void ClientCertAuthRule::evaluate(const XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const
{
Category& log=Category::getInstance(SAML_LOGCAT".SecurityPolicyRule.ClientCertAuth");
- log.debug("evaluating client certificate authentication policy");
- if (!request) {
- log.debug("ignoring message, no protocol request available");
+ if (!request)
return;
- }
- else if (!policy.getIssuerMetadata()) {
+
+ if (!policy.getIssuerMetadata()) {
log.debug("ignoring message, no issuer metadata supplied");
return;
}
}
const std::vector<XSECCryptoX509*>& chain = request->getClientCertificates();
- if (chain.empty()) {
- log.debug("ignoring message, no client certificates in request");
+ if (chain.empty())
return;
- }
if (!x509trust->validate(chain.front(), chain, *(policy.getIssuerMetadata()), true,
policy.getMetadataProvider()->getKeyResolver())) {
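Review bot: The rule now declines to apply at two points with no trace in the log — `if (!request) return;` at the top and `if (chain.empty()) return;` after the certificate lookup — so an operator trying to see why client-certificate authentication never ran gets nothing at any level. A single debug line on each silent return keeps the decision observable without the chatter the commit is trimming elsewhere, e.g. `log.debug("ignoring message, no client certificates in request");` before the second return. The same pattern recurs in the SimpleSigning and XMLSigning hunks below (`if (!request || !httpRequest)`, `if (!signature)`, `if (!signable || !signable->getSignature())`). The validate() failure path that follows lies outside the hunk.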
time_t skew = XMLToolingConfig::getConfig().clock_skew_secs;
time_t issueInstant = policy.getIssueInstant();
if (issueInstant == 0) {
- log.debug("unknown message timestamp, assuming current time for replay checking");
issueInstant = now;
}
else {
if (issueInstant > now + skew) {
log.errorStream() << "rejected not-yet-valid message, timestamp (" << issueInstant <<
"), newest allowed (" << now + skew << ")" << CategoryStream::ENDLINE;
- throw BindingException("Message rejected, was issued in the future.");
+ throw SecurityPolicyException("Message rejected, was issued in the future.");
}
else if (issueInstant < now - skew - m_expires) {
log.errorStream() << "rejected expired message, timestamp (" << issueInstant <<
"), oldest allowed (" << (now - skew - m_expires) << ")" << CategoryStream::ENDLINE;
- throw BindingException("Message expired, was issued too long ago.");
+ throw SecurityPolicyException("Message expired, was issued too long ago.");
}
}
// Check replay.
if (m_checkReplay) {
+ const XMLCh* id = policy.getMessageID();
+ if (!id || !*id)
+ return;
+
ReplayCache* replayCache = XMLToolingConfig::getConfig().getReplayCache();
if (!replayCache) {
log.warn("no ReplayCache available, skipping requested replay check");
return;
}
- const XMLCh* id = policy.getMessageID();
- if (!id || !*id) {
- log.debug("unknown message ID, no replay check possible");
- return;
- }
+
auto_ptr_char temp(id);
if (!replayCache->check("MessageFlow", temp.get(), issueInstant + skew + m_expires)) {
log.error("replay detected of message ID (%s)", temp.get());
- throw BindingException("Rejecting replayed message ID ($1).", params(1,temp.get()));
+ throw SecurityPolicyException("Rejecting replayed message ID ($1).", params(1,temp.get()));
}
}
}
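Review bot: The two ways a requested replay check can be skipped are now reported inconsistently: a missing ReplayCache still logs at warn (`log.warn("no ReplayCache available, skipping requested replay check");`), while the moved message-ID test `if (!id || !*id) return;` exits silently, so a message that reaches this rule with `m_checkReplay` set and no ID leaves no record that replay protection was not applied. Because the ID comes from the message under evaluation (via `policy.getMessageID()`), this is the skip a defender most wants to see; report it at the same level, e.g. `log.warn("no message ID available, skipping requested replay check");` before the return. The rest of the change — SecurityPolicyException in place of BindingException for the three rejections — is consistent. The enclosing evaluate starts outside the hunk, where `now` is defined.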
void SimpleSigningRule::evaluate(const XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const
{
Category& log=Category::getInstance(SAML_LOGCAT".SecurityPolicyRule.SimpleSigning");
- log.debug("evaluating simple signing policy");
if (!policy.getIssuerMetadata()) {
log.debug("ignoring message, no issuer metadata supplied");
}
const HTTPRequest* httpRequest = dynamic_cast<const HTTPRequest*>(request);
- if (!request || !httpRequest) {
- log.debug("ignoring message, no HTTP protocol request available");
+ if (!request || !httpRequest)
return;
- }
const char* signature = request->getParameter("Signature");
- if (!signature) {
- log.debug("ignoring unsigned message");
+ if (!signature)
return;
- }
const char* sigAlgorithm = request->getParameter("SigAlg");
if (!sigAlgorithm) {
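Review bot: As rendered, the issuer-metadata guard at the top of SimpleSigningRule::evaluate logs and then falls through — `if (!policy.getIssuerMetadata()) { log.debug(...); }` has no `return;` — whereas the equivalent guard in ClientCertAuthRule does return, so if this context is shown faithfully the rule carries on with null issuer metadata; add `return;` after the debug line. The same shape appears in the XMLSigningRule hunk below. In the new `if (!request || !httpRequest) return;` the first test is redundant, since dynamic_cast of a null pointer yields null, so `if (!httpRequest) return;` says the same thing. The body of evaluate continues past the hunk.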
void XMLSigningRule::evaluate(const XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const
{
Category& log=Category::getInstance(SAML_LOGCAT".SecurityPolicyRule.XMLSigning");
- log.debug("evaluating message signing policy");
if (!policy.getIssuerMetadata()) {
log.debug("ignoring message, no issuer metadata supplied");
}
const SignableObject* signable = dynamic_cast<const SignableObject*>(&message);
- if (!signable || !signable->getSignature()) {
- log.debug("ignoring unsigned or unrecognized message");
+ if (!signable || !signable->getSignature())
return;
- }
log.debug("validating signature profile");
try {
RelativePath=".\saml1\profile\AssertionValidator.cpp"\r
>\r
</File>\r
+ <File\r
+ RelativePath=".\saml1\profile\BrowserSSOProfileValidator.cpp"\r
+ >\r
+ </File>\r
</Filter>\r
</Filter>\r
<Filter\r
/>\r
</FileConfiguration>\r
</File>\r
- <File\r
- RelativePath=".\saml1\profile\BrowserSSOProfileValidator.cpp"\r
- >\r
- </File>\r
</Filter>\r
</Filter>\r
<Filter\r
if (!XMLString::equals(q.getNamespaceURI(), samlconstants::SAML1P_NS) &&
!XMLString::equals(q.getNamespaceURI(), samlconstants::SAML1_NS)) {
- log.debug("not a SAML 1.x protocol message or assertion");
return;
}
-
try {
const RootObject& samlRoot = dynamic_cast<const RootObject&>(message);
if (!XMLString::equals(q.getNamespaceURI(), samlconstants::SAML20P_NS)&&
!XMLString::equals(q.getNamespaceURI(), samlconstants::SAML20_NS)) {
- log.debug("not a SAML 2.0 protocol message or assertion");
return;
}