Add flag to block non-entity issuers.

diff --git a/saml/binding/SecurityPolicy.h b/saml/binding/SecurityPolicy.h
index 5f696a9..fed55f7 100644 (file)
--- a/saml/binding/SecurityPolicy.h
+++ b/saml/binding/SecurityPolicy.h
@@ -76,7 +76,7 @@ namespace opensaml {
             const xmltooling::TrustEngine* trustEngine=NULL,
             bool validate=true
             ) : m_messageID(NULL), m_issueInstant(0), m_issuer(NULL), m_issuerRole(NULL), m_authenticated(false),
-                m_matchingPolicy(NULL), m_metadata(metadataProvider), m_role(NULL), m_trust(trustEngine), m_validate(validate) {
+                m_matchingPolicy(NULL), m_metadata(metadataProvider), m_role(NULL), m_trust(trustEngine), m_validate(validate), m_entityOnly(true) {
             if (role)
                 m_role = new xmltooling::QName(*role);
         }
@@ -117,7 +117,16 @@ namespace opensaml {
          */
         bool getValidating() const {
             return m_validate;
-        } 
+        }
+        
+        /**
+         * Returns flag controlling non-entity issuer support.
+         * 
+         * @return flag controlling non-entity issuer support
+         */
+        bool requireEntityIssuer() const {
+            return m_entityOnly;
+        }
 
         /**
          * Gets a mutable array of installed policy rules.
@@ -168,6 +177,15 @@ namespace opensaml {
         void setValidating(bool validate=true) {
             m_validate = validate;
         }
+
+        /**
+         * Sets flag controlling non-entity issuer support.
+         * 
+         * @param entityOnly require that Issuer be in entity format 
+         */
+        void requireEntityIssuer(bool entityOnly=true) {
+            m_entityOnly = entityOnly;
+        }
         
         /**
          * Evaluates the policy against the given request and message,
@@ -361,6 +379,7 @@ namespace opensaml {
         xmltooling::QName* m_role;
         const xmltooling::TrustEngine* m_trust;
         bool m_validate;
+        bool m_entityOnly;
     };
 
 };

diff --git a/saml/binding/impl/SecurityPolicy.cpp b/saml/binding/impl/SecurityPolicy.cpp
index 2bae01d..371410e 100644 (file)
--- a/saml/binding/impl/SecurityPolicy.cpp
+++ b/saml/binding/impl/SecurityPolicy.cpp
@@ -78,9 +78,11 @@ void SecurityPolicy::evaluate(const XMLObject& message, const GenericRequest* re
 void SecurityPolicy::setIssuer(const Issuer* issuer)
 {
     if (!getIssuerMatchingPolicy().issuerMatches(m_issuer, issuer))
-        throw SecurityPolicyException("A rule supplied an Issuer that conflicts with previous results.");
+        throw SecurityPolicyException("An Issuer was supplied that conflicts with previous results.");
     
     if (!m_issuer) {
+        if (m_entityOnly && issuer->getFormat() && !XMLString::equals(issuer->getFormat(), NameIDType::ENTITY))
+            throw SecurityPolicyException("A non-entity Issuer was supplied, violating policy.");
         m_issuerRole = NULL;
         m_issuer=issuer->cloneIssuer();
     }
@@ -89,7 +91,7 @@ void SecurityPolicy::setIssuer(const Issuer* issuer)
 void SecurityPolicy::setIssuer(const XMLCh* issuer)
 {
     if (!getIssuerMatchingPolicy().issuerMatches(m_issuer, issuer))
-        throw SecurityPolicyException("A rule supplied an Issuer that conflicts with previous results.");
+        throw SecurityPolicyException("An Issuer was supplied that conflicts with previous results.");
     
     if (!m_issuer && issuer && *issuer) {
         m_issuerRole = NULL;