/**
* Sets the issuer of the message as determined by the registered policies.
- * The policy object takes ownership of the Issuer object.
*
* @param issuer issuer of the message
*/
- void setIssuer(saml2::Issuer* issuer);
+ void setIssuer(const saml2::Issuer* issuer);
+
+ /**
+ * Sets the issuer of the message as determined by the registered policies.
+ *
+ * @param issuer issuer of the message
+ */
+ void setIssuer(const XMLCh* issuer);
/**
* Sets the metadata for the role the issuer is operating in.
* @return true iff the operands match
*/
virtual bool issuerMatches(const saml2::Issuer* issuer1, const saml2::Issuer* issuer2) const;
+
+ /**
+ * Returns true iff the two operands "match". Applications can override this method to
+ * support non-standard issuer matching for complex policies.
+ *
+ * <p>The default implementation does a basic comparison of the XML content, treating
+ * an unsupplied Format as an "entityID".
+ *
+ * @param issuer1 the first Issuer to match
+ * @param issuer2 the second Issuer to match
+ * @return true iff the operands match
+ */
+ virtual bool issuerMatches(const saml2::Issuer* issuer1, const XMLCh* issuer2) const;
};
/**
// Set issuer based on peer identity.
EntityDescriptor* parent = dynamic_cast<EntityDescriptor*>(m_peer->getParent());
if (parent) {
- Issuer* issuer = IssuerBuilder::buildIssuer();
- issuer->setName(parent->getEntityID());
- m_policy.setIssuer(issuer);
+ m_policy.setIssuer(parent->getEntityID());
m_policy.setIssuerMetadata(m_peer);
m_policy.setSecure(true);
}
(*i)->evaluate(message,request,*this);
}
-void SecurityPolicy::setIssuer(saml2::Issuer* issuer)
+void SecurityPolicy::setIssuer(const Issuer* issuer)
{
- if (!getIssuerMatchingPolicy().issuerMatches(issuer, m_issuer))
+ if (!getIssuerMatchingPolicy().issuerMatches(m_issuer, issuer))
throw SecurityPolicyException("A rule supplied an Issuer that conflicts with previous results.");
- delete m_issuer;
- m_issuer=issuer;
+ if (!m_issuer) {
+ m_issuerRole = NULL;
+ m_issuer=issuer->cloneIssuer();
+ }
+}
+
+void SecurityPolicy::setIssuer(const XMLCh* issuer)
+{
+ if (!getIssuerMatchingPolicy().issuerMatches(m_issuer, issuer))
+ throw SecurityPolicyException("A rule supplied an Issuer that conflicts with previous results.");
+
+ if (!m_issuer && issuer && *issuer) {
+ m_issuerRole = NULL;
+ m_issuer = IssuerBuilder::buildIssuer();
+ m_issuer->setName(issuer);
+ }
}
void SecurityPolicy::setIssuerMetadata(const RoleDescriptor* issuerRole)
return true;
}
+
+bool SecurityPolicy::IssuerMatchingPolicy::issuerMatches(const Issuer* issuer1, const XMLCh* issuer2) const
+{
+ // NULL matches anything for the purposes of this interface.
+ if (!issuer1 || !issuer2 || !*issuer2)
+ return true;
+
+ const XMLCh* op1=issuer1->getName();
+ if (!op1 || !XMLString::equals(op1,issuer2))
+ return false;
+
+ op1=issuer1->getFormat();
+ if (op1 && *op1 && !XMLString::equals(op1, NameIDType::ENTITY))
+ return false;
+
+ op1=issuer1->getNameQualifier();
+ if (op1 && *op1)
+ return false;
+
+ op1=issuer1->getSPNameQualifier();
+ if (op1 && *op1)
+ return false;
+
+ return true;
+}
a = assertions.front();
}
- if (a && a->getIssuer()) {
- if (!policy.getIssuer() || policy.getIssuer()->getFormat() ||
- !XMLString::equals(policy.getIssuer()->getName(), a->getIssuer())) {
- // We either have a conflict, or a first-time set of Issuer.
- auto_ptr<saml2::Issuer> issuer(saml2::IssuerBuilder::buildIssuer());
- issuer->setName(a->getIssuer());
- policy.setIssuer(issuer.get());
- issuer.release(); // owned by policy now
- }
+ if (a) {
+ policy.setIssuer(a->getIssuer());
pair<bool,int> minor = a->getMinorVersion();
protocol = (minor.first && minor.second==0) ?
samlconstants::SAML10_PROTOCOL_ENUM : samlconstants::SAML11_PROTOCOL_ENUM;
}
if (log.isDebugEnabled()) {
- auto_ptr_char iname(policy.getIssuer()->getName());
+ auto_ptr_char iname(a->getIssuer());
log.debug("message from (%s)", iname.get());
}
if (policy.getMetadataProvider() && policy.getRole()) {
log.debug("searching metadata for message issuer...");
- const EntityDescriptor* entity = policy.getMetadataProvider()->getEntityDescriptor(policy.getIssuer()->getName());
+ const EntityDescriptor* entity = policy.getMetadataProvider()->getEntityDescriptor(a->getIssuer());
if (!entity) {
- auto_ptr_char temp(policy.getIssuer()->getName());
+ auto_ptr_char temp(a->getIssuer());
log.warn("no metadata found, can't establish identity of issuer (%s)", temp.get());
return;
}
policy.setIssueInstant(samlRoot.getIssueInstantEpoch());
log.debug("extracting issuer from message");
- Issuer* issuer = samlRoot.getIssuer();
- if (issuer && issuer->getName()) {
- auto_ptr<Issuer> copy(issuer->cloneIssuer());
- policy.setIssuer(copy.get());
- copy.release();
+ const Issuer* issuer = samlRoot.getIssuer();
+ if (issuer) {
+ policy.setIssuer(issuer);
}
else if (XMLString::equals(q.getLocalPart(), Response::LOCAL_NAME)) {
// No issuer in the message, so we have to try the Response approach.
const vector<saml2::Assertion*>& assertions = dynamic_cast<const Response&>(samlRoot).getAssertions();
if (!assertions.empty()) {
issuer = assertions.front()->getIssuer();
- if (issuer && issuer->getName()) {
- auto_ptr<Issuer> copy(issuer->cloneIssuer());
- policy.setIssuer(copy.get());
- copy.release();
- }
+ if (issuer)
+ policy.setIssuer(issuer);
}
}
- if (!policy.getIssuer()) {
+ if (!issuer) {
log.warn("issuer identity not extracted");
return;
}
if (log.isDebugEnabled()) {
- auto_ptr_char iname(policy.getIssuer()->getName());
+ auto_ptr_char iname(issuer->getName());
log.debug("message from (%s)", iname.get());
}
}
if (policy.getMetadataProvider() && policy.getRole()) {
- if (policy.getIssuer()->getFormat() && !XMLString::equals(policy.getIssuer()->getFormat(), saml2::NameIDType::ENTITY)) {
+ if (issuer->getFormat() && !XMLString::equals(issuer->getFormat(), NameIDType::ENTITY)) {
log.warn("non-system entity issuer, skipping metadata lookup");
return;
}
log.debug("searching metadata for message issuer...");
- const EntityDescriptor* entity = policy.getMetadataProvider()->getEntityDescriptor(policy.getIssuer()->getName());
+ const EntityDescriptor* entity = policy.getMetadataProvider()->getEntityDescriptor(issuer->getName());
if (!entity) {
- auto_ptr_char temp(policy.getIssuer()->getName());
+ auto_ptr_char temp(issuer->getName());
log.warn("no metadata found, can't establish identity of issuer (%s)", temp.get());
return;
}