SAML2RedirectDecoder::SAML2RedirectDecoder(const DOMElement* e) {}
-SAML2RedirectDecoder::~SAML2RedirectDecoder() {}
-
XMLObject* SAML2RedirectDecoder::decode(
string& relayState,
const GenericRequest& genericRequest,
throw BindingException("Unable to decode base64 in Redirect binding message.");
// Now we have to inflate it.
- stringstream str;
- if (inflate((char*)decoded, x, str)==0) {
+ stringstream s;
+ if (inflate((char*)decoded, x, s)==0) {
XMLString::release(&decoded);
throw BindingException("Unable to inflate Redirect binding message.");
}
-
+ if (log.isDebugEnabled())
+ log.debug("decoded SAML message:\n%s", s.str().c_str());
XMLString::release(&decoded);
// Parse and bind the document into an XMLObject.
DOMDocument* doc = (m_validate ? XMLToolingConfig::getConfig().getValidatingParser()
- : XMLToolingConfig::getConfig().getParser()).parse(str);
+ : XMLToolingConfig::getConfig().getParser()).parse(s);
XercesJanitor<DOMDocument> janitor(doc);
auto_ptr<XMLObject> xmlObject(XMLObjectBuilder::buildOneFromElement(doc->getDocumentElement(), true));
janitor.release();
- saml2::RootObject* root = dynamic_cast<saml2::RootObject*>(xmlObject.get());
- if (!root)
- throw BindingException("XML content for SAML 2.0 HTTP-POST Decoder must be a SAML 2.0 protocol message.");
+ saml2::RootObject* root = NULL;
+ StatusResponseType* response = NULL;
+ RequestAbstractType* request = dynamic_cast<RequestAbstractType*>(xmlObject.get());
+ if (!request) {
+ response = dynamic_cast<StatusResponseType*>(xmlObject.get());
+ if (!response)
+ throw BindingException("XML content for SAML 2.0 HTTP-POST Decoder must be a SAML 2.0 protocol message.");
+ root = static_cast<saml2::RootObject*>(response);
+ }
+ else {
+ root = static_cast<saml2::RootObject*>(request);
+ }
+
try {
if (!m_validate)
SchemaValidators.validate(xmlObject.get());
+ // Check destination URL.
+ auto_ptr_char dest(request ? request->getDestination() : response->getDestination());
+ const char* dest2 = httpRequest->getRequestURL();
+ if ((root->getSignature() || httpRequest->getParameter("Signature")) && !dest.get() || !*(dest.get())) {
+ log.error("signed SAML message missing Destination attribute");
+ throw BindingException("Signed SAML message missing Destination attribute identifying intended destination.");
+ }
+ else if (dest.get() && (!dest2 || !*dest2 || strcmp(dest.get(),dest2))) {
+ log.error("Redirect targeted at (%s), but delivered to (%s)", dest.get(), dest2 ? dest2 : "none");
+ throw BindingException("SAML message delivered with Redirect to incorrect server URL.");
+ }
+
// Run through the policy.
- policy.evaluate(genericRequest, *root);
+ policy.evaluate(*root, &genericRequest);
}
catch (XMLToolingException& ex) {
// This is just to maximize the likelihood of attaching a source to the message for support purposes.
annotateException(&ex,provider); // throws it
}
- xmlObject.release();
- return root;
+ return xmlObject.release();
}