/*
- * Copyright 2001-2006 Internet2
+ * Copyright 2001-2007 Internet2
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* @param metadataProvider locked MetadataProvider instance
* @param role identifies the role (generally IdP or SP) of the policy peer
* @param trustEngine TrustEngine to authenticate policy peer
+ * @param validate true iff XML parsing should be done with validation
*/
SecurityPolicy(
const saml2md::MetadataProvider* metadataProvider=NULL,
const xmltooling::QName* role=NULL,
- const xmltooling::TrustEngine* trustEngine=NULL
- ) : m_messageQName(NULL), m_messageID(NULL), m_issueInstant(0), m_issuer(NULL), m_issuerRole(NULL),
- m_matchingPolicy(NULL), m_metadata(metadataProvider), m_role(NULL), m_trust(trustEngine) {
+ const xmltooling::TrustEngine* trustEngine=NULL,
+ bool validate=true
+ ) : m_messageQName(NULL), m_messageID(NULL), m_issueInstant(0),
+ m_issuer(NULL), m_issuerRole(NULL), m_secure(false), m_matchingPolicy(NULL),
+ m_metadata(metadataProvider), m_role(NULL), m_trust(trustEngine), m_validate(validate) {
if (role)
m_role = new xmltooling::QName(*role);
}
* @param metadataProvider locked MetadataProvider instance
* @param role identifies the role (generally IdP or SP) of the policy peer
* @param trustEngine TrustEngine to authenticate policy peer
+ * @param validate true iff XML parsing should be done with validation
*/
SecurityPolicy(
const std::vector<const SecurityPolicyRule*>& rules,
const saml2md::MetadataProvider* metadataProvider=NULL,
const xmltooling::QName* role=NULL,
- const xmltooling::TrustEngine* trustEngine=NULL
- ) : m_messageQName(NULL), m_messageID(NULL), m_issueInstant(0), m_issuer(NULL), m_issuerRole(NULL),
- m_matchingPolicy(NULL), m_rules(rules), m_metadata(metadataProvider), m_role(NULL), m_trust(trustEngine) {
+ const xmltooling::TrustEngine* trustEngine=NULL,
+ bool validate=true
+ ) : m_messageQName(NULL), m_messageID(NULL), m_issueInstant(0),
+ m_issuer(NULL), m_issuerRole(NULL), m_secure(false), m_matchingPolicy(NULL),
+ m_rules(rules), m_metadata(metadataProvider), m_role(NULL), m_trust(trustEngine), m_validate(validate) {
if (role)
m_role = new xmltooling::QName(*role);
}
}
/**
+ * Returns XML message validation setting.
+ *
+ * @return validation flag
+ */
+ bool getValidating() const {
+ return m_validate;
+ }
+
+ /**
* Adds a SecurityPolicyRule to the policy. The lifetime of the policy rule
* must be at least as long as the policy object.
*
}
/**
+ * Controls schema validation of incoming XML messages.
+ * This is separate from other forms of programmatic validation of objects,
+ * but can detect a much wider range of syntax errors.
+ *
+ * @param validate validation setting
+ */
+ void setValidating(bool validate=true) {
+ m_validate = validate;
+ }
+
+ /**
* Evaluates the policy against the given request and message,
* possibly populating message information in the policy object.
*
* @param message the incoming message
* @param request the protocol request
- *
- * @throws BindingException thrown if the request/message do not meet the requirements of this policy
+ *
+ * @throws BindingException raised if the message/request is invalid according to the supplied rules
*/
void evaluate(const xmltooling::XMLObject& message, const GenericRequest* request=NULL);
}
/**
+ * Returns the security status as determined by the registered policies.
+ *
+ * @return true iff a SecurityPolicyRule has indicated the issuer/message has been authenticated
+ */
+ bool isSecure() const {
+ return m_secure;
+ }
+
+ /**
* Sets the message element/type as determined by the registered policies.
*
* @param messageQName message element/type
/**
* Sets the issuer of the message as determined by the registered policies.
- * The policy object takes ownership of the Issuer object.
*
* @param issuer issuer of the message
*/
- void setIssuer(saml2::Issuer* issuer);
+ void setIssuer(const saml2::Issuer* issuer);
+
+ /**
+ * Sets the issuer of the message as determined by the registered policies.
+ *
+ * @param issuer issuer of the message
+ */
+ void setIssuer(const XMLCh* issuer);
/**
* Sets the metadata for the role the issuer is operating in.
* @param issuerRole metadata for the role the issuer is operating in
*/
void setIssuerMetadata(const saml2md::RoleDescriptor* issuerRole);
+
+ /**
+ * Sets the security status as determined by the registered policies.
+ *
+ * @param secure indicates whether the issuer/message has been authenticated
+ */
+ void setSecure(bool secure) {
+ m_secure = secure;
+ }
/** Allows override of rules for comparing saml2:Issuer information. */
class SAML_API IssuerMatchingPolicy {
* @return true iff the operands match
*/
virtual bool issuerMatches(const saml2::Issuer* issuer1, const saml2::Issuer* issuer2) const;
+
+ /**
+ * Returns true iff the two operands "match". Applications can override this method to
+ * support non-standard issuer matching for complex policies.
+ *
+ * <p>The default implementation does a basic comparison of the XML content, treating
+ * an unsupplied Format as an "entityID".
+ *
+ * @param issuer1 the first Issuer to match
+ * @param issuer2 the second Issuer to match
+ * @return true iff the operands match
+ */
+ virtual bool issuerMatches(const saml2::Issuer* issuer1, const XMLCh* issuer2) const;
};
/**
time_t m_issueInstant;
saml2::Issuer* m_issuer;
const saml2md::RoleDescriptor* m_issuerRole;
+ bool m_secure;
// components governing policy rules
IssuerMatchingPolicy* m_matchingPolicy;
const saml2md::MetadataProvider* m_metadata;
xmltooling::QName* m_role;
const xmltooling::TrustEngine* m_trust;
+ bool m_validate;
};
};