2 * Copyright 2001-2009 Internet2
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * @file shibsp/SessionCache.h
20 * Caches and manages user sessions.
23 #ifndef __shibsp_sessioncache_h__
24 #define __shibsp_sessioncache_h__
26 #include <shibsp/base.h>
29 #include <xmltooling/Lockable.h>
31 namespace xmltooling {
32 class XMLTOOL_API HTTPRequest;
33 class XMLTOOL_API HTTPResponse;
39 class SAML_API Assertion;
41 class SAML_API NameID;
48 class SHIBSP_API Application;
49 class SHIBSP_API Attribute;
52 * Encapsulates access to a user's security session.
54 * <p>The SessionCache does not itself require locking to manage
55 * concurrency, but access to each Session is generally exclusive
56 * or at least controlled, and the caller must unlock a Session
59 class SHIBSP_API Session : public virtual xmltooling::Lockable
61 MAKE_NONCOPYABLE(Session);
67 * Returns the session key.
69 * @return unique ID of session
71 virtual const char* getID() const=0;
74 * Returns the session's application ID.
76 * @return unique ID of application bound to session
78 virtual const char* getApplicationID() const=0;
81 * Returns the session expiration.
83 * @return the session's expiration time or 0 for none
85 virtual time_t getExpiration() const=0;
88 * Returns the last access time of the session.
90 * @return the session's last access time
92 virtual time_t getLastAccess() const=0;
95 * Returns the address of the client associated with the session.
97 * @return the client's network address
99 virtual const char* getClientAddress() const=0;
102 * Returns the entityID of the IdP that initiated the session.
104 * @return the IdP's entityID
106 virtual const char* getEntityID() const=0;
109 * Returns the protocol family used to initiate the session.
111 * @return the protocol constant that represents the general SSO protocol used
113 virtual const char* getProtocol() const=0;
116 * Returns the UTC timestamp on the authentication event at the IdP.
118 * @return the UTC authentication timestamp
120 virtual const char* getAuthnInstant() const=0;
124 * Returns the NameID associated with a session.
126 * <p>SAML 1.x identifiers will be promoted to the 2.0 type.
128 * @return a SAML 2.0 NameID associated with the session, if any
130 virtual const opensaml::saml2::NameID* getNameID() const=0;
134 * Returns the SessionIndex provided with the session.
136 * @return the SessionIndex from the original SSO assertion, if any
138 virtual const char* getSessionIndex() const=0;
141 * Returns a URI containing an AuthnContextClassRef provided with the session.
143 * <p>SAML 1.x AuthenticationMethods will be returned as class references.
145 * @return a URI identifying the authentication context class
147 virtual const char* getAuthnContextClassRef() const=0;
150 * Returns a URI containing an AuthnContextDeclRef provided with the session.
152 * @return a URI identifying the authentication context declaration
154 virtual const char* getAuthnContextDeclRef() const=0;
157 * Returns the resolved attributes associated with the session.
159 * @return an immutable array of attributes
161 virtual const std::vector<Attribute*>& getAttributes() const=0;
164 * Returns the resolved attributes associated with the session, indexed by ID
166 * @return an immutable map of attributes keyed by attribute ID
168 virtual const std::multimap<std::string,const Attribute*>& getIndexedAttributes() const=0;
171 * Returns the identifiers of the assertion(s) cached by the session.
173 * <p>The SSO assertion is guaranteed to be first in the set.
175 * @return an immutable array of AssertionID values
177 virtual const std::vector<const char*>& getAssertionIDs() const=0;
181 * Adds additional attributes to the session.
183 * @param attributes reference to an array of Attributes to cache (will be freed by cache)
185 virtual void addAttributes(const std::vector<Attribute*>& attributes)=0;
188 * Returns an assertion cached by the session.
190 * @param id identifier of the assertion to retrieve
191 * @return pointer to assertion, or NULL
193 virtual const opensaml::Assertion* getAssertion(const char* id) const=0;
196 * Stores an assertion in the session.
198 * @param assertion pointer to an assertion to cache (will be freed by cache)
200 virtual void addAssertion(opensaml::Assertion* assertion)=0;
205 * Creates and manages user sessions
207 * The cache abstracts a persistent (meaning across requests) cache of
208 * instances of the Session interface. Creation of new entries and entry
209 * lookup are confined to this interface to enable the implementation to
210 * remote and/or optimize calls by implementing custom versions of the
211 * Session interface as required.
213 class SHIBSP_API SessionCache
215 MAKE_NONCOPYABLE(SessionCache);
219 virtual ~SessionCache();
223 * Inserts a new session into the cache and binds the session to the outgoing
226 * <p>The SSO tokens and Attributes remain owned by the caller and are copied by the cache.
228 * @param application reference to Application that owns the Session
229 * @param httpRequest request that initiated session
230 * @param httpResponse current response to client
231 * @param expires expiration time of session
232 * @param issuer issuing metadata of assertion issuer, if known
233 * @param protocol protocol family used to initiate the session
234 * @param nameid principal identifier, normalized to SAML 2, if any
235 * @param authn_instant UTC timestamp of authentication at IdP, if known
236 * @param session_index index of session between principal and IdP, if any
237 * @param authncontext_class method/category of authentication event, if known
238 * @param authncontext_decl specifics of authentication event, if known
239 * @param tokens assertions to cache with session, if any
240 * @param attributes optional array of resolved Attributes to cache with session
243 const Application& application,
244 const xmltooling::HTTPRequest& httpRequest,
245 xmltooling::HTTPResponse& httpResponse,
247 const opensaml::saml2md::EntityDescriptor* issuer=NULL,
248 const XMLCh* protocol=NULL,
249 const opensaml::saml2::NameID* nameid=NULL,
250 const XMLCh* authn_instant=NULL,
251 const XMLCh* session_index=NULL,
252 const XMLCh* authncontext_class=NULL,
253 const XMLCh* authncontext_decl=NULL,
254 const std::vector<const opensaml::Assertion*>* tokens=NULL,
255 const std::vector<Attribute*>* attributes=NULL
259 * Determines whether the Session bound to a client request matches a set of input criteria.
261 * @param application reference to Application that owns the Session
262 * @param request request in which to locate Session
263 * @param issuer required source of session(s)
264 * @param nameid required name identifier
265 * @param indexes session indexes
266 * @return true iff the Session exists and matches the input criteria
268 virtual bool matches(
269 const Application& application,
270 const xmltooling::HTTPRequest& request,
271 const opensaml::saml2md::EntityDescriptor* issuer,
272 const opensaml::saml2::NameID& nameid,
273 const std::set<std::string>* indexes
277 * Executes a test of the cache's general health.
279 virtual void test()=0;
283 * Returns the ID of the session bound to the specified client request, if possible.
285 * @param application reference to Application that owns the Session
286 * @param request request from client containing session, or a reference to it
287 * @return ID of session, if any known, or an empty string
289 virtual std::string active(const Application& application, const xmltooling::HTTPRequest& request)=0;
292 * Locates an existing session bound to a request.
294 * <p>If the client address is supplied, then a check will be performed against
295 * the address recorded in the record.
297 * @param application reference to Application that owns the Session
298 * @param request request from client bound to session
299 * @param client_addr network address of client (if known)
300 * @param timeout inactivity timeout to enforce (0 for none, NULL to bypass check/update of last access)
301 * @return pointer to locked Session, or NULL
303 virtual Session* find(
304 const Application& application,
305 const xmltooling::HTTPRequest& request,
306 const char* client_addr=NULL,
311 * Locates an existing session bound to a request.
313 * <p>If the client address is supplied, then a check will be performed against
314 * the address recorded in the record.
316 * <p>If a bound session is found to have expired, be invalid, etc., and if the request
317 * can be used to "clear" the session from subsequent client requests, then it may be cleared.
319 * @param application reference to Application that owns the Session
320 * @param request request from client bound to session
321 * @param client_addr network address of client (if known)
322 * @param timeout inactivity timeout to enforce (0 for none, NULL to bypass check/update of last access)
323 * @return pointer to locked Session, or NULL
325 virtual Session* find(
326 const Application& application,
327 xmltooling::HTTPRequest& request,
328 const char* client_addr=NULL,
333 * Deletes an existing session bound to a request.
335 * @param application reference to Application that owns the Session
336 * @param request request from client containing session, or a reference to it
337 * @param response optional response to client enabling removal of session or reference
339 virtual void remove(const Application& application, const xmltooling::HTTPRequest& request, xmltooling::HTTPResponse* response=NULL)=0;
342 /** SessionCache implementation backed by a StorageService. */
343 #define STORAGESERVICE_SESSION_CACHE "StorageService"
346 * Registers SessionCache classes into the runtime.
348 void SHIBSP_API registerSessionCaches();
351 #endif /* __shibsp_sessioncache_h__ */