From 003e73203da5cdf8c3d001a75a56b9e45ef6465b Mon Sep 17 00:00:00 2001 From: Scott Cantor Date: Wed, 24 Sep 2008 17:03:15 +0000 Subject: [PATCH] https://issues.shibboleth.net/jira/browse/SSPCPP-132 --- saml/binding/SecurityPolicy.h | 124 ++++++++++++----------- saml/binding/impl/SecurityPolicy.cpp | 35 ++++--- saml/saml1/binding/impl/SAML1ArtifactDecoder.cpp | 27 ++--- saml/saml1/binding/impl/SAML1MessageDecoder.cpp | 10 +- saml/saml2/binding/impl/SAML2ArtifactDecoder.cpp | 29 +++--- saml/saml2/binding/impl/SAML2MessageDecoder.cpp | 14 +-- saml/saml2/metadata/MetadataProvider.h | 6 ++ 7 files changed, 138 insertions(+), 107 deletions(-) diff --git a/saml/binding/SecurityPolicy.h b/saml/binding/SecurityPolicy.h index fed55f7..7f879ec 100644 --- a/saml/binding/SecurityPolicy.h +++ b/saml/binding/SecurityPolicy.h @@ -1,6 +1,6 @@ /* * Copyright 2001-2007 Internet2 - * + * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at @@ -16,18 +16,17 @@ /** * @file saml/binding/SecurityPolicy.h - * + * * Overall policy used to verify the security of an incoming message. */ #ifndef __saml_secpol_h__ #define __saml_secpol_h__ -#include +#include #include #include -#include #include #include @@ -41,22 +40,18 @@ namespace opensaml { namespace saml2 { class SAML_API Issuer; }; - namespace saml2md { - class SAML_API MetadataProvider; - class SAML_API RoleDescriptor; - }; - + class SAML_API SecurityPolicyRule; - + /** * A policy used to verify the security of an incoming message. - * + * *

Its security mechanisms may be used to examine the transport layer * (e.g client certificates and HTTP basic auth passwords) or to check the * payload of a request to ensure it meets certain criteria (e.g. valid * digital signature, freshness, replay). - * - *

Policy objects can be reused, but are not thread-safe. + * + *

Policy objects can be reused, but are not thread-safe. */ class SAML_API SecurityPolicy { @@ -64,9 +59,9 @@ namespace opensaml { public: /** * Constructor for policy. - * + * * @param metadataProvider locked MetadataProvider instance - * @param role identifies the role (generally IdP or SP) of the policy peer + * @param role identifies the role (generally IdP or SP) of the policy peer * @param trustEngine TrustEngine to authenticate policy peer * @param validate true iff XML parsing should be done with validation */ @@ -75,7 +70,7 @@ namespace opensaml { const xmltooling::QName* role=NULL, const xmltooling::TrustEngine* trustEngine=NULL, bool validate=true - ) : m_messageID(NULL), m_issueInstant(0), m_issuer(NULL), m_issuerRole(NULL), m_authenticated(false), + ) : m_metadataCriteria(NULL), m_messageID(NULL), m_issueInstant(0), m_issuer(NULL), m_issuerRole(NULL), m_authenticated(false), m_matchingPolicy(NULL), m_metadata(metadataProvider), m_role(NULL), m_trust(trustEngine), m_validate(validate), m_entityOnly(true) { if (role) m_role = new xmltooling::QName(*role); @@ -85,7 +80,7 @@ namespace opensaml { /** * Returns the locked MetadataProvider supplied to the policy. - * + * * @return the supplied MetadataProvider or NULL */ const saml2md::MetadataProvider* getMetadataProvider() const { @@ -93,8 +88,16 @@ namespace opensaml { } /** + * Returns a reference to a MetadataProvider::Criteria instance suitable for use with the + * installed MetadataProvider. + * + * @return reference to a MetadataProvider::Criteria instance + */ + virtual saml2md::MetadataProvider::Criteria& getMetadataProviderCriteria() const; + + /** * Returns the peer role element/type supplied to the policy. - * + * * @return the peer role element/type, or an empty QName */ const xmltooling::QName* getRole() const { 
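Review bot: The Doxygen comment on the new `getMetadataProviderCriteria()` declaration does not say that the returned Criteria is owned by the policy and shared by every caller. Per the implementation in SecurityPolicy.cpp it is allocated once, handed out by reference on each call, and deleted by `reset()`, so the reference must not be kept across a `reset()` and fields assigned by an earlier lookup are still present on the next call. Suggested addition to the comment: ` * The returned instance is owned by the policy, reused across calls and freed by reset(); do not retain the reference, and assign every field the lookup relies on.`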
@@ -103,7 +106,7 @@ namespace opensaml { /** * Returns the TrustEngine supplied to the policy. - * + * * @return the supplied TrustEngine or NULL */ const xmltooling::TrustEngine* getTrustEngine() const { @@ -112,16 +115,16 @@ namespace opensaml { /** * Returns XML message validation setting. - * + * * @return validation flag */ bool getValidating() const { return m_validate; } - + /** * Returns flag controlling non-entity issuer support. - * + * * @return flag controlling non-entity issuer support */ bool requireEntityIssuer() const { @@ -132,7 +135,7 @@ namespace opensaml { * Gets a mutable array of installed policy rules. * *

If adding rules, their lifetime must be at least as long as the policy object. - * + * * @return mutable array of rules */ std::vector& getRules() { @@ -141,7 +144,7 @@ namespace opensaml { /** * Sets a locked MetadataProvider for the policy. - * + * * @param metadata a locked MetadataProvider or NULL */ void setMetadataProvider(const saml2md::MetadataProvider* metadata) { @@ -150,7 +153,7 @@ namespace opensaml { /** * Sets a peer role element/type for to the policy. - * + * * @param role the peer role element/type or NULL */ void setRole(const xmltooling::QName* role) { @@ -160,7 +163,7 @@ namespace opensaml { /** * Sets a TrustEngine for the policy. - * + * * @param trust a TrustEngine or NULL */ void setTrustEngine(const xmltooling::TrustEngine* trust) { @@ -170,8 +173,8 @@ namespace opensaml { /** * Controls schema validation of incoming XML messages. * This is separate from other forms of programmatic validation of objects, - * but can detect a much wider range of syntax errors. - * + * but can detect a much wider range of syntax errors. + * * @param validate validation setting */ void setValidating(bool validate=true) { @@ -180,17 +183,17 @@ namespace opensaml { /** * Sets flag controlling non-entity issuer support. - * - * @param entityOnly require that Issuer be in entity format + * + * @param entityOnly require that Issuer be in entity format */ void requireEntityIssuer(bool entityOnly=true) { m_entityOnly = entityOnly; } - + /** * Evaluates the policy against the given request and message, * possibly populating message information in the policy object. - * + * * @param message the incoming message * @param request the protocol request * 
@@ -209,10 +212,10 @@ namespace opensaml { * @param messageOnly true iff security and issuer state should be left in place */ void reset(bool messageOnly=false); - + /** * Returns the message identifier as determined by the registered policies. - * + * * @return message identifier as determined by the registered policies */ const XMLCh* getMessageID() const { @@ -221,7 +224,7 @@ namespace opensaml { /** * Returns the message timestamp as determined by the registered policies. - * + * * @return message timestamp as determined by the registered policies */ time_t getIssueInstant() const { @@ -230,7 +233,7 @@ namespace opensaml { /** * Gets the issuer of the message as determined by the registered policies. - * + * * @return issuer of the message as determined by the registered policies */ const saml2::Issuer* getIssuer() const { @@ -239,7 +242,7 @@ namespace opensaml { /** * Gets the metadata for the role the issuer is operating in. - * + * * @return metadata for the role the issuer is operating in */ const saml2md::RoleDescriptor* getIssuerMetadata() const { @@ -248,8 +251,8 @@ namespace opensaml { /** * Returns the authentication status of the message as determined by the registered policies. - * - * @return true iff a SecurityPolicyRule has indicated the issuer/message has been authenticated + * + * @return true iff a SecurityPolicyRule has indicated the issuer/message has been authenticated */ bool isAuthenticated() const { return m_authenticated; @@ -257,7 +260,7 @@ namespace opensaml { /** * Sets the message identifier as determined by the registered policies. - * + * * @param id message identifier */ void setMessageID(const XMLCh* id) { @@ -267,7 +270,7 @@ namespace opensaml { /** * Sets the message timestamp as determined by the registered policies. - * + * * @param issueInstant message timestamp */ void setIssueInstant(time_t issueInstant) { 
@@ -276,48 +279,48 @@ namespace opensaml { /** * Sets the issuer of the message as determined by the registered policies. - * + * * @param issuer issuer of the message */ void setIssuer(const saml2::Issuer* issuer); /** * Sets the issuer of the message as determined by the registered policies. - * + * * @param issuer issuer of the message */ void setIssuer(const XMLCh* issuer); - + /** * Sets the metadata for the role the issuer is operating in. - * + * * @param issuerRole metadata for the role the issuer is operating in */ void setIssuerMetadata(const saml2md::RoleDescriptor* issuerRole); /** * Sets the authentication status of the message as determined by the registered policies. - * + * * @param auth indicates whether the issuer/message has been authenticated */ void setAuthenticated(bool auth) { m_authenticated = auth; } - + /** Allows override of rules for comparing saml2:Issuer information. */ class SAML_API IssuerMatchingPolicy { MAKE_NONCOPYABLE(IssuerMatchingPolicy); public: IssuerMatchingPolicy() {} virtual ~IssuerMatchingPolicy() {} - + /** * Returns true iff the two operands "match". Applications can override this method to - * support non-standard issuer matching for complex policies. - * + * support non-standard issuer matching for complex policies. + * *

The default implementation does a basic comparison of the XML content, treating * an unsupplied Format as an "entityID". - * + * * @param issuer1 the first Issuer to match * @param issuer2 the second Issuer to match * @return true iff the operands match @@ -326,11 +329,11 @@ namespace opensaml { /** * Returns true iff the two operands "match". Applications can override this method to - * support non-standard issuer matching for complex policies. - * + * support non-standard issuer matching for complex policies. + * *

The default implementation does a basic comparison of the XML content, treating * an unsupplied Format as an "entityID". - * + * * @param issuer1 the first Issuer to match * @param issuer2 the second Issuer to match * @return true iff the operands match @@ -340,7 +343,7 @@ namespace opensaml { /** * Returns the IssuerMatchingPolicy in effect. - * + * * @return the effective IssuerMatchingPolicy */ const IssuerMatchingPolicy& getIssuerMatchingPolicy() const { @@ -350,9 +353,9 @@ namespace opensaml { /** * Sets the IssuerMatchingPolicy in effect. Setting no policy will * cause the simple, default approach to be used. - * + * *

The matching object will be freed by the SecurityPolicy. - * + * * @param matchingPolicy the IssuerMatchingPolicy to use */ void setIssuerMatchingPolicy(IssuerMatchingPolicy* matchingPolicy) { @@ -364,14 +367,17 @@ namespace opensaml { /** A shared matching object that just supports the default matching rules. */ static IssuerMatchingPolicy m_defaultMatching; + /** Manufactured MetadataProvider::Criteria instance. */ + mutable saml2md::MetadataProvider::Criteria* m_metadataCriteria; + private: - // information extracted from message + // information extracted from message XMLCh* m_messageID; time_t m_issueInstant; saml2::Issuer* m_issuer; const saml2md::RoleDescriptor* m_issuerRole; bool m_authenticated; - + // components governing policy rules IssuerMatchingPolicy* m_matchingPolicy; std::vector m_rules; diff --git a/saml/binding/impl/SecurityPolicy.cpp b/saml/binding/impl/SecurityPolicy.cpp index 371410e..02812a4 100644 --- a/saml/binding/impl/SecurityPolicy.cpp +++ b/saml/binding/impl/SecurityPolicy.cpp @@ -1,6 +1,6 @@ /* * Copyright 2001-2007 Internet2 - * + * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at @@ -16,8 +16,8 @@ /** * SecurityPolicy.cpp - * - * Overall policy used to verify the security of an incoming message. + * + * Overall policy used to verify the security of an incoming message. */ #include "internal.h" @@ -61,6 +61,8 @@ void SecurityPolicy::reset(bool messageOnly) XMLString::release(&m_messageID); m_messageID=NULL; m_issueInstant=0; + delete m_metadataCriteria; + m_metadataCriteria=NULL; if (!messageOnly) { delete m_issuer; m_issuer=NULL; 
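Review bot: `m_metadataCriteria` is added as a `mutable` owning raw pointer, but the only place this diff frees it is the `reset()` hunk in SecurityPolicy.cpp; the destructor is not part of the change, so unless `~SecurityPolicy()` already calls `reset()` or gets a matching `delete m_metadataCriteria;`, a policy destroyed without an intervening `reset()` leaks the Criteria. Since every other owned member is released in the destructor, the same line belongs there: `delete m_metadataCriteria;`. The destructor body is outside the visible hunks, so confirm against the full file.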
@@ -69,6 +71,13 @@ void SecurityPolicy::reset(bool messageOnly) } } +MetadataProvider::Criteria& SecurityPolicy::getMetadataProviderCriteria() const +{ + if (!m_metadataCriteria) + m_metadataCriteria=new MetadataProvider::Criteria(); + return *m_metadataCriteria; +} + void SecurityPolicy::evaluate(const XMLObject& message, const GenericRequest* request) { for (vector::const_iterator i=m_rules.begin(); i!=m_rules.end(); ++i) @@ -79,7 +88,7 @@ void SecurityPolicy::setIssuer(const Issuer* issuer) { if (!getIssuerMatchingPolicy().issuerMatches(m_issuer, issuer)) throw SecurityPolicyException("An Issuer was supplied that conflicts with previous results."); - + if (!m_issuer) { if (m_entityOnly && issuer->getFormat() && !XMLString::equals(issuer->getFormat(), NameIDType::ENTITY)) throw SecurityPolicyException("A non-entity Issuer was supplied, violating policy."); @@ -92,7 +101,7 @@ void SecurityPolicy::setIssuer(const XMLCh* issuer) { if (!getIssuerMatchingPolicy().issuerMatches(m_issuer, issuer)) throw SecurityPolicyException("An Issuer was supplied that conflicts with previous results."); - + if (!m_issuer && issuer && *issuer) { m_issuerRole = NULL; m_issuer = IssuerBuilder::buildIssuer(); @@ -112,17 +121,17 @@ bool SecurityPolicy::IssuerMatchingPolicy::issuerMatches(const Issuer* issuer1, // NULL matches anything for the purposes of this interface. if (!issuer1 || !issuer2) return true; - + const XMLCh* op1=issuer1->getName(); const XMLCh* op2=issuer2->getName(); if (!op1 || !op2 || !XMLString::equals(op1,op2)) return false; - + op1=issuer1->getFormat(); op2=issuer2->getFormat(); if (!XMLString::equals(op1 ? op1 : NameIDType::ENTITY, op2 ? op2 : NameIDType::ENTITY)) return false; - + op1=issuer1->getNameQualifier(); op2=issuer2->getNameQualifier(); if (!XMLString::equals(op1 ? op1 : &chNull, op2 ? op2 : &chNull)) 
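Review bot: `getMetadataProviderCriteria()` hands back the same Criteria on every call without clearing it, so fields assigned by one lookup survive into the next until `reset()` runs. The callers converted in this commit assign only `artifact` or `entityID_unicode`, `role` and `protocol` (plus `protocol2` only in SAML1ArtifactDecoder.cpp), so a `protocol2` or an `artifact` pointer left by an artifact decoder is still set when `extractMessageDetails` in SAML1MessageDecoder.cpp or SAML2MessageDecoder.cpp does its issuer lookup on the same policy, and which field `getEntityDescriptor` honours first is not visible here. Resetting the object on each call keeps every lookup independent and needs only the default constructor this commit adds in MetadataProvider.h: `else *m_metadataCriteria = MetadataProvider::Criteria();` after the existing allocation branch.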
@@ -132,7 +141,7 @@ bool SecurityPolicy::IssuerMatchingPolicy::issuerMatches(const Issuer* issuer1, op2=issuer2->getSPNameQualifier(); if (!XMLString::equals(op1 ? op1 : &chNull, op2 ? op2 : &chNull)) return false; - + return true; } @@ -141,15 +150,15 @@ bool SecurityPolicy::IssuerMatchingPolicy::issuerMatches(const Issuer* issuer1, // NULL matches anything for the purposes of this interface. if (!issuer1 || !issuer2 || !*issuer2) return true; - + const XMLCh* op1=issuer1->getName(); if (!op1 || !XMLString::equals(op1,issuer2)) return false; - + op1=issuer1->getFormat(); if (op1 && *op1 && !XMLString::equals(op1, NameIDType::ENTITY)) return false; - + op1=issuer1->getNameQualifier(); if (op1 && *op1) return false; @@ -157,6 +166,6 @@ bool SecurityPolicy::IssuerMatchingPolicy::issuerMatches(const Issuer* issuer1, op1=issuer1->getSPNameQualifier(); if (op1 && *op1) return false; - + return true; } diff --git a/saml/saml1/binding/impl/SAML1ArtifactDecoder.cpp b/saml/saml1/binding/impl/SAML1ArtifactDecoder.cpp index e24dda1..4c56f2e 100644 --- a/saml/saml1/binding/impl/SAML1ArtifactDecoder.cpp +++ b/saml/saml1/binding/impl/SAML1ArtifactDecoder.cpp @@ -1,6 +1,6 @@ /* * Copyright 2001-2007 Internet2 - * + * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at @@ -16,7 +16,7 @@ /** * SAML1ArtifactDecoder.cpp - * + * * SAML 1.x Artifact binding/profile message decoder */ @@ -41,19 +41,19 @@ using namespace xmltooling; using namespace std; namespace opensaml { - namespace saml1p { + namespace saml1p { class SAML_DLLLOCAL SAML1ArtifactDecoder : public SAML1MessageDecoder { public: SAML1ArtifactDecoder() {} virtual ~SAML1ArtifactDecoder() {} - + xmltooling::XMLObject* decode( std::string& relayState, const GenericRequest& genericRequest, SecurityPolicy& policy ) const; - }; + }; MessageDecoder* SAML_DLLLOCAL SAML1ArtifactDecoderFactory(const pair& p) { 
@@ -93,7 +93,7 @@ XMLObject* SAML1ArtifactDecoder::decode( for (vector::const_iterator raw=SAMLart.begin(); raw!=SAMLart.end(); ++raw) { try { log.debug("processing encoded artifact (%s)", *raw); - + // Check replay. ReplayCache* replayCache = XMLToolingConfig::getConfig().getReplayCache(); if (replayCache) { @@ -117,9 +117,12 @@ XMLObject* SAML1ArtifactDecoder::decode( throw; } } - + log.debug("attempting to determine source of artifact(s)..."); - MetadataProvider::Criteria mc(artifacts.front(), policy.getRole(), samlconstants::SAML11_PROTOCOL_ENUM); + MetadataProvider::Criteria& mc = policy.getMetadataProviderCriteria(); + mc.artifact = artifacts.front(); + mc.role = policy.getRole(); + mc.protocol = samlconstants::SAML11_PROTOCOL_ENUM; mc.protocol2 = samlconstants::SAML10_PROTOCOL_ENUM; pair provider=policy.getMetadataProvider()->getEntityDescriptor(mc); if (!provider.first) { @@ -130,7 +133,7 @@ XMLObject* SAML1ArtifactDecoder::decode( for_each(artifacts.begin(), artifacts.end(), xmltooling::cleanup()); throw BindingException("Metadata lookup failed, unable to determine artifact issuer"); } - + if (log.isDebugEnabled()) { auto_ptr_char issuer(provider.first->getEntityID()); log.debug("artifact issued by (%s)", issuer.get()); @@ -144,15 +147,15 @@ XMLObject* SAML1ArtifactDecoder::decode( // Set Issuer for the policy. policy.setIssuer(provider.first->getEntityID()); policy.setIssuerMetadata(provider.second); - + try { log.debug("calling ArtifactResolver..."); auto_ptr response( m_artifactResolver->resolve(artifacts, dynamic_cast(*provider.second), policy) ); - + // The policy should be enforced against the Response by the resolve step. - + for_each(artifacts.begin(), artifacts.end(), xmltooling::cleanup()); return response.release(); } diff --git a/saml/saml1/binding/impl/SAML1MessageDecoder.cpp b/saml/saml1/binding/impl/SAML1MessageDecoder.cpp index 8fe02a1..b0079ac 100644 --- a/saml/saml1/binding/impl/SAML1MessageDecoder.cpp 
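Review bot: `mc.artifact = artifacts.front();` stores a pointer in the policy-owned Criteria, but the artifacts are deleted by the `for_each(..., xmltooling::cleanup())` calls later in `decode()` while the Criteria lives on until `reset()`; unlike SAML2ArtifactDecoder.cpp, no `policy.reset(true)` appears in the visible hunks of this file, so the freed pointer can still sit in the Criteria the next time the policy is used for a lookup. Clearing it before the artifacts are freed, `mc.artifact = NULL;` on both the error path and the success path, removes the dangling reference. `decode()` starts before this hunk and ends after it.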
+++ b/saml/saml1/binding/impl/SAML1MessageDecoder.cpp @@ -1,6 +1,6 @@ /* * Copyright 2001-2007 Internet2 - * + * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at @@ -16,7 +16,7 @@ /** * SAML1MessageDecoder.cpp - * + * * Base class for SAML 1.x MessageDecoders. */ @@ -93,8 +93,10 @@ void SAML1MessageDecoder::extractMessageDetails( if (policy.getMetadataProvider() && policy.getRole()) { log.debug("searching metadata for response issuer..."); - - MetadataProvider::Criteria mc(issuer, policy.getRole(), protocol); + MetadataProvider::Criteria& mc = policy.getMetadataProviderCriteria(); + mc.entityID_unicode = issuer; + mc.role = policy.getRole(); + mc.protocol = protocol; pair entity = policy.getMetadataProvider()->getEntityDescriptor(mc); if (!entity.first) { diff --git a/saml/saml2/binding/impl/SAML2ArtifactDecoder.cpp b/saml/saml2/binding/impl/SAML2ArtifactDecoder.cpp index 47fc608..081787f 100644 --- a/saml/saml2/binding/impl/SAML2ArtifactDecoder.cpp +++ b/saml/saml2/binding/impl/SAML2ArtifactDecoder.cpp @@ -1,6 +1,6 @@ /* * Copyright 2001-2007 Internet2 - * + * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at @@ -16,7 +16,7 @@ /** * SAML2ArtifactDecoder.cpp - * + * * SAML 2.0 Artifact binding message decoder */ @@ -42,19 +42,19 @@ using namespace xmltooling; using namespace std; namespace opensaml { - namespace saml2p { + namespace saml2p { class SAML_DLLLOCAL SAML2ArtifactDecoder : public SAML2MessageDecoder { public: SAML2ArtifactDecoder() {} virtual ~SAML2ArtifactDecoder() {} - + xmltooling::XMLObject* decode( std::string& relayState, const GenericRequest& genericRequest, SecurityPolicy& policy ) const; - }; + }; MessageDecoder* SAML_DLLLOCAL SAML2ArtifactDecoderFactory(const pair& p) { 
@@ -92,7 +92,7 @@ XMLObject* SAML2ArtifactDecoder::decode( SAMLArtifact* artifact=NULL; try { log.debug("processing encoded artifact (%s)", SAMLart); - + // Check replay. ReplayCache* replayCache = XMLToolingConfig::getConfig().getReplayCache(); if (replayCache) { @@ -110,16 +110,19 @@ XMLObject* SAML2ArtifactDecoder::decode( log.error("error parsing artifact (%s)", SAMLart); throw; } - + // Check the type. auto_ptr artifact2(dynamic_cast(artifact)); if (!artifact2.get()) { throw BindingException("Artifact binding requires SAML 2.0 artifact."); delete artifact; } - + log.debug("attempting to determine source of artifact..."); - MetadataProvider::Criteria mc(artifact, policy.getRole(), samlconstants::SAML20P_NS); + MetadataProvider::Criteria& mc = policy.getMetadataProviderCriteria(); + mc.artifact = artifact; + mc.role = policy.getRole(); + mc.protocol = samlconstants::SAML20P_NS; pair provider=policy.getMetadataProvider()->getEntityDescriptor(mc); if (!provider.first) { log.error( @@ -128,7 +131,7 @@ XMLObject* SAML2ArtifactDecoder::decode( ); throw BindingException("Metadata lookup failed, unable to determine artifact issuer."); } - + if (log.isDebugEnabled()) { auto_ptr_char issuer(provider.first->getEntityID()); log.debug("lookup succeeded, artifact issued by (%s)", issuer.get()); @@ -141,12 +144,12 @@ XMLObject* SAML2ArtifactDecoder::decode( // Set issuer into policy. policy.setIssuer(provider.first->getEntityID()); policy.setIssuerMetadata(provider.second); - + log.debug("calling ArtifactResolver..."); auto_ptr response( m_artifactResolver->resolve(*(artifact2.get()), dynamic_cast(*provider.second), policy) ); - + // The policy should be enforced against the ArtifactResponse by the resolve step. // Reset only the message state. policy.reset(true); @@ -160,6 +163,6 @@ XMLObject* SAML2ArtifactDecoder::decode( // Return the payload only. response.release(); - payload->detach(); + payload->detach(); return payload; } 
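Review bot: In the type check just above the converted lookup, `delete artifact;` follows the `throw` and is unreachable, so when the `dynamic_cast` to a SAML 2.0 artifact fails (`artifact2` is empty and does not own the object) the parsed artifact leaks on a path driven by request input; this predates the commit but is in the code under review. Swapping the two statements fixes it: `delete artifact; throw BindingException("Artifact binding requires SAML 2.0 artifact.");`. `decode()` starts before this hunk and continues after it.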
diff --git a/saml/saml2/binding/impl/SAML2MessageDecoder.cpp b/saml/saml2/binding/impl/SAML2MessageDecoder.cpp index 97a38ac..9e24de4 100644 --- a/saml/saml2/binding/impl/SAML2MessageDecoder.cpp +++ b/saml/saml2/binding/impl/SAML2MessageDecoder.cpp @@ -1,6 +1,6 @@ /* * Copyright 2001-2007 Internet2 - * + * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at @@ -16,7 +16,7 @@ /** * SAML2MessageDecoder.cpp - * + * * Base class for SAML 2.0 MessageDecoders. */ @@ -60,7 +60,7 @@ void SAML2MessageDecoder::extractMessageDetails( policy.setIssuer(issuer); } else if (XMLString::equals(q.getLocalPart(), Response::LOCAL_NAME)) { - // No issuer in the message, so we have to try the Response approach. + // No issuer in the message, so we have to try the Response approach. const vector& assertions = dynamic_cast(samlRoot).getAssertions(); if (!assertions.empty()) { issuer = assertions.front()->getIssuer(); @@ -89,10 +89,12 @@ void SAML2MessageDecoder::extractMessageDetails( log.warn("non-system entity issuer, skipping metadata lookup"); return; } - - log.debug("searching metadata for message issuer..."); - MetadataProvider::Criteria mc(issuer->getName(), policy.getRole(), protocol); + log.debug("searching metadata for message issuer..."); + MetadataProvider::Criteria& mc = policy.getMetadataProviderCriteria(); + mc.entityID_unicode = issuer->getName(); + mc.role = policy.getRole(); + mc.protocol = protocol; pair entity = policy.getMetadataProvider()->getEntityDescriptor(mc); if (!entity.first) { auto_ptr_char temp(issuer->getName()); diff --git a/saml/saml2/metadata/MetadataProvider.h b/saml/saml2/metadata/MetadataProvider.h index 834e8ae..beced6e 100644 --- a/saml/saml2/metadata/MetadataProvider.h +++ b/saml/saml2/metadata/MetadataProvider.h 
@@ -157,6 +157,12 @@ namespace opensaml { */ struct SAML_API Criteria { /** + * Default constructor. + */ + Criteria() : entityID_unicode(NULL), entityID_ascii(NULL), artifact(NULL), role(NULL), protocol(NULL), protocol2(NULL), validOnly(true) { + } + + /** * Constructor. * * @param id entityID to lookup -- 2.1.4
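Review bot: The new default constructor makes Criteria usable as a long-lived member (SecurityPolicy now keeps one across calls), but the struct's comment still does not say that its pointer fields are borrowed rather than owned. A line such as ` * Pointer members are not owned by the Criteria; the caller must keep the referenced objects alive for as long as the Criteria is used in a lookup.` would make the lifetime rule explicit for code that fills in the shared instance. The rest of the struct is outside the hunk.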