Default the handlerURL property.
author
Scott Cantor
<cantor.2@osu.edu>
Wed, 18 Aug 2010 18:01:41 +0000
(18:01 +0000)
committer
Scott Cantor
<cantor.2@osu.edu>
Wed, 18 Aug 2010 18:01:41 +0000
(18:01 +0000)
configs/example-shibboleth2.xml
configs/shibboleth2.xml
configs/win-shibboleth2.xml
schemas/shibboleth-2.0-native-sp-config.xsd
shibsp/AbstractSPRequest.cpp
shibsp/impl/XMLServiceProvider.cpp
diff --git
a/configs/example-shibboleth2.xml
b/configs/example-shibboleth2.xml
index
33df42c
..
69f2821
100644
(file)
--- a/
configs/example-shibboleth2.xml
+++ b/
configs/example-shibboleth2.xml
@@
-98,9
+98,9
@@
<!--
\r
Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
\r
You MUST supply an effectively unique handlerURL value for each of your applications.
\r
<!--
\r
Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
\r
You MUST supply an effectively unique handlerURL value for each of your applications.
\r
- The value
can be a relative path, a URL with no hostname (https:///path) or a full URL.
\r
- The system can compute a relative value based on the virtual host. Using handlerSSL="true"
\r
-
will force
the protocol to be https. You should also add a cookieProps setting of "; path=/; secure"
\r
+ The value
defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
\r
+ a relative value based on the virtual host. Using handlerSSL="true", the default, will force
\r
+ the protocol to be https. You should also add a cookieProps setting of "; path=/; secure"
\r
in that case. Note that while we default checkAddress to "false", this has a negative
\r
impact on the security of the SP. Stealing cookies/sessions is much easier with this disabled.
\r
-->
\r
in that case. Note that while we default checkAddress to "false", this has a negative
\r
impact on the security of the SP. Stealing cookies/sessions is much easier with this disabled.
\r
-->
\r
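Review bot: The unchanged line "You MUST supply an effectively unique handlerURL value for each of your applications" now sits two lines above the new text "The value defaults to /Shibboleth.sso", and the two contradict each other: a reader cannot tell whether the default is acceptable or whether an explicit value is still mandatory. Since the comment also says the SP prefixes the relative value with the virtual host, the default is presumably unique enough only when applications are separated by host; if that reading is right, reword the MUST line to something like `handlerURL values must be effectively unique per application; the default of /Shibboleth.sso satisfies this only when applications are distinguished by virtual host.` The rest of this comment block is unchanged by the commit, so the fix is a wording change on a context line.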
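--- a/configs/shibboleth2.xml
+++ b/configs/shibboleth2.xml
@@ -26,14 +26,13 @@
 <!--
 Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
 You MUST supply an effectively unique handlerURL value for each of your applications.
-The value can be a relative path, a URL with no hostname (https:///path) or a full URL.
-The system can compute a relative value based on the virtual host. Using handlerSSL="true"
-will force the protocol to be https. You should also add a cookieProps setting of "; path=/; secure"
+The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
+a relative value based on the virtual host. Using handlerSSL="true", the default, will force
+the protocol to be https. You should also add a cookieProps setting of "; path=/; secure"
 in that case. Note that while we default checkAddress to "false", this has a negative
 impact on the security of the SP. Stealing cookies/sessions is much easier with this disabled.
 -->
-<Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem"
-handlerURL="/Shibboleth.sso" handlerSSL="false">
+<Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem" handlerSSL="false">
 <!--
 Configures SSO for a default IdP. To allow for >1 IdP, remove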
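Review bot: The rewritten comment calls handlerSSL="true" the default, yet the new Sessions line on the last changed line keeps `handlerSSL="false"` set explicitly, so anyone starting from this shipped file gets handler endpoints (and the assertions posted to them) over plain http while the text above implies https. Either drop the attribute so the documented default applies, or keep it and say why in the comment, e.g. `handlerSSL is set to "false" here only to ease initial testing; remove it (or set it to "true") and add cookieProps="; path=/; secure" before production use.` The cookieProps advice in the comment is likewise not reflected in the element. The Sessions element's children continue outside the hunk.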
diff --git
a/configs/win-shibboleth2.xml
b/configs/win-shibboleth2.xml
index
f3f583c
..
23e9fcb
100644
(file)
--- a/
configs/win-shibboleth2.xml
+++ b/
configs/win-shibboleth2.xml
@@
-69,14
+69,13
@@
<!--
\r
Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
\r
You MUST supply an effectively unique handlerURL value for each of your applications.
\r
<!--
\r
Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
\r
You MUST supply an effectively unique handlerURL value for each of your applications.
\r
- The value
can be a relative path, a URL with no hostname (https:///path) or a full URL.
\r
- The system can compute a relative value based on the virtual host. Using handlerSSL="true"
\r
-
will force
the protocol to be https. You should also add a cookieProps setting of "; path=/; secure"
\r
+ The value
defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
\r
+ a relative value based on the virtual host. Using handlerSSL="true", the default, will force
\r
+ the protocol to be https. You should also add a cookieProps setting of "; path=/; secure"
\r
in that case. Note that while we default checkAddress to "false", this has a negative
\r
impact on the security of the SP. Stealing cookies/sessions is much easier with this disabled.
\r
-->
\r
in that case. Note that while we default checkAddress to "false", this has a negative
\r
impact on the security of the SP. Stealing cookies/sessions is much easier with this disabled.
\r
-->
\r
- <Sessions lifetime="28800" timeout="3600" checkAddress="false"
\r
- handlerURL="/Shibboleth.sso" handlerSSL="false">
\r
+ <Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem" handlerSSL="false">
\r
\r
<!--
\r
Configures SSO for a default IdP. To allow for >1 IdP, remove
\r
\r
<!--
\r
Configures SSO for a default IdP. To allow for >1 IdP, remove
\r
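Review bot: The new Sessions line also introduces `relayState="ss:mem"`, which the Windows config did not have before and which the commit title ("Default the handlerURL property") does not mention; it presumably brings the file in line with configs/shibboleth2.xml, but it changes how relay state is handled for Windows deployments and should be called out in the commit message or split into its own commit. As in the other configs, `handlerSSL="false"` stays set while the comment now describes "true" as the default, so a one-line comment on the element explaining that override would avoid the apparent contradiction. The Sessions element's children continue outside the hunk.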
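--- a/schemas/shibboleth-2.0-native-sp-config.xsd
+++ b/schemas/shibboleth-2.0-native-sp-config.xsd
@@ -486,7 +486,7 @@
 <element ref="conf:Handler"/>
 </choice>
 </sequence>
-<attribute name="handlerURL" type="anyURI" use="required"/>
+<attribute name="handlerURL" type="anyURI"/>
 <attribute name="handlerSSL" type="boolean"/>
 <attribute name="exportLocation" type="conf:string"/>
 <attribute name="exportACL" type="conf:listOfStrings"/>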
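Review bot: Dropping `use="required"` leaves the schema silent about what an absent handlerURL means, while the C++ side of this commit hard-codes a /Shibboleth.sso fallback in two places; XML Schema can state that default directly with `<attribute name="handlerURL" type="anyURI" default="/Shibboleth.sso"/>`, so readers of the schema see the same value the code applies. Whether the SP's parser applies schema attribute defaults to the DOM is not visible here, so the code-level fallback should stay regardless; the schema default is for documentation and validators.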
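--- a/shibsp/AbstractSPRequest.cpp
+++ b/shibsp/AbstractSPRequest.cpp
@@ -263,12 +263,15 @@ const char* AbstractSPRequest::getHandlerURL(const char* resource) const
 handler=p2.second;
 }
-// Should never happen...
-if (!handler || (*handler!='/' && strncmp(handler,"http:",5) && strncmp(handler,"https:",6)))
+if (!handler) {
+handler = "/Shibboleth.sso";
+}
+else if (*handler!='/' && strncmp(handler,"http:",5) && strncmp(handler,"https:",6)) {
 throw ConfigurationException(
 "Invalid handlerURL property ($1) in <Sessions> element for Application ($2)",
 params(2, handler ? handler : "null", m_app->getId())
 );
+}
 // The "handlerURL" property can be in one of three formats:
 //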
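Review bot: With the null case now taken by the first branch, the `handler ? handler : "null"` in the exception arguments on the context line is dead and can be reduced to `params(2, handler, m_app->getId())`. The default `/Shibboleth.sso` is a bare literal that this commit also writes into XMLServiceProvider::doHandlers; if the two ever differ, the per-request URL computed here and the handler location map built at configuration time stop agreeing and handler requests fail to match, so a single shared constant such as `static const char* const DEFAULT_HANDLER_URL = "/Shibboleth.sso";` is safer. The check still accepts absolute `http:` values although the updated config comments now say the value should be relative and that handlerSSL defaults to https; presumably handlerSSL only affects the computed relative form, so a comment here such as `// Absolute http:/https: values are used as-is; handlerSSL applies only to relative values.` would make that explicit — confirm against the rest of getHandlerURL, which continues outside the hunk.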
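--- a/shibsp/impl/XMLServiceProvider.cpp
+++ b/shibsp/impl/XMLServiceProvider.cpp
@@ -780,9 +780,12 @@ void XMLApplication::doHandlers(const ProtocolProvider* pp, const DOMElement* e,
 m_handlers.push_back(handler);
 // Insert into location map. If it contains the handlerURL, we skip past that part.
-const char* pch = strstr(location.second, sessions->getString("handlerURL").second);
+const char* hurl = sessions->getString("handlerURL").second;
+if (!hurl)
+hurl = "/Shibboleth.sso";
+const char* pch = strstr(location.second, hurl);
 if (pch)
-location.second = pch + strlen(sessions->getString("handlerURL").second);
+location.second = pch + strlen(hurl);
 if (*location.second == '/')
 m_handlerMap[location.second]=handler;
 else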
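Review bot: `hurl` is resolved and defaulted inside what appears to be the per-handler body (the `m_handlers.push_back(handler)` on the first context line), so the property lookup and fallback repeat for every Handler element; resolving it once before the loop would be clearer, though the loop header is outside the hunk and that placement is inferred. The fallback literal must stay byte-identical to the one getHandlerURL now applies in AbstractSPRequest.cpp, because this value is what strips the handler prefix from `location.second` before the `m_handlerMap` insert; a shared constant, e.g. `static const char* const DEFAULT_HANDLER_URL = "/Shibboleth.sso";`, removes the chance of the two copies drifting apart and silently breaking handler dispatch. doHandlers continues beyond both ends of the hunk.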