X-Git-Url: http://www.project-moonshot.org/gitweb/?p=shibboleth%2Fcpp-opensaml.git;a=blobdiff_plain;f=saml%2Fsaml2%2Fprofile%2Fimpl%2FBrowserSSOProfile20Validator.cpp;fp=saml%2Fsaml2%2Fprofile%2Fimpl%2FBrowserSSOProfile20Validator.cpp;h=5a73d503c200a99aac497eff61ee49dde50d2090;hp=0000000000000000000000000000000000000000;hb=69a716dedfd9e239bcc9206a7b8dc137b43f5f89;hpb=df39928338a40f7a2980406e9737893289673611 diff --git a/saml/saml2/profile/impl/BrowserSSOProfile20Validator.cpp b/saml/saml2/profile/impl/BrowserSSOProfile20Validator.cpp new file mode 100644 index 0000000..5a73d50 --- /dev/null +++ b/saml/saml2/profile/impl/BrowserSSOProfile20Validator.cpp @@ -0,0 +1,91 @@ +/* + * Copyright 2001-2007 Internet2 + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/** + * BrowserSSOProfile20Validator.cpp + * + * SAML 2.0 Browser SSO Profile Assertion Validator + */ + +#include "internal.h" +#include "saml2/core/Assertions.h" +#include "saml2/profile/BrowserSSOProfileValidator.h" + +#include +#include + +using namespace opensaml::saml2; +using namespace xmltooling::logging; +using namespace xmltooling; +using namespace std; + +void BrowserSSOProfileValidator::validateAssertion(const Assertion& assertion) const +{ +#ifdef _DEBUG + xmltooling::NDC ndc("validate"); +#endif + Category& log = Category::getInstance(SAML_LOGCAT".AssertionValidator"); + + // The assertion MUST have proper confirmation requirements. + const char* msg=NULL; + const Subject* subject = assertion.getSubject(); + if (subject) { + const vector& confs = subject->getSubjectConfirmations(); + for (vector::const_iterator sc = confs.begin(); sc!=confs.end(); ++sc) { + if (XMLString::equals((*sc)->getMethod(), SubjectConfirmation::BEARER)) { + const SubjectConfirmationDataType* data = dynamic_cast((*sc)->getSubjectConfirmationData()); + + if (m_destination.get()) { + if (!XMLString::equals(m_destination.get(), data ? data->getRecipient() : NULL)) { + msg = "bearer confirmation failed with recipient mismatch"; + continue; + } + } + + if (m_requestID.get()) { + if (!XMLString::equals(m_requestID.get(), data ? data->getInResponseTo() : NULL)) { + msg = "bearer confirmation failed with request correlation mismatch"; + continue; + } + } + + if (m_ts) { + if (!data || !data->getNotOnOrAfter()) { + msg = "bearer confirmation missing NotOnOrAfter attribute"; + continue; + } + else if (data->getNotOnOrAfterEpoch() <= m_ts - XMLToolingConfig::getConfig().clock_skew_secs) { + msg = "bearer confirmation has expired"; + continue; + } + } + + // Save off client address. + if (data) { + auto_ptr_char ip(data->getAddress()); + if (ip.get()) + m_address = ip.get(); + } + + // Pass up for additional checking. + return AssertionValidator::validateAssertion(assertion); + } + } + } + + log.error(msg); + throw ValidationException("Unable to locate satisfiable bearer SubjectConfirmation in assertion."); +}