Merged issuer/protocol extraction back into rules.

[shibboleth/cpp-opensaml.git] / saml / binding / SecurityPolicyRule.h

diff --git a/saml/binding/SecurityPolicyRule.h b/saml/binding/SecurityPolicyRule.h
index f547251..427f5cc 100644 (file)
--- a/saml/binding/SecurityPolicyRule.h
+++ b/saml/binding/SecurityPolicyRule.h
@@ -33,6 +33,7 @@ namespace opensaml {
         class SAML_API Issuer;
     };
     namespace saml2md {
+        class SAML_API MetadataProvider;
         class SAML_API RoleDescriptor;
     };
     
@@ -60,6 +61,7 @@ namespace opensaml {
          * @param metadataProvider  locked MetadataProvider instance to authenticate the message
          * @param role              identifies the role (generally IdP or SP) of the peer who issued the message 
          * @param trustEngine       TrustEngine to authenticate the message
+         * @param extractor         MessageExtractor to use in examining message
          * @return the identity of the message issuer, in two forms, or NULL
          * 
          * @throws BindingException thrown if the request/message do not meet the requirements of this rule
@@ -79,25 +81,41 @@ namespace opensaml {
     void SAML_API registerSecurityPolicyRules();
 
     /**
+     * SecurityPolicyRule for TLS client certificate authentication.
+     * 
+     * Requires that messages carry information about the issuer, and then
+     * evaluates the claimed certificates against the issuer's metadata.
+     */
+    #define CLIENTCERTAUTH_POLICY_RULE  "org.opensaml.binding.ClientCertAuthRule"
+
+    /**
      * SecurityPolicyRule for replay detection and freshness checking.
      * 
      * <p>A ReplayCache instance must be available from the runtime, unless
      * a "checkReplay" XML attribute is set to "0" or "false" when instantiating
-     * the policy.
+     * the policy rule.
      * 
      * <p>Messages must have been issued in the past, but no more than 60 seconds ago,
      * or up to a number of seconds set by an "expires" XML attribute when
-     * instantiating the policy.
+     * instantiating the policy rule.
      */
     #define MESSAGEFLOW_POLICY_RULE  "org.opensaml.binding.MessageFlowRule"
 
     /**
-     * SecurityPolicyRule for protocol message signing.
+     * SecurityPolicyRule for protocol message "blob" signing.
+     * 
+     * Allows the message issuer to be authenticated using a non-XML digital signature
+     * over the message body. The transport layer is not considered.
+     */
+    #define SIMPLESIGNING_POLICY_RULE  "org.opensaml.binding.SimpleSigningRule"
+
+    /**
+     * SecurityPolicyRule for protocol message XML signing.
      * 
-     * Allows the message issuer to be authenticated using an XML or binding-specific
-     * digital signature over the message. The transport layer is not considered.
+     * Allows the message issuer to be authenticated using an XML digital signature
+     * over the message. The transport layer is not considered.
      */
-    #define MESSAGESIGNING_POLICY_RULE  "org.opensaml.binding.MessageSigningRule"
+    #define XMLSIGNING_POLICY_RULE  "org.opensaml.binding.XMLSigningRule"
 };
 
 #endif /* __saml_secrule_h__ */