#include "internal.h"
#include "exceptions.h"
-#include "saml/binding/ReplayCache.h"
+#include "saml1/core/Assertions.h"
#include "saml1/binding/SAML1POSTDecoder.h"
#include "saml2/metadata/Metadata.h"
#include "saml2/metadata/MetadataProvider.h"
#include <log4cpp/Category.hh>
#include <xercesc/util/Base64.hpp>
#include <xmltooling/util/NDC.h>
+#include <xmltooling/util/ReplayCache.h>
+#include <xmltooling/validation/ValidatorSuite.h>
using namespace opensaml::saml2md;
using namespace opensaml::saml1p;
Response* SAML1POSTDecoder::decode(
string& relayState,
const RoleDescriptor*& issuer,
- bool& issuerTrusted,
+ const XMLCh*& securityMech,
const HTTPRequest& httpRequest,
const MetadataProvider* metadataProvider,
const QName* role,
throw BindingException("Detected expired POST profile response.");
// Check replay.
- ReplayCache* replayCache = SAMLConfig::getConfig().getReplayCache();
+ ReplayCache* replayCache = XMLToolingConfig::getConfig().getReplayCache();
if (replayCache) {
auto_ptr_char id(response->getResponseID());
if (!replayCache->check("SAML1POST", id.get(), response->getIssueInstant()->getEpoch() + (2*XMLToolingConfig::getConfig().clock_skew_secs))) {
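Review bot: A missing ReplayCache silently disables replay detection on this path: when `XMLToolingConfig::getConfig().getReplayCache()` returns NULL the `if (replayCache)` branch is skipped with no log entry, so a deployment without a cache accepts replayed POST responses and leaves no trace of it. Since the commit moves the cache lookup to XMLToolingConfig, this is a natural place to make the degraded mode visible, e.g. `else log.warn("no ReplayCache configured, skipping replay detection for POST profile response");`, or to treat the absence as a configuration error if replay protection is mandatory for this binding. The enclosing decode() body starts and ends outside the hunk.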
* applied.
*/
issuer = NULL;
- issuerTrusted = false;
+ securityMech = NULL;
log.debug("attempting to establish issuer and integrity of message...");
const vector<Assertion*>& assertions=const_cast<const Response*>(response)->getAssertions();
if (!assertions.empty()) {
pair<bool,int> minor = response->getMinorVersion();
issuer=provider->getRoleDescriptor(
*role,
- (minor.first && minor.second==0) ? SAMLConstants::SAML10_PROTOCOL_ENUM : SAMLConstants::SAML11_PROTOCOL_ENUM
+ (minor.first && minor.second==0) ? samlconstants::SAML10_PROTOCOL_ENUM : samlconstants::SAML11_PROTOCOL_ENUM
);
if (issuer) {
if (trustEngine && response->getSignature()) {
- issuerTrusted = trustEngine->validate(
- *(response->getSignature()), *issuer, metadataProvider->getKeyResolver()
- );
- if (!issuerTrusted) {
+ if (trustEngine->validate(*(response->getSignature()), *issuer, metadataProvider->getKeyResolver())) {
+ securityMech = samlconstants::SAML1P_NS;
+ }
+ else {
log.error("unable to verify signature on message with supplied trust engine");
throw BindingException("Message signature failed verification.");
}
}
else {
- log.warn("unable to verify integrity of the message, leaving untrusted");
+ log.warn("unable to authenticate the message, leaving untrusted");
}
}
else {
}
if (log.isDebugEnabled()) {
auto_ptr_char iname(assertions.front()->getIssuer());
- log.debug("message from (%s), integrity %sverified", iname.get(), issuerTrusted ? "" : "NOT ");
+ log.debug("message from (%s), integrity %sverified", iname.get(), securityMech ? "" : "NOT ");
}
}
else {
pair<bool,int> minor = response->getMinorVersion();
issuer=provider->getRoleDescriptor(
*role,
- (minor.first && minor.second==0) ? SAMLConstants::SAML10_PROTOCOL_ENUM : SAMLConstants::SAML11_PROTOCOL_ENUM
+ (minor.first && minor.second==0) ? samlconstants::SAML10_PROTOCOL_ENUM : samlconstants::SAML11_PROTOCOL_ENUM
);
}
if (issuer) annotateException(&ex,issuer); // throws it
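Review bot: The new securityMech out-parameter is the caller's only signal that the message was authenticated, yet the hunk does not document what its values mean: it is set to SAML1P_NS only when the trust engine verifies the Response-level signature, and the unsigned / no-trust-engine case merely logs a warning and leaves it NULL. I would add a comment above `securityMech = NULL;` such as `// securityMech stays NULL unless the Response signature verifies against the issuer's metadata; callers must treat NULL as unauthenticated. Only the Response signature is checked here, not assertion-level signatures.`. Separately, the `else { }` following `if (issuer)` is empty, so a failed role-descriptor lookup for the assertion's issuer produces no log line at all; unless lines were lost in rendering, a `log.warn` there would help incident analysis. decode() continues outside the hunk.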