadataProvider->getKeyResolver());
-                    if (!issuerTrusted) {
+                    if (!trustEngine->validate(*signature, *issuer, metadataProvider->getKeyResolver())) {
                         log.error("unable to verify signature on message with supplied trust engine");
                         throw BindingException("Message signature failed verification.");
                     }
+                    else {
+                        securityMech = samlconstants::SAML20P_NS;
+                    }
                 }
                 else {
-                    log.warn("unable to verify integrity of the message, leaving untrusted");
+                    log.warn("unable to authenticate the message, leaving untrusted");
                 }
             }
             else {
@@ -198,7 +200,7 @@ XMLObject* SAML2POSTDecoder::decode(
             }
             if (log.isDebugEnabled()) {
                 auto_ptr_char iname(provider->getEntityID());
-                log.debug("message from (%s), integrity %sverified", iname.get(), issuerTrusted ? "" : "NOT ");
+                log.debug("message from (%s), integrity %sverified", iname.get(), securityMech ? "" : "NOT ");
             }
         }
         else {