From: Scott Cantor Date: Fri, 17 Oct 2008 21:43:15 +0000 (+0000) Subject: Switch to 403 when access denied. X-Git-Tag: 2.2.0~149 X-Git-Url: http://www.project-moonshot.org/gitweb/?a=commitdiff_plain;h=58558a8e1c79b7343fa7c0ec3137e0c2e1d206fc;p=shibboleth%2Fcpp-sp.git Switch to 403 when access denied. --- diff --git a/shibsp/handler/impl/AssertionLookup.cpp b/shibsp/handler/impl/AssertionLookup.cpp index 990d7d7..7c795db 100644 --- a/shibsp/handler/impl/AssertionLookup.cpp +++ b/shibsp/handler/impl/AssertionLookup.cpp @@ -1,6 +1,6 @@ /* * Copyright 2001-2007 Internet2 - * + * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at @@ -16,7 +16,7 @@ /** * AssertionLookup.cpp - * + * * Handler for looking assertions in SessionCache */ @@ -112,10 +112,10 @@ pair AssertionLookup::run(SPRequest& request, bool isHandler) const if (m_acl.count(request.getRemoteAddr()) == 0) { m_log.error("request for assertion lookup blocked from invalid address (%s)", request.getRemoteAddr().c_str()); istringstream msg("Assertion Lookup Blocked"); - return make_pair(true,request.sendResponse(msg, HTTPResponse::XMLTOOLING_HTTP_STATUS_UNAUTHORIZED)); + return make_pair(true,request.sendResponse(msg, HTTPResponse::XMLTOOLING_HTTP_STATUS_FORBIDDEN)); } } - + try { if (conf.isEnabled(SPConfig::OutOfProcess)) { // When out of process, we run natively and directly process the message. @@ -125,7 +125,7 @@ pair AssertionLookup::run(SPRequest& request, bool isHandler) const // When not out of process, we remote all the message processing. DDF out,in = wrap(request); DDFJanitor jin(in), jout(out); - + out=request.getServiceProvider().getListenerService()->send(in); return unwrap(request, out); } 
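Review bot: The address check in AssertionLookup::run tests only `m_acl.count(request.getRemoteAddr()) == 0`, while the same block in MetadataGenerator::run, SessionHandler::run and StatusHandler::run is guarded by `!m_acl.empty() &&`, so an empty ACL denies every caller here but admits every caller there. If that difference is intended, it deserves a comment above the check, for example `// No empty() guard: assertion lookup is refused unless the caller's address is listed.` The four copies differ only in the message text and that guard, so a shared helper taking the message and a deny-when-empty flag would keep the status code and the policy from drifting apart again. run() begins before this hunk and the two closing braces suggest an outer condition that is not visible, so the effective behaviour may be narrower than it looks.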
@@ -147,7 +147,7 @@ void AssertionLookup::receive(DDF& in, ostream& out) m_log.error("couldn't find application (%s) for assertion lookup", aid ? aid : "(missing)"); throw ConfigurationException("Unable to locate application for assertion lookup, deleted?"); } - + // Unpack the request. auto_ptr req(getRequest(in)); //m_log.debug("found %d client certificates", req->getClientCertificates().size()); @@ -156,7 +156,7 @@ void AssertionLookup::receive(DDF& in, ostream& out) DDF ret(NULL); DDFJanitor jout(ret); auto_ptr resp(getResponse(ret)); - + // Since we're remoted, the result should either be a throw, a false/0 return, // which we just return as an empty structure, or a response/redirect, // which we capture in the facade and send back. diff --git a/shibsp/handler/impl/MetadataGenerator.cpp b/shibsp/handler/impl/MetadataGenerator.cpp index 13c9337..096f33a 100644 --- a/shibsp/handler/impl/MetadataGenerator.cpp +++ b/shibsp/handler/impl/MetadataGenerator.cpp @@ -148,7 +148,7 @@ pair MetadataGenerator::run(SPRequest& request, bool isHandler) const if (!m_acl.empty() && m_acl.count(request.getRemoteAddr()) == 0) { m_log.error("request for metadata blocked from invalid address (%s)", request.getRemoteAddr().c_str()); istringstream msg("Metadata Request Blocked"); - return make_pair(true,request.sendResponse(msg, HTTPResponse::XMLTOOLING_HTTP_STATUS_UNAUTHORIZED)); + return make_pair(true,request.sendResponse(msg, HTTPResponse::XMLTOOLING_HTTP_STATUS_FORBIDDEN)); } } diff --git a/shibsp/handler/impl/SessionHandler.cpp b/shibsp/handler/impl/SessionHandler.cpp index 789793c..5b60f52 100644 --- a/shibsp/handler/impl/SessionHandler.cpp +++ b/shibsp/handler/impl/SessionHandler.cpp @@ -1,6 +1,6 @@ /* * Copyright 2001-2007 Internet2 - * + * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at 
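Review bot: In MetadataGenerator::run the `!m_acl.empty() &&` guard means a handler with no ACL configured skips the address check entirely, and the hunks for SessionHandler::run and StatusHandler::run use the same form. That is a reasonable default for metadata, but the other two files describe themselves as dumping information about an active session and exposing SP internals, where an open default is worth stating. I would add `// An empty ACL means no address restriction; set one before exposing this handler.` above each check, and, if the constructors do not already do so (they are outside these hunks), log a warning when the ACL is empty. The check also relies on `request.getRemoteAddr()` being the real client address, which may not hold behind a reverse proxy; the page does not show how that value is derived.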
@@ -16,7 +16,7 @@ /** * SessionHandler.cpp - * + * * Handler for dumping information about an active session. */ @@ -102,7 +102,7 @@ pair SessionHandler::run(SPRequest& request, bool isHandler) const if (!m_acl.empty() && m_acl.count(request.getRemoteAddr()) == 0) { m_log.error("session handler request blocked from invalid address (%s)", request.getRemoteAddr().c_str()); istringstream msg("Session Handler Blocked"); - return make_pair(true,request.sendResponse(msg, HTTPResponse::XMLTOOLING_HTTP_STATUS_UNAUTHORIZED)); + return make_pair(true,request.sendResponse(msg, HTTPResponse::XMLTOOLING_HTTP_STATUS_FORBIDDEN)); } stringstream s; @@ -186,7 +186,7 @@ pair SessionHandler::run(SPRequest& request, bool isHandler) const if (!m_values && !attributes.empty()) s << count << " value(s)" << endl; - + s << ""; request.setContentType("text/html; charset=UTF-8"); request.setResponseHeader("Expires","01-Jan-1997 12:00:00 GMT"); diff --git a/shibsp/handler/impl/StatusHandler.cpp b/shibsp/handler/impl/StatusHandler.cpp index 41e9f1f..f35b8c5 100644 --- a/shibsp/handler/impl/StatusHandler.cpp +++ b/shibsp/handler/impl/StatusHandler.cpp @@ -1,6 +1,6 @@ /* * Copyright 2001-2007 Internet2 - * + * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at @@ -16,7 +16,7 @@ /** * StatusHandler.cpp - * + * * Handler for exposing information about the internals of the SP. */ @@ -215,7 +215,7 @@ namespace shibsp { { if (!m_parser) m_parser=new CGIParser(*this); - + pair bounds=m_parser->getParameters(name); return (bounds.first==bounds.second) ? NULL : bounds.first->second; } @@ -238,7 +238,7 @@ namespace shibsp { #ifndef XMLTOOLING_NO_XMLSEC std::vector& #else - std::vector& + std::vector& #endif getClientCertificates() const { return g_NoCerts; 
@@ -283,7 +283,7 @@ pair StatusHandler::run(SPRequest& request, bool isHandler) const if (!m_acl.empty() && m_acl.count(request.getRemoteAddr()) == 0) { m_log.error("status handler request blocked from invalid address (%s)", request.getRemoteAddr().c_str()); istringstream msg("Status Handler Blocked"); - return make_pair(true,request.sendResponse(msg, HTTPResponse::XMLTOOLING_HTTP_STATUS_UNAUTHORIZED)); + return make_pair(true,request.sendResponse(msg, HTTPResponse::XMLTOOLING_HTTP_STATUS_FORBIDDEN)); } } @@ -312,7 +312,7 @@ pair StatusHandler::run(SPRequest& request, bool isHandler) const msg << ""; return make_pair(true,request.sendResponse(msg)); } - + try { if (conf.isEnabled(SPConfig::OutOfProcess)) { // When out of process, we run natively and directly process the message. @@ -321,7 +321,7 @@ pair StatusHandler::run(SPRequest& request, bool isHandler) const else { // When not out of process, we remote all the message processing. DDF out,in = wrap(request); - DDFJanitor jin(in), jout(out); + DDFJanitor jin(in), jout(out); out=request.getServiceProvider().getListenerService()->send(in); return unwrap(request, out); } @@ -368,13 +368,13 @@ void StatusHandler::receive(DDF& in, ostream& out) m_log.error("couldn't find application (%s) for status request", aid ? aid : "(missing)"); throw ConfigurationException("Unable to locate application for status request, deleted?"); } - + // Wrap a response shim. DDF ret(NULL); DDFJanitor jout(ret); auto_ptr req(getRequest(in)); auto_ptr resp(getResponse(ret)); - + // Since we're remoted, the result should either be a throw, a false/0 return, // which we just return as an empty structure, or a response/redirect, // which we capture in the facade and send back.