2 * Licensed to the University Corporation for Advanced Internet
3 * Development, Inc. (UCAID) under one or more contributor license
4 * agreements. See the NOTICE file distributed with this work for
5 * additional information regarding copyright ownership.
7 * UCAID licenses this file to you under the Apache License,
8 * Version 2.0 (the "License"); you may not use this file except
9 * in compliance with the License. You may obtain a copy of the
12 * http://www.apache.org/licenses/LICENSE-2.0
14 * Unless required by applicable law or agreed to in writing,
15 * software distributed under the License is distributed on an
16 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
17 * either express or implied. See the License for the specific
18 * language governing permissions and limitations under the License.
22 * SAML1BrowserSSORule.cpp
24 * SAML 1.x Browser SSO Profile SecurityPolicyRule
28 #include "exceptions.h"
29 #include "binding/SecurityPolicyRule.h"
30 #include "saml1/core/Assertions.h"
32 #include <xmltooling/logging.h>
34 using namespace opensaml::saml1;
35 using namespace xmltooling::logging;
36 using namespace xmltooling;
42 class SAML_DLLLOCAL BrowserSSORule : public opensaml::SecurityPolicyRule
46 virtual ~BrowserSSORule() {}
48 const char* getType() const {
49 return SAML1BROWSERSSO_POLICY_RULE;
52 bool evaluate(const XMLObject& message, const GenericRequest* request, opensaml::SecurityPolicy& policy) const;
55 opensaml::SecurityPolicyRule* SAML_DLLLOCAL BrowserSSORuleFactory(const DOMElement* const &)
57 return new BrowserSSORule();
60 class SAML_DLLLOCAL _checkMethod : public unary_function<const SubjectStatement*,void>,
61 public unary_function<const ConfirmationMethod*,bool>
64 void operator()(const SubjectStatement* s) const {
65 const Subject* sub = s->getSubject();
67 const SubjectConfirmation* sc = sub->getSubjectConfirmation();
69 const vector<ConfirmationMethod*>& methods = sc->getConfirmationMethods();
70 if (find_if(methods.begin(), methods.end(), _checkMethod())!=methods.end())
71 return; // methods checked out
74 throw SecurityPolicyException("Assertion contained a statement without a supported ConfirmationMethod.");
77 bool operator()(const ConfirmationMethod* cm) const {
78 const XMLCh* m = cm->getMethod();
79 return (XMLString::equals(m,SubjectConfirmation::BEARER) ||
80 XMLString::equals(m,SubjectConfirmation::ARTIFACT) ||
81 XMLString::equals(m,SubjectConfirmation::ARTIFACT01));
87 bool BrowserSSORule::evaluate(const XMLObject& message, const GenericRequest* request, opensaml::SecurityPolicy& policy) const
89 const Assertion* a=dynamic_cast<const Assertion*>(&message);
93 // Make sure the assertion is bounded.
94 const Conditions* conds = a->getConditions();
95 if (!conds || !conds->getNotBefore() || !conds->getNotOnOrAfter())
96 throw SecurityPolicyException("Browser SSO assertions MUST contain NotBefore/NotOnOrAfter attributes.");
98 // Each statement MUST have proper confirmation requirements.
99 const vector<AuthenticationStatement*>& authn = a->getAuthenticationStatements();
100 for_each(authn.begin(), authn.end(), _checkMethod());
101 const vector<AttributeStatement*>& attr = a->getAttributeStatements();
102 for_each(attr.begin(), attr.end(), _checkMethod());