/**
* Constructor for policy.
*
+ * @param metadataProvider locked MetadataProvider instance
+ * @param role identifies the role (generally IdP or SP) of the policy peer
+ * @param trustEngine TrustEngine to authenticate policy peer
+ */
+ SecurityPolicy(
+ const saml2md::MetadataProvider* metadataProvider=NULL,
+ const xmltooling::QName* role=NULL,
+ const TrustEngine* trustEngine=NULL
+ ) : m_issuer(NULL), m_issuerRole(NULL), m_matchingPolicy(NULL), m_metadata(metadataProvider),
+ m_role(role ? *role : xmltooling::QName()), m_trust(trustEngine) {
+ }
+
+ /**
+ * Constructor for policy using existing rules.
+ *
* @param rules reference to array of policy rules to use
* @param metadataProvider locked MetadataProvider instance
* @param role identifies the role (generally IdP or SP) of the policy peer
const saml2md::MetadataProvider* metadataProvider=NULL,
const xmltooling::QName* role=NULL,
const TrustEngine* trustEngine=NULL
- ) : m_issuer(NULL), m_issuerRole(NULL), m_rules(rules), m_metadata(metadataProvider),
+ ) : m_issuer(NULL), m_issuerRole(NULL), m_matchingPolicy(NULL), m_rules(rules), m_metadata(metadataProvider),
m_role(role ? *role : xmltooling::QName()), m_trust(trustEngine) {
}
+
virtual ~SecurityPolicy();
/**
}
/**
+ * Sets a locked MetadataProvider for the policy.
+ *
+ * @param metadata a locked MetadataProvider or NULL
+ */
+ void setMetadataProvider(const saml2md::MetadataProvider* metadata) {
+ m_metadata = metadata;
+ }
+
+ /**
+ * Sets a peer role element/type for to the policy.
+ *
+ * @param role the peer role element/type or NULL
+ */
+ void setRole(const xmltooling::QName* role) {
+ m_role = (role ? *role : xmltooling::QName());
+ }
+
+ /**
+ * Sets a TrustEngine for the policy.
+ *
+ * @param trust a TrustEngine or NULL
+ */
+ void setTrustEngine(const TrustEngine* trust) {
+ m_trust = trust;
+ }
+
+ /**
* Evaluates the rule against the given request and message,
* possibly populating issuer information in the policy object.
*
* @param issuerRole metadata for the role the issuer is operating in
*/
void setIssuerMetadata(const saml2md::RoleDescriptor* issuerRole);
+
+ /** Allows override of rules for comparing saml2:Issuer information. */
+ class SAML_API IssuerMatchingPolicy {
+ MAKE_NONCOPYABLE(IssuerMatchingPolicy);
+ public:
+ IssuerMatchingPolicy() {}
+ virtual ~IssuerMatchingPolicy() {}
+
+ /**
+ * Returns true iff the two operands "match". Applications can override this method to
+ * support non-standard issuer matching for complex policies.
+ *
+ * <p>The default implementation does a basic comparison of the XML content, treating
+ * an unsupplied Format as an "entityID".
+ *
+ * @param issuer1 the first Issuer to match
+ * @param issuer2 the second Issuer to match
+ * @return true iff the operands match
+ */
+ virtual bool issuerMatches(const saml2::Issuer* issuer1, const saml2::Issuer* issuer2) const;
+ };
- protected:
/**
- * Returns true iff the two operands "match". Applications can override this method to
- * support non-standard issuer matching for complex policies.
+ * Returns the IssuerMatchingPolicy in effect.
*
- * <p>The default implementation does a basic comparison of the XML content, treating
- * an unsupplied Format as "entityID".
+ * @return the effective IssuerMatchingPolicy
+ */
+ const IssuerMatchingPolicy* getIssuerMatchingPolicy() const {
+ return m_matchingPolicy ? m_matchingPolicy : &m_defaultMatching;
+ }
+
+ /**
+ * Sets the IssuerMatchingPolicy in effect. Setting no policy will
+ * cause the simple, default approach to be used.
*
- * @param issuer1 the first Issuer to match
- * @param issuer2 the second Issuer to match
- * @return true iff the operands match
+ * <p>The matching object will be freed by the SecurityPolicy.
+ *
+ * @param matchingPolicy the IssuerMatchingPolicy to use
*/
- virtual bool issuerMatches(const saml2::Issuer* issuer1, const saml2::Issuer* issuer2) const;
+ void getIssuerMatchingPolicy(IssuerMatchingPolicy* matchingPolicy) {
+ delete m_matchingPolicy;
+ m_matchingPolicy = matchingPolicy;
+ }
+
+ protected:
+ /** A shared matching object that just supports the default matching rules. */
+ static IssuerMatchingPolicy m_defaultMatching;
private:
saml2::Issuer* m_issuer;
const saml2md::RoleDescriptor* m_issuerRole;
+ IssuerMatchingPolicy* m_matchingPolicy;
std::vector<const SecurityPolicyRule*> m_rules;
const saml2md::MetadataProvider* m_metadata;
xmltooling::QName m_role;
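Review bot: The mutator declared as `void getIssuerMatchingPolicy(IssuerMatchingPolicy* matchingPolicy)` is named as a getter, so it becomes an overload of the const accessor above it while its own doc comment says "Sets"; it should read `void setIssuerMatchingPolicy(IssuerMatchingPolicy* matchingPolicy)`. Its body also runs `delete m_matchingPolicy;` before storing the argument, so a caller that passes back the pointer already installed is left with a dangling `m_matchingPolicy`; guard it with `if (matchingPolicy != m_matchingPolicy) { delete m_matchingPolicy; m_matchingPolicy = matchingPolicy; }`. Because the doc states the matching object is freed by the SecurityPolicy, the destructor declared at `virtual ~SecurityPolicy();` (defined outside this hunk) presumably has to delete `m_matchingPolicy` as well, which the diff does not show. Minor wording: the setRole comment "for to the policy" should drop "for".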