{81F0F7A6-DC36-46EF-957F-F9E81D4403F6} = {81F0F7A6-DC36-46EF-957F-F9E81D4403F6}
EndProjectSection
EndProject
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "posttest", "posttest\posttest.vcproj", "{16E70C47-789E-43D5-AFDF-964D386C3CB5}"
- ProjectSection(WebsiteProperties) = preProject
- Debug.AspNetCompiler.Debug = "True"
- Release.AspNetCompiler.Debug = "False"
- EndProjectSection
- ProjectSection(ProjectDependencies) = postProject
- {E6CAB6C8-1D73-4410-970A-52BF9EC57810} = {E6CAB6C8-1D73-4410-970A-52BF9EC57810}
- {81F0F7A6-DC36-46EF-957F-F9E81D4403F6} = {81F0F7A6-DC36-46EF-957F-F9E81D4403F6}
- {84890110-2190-4AAE-9BDC-58F90DF71E4F} = {84890110-2190-4AAE-9BDC-58F90DF71E4F}
- EndProjectSection
-EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "shar", "shar\shar.vcproj", "{F13141B5-6C87-40BB-8D4E-5CC56EBB4C59}"
ProjectSection(WebsiteProperties) = preProject
Debug.AspNetCompiler.Debug = "True"
{81F0F7A6-DC36-46EF-957F-F9E81D4403F6} = {81F0F7A6-DC36-46EF-957F-F9E81D4403F6}
EndProjectSection
EndProject
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "shib", "shib\shib.vcproj", "{E6CAB6C8-1D73-4410-970A-52BF9EC57810}"
- ProjectSection(WebsiteProperties) = preProject
- Debug.AspNetCompiler.Debug = "True"
- Release.AspNetCompiler.Debug = "False"
- EndProjectSection
-EndProject
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "shibtarget", "shib-target\shibtarget.vcproj", "{84890110-2190-4AAE-9BDC-58F90DF71E4F}"
- ProjectSection(WebsiteProperties) = preProject
- Debug.AspNetCompiler.Debug = "True"
- Release.AspNetCompiler.Debug = "False"
- EndProjectSection
- ProjectSection(ProjectDependencies) = postProject
- {E6CAB6C8-1D73-4410-970A-52BF9EC57810} = {E6CAB6C8-1D73-4410-970A-52BF9EC57810}
- {81F0F7A6-DC36-46EF-957F-F9E81D4403F6} = {81F0F7A6-DC36-46EF-957F-F9E81D4403F6}
- EndProjectSection
-EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "shibtest", "shibtest\shibtest.vcproj", "{67AF22A3-C26E-40BE-B0CA-2ABEE5123763}"
ProjectSection(WebsiteProperties) = preProject
Debug.AspNetCompiler.Debug = "True"
Release.AspNetCompiler.Debug = "False"
EndProjectSection
ProjectSection(ProjectDependencies) = postProject
- {84890110-2190-4AAE-9BDC-58F90DF71E4F} = {84890110-2190-4AAE-9BDC-58F90DF71E4F}
- {E6CAB6C8-1D73-4410-970A-52BF9EC57810} = {E6CAB6C8-1D73-4410-970A-52BF9EC57810}
{81F0F7A6-DC36-46EF-957F-F9E81D4403F6} = {81F0F7A6-DC36-46EF-957F-F9E81D4403F6}
EndProjectSection
EndProject
Release.AspNetCompiler.Debug = "False"
EndProjectSection
EndProject
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "testclient", "shar\testclient.vcproj", "{B3F1E899-86F9-4D3A-8026-B57D1A5B90B1}"
- ProjectSection(WebsiteProperties) = preProject
- Debug.AspNetCompiler.Debug = "True"
- Release.AspNetCompiler.Debug = "False"
- EndProjectSection
- ProjectSection(ProjectDependencies) = postProject
- {E6CAB6C8-1D73-4410-970A-52BF9EC57810} = {E6CAB6C8-1D73-4410-970A-52BF9EC57810}
- {81F0F7A6-DC36-46EF-957F-F9E81D4403F6} = {81F0F7A6-DC36-46EF-957F-F9E81D4403F6}
- {84890110-2190-4AAE-9BDC-58F90DF71E4F} = {84890110-2190-4AAE-9BDC-58F90DF71E4F}
- EndProjectSection
-EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "mod_shib22", "apache\mod_shib22.vcproj", "{B44C0852-83B8-4FB2-A86E-097C9C8256D0}"
ProjectSection(WebsiteProperties) = preProject
Debug.AspNetCompiler.Debug = "True"
{1396D80A-8672-4224-9B02-95F3F4207CDB}.Debug|Win32.Build.0 = Debug|Win32
{1396D80A-8672-4224-9B02-95F3F4207CDB}.Release|Win32.ActiveCfg = Release|Win32
{1396D80A-8672-4224-9B02-95F3F4207CDB}.Release|Win32.Build.0 = Release|Win32
- {16E70C47-789E-43D5-AFDF-964D386C3CB5}.Debug|Win32.ActiveCfg = Debug|Win32
- {16E70C47-789E-43D5-AFDF-964D386C3CB5}.Debug|Win32.Build.0 = Debug|Win32
- {16E70C47-789E-43D5-AFDF-964D386C3CB5}.Release|Win32.ActiveCfg = Release|Win32
- {16E70C47-789E-43D5-AFDF-964D386C3CB5}.Release|Win32.Build.0 = Release|Win32
{F13141B5-6C87-40BB-8D4E-5CC56EBB4C59}.Debug|Win32.ActiveCfg = Debug|Win32
{F13141B5-6C87-40BB-8D4E-5CC56EBB4C59}.Debug|Win32.Build.0 = Debug|Win32
{F13141B5-6C87-40BB-8D4E-5CC56EBB4C59}.Release|Win32.ActiveCfg = Release|Win32
{F13141B5-6C87-40BB-8D4E-5CC56EBB4C59}.Release|Win32.Build.0 = Release|Win32
- {E6CAB6C8-1D73-4410-970A-52BF9EC57810}.Debug|Win32.ActiveCfg = Debug|Win32
- {E6CAB6C8-1D73-4410-970A-52BF9EC57810}.Debug|Win32.Build.0 = Debug|Win32
- {E6CAB6C8-1D73-4410-970A-52BF9EC57810}.Release|Win32.ActiveCfg = Release|Win32
- {E6CAB6C8-1D73-4410-970A-52BF9EC57810}.Release|Win32.Build.0 = Release|Win32
- {84890110-2190-4AAE-9BDC-58F90DF71E4F}.Debug|Win32.ActiveCfg = Debug|Win32
- {84890110-2190-4AAE-9BDC-58F90DF71E4F}.Debug|Win32.Build.0 = Debug|Win32
- {84890110-2190-4AAE-9BDC-58F90DF71E4F}.Release|Win32.ActiveCfg = Release|Win32
- {84890110-2190-4AAE-9BDC-58F90DF71E4F}.Release|Win32.Build.0 = Release|Win32
{67AF22A3-C26E-40BE-B0CA-2ABEE5123763}.Debug|Win32.ActiveCfg = Debug|Win32
{67AF22A3-C26E-40BE-B0CA-2ABEE5123763}.Debug|Win32.Build.0 = Debug|Win32
{67AF22A3-C26E-40BE-B0CA-2ABEE5123763}.Release|Win32.ActiveCfg = Release|Win32
{4D02F36E-D2CD-4FD1-AC50-2941E27BB3FB}.Debug|Win32.Build.0 = Debug|Win32
{4D02F36E-D2CD-4FD1-AC50-2941E27BB3FB}.Release|Win32.ActiveCfg = Release|Win32
{4D02F36E-D2CD-4FD1-AC50-2941E27BB3FB}.Release|Win32.Build.0 = Release|Win32
- {B3F1E899-86F9-4D3A-8026-B57D1A5B90B1}.Debug|Win32.ActiveCfg = Debug|Win32
- {B3F1E899-86F9-4D3A-8026-B57D1A5B90B1}.Debug|Win32.Build.0 = Debug|Win32
- {B3F1E899-86F9-4D3A-8026-B57D1A5B90B1}.Release|Win32.ActiveCfg = Release|Win32
- {B3F1E899-86F9-4D3A-8026-B57D1A5B90B1}.Release|Win32.Build.0 = Release|Win32
{B44C0852-83B8-4FB2-A86E-097C9C8256D0}.Debug|Win32.ActiveCfg = Debug|Win32
{B44C0852-83B8-4FB2-A86E-097C9C8256D0}.Debug|Win32.Build.0 = Debug|Win32
{B44C0852-83B8-4FB2-A86E-097C9C8256D0}.Release|Win32.ActiveCfg = Release|Win32
{87C25D4E-8D19-4513-B0BA-BC668BC2DEE3} = {26BA8F84-6E42-41FA-9B13-5D3F4B5B2050}
{D341DCD8-7DCD-43A2-8559-C07DAB838711} = {96AE4FC9-45EF-4C18-9F3B-EDA439E26E4C}
{666A63A7-983F-4C19-8411-207F24305197} = {96AE4FC9-45EF-4C18-9F3B-EDA439E26E4C}
- {67AF22A3-C26E-40BE-B0CA-2ABEE5123763} = {FED80230-119E-4B2F-9F53-D2660A5F022B}
{4D02F36E-D2CD-4FD1-AC50-2941E27BB3FB} = {FED80230-119E-4B2F-9F53-D2660A5F022B}
- {B3F1E899-86F9-4D3A-8026-B57D1A5B90B1} = {FED80230-119E-4B2F-9F53-D2660A5F022B}
- {16E70C47-789E-43D5-AFDF-964D386C3CB5} = {FED80230-119E-4B2F-9F53-D2660A5F022B}
+ {67AF22A3-C26E-40BE-B0CA-2ABEE5123763} = {FED80230-119E-4B2F-9F53-D2660A5F022B}
EndGlobalSection
EndGlobal
string g_unsetHeaderValue;
static const char* g_UserDataKey = "_shib_check_user_";
static const XMLCh path[] = UNICODE_LITERAL_4(p,a,t,h);
+ static const XMLCh validate[] = UNICODE_LITERAL_8(v,a,l,i,d,a,t,e);
}
/* Apache 2.2.x headers must be accumulated and set in the output filter.
g_Config=&SPConfig::getConfig();
g_Config->setFeatures(
- SPConfig::Caching |
SPConfig::Listener |
SPConfig::Metadata |
SPConfig::RequestMapping |
DOMElement* dummy = dummydoc->createElementNS(NULL,path);
auto_ptr_XMLCh src(g_szSHIBConfig);
dummy->setAttributeNS(NULL,path,src.get());
+ dummy->setAttributeNS(NULL,validate,xmlconstants::XML_ONE);
g_Config->setServiceProvider(g_Config->ServiceProviderManager.newPlugin(XML_SERVICE_PROVIDER,dummy));
g_Config->getServiceProvider()->init();
-<SPConfig xmlns="urn:mace:shibboleth:target:config:1.0"
+<SPConfig xmlns="urn:mace:shibboleth:sp:config:2.0"
+ xmlns:conf="urn:mace:shibboleth:sp:config:2.0"
+ xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="urn:mace:shibboleth:target:config:1.0 @-PKGXMLDIR-@/shibboleth-targetconfig-1.0.xsd"
+ xsi:schemaLocation="urn:mace:shibboleth:sp:config:2.0 @-PKGXMLDIR-@/shibboleth-spconfig-2.0.xsd"
logger="@-PKGSYSCONFDIR-@/shibboleth.logger" clockSkew="180">
- <!-- These extensions are "universal", loaded by all Shibboleth-aware processes. -->
+ <!--
<Extensions>
- <Library path="@-LIBEXECDIR-@/xmlproviders.so" fatal="true"/>
+ <Library path="@-LIBEXECDIR-@/adfs.so" fatal="true"/>
</Extensions>
+ -->
<!-- The OutOfProcess section pertains to components that rely on a single long-lived process. -->
<OutOfProcess logger="@-PKGSYSCONFDIR-@/shibd.logger">
<!--
<Extensions>
- <Library path="@-LIBEXECDIR-@/shib-mysql-ccache.so" fatal="false"/>
+ <Library path="@-LIBEXECDIR-@/odbc-store.so" fatal="true"/>
</Extensions>
-->
<!-- <TCPListener address="127.0.0.1" port="12345" acl="127.0.0.1"/> -->
+ <StorageService type="Memory" id="memory" cleanupInterval="900"/>
+
<!--
- See deploy guide for details, but:
- cacheTimeout - how long before expired sessions are purged from the cache
- AATimeout - how long to wait for an AA to respond
- AAConnectTimeout - how long to wait while connecting to an AA
- defaultLifetime - if attributes come back without guidance, how long should they last?
- strictValidity - if we have expired attrs, and can't get new ones, keep using them?
- propagateErrors - suppress errors while getting attrs or let user see them?
- retryInterval - if propagateErrors is false and query fails, how long to wait before trying again
- writeThrough - tells database-backed caches that multiple web servers are sharing the database
- Only one session cache can be defined.
- -->
- <MemorySessionCache cleanupInterval="300" cacheTimeout="3600" AATimeout="30" AAConnectTimeout="15"
- defaultLifetime="1800" retryInterval="300" strictValidity="false" propagateErrors="false"/>
- <!--
- <ODBCSessionCache cleanupInterval="300" cacheTimeout="3600" AATimeout="30" AAConnectTimeout="15"
- defaultLifetime="1800" retryInterval="300" strictValidity="false" propagateErrors="false"
- odbcTimeout="7200" storeAttributes="true" writeThrough="true">
+ <StorageService type="ODBC" id="db" cleanupInterval="900">
<ConnectionString>
DRIVER=drivername;SERVER=dbserver;UID=shibboleth;PWD=password;DATABASE=shibboleth;APP=Shibboleth
</ConnectionString>
- </ODBCSessionCache>
- -->
-
- <!-- Default replay cache is in-memory. -->
- <!--
- <ODBCReplayCache/>
+ </StorageService>
-->
+
+ <SessionCache type="StorageService" StorageService="memory" cacheTimeout="3600"/>
+ <ReplayCache StorageService="memory"/>
+
</OutOfProcess>
<!-- The InProcess section pertains to components that support transient process pools like most web servers. -->
<!--
To customize behavior, map hostnames and path components to applicationId and other settings.
The following provider types are available with the delivered code:
- type="edu.internet2.middleware.shibboleth.sp.provider.NativeRequestMapProvider"
+ type="Native"
- Web-server-specific plugin that allows native commands (like Apache's
ShibRequireSession) to override or supplement the XML syntax. The Apache
version also supplies an htaccess authz plugin for all content.
- type="edu.internet2.middleware.shibboleth.sp.provider.XMLRequestMapProvider"
+ type="XML"
- portable plugin that does not support the older Apache-specific commands and works
the same on all web platforms, this plugin does NOT support htaccess files
for authz unless you also place an <htaccess/> element somewhere in the map
By default, the "native" plugin (the first one above) is used, since it matches older
behavior on both Apache and IIS.
-->
- <RequestMapProvider type="edu.internet2.middleware.shibboleth.sp.provider.NativeRequestMapProvider">
+ <RequestMapper type="Native">
<RequestMap applicationId="default">
<!--
This requires a session for documents in /secure on the containing host with http and
</Path>
</Host>
</RequestMap>
- </RequestMapProvider>
+ </RequestMapper>
<Implementation>
<ISAPI normalizeRequest="true">
points into to this section.
-->
<Applications id="default" providerId="https://sp.example.org/shibboleth"
- homeURL="https://sp.example.org/index.html"
- xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
- xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
+ homeURL="https://sp.example.org/index.html">
<!--
Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
<!-- Indicates what credentials to use when communicating -->
<CredentialUse TLS="defcreds" Signing="defcreds"/>
- <!-- Use designators to request specific attributes or none to ask for all -->
- <!--
- <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
- AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
- -->
-
- <!-- AAP can be inline or in a separate file -->
- <AAPProvider type="edu.internet2.middleware.shibboleth.aap.provider.XMLAAP" uri="@-PKGSYSCONFDIR-@/AAP.xml"/>
-
- <!-- Operational config consists of metadata and trust providers. Can be external or inline. -->
-
- <!-- Dummy metadata for private testing, delete for production deployments. -->
- <MetadataProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"
- uri="@-PKGSYSCONFDIR-@/example-metadata.xml"/>
-
- <!-- The standard trust provider supports SAMLv2 metadata with path validation extensions. -->
- <TrustProvider type="edu.internet2.middleware.shibboleth.common.provider.ShibbolethTrust"/>
-
- <!--
- You can customize behavior of specific applications here. The default elements inside the
- outer <Applications> element generally have to be overridden in an all or nothing fashion.
- That is, if you supply a <Sessions> or <Errors> override, you MUST include all attributes
- you want to apply, as they will not be inherited. Similarly, if you specify an element such as
- <MetadataProvider>, it is not additive with the defaults, but replaces them.
-
- Note that each application must have a handlerURL that maps uniquely to it and no other
- application in the <RequestMap>. Otherwise no sessions will reach the application.
- If each application lives on its own vhost, then a single handler at "/Shibboleth.sso"
- is sufficient, since the hostname will distinguish the application.
-
- The example below shows a special application that requires use of SSL when establishing
- sessions, restricts the session cookie to SSL and a specific folder, and inherits most other
- behavior except that it requests only EPPN from the origin instead of asking for all attributes.
- Note that it will inherit all of the handler endpoints defined for the default application
- but will append them to the handlerURL defined here.
- -->
- <!--
- <Application id="foo-admin">
- <Sessions lifetime="7200" timeout="3600" checkAddress="true"
- handlerURL="/secure/admin/Shibboleth.sso" handlerSSL="true"
- cookieProps="; path=/secure/admin; secure"/>
- <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonPrincipalName"
- AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
- </Application>
- -->
+ <!-- When adding multiple metadata sources, uncomment the chained provider around them. -->
+ <!-- <MetadataProvider type="Chaining"> -->
+ <!-- Dummy metadata for private testing, delete for production deployments. -->
+ <MetadataProvider type="XML" path="@-PKGSYSCONFDIR-@/example-metadata.xml"/>
+ <!-- </MetadataProvider> -->
+
+ <!-- Chain the two built-in trust engines together. -->
+ <TrustEngine type="Chaining">
+ <TrustEngine type="ExplicitKey"/>
+ <TrustEngine type="PKIX"/>
+ </TrustEngine>
</Applications>
<!-- Define all the private keys and certificates here that you reference from <CredentialUse>. -->
- <CredentialsProvider type="edu.internet2.middleware.shibboleth.common.Credentials">
- <Credentials>
- <FileResolver Id="defcreds">
- <Key>
- <Path>@-PKGSYSCONFDIR-@/sp-example.key</Path>
- </Key>
- <Certificate>
- <Path>@-PKGSYSCONFDIR-@/sp-example.crt</Path>
- </Certificate>
- </FileResolver>
- </Credentials>
- </CredentialsProvider>
-
- <!-- Specialized attribute handling for cases with complex syntax. -->
- <AttributeFactory AttributeName="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
- type="edu.internet2.middleware.shibboleth.common.provider.TargetedIDFactory"/>
+ <Credentials>
+ <CredentialResolver id="defcreds">
+ <Key>
+ <Path>@-PKGSYSCONFDIR-@/sp-example.key</Path>
+ </Key>
+ <Certificate>
+ <Path>@-PKGSYSCONFDIR-@/sp-example.crt</Path>
+ </Certificate>
+ </CredentialResolver>
+ </Credentials>
+
+ <!-- Each policy defines a set of rules to use to secure SAML (and other) messages. -->
+ <SecurityPolicies default="full">
+ <!-- The predefined policy handles SAML 1 and 2 protocols and permits signing and TLS. -->
+ <Policy id="full">
+ <Rule type="SAML1Message"/>
+ <Rule type="SAML2Message"/>
+ <Rule type="MessageFlow" checkReplay="true" expires="60"/>
+ <Rule type="ClientCertAuth" errorFatal="true"/>
+ <Rule type="XMLSigning" errorFatal="true"/>
+ <Rule type="SimpleSigning" errorFatal="true"/>
+ </Policy>
+ </SecurityPolicies>
</SPConfig>
// globals
namespace {
static const XMLCh path[] = UNICODE_LITERAL_4(p,a,t,h);
+ static const XMLCh validate[] = UNICODE_LITERAL_8(v,a,l,i,d,a,t,e);
static const XMLCh name[] = UNICODE_LITERAL_4(n,a,m,e);
static const XMLCh port[] = UNICODE_LITERAL_4(p,o,r,t);
static const XMLCh sslport[] = UNICODE_LITERAL_7(s,s,l,p,o,r,t);
g_Config=&SPConfig::getConfig();
g_Config->setFeatures(
SPConfig::Listener |
- SPConfig::Caching |
SPConfig::Metadata |
SPConfig::RequestMapping |
SPConfig::InProcess |
DOMElement* dummy = dummydoc->createElementNS(NULL,path);
auto_ptr_XMLCh src(config);
dummy->setAttributeNS(NULL,path,src.get());
+ dummy->setAttributeNS(NULL,validate,xmlconstants::XML_ONE);
g_Config->setServiceProvider(g_Config->ServiceProviderManager.newPlugin(XML_SERVICE_PROVIDER,dummy));
g_Config->getServiceProvider()->init();
string g_ServerScheme;
string g_unsetHeaderValue;
- static const XMLCh path[] = UNICODE_LITERAL_4(p,a,t,h);
+ static const XMLCh path[] = UNICODE_LITERAL_4(p,a,t,h);
+ static const XMLCh validate[] = UNICODE_LITERAL_8(v,a,l,i,d,a,t,e);
}
PluginManager<RequestMapper,const DOMElement*>::Factory SunRequestMapFactory;
g_Config=&SPConfig::getConfig();
g_Config->setFeatures(
SPConfig::Listener |
- SPConfig::Caching |
SPConfig::Metadata |
SPConfig::RequestMapping |
SPConfig::InProcess |
DOMElement* dummy = dummydoc->createElementNS(NULL,path);
auto_ptr_XMLCh src(config);
dummy->setAttributeNS(NULL,path,src.get());
+ dummy->setAttributeNS(NULL,validate,xmlconstants::XML_ONE);
g_Config->setServiceProvider(g_Config->ServiceProviderManager.newPlugin(XML_SERVICE_PROVIDER,dummy));
g_Config->getServiceProvider()->init();
pkgxml_DATA = \
catalog.xml \
shibboleth-metadata-1.0.xsd \
- shibboleth-targetconfig-1.0.xsd \
shibboleth-spconfig-2.0.xsd \
shibboleth.xsd \
- shibboleth-trust-1.0.xsd \
metadata_v12_to_v11.xsl \
metadata_v12_to_v13.xsl \
metadata_v13_to_v12.xsl \
CLEANFILES = catalog.xml
-EXTRA_DIST =
- catalog.xml.in \
- shibboleth-metadata-1.0.xsd \
- shibboleth-targetconfig-1.0.xsd \
- shibboleth-spconfig-2.0.xsd
+EXTRA_DIST = catalog.xml.in
<!DOCTYPE catalog PUBLIC "-//OASIS//DTD Entity Resolution XML Catalog V1.0//EN" "http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd">
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog">
<uri name="urn:mace:shibboleth:metadata:1.0" uri="@-PKGXMLDIR-@/shibboleth-metadata-1.0.xsd"/>
- <uri name="urn:mace:shibboleth:target:config:1.0" uri="@-PKGXMLDIR-@/shibboleth-targetconfig-1.0.xsd"/>
<uri name="urn:mace:shibboleth:sp:config:2.0" uri="@-PKGXMLDIR-@/shibboleth-spconfig-2.0.xsd"/>
</catalog>
</documentation>\r
</annotation>\r
\r
+ <simpleType name="string">
+ <restriction base="string">
+ <minLength value="1"/>\r
+ </restriction>
+ </simpleType>\r
+\r
+ <simpleType name="listOfStrings">\r
+ <list itemType="conf:string"/>\r
+ </simpleType>\r
+ \r
<complexType name="PluggableType">\r
<sequence>\r
<any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>\r
</sequence>\r
- <attribute name="type" type="string" use="required"/>\r
+ <attribute name="type" type="conf:string" use="required"/>\r
<anyAttribute namespace="##any" processContents="lax"/>\r
</complexType>\r
\r
- <element name="ShibbolethTargetConfig" type="conf:SPConfigType"/> <!-- deprecated -->\r
- <element name="ShibbolethSPConfig" type="conf:SPConfigType"/>\r
- <element name="SPConfig" type="conf:SPConfigType"/>\r
- <complexType name="SPConfigType">\r
- <annotation>\r
- <documentation>Root of configuration</documentation>\r
- </annotation>\r
- <sequence>\r
- <element ref="conf:Extensions" minOccurs="0"/>\r
- <choice minOccurs="0">\r
- <element name="OutOfProcess" type="conf:OutOfProcessType"/>\r
- <element name="Global" type="conf:OutOfProcessType"/> <!-- deprecated -->\r
- </choice>\r
- <choice minOccurs="0">\r
- <element name="InProcess" type="conf:InProcessType"/>\r
- <element name="Local" type="conf:InProcessType"/> <!-- deprecated -->\r
- </choice>\r
- <element ref="conf:Applications"/>\r
- <choice minOccurs="0">\r
- <element name="CredentialsProvider" type="conf:PluggableType"/> <!-- deprecated -->\r
- <element ref="conf:Credentials"/>\r
- </choice>\r
- </sequence>\r
- <attribute name="logger" type="anyURI" use="optional"/>\r
- <attribute name="clockSkew" type="unsignedInt" use="optional"/>\r
- <anyAttribute namespace="##other" processContents="lax"/>\r
- </complexType>\r
+ <element name="SPConfig">\r
+ <complexType>
+ <annotation>
+ <documentation>Root of configuration</documentation>
+ </annotation>
+ <sequence>
+ <element ref="conf:Extensions" minOccurs="0"/>
+ <element ref="conf:OutOfProcess"/>
+ <element ref="conf:InProcess"/>
+ <element ref="conf:Applications"/>
+ <element ref="conf:Credentials" minOccurs="0"/>
+ <element ref="conf:SecurityPolicies"/>
+ </sequence>
+ <attribute name="logger" type="anyURI" use="optional"/>
+ <attribute name="clockSkew" type="unsignedInt" use="optional"/>
+ <anyAttribute namespace="##other" processContents="lax"/>
+ </complexType>\r
+ </element>\r
\r
<element name="Extensions">\r
<annotation>\r
<sequence>\r
<element name="Library" minOccurs="0" maxOccurs="unbounded">\r
<complexType>\r
- <sequence>\r
- <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>\r
- </sequence>\r
- <attribute name="path" type="anyURI" use="required"/>\r
- <attribute name="fatal" type="boolean" use="optional"/>\r
- <anyAttribute namespace="##any" processContents="lax"/>\r
+ <complexContent>\r
+ <restriction base="conf:PluggableType">\r
+ <sequence>\r
+ <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>\r
+ </sequence>\r
+ <attribute name="path" type="anyURI" use="required"/>\r
+ <attribute name="fatal" type="boolean" use="optional"/>\r
+ </restriction>\r
+ </complexContent>\r
</complexType>\r
</element>\r
<any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>\r
</complexType>\r
</element>\r
\r
- <element name="SessionCache">\r
+ <element name="StorageService">\r
+ <annotation>\r
+ <documentation>References StorageService plugins</documentation>\r
+ </annotation>\r
<complexType>\r
<complexContent>\r
<restriction base="conf:PluggableType">\r
<sequence>\r
<any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>\r
</sequence>\r
+ <attribute name="id" type="conf:string" use="required"/>\r
<attribute name="cleanupInterval" type="unsignedInt" use="optional" default="900"/>\r
+ <anyAttribute namespace="##any" processContents="lax"/>\r
+ </restriction>\r
+ </complexContent>\r
+ </complexType>\r
+ </element>\r
+\r
+ <element name="SessionCache">\r
+ <annotation>\r
+ <documentation>References SessionCache plugins</documentation>\r
+ </annotation>\r
+ <complexType>\r
+ <complexContent>\r
+ <restriction base="conf:PluggableType">\r
+ <sequence>\r
+ <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>\r
+ </sequence>\r
<attribute name="cacheTimeout" type="unsignedInt" use="optional" default="28800"/>\r
+ <anyAttribute namespace="##any" processContents="lax"/>\r
</restriction>\r
</complexContent>\r
</complexType>\r
</element>\r
\r
- <element name="ReplayCache" type="conf:PluggableType"/>\r
+ <element name="ReplayCache">
+ <annotation>\r
+ <documentation>Ties ReplayCache to custom StorageService</documentation>\r
+ </annotation>\r
+ <complexType>
+ <sequence/>\r
+ <attribute name="StorageService" type="conf:string" use="required"/>
+ </complexType>
+ </element>\r
\r
- <complexType name="OutOfProcessType">\r
+ <element name="OutOfProcess">\r
<annotation>\r
<documentation>Container for shibd out-of-process configuration</documentation>\r
</annotation>\r
- <sequence>\r
- <element ref="conf:Extensions" minOccurs="0"/>\r
- <choice>\r
- <element name="UnixListener">\r
- <complexType>\r
- <attribute name="address" type="string" use="required"/>\r
- </complexType>\r
- </element>\r
- <element name="TCPListener">\r
- <complexType>\r
- <attribute name="address" type="string" use="required"/>\r
- <attribute name="port" type="unsignedInt" use="required"/>\r
- <attribute name="acl" use="optional" default="127.0.0.1">\r
- <simpleType>\r
- <list itemType="string"/>\r
- </simpleType>\r
- </attribute>\r
- </complexType>\r
- </element>\r
- <element name="Listener" type="conf:PluggableType"/>\r
- </choice>\r
- <element ref="conf:SessionCache" minOccurs="0"/>\r
- <element ref="conf:ReplayCache" minOccurs="0"/>\r
- <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>\r
- </sequence>\r
- <attribute name="logger" type="anyURI" use="optional"/>\r
- <anyAttribute namespace="##other" processContents="lax"/>\r
- </complexType>\r
+ <complexType>\r
+ <sequence>
+ <element ref="conf:Extensions" minOccurs="0"/>
+ <choice>
+ <element name="UnixListener">
+ <complexType>
+ <attribute name="address" type="conf:string" use="required"/>
+ </complexType>
+ </element>
+ <element name="TCPListener">
+ <complexType>
+ <attribute name="address" type="conf:string" use="required"/>
+ <attribute name="port" type="unsignedInt" use="required"/>
+ <attribute name="acl" type="conf:listOfStrings" use="optional" default="127.0.0.1"/>
+ </complexType>
+ </element>
+ <element name="Listener" type="conf:PluggableType"/>
+ </choice>
+ <element ref="conf:StorageService" minOccurs="0" maxOccurs="unbounded"/>
+ <element ref="conf:SessionCache" minOccurs="0"/>
+ <element ref="conf:ReplayCache" minOccurs="0"/>
+ <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="logger" type="anyURI" use="optional"/>
+ <anyAttribute namespace="##other" processContents="lax"/>\r
+ </complexType>\r
+ </element>\r
\r
- <complexType name="InProcessType">\r
+ <element name="InProcess">\r
<annotation>\r
<documentation>\r
Container for configuration of locally integrated or platform-specific\r
features (e.g. web server filters)\r
</documentation>\r
</annotation>\r
- <sequence>\r
- <element ref="conf:Extensions" minOccurs="0"/>\r
- <element ref="conf:SessionCache" minOccurs="0"/>\r
- <element ref="conf:ReplayCache" minOccurs="0"/>\r
- <element name="RequestMapProvider" type="conf:PluggableType" minOccurs="0"/>\r
- <element name="Implementation" minOccurs="0">\r
- <complexType>\r
- <sequence>\r
- <element ref="conf:ISAPI" minOccurs="0"/>\r
- <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>\r
- </sequence>\r
- </complexType>\r
- </element>\r
- <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>\r
- </sequence>\r
- <attribute name="logger" type="anyURI" use="optional"/>\r
- <attribute name="localRelayState" type="boolean" use="optional" default="false"/>\r
- <anyAttribute namespace="##other" processContents="lax"/>\r
- </complexType>\r
+ <complexType>\r
+ <sequence>
+ <element ref="conf:Extensions" minOccurs="0"/>
+ <element name="RequestMapper" type="conf:PluggableType"/>
+ <element name="Implementation" minOccurs="0">
+ <complexType>
+ <sequence>
+ <element ref="conf:ISAPI" minOccurs="0"/>
+ <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ </complexType>
+ </element>
+ <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="logger" type="anyURI" use="optional"/>
+ <attribute name="localRelayState" type="boolean" use="optional" default="false"/>
+ <anyAttribute namespace="##other" processContents="lax"/>\r
+ </complexType>\r
+ </element>\r
\r
<element name="ISAPI">\r
<complexType>\r
<element name="Alias" type="string" minOccurs="0" maxOccurs="unbounded"/>\r
</sequence>\r
<attribute name="id" type="unsignedInt" use="required"/>\r
- <attribute name="name" type="string" use="required"/>\r
+ <attribute name="name" type="conf:string" use="required"/>\r
<attribute name="port" type="unsignedInt" use="optional"/>\r
<attribute name="sslport" type="unsignedInt" use="optional"/>\r
- <attribute name="scheme" type="string" use="optional"/>\r
+ <attribute name="scheme" type="conf:string" use="optional"/>\r
</complexType>\r
</element>\r
<any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>\r
<complexType>\r
<simpleContent>\r
<extension base="conf:listOfStrings">\r
- <attribute name="require" type="string" use="required"/>\r
+ <attribute name="require" type="conf:string" use="required"/>\r
</extension>\r
</simpleContent>\r
</complexType>\r
</element>\r
- <simpleType name="listOfStrings">\r
- <list itemType="string"/>\r
- </simpleType>\r
\r
<attributeGroup name="ContentSettings">\r
- <attribute name="authType" type="string" use="optional"/>\r
+ <attribute name="authType" type="conf:string" use="optional"/>\r
<attribute name="requireSession" type="boolean" use="optional"/>\r
- <attribute name="requireSessionWith" type="string" use="optional"/>\r
+ <attribute name="requireSessionWith" type="conf:string" use="optional"/>\r
<attribute name="exportAssertion" type="boolean" use="optional"/>\r
<attribute name="redirectToSSL" type="unsignedInt" use="optional"/>\r
<anyAttribute namespace="##other" processContents="lax"/>\r
</choice>\r
<element ref="conf:Host" minOccurs="0" maxOccurs="unbounded"/>\r
</sequence>\r
- <attribute name="applicationId" type="string" fixed="default"/>\r
+ <attribute name="applicationId" type="conf:string" fixed="default"/>\r
<attributeGroup ref="conf:ContentSettings"/>\r
</complexType>\r
</element>\r
</sequence>\r
<attribute name="scheme" use="optional">\r
<simpleType>\r
- <restriction base="string">\r
+ <restriction base="conf:string">\r
<enumeration value="http"/>\r
<enumeration value="https"/>\r
<enumeration value="ftp"/>\r
</restriction>\r
</simpleType>\r
</attribute>\r
- <attribute name="name" type="string" use="required"/>\r
+ <attribute name="name" type="conf:string" use="required"/>\r
<attribute name="port" type="unsignedInt" use="optional"/>\r
- <attribute name="applicationId" type="string" use="optional"/>\r
+ <attribute name="applicationId" type="conf:string" use="optional"/>\r
<attributeGroup ref="conf:ContentSettings"/>\r
</complexType>\r
</element>\r
</choice>\r
<element ref="conf:Path" minOccurs="0" maxOccurs="unbounded"/>\r
</sequence>\r
- <attribute name="name" type="string" use="required"/>\r
- <attribute name="applicationId" type="string" use="optional"/>\r
+ <attribute name="name" type="conf:string" use="required"/>\r
+ <attribute name="applicationId" type="conf:string" use="optional"/>\r
<attributeGroup ref="conf:ContentSettings"/>\r
</complexType>\r
</element>\r
<element ref="conf:Sessions"/>\r
<element ref="conf:Errors"/>\r
<element ref="conf:CredentialUse" minOccurs="0"/>\r
- <choice minOccurs="0" maxOccurs="unbounded">\r
- <element ref="saml:Attribute"/>\r
- <element ref="saml:Audience"/>\r
- <element name="MetadataProvider" type="conf:PluggableType"/>\r
- <element name="TrustProvider" type="conf:PluggableType"/>\r
- </choice>\r
+ <element ref="saml:Audience" minOccurs="0" maxOccurs="unbounded"/>
+ <element name="MetadataProvider" type="conf:PluggableType"/>
+ <element name="TrustEngine" type="conf:PluggableType"/>\r
<element ref="conf:Application" minOccurs="0" maxOccurs="unbounded"/>\r
</sequence>\r
- <attribute name="id" type="string" fixed="default"/>\r
+ <attribute name="id" type="conf:string" fixed="default"/>\r
<attribute name="providerId" type="anyURI" use="required"/>\r
<attribute name="homeURL" type="anyURI" use="optional"/>\r
<anyAttribute namespace="##other" processContents="lax"/>\r
<element ref="conf:Sessions" minOccurs="0"/>\r
<element ref="conf:Errors" minOccurs="0"/>\r
<element ref="conf:CredentialUse" minOccurs="0"/>\r
- <choice minOccurs="0" maxOccurs="unbounded">\r
- <element ref="saml:Attribute"/>\r
- <element ref="saml:Audience"/>\r
- <element name="MetadataProvider" type="conf:PluggableType"/>\r
- <element name="TrustProvider" type="conf:PluggableType"/>\r
- </choice>\r
+ <element ref="saml:Audience" minOccurs="0" maxOccurs="unbounded"/>\r
+ <element name="MetadataProvider" type="conf:PluggableType" minOccurs="0"/>\r
+ <element name="TrustEngine" type="conf:PluggableType" minOccurs="0"/>\r
</sequence>\r
- <attribute name="id" type="string" use="required"/>\r
+ <attribute name="id" type="conf:string" use="required"/>\r
<attribute name="providerId" type="anyURI" use="optional"/>\r
<attribute name="homeURL" type="anyURI" use="optional"/>\r
<anyAttribute namespace="##other" processContents="lax"/>\r
</choice>\r
<attribute name="handlerURL" type="anyURI" use="optional"/>\r
<attribute name="handlerSSL" type="boolean" use="optional" default="true"/>\r
- <attribute name="cookieName" type="string" use="optional"/>\r
- <attribute name="cookieProps" type="string" use="optional"/>\r
+ <attribute name="cookieName" type="conf:string" use="optional"/>\r
+ <attribute name="cookieProps" type="conf:string" use="optional"/>\r
<attribute name="idpHistory" type="boolean" use="optional" default="true"/>\r
<attribute name="idpHistoryDays" type="unsignedInt" use="optional"/>\r
<attribute name="lifetime" type="unsignedInt" use="optional"/>\r
<attribute name="timeout" type="unsignedInt" use="optional"/>\r
<attribute name="checkAddress" type="boolean" use="optional"/>\r
<attribute name="consistentAddress" type="boolean" use="optional" default="true"/>\r
+ <attribute name="validate" type="boolean" use="optional"/>\r
<anyAttribute namespace="##other" processContents="lax"/>\r
</complexType>\r
</element>\r
<attribute name="wayfBinding" type="anyURI" use="optional"/>\r
<attribute name="checkCDC" type="anyURI" use="optional"/>\r
<attribute name="isDefault" type="boolean" use="optional"/>\r
- <attribute name="id" type="string" use="optional"/>\r
+ <attribute name="id" type="conf:string" use="optional"/>\r
<anyAttribute namespace="##any" processContents="lax"/>\r
</complexType>\r
</element>\r
<attribute name="rm" type="anyURI" use="optional"/>\r
<attribute name="access" type="anyURI" use="optional"/>\r
<attribute name="ssl" type="anyURI" use="optional"/>\r
- <attribute name="supportContact" type="string" use="optional"/>\r
+ <attribute name="supportContact" type="conf:string" use="optional"/>\r
<attribute name="logoLocation" type="anyURI" use="optional"/>\r
<attribute name="styleSheet" type="anyURI" use="optional"/>\r
<anyAttribute namespace="##any" processContents="lax"/>\r
</element>\r
\r
<attributeGroup name="CredentialUseGroup">\r
- <attribute name="TLS" type="string" use="optional"/>\r
- <attribute name="Signing" type="string" use="optional"/>\r
+ <attribute name="TLS" type="conf:string" use="optional"/>\r
+ <attribute name="Signing" type="conf:string" use="optional"/>\r
<attribute name="signRequest" type="boolean" use="optional" default="false"/>\r
<attribute name="signatureAlg" type="anyURI" use="optional"/>\r
<attribute name="signedAssertions" type="boolean" use="optional" default="false"/>\r
<attribute name="authType" use="optional">\r
<simpleType>\r
- <restriction base="string">\r
+ <restriction base="conf:string">\r
<enumeration value="basic"/>\r
<enumeration value="digest"/>\r
<enumeration value="ntlm"/>\r
<sequence>\r
<any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>\r
</sequence>\r
- <attribute name="Name" type="string" use="required"/>\r
+ <attribute name="Name" type="conf:string" use="required"/>\r
<attributeGroup ref="conf:CredentialUseGroup"/>\r
<anyAttribute namespace="##other" processContents="lax"/>\r
</complexType>\r
<complexType>\r
<sequence>\r
<element name="CredentialResolver" minOccurs="1" maxOccurs="unbounded">
+ <annotation>\r
+ <documentation>References CredentialResolver plugins</documentation>\r
+ </annotation>\r
<complexType>
<complexContent>
<restriction base="conf:PluggableType">
<sequence>
<any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
</sequence>
- <attribute name="Id" type="string" use="required"/>
+ <attribute name="id" type="conf:string" use="required"/>\r
+ <anyAttribute namespace="##any" processContents="lax"/>
</restriction>
</complexContent>
</complexType>
</complexType>
</element>\r
\r
+ <element name="SecurityPolicies">
+ <annotation>\r
+ <documentation>Container for specifying sets of policy rules to apply to incoming messages</documentation>\r
+ </annotation>\r
+ <complexType>\r
+ <sequence>\r
+ <element name="Policy" minOccurs="1" maxOccurs="unbounded">\r
+ <annotation>\r
+ <documentation>Specifies a set of SecurityPolicyRule plugins</documentation>\r
+ </annotation>\r
+ <complexType>\r
+ <sequence>
+ <element name="Rule" type="conf:PluggableType" minOccurs="1" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="id" type="conf:string" use="required"/>\r
+ </complexType>\r
+ </element>\r
+ </sequence>\r
+ <attribute name="default" type="conf:string" use="required"/>\r
+ </complexType>\r
+ </element>\r
+ \r
</schema>\r
-\r
+++ /dev/null
-<?xml version="1.0" encoding="US-ASCII"?>
-<schema targetNamespace="urn:mace:shibboleth:target:config:1.0"
- xmlns="http://www.w3.org/2001/XMLSchema"
- xmlns:conf="urn:mace:shibboleth:target:config:1.0"
- xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
- xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
- elementFormDefault="qualified"
- attributeFormDefault="unqualified"
- blockDefault="substitution"
- version="2.0">
-
- <import namespace="urn:oasis:names:tc:SAML:1.0:assertion" schemaLocation="cs-sstc-schema-assertion-1.1.xsd"/>
- <import namespace="urn:oasis:names:tc:SAML:2.0:metadata" schemaLocation="saml-schema-metadata-2.0.xsd"/>
-
- <annotation>
- <documentation>
- 1.0 schema for XML-based configuration of Shibboleth target libraries and modules.
- First appearing in Shibboleth 1.2 release.
- </documentation>
- </annotation>
-
- <complexType name="PluggableType">
- <sequence>
- <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
- </sequence>
- <attribute name="type" type="string" use="required"/>
- <attribute name="uri" type="anyURI" use="optional"/>
- <anyAttribute namespace="##any" processContents="lax"/>
- </complexType>
-
- <element name="ShibbolethTargetConfig" type="conf:SPConfigType"/>
- <element name="SPConfig" type="conf:SPConfigType"/>
- <complexType name="SPConfigType">
- <annotation>
- <documentation>Root element of configuration file</documentation>
- </annotation>
- <sequence>
- <element ref="conf:Extensions" minOccurs="0"/>
- <choice minOccurs="0">
- <element name="OutOfProcess" type="conf:OutOfProcessType"/>
- <element name="Global" type="conf:OutOfProcessType"/>
- <element name="SHAR" type="conf:OutOfProcessType"/>
- </choice>
- <choice minOccurs="0">
- <element name="InProcess" type="conf:InProcessType"/>
- <element name="Local" type="conf:InProcessType"/>
- <element name="SHIRE" type="conf:InProcessType"/>
- </choice>
- <element ref="conf:Applications"/>
- <element name="CredentialsProvider" type="conf:PluggableType" minOccurs="0" maxOccurs="unbounded"/>
- <element ref="conf:AttributeFactory" minOccurs="0" maxOccurs="unbounded"/>
- </sequence>
- <attribute name="logger" type="anyURI" use="optional"/>
- <attribute name="clockSkew" type="unsignedInt" use="optional"/>
- <anyAttribute namespace="##other" processContents="lax"/>
- </complexType>
-
- <element name="Extensions">
- <annotation>
- <documentation>Container for extension libraries and custom configuration</documentation>
- </annotation>
- <complexType>
- <sequence>
- <element name="Library" minOccurs="0" maxOccurs="unbounded">
- <complexType>
- <sequence>
- <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
- </sequence>
- <attribute name="path" type="anyURI" use="required"/>
- <attribute name="fatal" type="boolean" use="optional"/>
- <anyAttribute namespace="##other" processContents="lax"/>
- </complexType>
- </element>
- <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
- </sequence>
- </complexType>
- </element>
-
- <attributeGroup name="SessionCacheProperties">
- <attribute name="cleanupInterval" type="unsignedInt" use="optional" default="300"/>
- <attribute name="cacheTimeout" type="unsignedInt" use="optional" default="28800"/>
- <attribute name="AAConnectTimeout" type="unsignedInt" use="optional" default="15"/>
- <attribute name="AATimeout" type="unsignedInt" use="optional" default="30"/>
- <attribute name="defaultLifetime" type="unsignedInt" use="optional" default="1800"/>
- <attribute name="retryInterval" type="unsignedInt" use="optional" default="300"/>
- <attribute name="strictValidity" type="boolean" use="optional" default="true"/>
- <attribute name="propagateErrors" type="boolean" use="optional" default="false"/>
- </attributeGroup>
-
- <element name="MemorySessionCache">
- <complexType>
- <attributeGroup ref="conf:SessionCacheProperties"/>
- <anyAttribute namespace="##other" processContents="lax"/>
- </complexType>
- </element>
- <element name="MySQLSessionCache">
- <complexType>
- <sequence>
- <element name="Argument" type="string" minOccurs="0" maxOccurs="unbounded"/>
- </sequence>
- <attributeGroup ref="conf:SessionCacheProperties"/>
- <attribute name="mysqlTimeout" type="unsignedInt" use="optional" default="14400"/>
- <attribute name="storeAttributes" type="boolean" use="optional" default="false"/>
- <anyAttribute namespace="##other" processContents="lax"/>
- </complexType>
- </element>
- <element name="SessionCache">
- <complexType>
- <complexContent>
- <extension base="conf:PluggableType">
- <attributeGroup ref="conf:SessionCacheProperties"/>
- </extension>
- </complexContent>
- </complexType>
- </element>
-
- <complexType name="OutOfProcessType">
- <annotation>
- <documentation>Container for global (server independent) configuration</documentation>
- </annotation>
- <sequence>
- <element ref="conf:Extensions" minOccurs="0"/>
- <choice>
- <element name="UnixListener">
- <complexType>
- <attribute name="address" type="string" use="required"/>
- </complexType>
- </element>
- <element name="TCPListener">
- <complexType>
- <attribute name="address" type="string" use="required"/>
- <attribute name="port" type="unsignedInt" use="required"/>
- <attribute name="acl" use="optional" default="127.0.0.1">
- <simpleType>
- <list itemType="string"/>
- </simpleType>
- </attribute>
- </complexType>
- </element>
- <element name="MemoryListener" type="conf:PluggableType"/>
- <element name="Listener" type="conf:PluggableType"/>
- </choice>
- <choice>
- <element ref="conf:MemorySessionCache"/>
- <element ref="conf:MySQLSessionCache"/>
- <element ref="conf:SessionCache"/>
- </choice>
- <choice minOccurs="0">
- <element name="MySQLReplayCache">
- <complexType>
- <sequence>
- <element name="Argument" type="string" minOccurs="0" maxOccurs="unbounded"/>
- </sequence>
- <anyAttribute namespace="##other" processContents="lax"/>
- </complexType>
- </element>
- <element name="ReplayCache" type="conf:PluggableType"/>
- </choice>
- <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
- </sequence>
- <attribute name="logger" type="anyURI" use="optional"/>
- <anyAttribute namespace="##other" processContents="lax"/>
- </complexType>
-
- <complexType name="InProcessType">
- <annotation>
- <documentation>
- Container for configuration of locally integrated or platform-specific
- features (e.g. web server filters)
- </documentation>
- </annotation>
- <sequence>
- <element ref="conf:Extensions" minOccurs="0"/>
- <choice minOccurs="0">
- <element ref="conf:MemorySessionCache"/>
- <element ref="conf:SessionCache"/>
- </choice>
- <element name="RequestMapProvider" type="conf:PluggableType" minOccurs="0"/>
- <element name="Implementation" minOccurs="0">
- <complexType>
- <choice maxOccurs="unbounded">
- <element ref="conf:ISAPI"/>
- <any namespace="##other" processContents="lax"/>
- </choice>
- </complexType>
- </element>
- <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
- </sequence>
- <attribute name="logger" type="anyURI" use="optional"/>
- <attribute name="localRelayState" type="boolean" use="optional" default="false"/>
- <attribute name="unsetHeaderValue" type="string" use="optional"/>
- <anyAttribute namespace="##other" processContents="lax"/>
- </complexType>
-
- <element name="ISAPI">
- <complexType>
- <sequence>
- <element name="Site" maxOccurs="unbounded">
- <complexType>
- <sequence>
- <element name="Alias" type="string" minOccurs="0" maxOccurs="unbounded"/>
- </sequence>
- <attribute name="id" type="unsignedInt" use="required"/>
- <attribute name="name" type="string" use="required"/>
- <attribute name="port" type="unsignedInt" use="optional"/>
- <attribute name="sslport" type="unsignedInt" use="optional"/>
- <attribute name="scheme" type="string" use="optional"/>
- </complexType>
- </element>
- <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
- </sequence>
- <attribute name="normalizeRequest" type="boolean" use="optional"/>
- <anyAttribute namespace="##other" processContents="lax"/>
- </complexType>
- </element>
- <element name="NSAPI" type="anyType"/>
- <element name="Java" type="anyType"/>
-
- <element name="AccessControl" type="conf:UniOperatorType">
- <annotation>
- <documentation>
- A simple example access policy language extension that supersedes Apache .htaccess
- </documentation>
- </annotation>
- </element>
- <element name="OR" type="conf:MultiOperatorType"/>
- <element name="AND" type="conf:MultiOperatorType"/>
- <element name="NOT" type="conf:UniOperatorType"/>
- <complexType name="UniOperatorType">
- <choice>
- <element ref="conf:AND"/>
- <element ref="conf:OR"/>
- <element ref="conf:NOT"/>
- <element ref="conf:Rule"/>
- </choice>
- </complexType>
- <complexType name="MultiOperatorType">
- <choice minOccurs="2" maxOccurs="unbounded">
- <element ref="conf:AND"/>
- <element ref="conf:OR"/>
- <element ref="conf:NOT"/>
- <element ref="conf:Rule"/>
- </choice>
- </complexType>
- <element name="Rule">
- <complexType>
- <simpleContent>
- <extension base="conf:listOfStrings">
- <attribute name="require" type="string" use="required"/>
- </extension>
- </simpleContent>
- </complexType>
- </element>
- <simpleType name="listOfStrings">
- <list itemType="string"/>
- </simpleType>
-
- <attributeGroup name="ContentSettings">
- <attribute name="authType" type="string" use="optional"/>
- <attribute name="requireSession" type="boolean" use="optional"/>
- <attribute name="requireSessionWith" type="string" use="optional"/>
- <attribute name="exportAssertion" type="boolean" use="optional"/>
- <attribute name="redirectToSSL" type="unsignedInt" use="optional"/>
- <anyAttribute namespace="##other" processContents="lax"/>
- </attributeGroup>
- <element name="AccessControlProvider" type="conf:PluggableType"/>
- <element name="htaccess" type="conf:PluggableType"/>
-
- <element name="RequestMap">
- <annotation>
- <documentation>
- Built-in request mapping syntax, decomposes URLs into Host/Path/Path/...
- </documentation>
- </annotation>
- <complexType>
- <sequence>
- <choice minOccurs="0">
- <element ref="conf:htaccess"/>
- <element ref="conf:AccessControl"/>
- <element ref="conf:AccessControlProvider"/>
- </choice>
- <element ref="conf:Host" minOccurs="0" maxOccurs="unbounded"/>
- </sequence>
- <attribute name="applicationId" type="string" fixed="default"/>
- <attributeGroup ref="conf:ContentSettings"/>
- </complexType>
- </element>
-
- <element name="Host">
- <complexType>
- <sequence>
- <choice minOccurs="0">
- <element ref="conf:htaccess"/>
- <element ref="conf:AccessControl"/>
- <element ref="conf:AccessControlProvider"/>
- </choice>
- <element ref="conf:Path" minOccurs="0" maxOccurs="unbounded"/>
- </sequence>
- <attribute name="scheme" use="optional">
- <simpleType>
- <restriction base="string">
- <enumeration value="http"/>
- <enumeration value="https"/>
- <enumeration value="ftp"/>
- <enumeration value="ldap"/>
- <enumeration value="ldaps"/>
- </restriction>
- </simpleType>
- </attribute>
- <attribute name="name" type="string" use="required"/>
- <attribute name="port" type="unsignedInt" use="optional"/>
- <attribute name="applicationId" type="string" use="optional"/>
- <attributeGroup ref="conf:ContentSettings"/>
- </complexType>
- </element>
-
- <element name="Path">
- <complexType>
- <sequence>
- <choice minOccurs="0">
- <element ref="conf:htaccess"/>
- <element ref="conf:AccessControl"/>
- <element ref="conf:AccessControlProvider"/>
- </choice>
- <element ref="conf:Path" minOccurs="0" maxOccurs="unbounded"/>
- </sequence>
- <attribute name="name" type="string" use="required"/>
- <attribute name="applicationId" type="string" use="optional"/>
- <attributeGroup ref="conf:ContentSettings"/>
- </complexType>
- </element>
-
- <element name="Applications">
- <annotation>
- <documentation>Container for global target settings and application-specific overrides</documentation>
- </annotation>
- <complexType>
- <sequence>
- <element ref="conf:Sessions"/>
- <element ref="conf:Errors"/>
- <element ref="conf:CredentialUse" minOccurs="0"/>
- <choice minOccurs="0" maxOccurs="unbounded">
- <element ref="saml:AttributeDesignator"/>
- <element ref="saml:Audience"/>
- <element name="AAPProvider" type="conf:PluggableType"/>
- <element name="MetadataProvider" type="conf:PluggableType"/>
- <element name="TrustProvider" type="conf:PluggableType"/>
- </choice>
- <element ref="conf:Application" minOccurs="0" maxOccurs="unbounded"/>
- </sequence>
- <attribute name="id" type="string" fixed="default"/>
- <attribute name="providerId" type="anyURI" use="required"/>
- <attribute name="homeURL" type="anyURI" use="optional"/>
- <anyAttribute namespace="##other" processContents="lax"/>
- </complexType>
- </element>
-
- <element name="Application">
- <annotation>
- <documentation>Container for application-specific overrides</documentation>
- </annotation>
- <complexType>
- <sequence>
- <element ref="conf:Sessions" minOccurs="0"/>
- <element ref="conf:Errors" minOccurs="0"/>
- <element ref="conf:CredentialUse" minOccurs="0"/>
- <choice minOccurs="0" maxOccurs="unbounded">
- <element ref="saml:AttributeDesignator"/>
- <element ref="saml:Audience"/>
- <element name="AAPProvider" type="conf:PluggableType"/>
- <!-- deprecated --> <element name="FederationProvider" type="conf:PluggableType"/>
- <element name="MetadataProvider" type="conf:PluggableType"/>
- <element name="TrustProvider" type="conf:PluggableType"/>
- </choice>
- </sequence>
- <attribute name="id" type="string" use="required"/>
- <attribute name="providerId" type="anyURI" use="optional"/>
- <attribute name="homeURL" type="anyURI" use="optional"/>
- <anyAttribute namespace="##other" processContents="lax"/>
- </complexType>
- </element>
-
- <element name="KeyInfoResolver" type="conf:PluggableType">
- <annotation>
- <documentation>
- Custom plug-in that resolves ds:KeyInfo elements into public keys, used in
- TrustProvider elements.
- </documentation>
- </annotation>
- </element>
-
- <element name="Sessions">
- <annotation>
- <documentation>Container for specifying app session establishment and policy</documentation>
- </annotation>
- <complexType>
- <choice minOccurs="0" maxOccurs="unbounded">
- <element ref="conf:SessionInitiator"/>
- <element ref="md:AssertionConsumerService"/>
- <element ref="md:SingleLogoutService"/>
- <element ref="conf:DiagnosticService"/>
- <element name="ExtensionService" type="conf:PluggableType"/>
- </choice>
- <!-- deprecated --> <attribute name="wayfURL" type="anyURI" use="optional"/>
- <!-- deprecated --> <attribute name="shireURL" type="anyURI" use="optional"/>
- <!-- deprecated --> <attribute name="shireSSL" type="boolean" use="optional"/>
- <attribute name="handlerURL" type="anyURI" use="optional"/>
- <attribute name="handlerSSL" type="boolean" use="optional" default="true"/>
- <attribute name="cookieName" type="string" use="optional"/>
- <attribute name="cookieProps" type="string" use="optional"/>
- <attribute name="idpHistory" type="boolean" use="optional" default="true"/>
- <attribute name="idpHistoryDays" type="unsignedInt" use="optional"/>
- <attribute name="lifetime" type="unsignedInt" use="optional"/>
- <attribute name="timeout" type="unsignedInt" use="optional"/>
- <attribute name="checkAddress" type="boolean" use="optional"/>
- <attribute name="consistentAddress" type="boolean" use="optional" default="true"/>
- <attribute name="checkReplay" type="boolean" use="optional" default="true"/>
- <anyAttribute namespace="##other" processContents="lax"/>
- </complexType>
- </element>
- <element name="SessionInitiator">
- <annotation>
- <documentation>Used to specify WAYF/Discovery services (external or internal)</documentation>
- </annotation>
- <complexType>
- <sequence>
- <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
- </sequence>
- <attribute name="Location" type="anyURI" use="required"/>
- <attribute name="Binding" type="anyURI" use="required"/>
- <attribute name="wayfURL" type="anyURI" use="optional"/>
- <attribute name="wayfBinding" type="anyURI" use="optional"/>
- <attribute name="checkCDC" type="anyURI" use="optional"/>
- <attribute name="isDefault" type="boolean" use="optional"/>
- <attribute name="id" type="string" use="optional"/>
- <anyAttribute namespace="##any" processContents="lax"/>
- </complexType>
- </element>
- <element name="DiagnosticService">
- <annotation>
- <documentation>Used to specify internal diagnostic capabilities</documentation>
- </annotation>
- <complexType>
- <sequence>
- <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
- </sequence>
- <attribute name="Location" type="anyURI" use="required"/>
- <attribute name="Binding" type="anyURI" use="required"/>
- <attribute name="echo" type="boolean" use="optional"/>
- <attribute name="log" type="boolean" use="optional"/>
- <attribute name="config" type="boolean" use="optional"/>
- <attribute name="acl" use="optional">
- <simpleType>
- <list itemType="string"/>
- </simpleType>
- </attribute>
- <anyAttribute namespace="##any" processContents="lax"/>
- </complexType>
- </element>
-
- <element name="Errors">
- <annotation>
- <documentation>Container for error templates and associated details</documentation>
- </annotation>
- <complexType>
- <sequence>
- <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
- </sequence>
- <!-- deprecated --> <attribute name="shire" type="anyURI" use="optional"/>
- <attribute name="session" type="anyURI" use="optional"/>
- <attribute name="metadata" type="anyURI" use="optional"/>
- <attribute name="rm" type="anyURI" use="required"/>
- <attribute name="access" type="anyURI" use="optional"/>
- <attribute name="ssl" type="anyURI" use="optional"/>
- <attribute name="supportContact" type="string" use="optional"/>
- <attribute name="logoLocation" type="anyURI" use="optional"/>
- <attribute name="styleSheet" type="anyURI" use="optional"/>
- <anyAttribute namespace="##any" processContents="lax"/>
- </complexType>
- </element>
-
- <attributeGroup name="CredentialUseGroup">
- <attribute name="TLS" type="string" use="optional"/>
- <attribute name="Signing" type="string" use="optional"/>
- <attribute name="signRequest" type="boolean" use="optional" default="false"/>
- <attribute name="signatureAlg" type="anyURI" use="optional"/>
- <attribute name="digestAlg" type="anyURI" use="optional"/>
- <attribute name="signedResponse" type="boolean" use="optional" default="false"/>
- <attribute name="signedAssertions" type="boolean" use="optional" default="false"/>
- <attribute name="authType" use="optional">
- <simpleType>
- <restriction base="string">
- <enumeration value="basic"/>
- <enumeration value="digest"/>
- <enumeration value="ntlm"/>
- <enumeration value="gss"/>
- </restriction>
- </simpleType>
- </attribute>
- <attribute name="authUsername" use="optional"/>
- <attribute name="authPassword" use="optional"/>
- </attributeGroup>
-
- <element name="CredentialUse">
- <annotation>
- <documentation>Container for specifying credentials to use</documentation>
- </annotation>
- <complexType>
- <sequence>
- <element name="RelyingParty" minOccurs="0" maxOccurs="unbounded">
- <complexType>
- <sequence>
- <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
- </sequence>
- <attribute name="Name" type="string" use="required"/>
- <attributeGroup ref="conf:CredentialUseGroup"/>
- <anyAttribute namespace="##other" processContents="lax"/>
- </complexType>
- </element>
- <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
- </sequence>
- <attributeGroup ref="conf:CredentialUseGroup"/>
- <anyAttribute namespace="##other" processContents="lax"/>
- </complexType>
- </element>
-
- <element name="AttributeFactory">
- <annotation>
- <documentation>Specifies a plugin that implements a specialized SAML attribute</documentation>
- </annotation>
- <complexType>
- <sequence>
- <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
- </sequence>
- <attribute name="type" type="string" use="required"/>
- <attribute name="AttributeName" type="string" use="required"/>
- <anyAttribute namespace="##other" processContents="lax"/>
- </complexType>
- </element>
-
-</schema>
-
+++ /dev/null
-<schema targetNamespace="urn:mace:shibboleth:trust:1.0"
- xmlns="http://www.w3.org/2001/XMLSchema"
- xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
- xmlns:trust="urn:mace:shibboleth:trust:1.0"
- elementFormDefault="unqualified"
- attributeFormDefault="unqualified"
- version="1.0">
-
- <import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="xmldsig-core-schema.xsd"/>
-
- <annotation>
- <documentation>
- Trust metadata binds keys or authority lists to system entities.
- The metadata consumer is responsible for associating the names of system entities
- to the application context in an appropriate way.
- </documentation>
- </annotation>
-
- <element name="Trust">
- <annotation>
- <documentation>
- An optionally signed collection of trust binding elements.
- ds:KeyInfo is by definition a binding of a key to a specific entity,
- which may be specified in various ways such as KeyName or X509SubjectName.
- </documentation>
- </annotation>
- <complexType>
- <sequence>
- <choice maxOccurs="unbounded">
- <element ref="ds:KeyInfo"/>
- <element ref="trust:KeyAuthority"/>
- </choice>
- <element ref="ds:Signature" minOccurs="0"/>
- </sequence>
- <attribute name="lastChanged" type="dateTime" use="optional"/>
- <attribute name="validUntil" type="dateTime" use="optional"/>
- <attribute name="cacheDuration" type="duration" use="optional"/>
- <anyAttribute namespace="##other" processContents="lax"/>
- </complexType>
- </element>
-
- <element name="KeyAuthority" type="trust:KeyAuthorityType"/>
- <complexType name="KeyAuthorityType">
- <annotation>
- <documentation>
- Binds keying authorities to one or more named system entities.
- Omitting ds:KeyName will apply the authorities to all transactions, unless
- another specific match applies. This is risky, so use wisely, in conjunction
- with constraints on acceptable messages using other forms of metadata or policy.
- </documentation>
- </annotation>
- <sequence>
- <element ref="ds:KeyName" minOccurs="0" maxOccurs="unbounded"/>
- <element ref="ds:KeyInfo"/>
- </sequence>
- <attribute name="VerifyDepth" type="unsignedByte" use="optional"/>
- <anyAttribute namespace="##other" processContents="lax"/>
- </complexType>
-
-</schema>
try {
fprintf(stderr, "loading configuration file: %s\n", shar_config);
static const XMLCh path[] = UNICODE_LITERAL_4(p,a,t,h);
+ static const XMLCh validate[] = UNICODE_LITERAL_8(v,a,l,i,d,a,t,e);
DOMDocument* dummydoc=XMLToolingConfig::getConfig().getParser().newDocument();
XercesJanitor<DOMDocument> docjanitor(dummydoc);
DOMElement* dummy = dummydoc->createElementNS(NULL,path);
auto_ptr_XMLCh src(shar_config);
dummy->setAttributeNS(NULL,path,src.get());
+ dummy->setAttributeNS(NULL,validate,xmlconstants::XML_ONE);
conf.setServiceProvider(conf.ServiceProviderManager.newPlugin(XML_SERVICE_PROVIDER,dummy));
conf.getServiceProvider()->init();
try {
fprintf(stderr, "loading configuration file: %s\n", shar_config);
static const XMLCh path[] = UNICODE_LITERAL_4(p,a,t,h);
+ static const XMLCh validate[] = UNICODE_LITERAL_8(v,a,l,i,d,a,t,e);
DOMDocument* dummydoc=XMLToolingConfig::getConfig().getParser().newDocument();
XercesJanitor<DOMDocument> docjanitor(dummydoc);
DOMElement* dummy = dummydoc->createElementNS(NULL,path);
auto_ptr_XMLCh src(shar_config);
dummy->setAttributeNS(NULL,path,src.get());
+ dummy->setAttributeNS(NULL,validate,xmlconstants::XML_ONE);
conf.setServiceProvider(conf.ServiceProviderManager.newPlugin(XML_SERVICE_PROVIDER,dummy));
conf.getServiceProvider()->init();
#define __shibsp_sp_h__
#include <shibsp/util/PropertySet.h>
+#include <saml/binding/SecurityPolicyRule.h>
#include <xmltooling/signature/CredentialResolver.h>
#include <xmltooling/util/StorageService.h>
namespace shibsp {
class SHIBSP_API Application;
+ class SHIBSP_API Handler;
class SHIBSP_API ListenerService;
class SHIBSP_API RequestMapper;
class SHIBSP_API SessionCache;
* <p>A ServiceProvider exposes configuration and infrastructure services required
* by the SP implementation, allowing a flexible configuration format.
*/
- class SHIBSP_API ServiceProvider : public virtual xmltooling::Lockable, public virtual PropertySet
+ class SHIBSP_API ServiceProvider : public virtual xmltooling::Lockable, public virtual PropertySet
{
MAKE_NONCOPYABLE(ServiceProvider);
protected:
virtual xmlsignature::CredentialResolver* getCredentialResolver(const char* id) const=0;
/**
+ * Returns the security policy rules in effect for a Handler instance.
+ *
+ * @param handler identifies the Handler for which to return the policy rules
+ * @return array of policy rules
+ */
+ virtual std::vector<const opensaml::SecurityPolicyRule*>& getPolicyRules(const Handler& handler) const=0;
+
+ /**
* Returns a RequestMapper instance.
*
* @param required true iff an exception should be thrown if no RequestMapper is available
*/
virtual RequestMapper* getRequestMapper(bool required=true) const=0;
- //virtual ISessionCache* getSessionCache() const=0;
-
/**
* Returns an Application instance matching the specified ID.
*
rerun_timer = XMLString::parseInt(tag);\r
\r
if (rerun_timer <= 0)\r
- rerun_timer = 300; // rerun every 5 minutes\r
+ rerun_timer = 900; // rerun every 5 minutes\r
\r
mutex->lock();\r
\r
\r
short Override::acceptNode(const DOMNode* node) const\r
{\r
- if (!XMLString::equals(node->getNamespaceURI(),shibspconstants::SHIB1SPCONFIG_NS))\r
+ if (!XMLString::equals(node->getNamespaceURI(),shibspconstants::SHIB2SPCONFIG_NS))\r
return FILTER_ACCEPT;\r
const XMLCh* name=node->getLocalName();\r
if (XMLString::equals(name,Host) ||\r
\r
if (*n) {\r
// Create a placeholder Path element for the first path segment and replant under it.\r
- DOMElement* newpath=path->getOwnerDocument()->createElementNS(shibspconstants::SHIB1SPCONFIG_NS,Path);\r
+ DOMElement* newpath=path->getOwnerDocument()->createElementNS(shibspconstants::SHIB2SPCONFIG_NS,Path);\r
newpath->setAttributeNS(NULL,name,namebuf);\r
path->setAttributeNS(NULL,name,n);\r
path->getParentNode()->replaceChild(newpath,path);\r
#include <xmltooling/util/ReplayCache.h>\r
\r
using namespace shibsp;\r
-using namespace opensaml::saml1;\r
+using namespace opensaml::saml2;\r
using namespace opensaml::saml2md;\r
using namespace opensaml;\r
using namespace xmltooling;\r
using namespace std;\r
using xmlsignature::CredentialResolver;\r
\r
-namespace shibsp {\r
+namespace {\r
\r
#if defined (_MSC_VER)\r
#pragma warning( push )\r
\r
// maps binding strings to supporting consumer service(s)\r
#ifdef HAVE_GOOD_STL\r
- typedef map<xmltooling::xstring,vector<const Handler*> > ACSBindingMap;\r
+ typedef map<xstring,vector<const Handler*> > ACSBindingMap;\r
#else\r
typedef map<string,vector<const Handler*> > ACSBindingMap;\r
#endif\r
\r
DOMPropertySet* m_credDefault;\r
#ifdef HAVE_GOOD_STL\r
- map<xmltooling::xstring,PropertySet*> m_credMap;\r
+ map<xstring,PropertySet*> m_credMap;\r
#else\r
map<const XMLCh*,PropertySet*> m_credMap;\r
#endif\r
RequestMapper* m_requestMapper;\r
map<string,Application*> m_appmap;\r
map<string,CredentialResolver*> m_credResolverMap;\r
+ map< string,vector<const SecurityPolicyRule*> > m_policyMap;\r
+ string m_policyDefault;\r
\r
// Provides filter to exclude special config elements.\r
short acceptNode(const DOMNode* node) const;\r
{\r
public:\r
XMLConfig(const DOMElement* e)\r
- : ReloadableXMLFile(e), m_impl(NULL), m_listener(NULL), m_sessionCache(NULL) {\r
+ : ReloadableXMLFile(e), m_impl(NULL), m_listener(NULL), m_sessionCache(NULL), m_tranLog(NULL) {\r
}\r
\r
void init() {\r
pair<bool,const XMLCh*> getXMLString(const char* name, const char* ns=NULL) const {return m_impl->getXMLString(name,ns);}\r
pair<bool,unsigned int> getUnsignedInt(const char* name, const char* ns=NULL) const {return m_impl->getUnsignedInt(name,ns);}\r
pair<bool,int> getInt(const char* name, const char* ns=NULL) const {return m_impl->getInt(name,ns);}\r
- const PropertySet* getPropertySet(const char* name, const char* ns="urn:mace:shibboleth:target:config:1.0") const {return m_impl->getPropertySet(name,ns);}\r
+ const PropertySet* getPropertySet(const char* name, const char* ns="urn:mace:shibboleth:sp:config:2.0") const {return m_impl->getPropertySet(name,ns);}\r
const DOMElement* getElement() const {return m_impl->getElement();}\r
\r
// ServiceProvider\r
return NULL;\r
}\r
\r
+ vector<const SecurityPolicyRule*>& getPolicyRules(const Handler& handler) const {\r
+ pair<bool,const char*> pid = handler.getString("policyId", "urn:mace:shibboleth:sp:config:2.0");\r
+ if (!pid.first)\r
+ pid.second = m_impl->m_policyDefault.c_str();\r
+ if (m_impl->m_policyMap.count(pid.second))\r
+ return m_impl->m_policyMap[pid.second];\r
+ throw ConfigurationException("Security Policy ($1) not found, check <SecurityPolicies> element.", params(1,pid.second));\r
+ }\r
+\r
protected:\r
pair<bool,DOMElement*> load();\r
\r
#pragma warning( pop )\r
#endif\r
\r
- ServiceProvider* XMLServiceProviderFactory(const DOMElement* const & e)\r
- {\r
- return new XMLConfig(e);\r
- }\r
-\r
- static const XMLCh AAPProvider[] = UNICODE_LITERAL_11(A,A,P,P,r,o,v,i,d,e,r);\r
static const XMLCh _Application[] = UNICODE_LITERAL_11(A,p,p,l,i,c,a,t,i,o,n);\r
static const XMLCh Applications[] = UNICODE_LITERAL_12(A,p,p,l,i,c,a,t,i,o,n,s);\r
- static const XMLCh AttributeFactory[] = UNICODE_LITERAL_16(A,t,t,r,i,b,u,t,e,F,a,c,t,o,r,y);\r
static const XMLCh Credentials[] = UNICODE_LITERAL_11(C,r,e,d,e,n,t,i,a,l,s);\r
- static const XMLCh CredentialsProvider[] = UNICODE_LITERAL_19(C,r,e,d,e,n,t,i,a,l,s,P,r,o,v,i,d,e,r);\r
static const XMLCh CredentialUse[] = UNICODE_LITERAL_13(C,r,e,d,e,n,t,i,a,l,U,s,e);\r
- static const XMLCh DiagnosticService[] = UNICODE_LITERAL_17(D,i,a,g,n,o,s,t,i,c,S,e,r,v,i,c,e);\r
+ static const XMLCh _default[] = UNICODE_LITERAL_7(d,e,f,a,u,l,t);\r
static const XMLCh fatal[] = UNICODE_LITERAL_5(f,a,t,a,l);\r
- static const XMLCh FileResolver[] = UNICODE_LITERAL_12(F,i,l,e,R,e,s,o,l,v,e,r);\r
- static const XMLCh Global[] = UNICODE_LITERAL_6(G,l,o,b,a,l);\r
- static const XMLCh Id[] = UNICODE_LITERAL_2(I,d);\r
+ static const XMLCh _Handler[] = UNICODE_LITERAL_7(H,a,n,d,l,e,r);\r
+ static const XMLCh _id[] = UNICODE_LITERAL_2(i,d);\r
static const XMLCh Implementation[] = UNICODE_LITERAL_14(I,m,p,l,e,m,e,n,t,a,t,i,o,n);\r
static const XMLCh InProcess[] = UNICODE_LITERAL_9(I,n,P,r,o,c,e,s,s);\r
static const XMLCh Library[] = UNICODE_LITERAL_7(L,i,b,r,a,r,y);\r
static const XMLCh Listener[] = UNICODE_LITERAL_8(L,i,s,t,e,n,e,r);\r
- static const XMLCh Local[] = UNICODE_LITERAL_5(L,o,c,a,l);\r
static const XMLCh logger[] = UNICODE_LITERAL_6(l,o,g,g,e,r);\r
static const XMLCh MemoryListener[] = UNICODE_LITERAL_14(M,e,m,o,r,y,L,i,s,t,e,n,e,r);\r
- static const XMLCh MemorySessionCache[] = UNICODE_LITERAL_18(M,e,m,o,r,y,S,e,s,s,i,o,n,C,a,c,h,e);\r
+ static const XMLCh Policy[] = UNICODE_LITERAL_6(P,o,l,i,c,y);\r
static const XMLCh RelyingParty[] = UNICODE_LITERAL_12(R,e,l,y,i,n,g,P,a,r,t,y);\r
static const XMLCh _ReplayCache[] = UNICODE_LITERAL_11(R,e,p,l,a,y,C,a,c,h,e);\r
- static const XMLCh RequestMapProvider[] = UNICODE_LITERAL_18(R,e,q,u,e,s,t,M,a,p,P,r,o,v,i,d,e,r);\r
+ static const XMLCh _RequestMapper[] = UNICODE_LITERAL_13(R,e,q,u,e,s,t,M,a,p,p,e,r);\r
+ static const XMLCh Rule[] = UNICODE_LITERAL_4(R,u,l,e);\r
+ static const XMLCh SecurityPolicies[] = UNICODE_LITERAL_16(S,e,c,u,r,i,t,y,P,o,l,i,c,i,e,s);\r
static const XMLCh _SessionCache[] = UNICODE_LITERAL_12(S,e,s,s,i,o,n,C,a,c,h,e);\r
static const XMLCh SessionInitiator[] = UNICODE_LITERAL_16(S,e,s,s,i,o,n,I,n,i,t,i,a,t,o,r);\r
static const XMLCh _StorageService[] = UNICODE_LITERAL_14(S,t,o,r,a,g,e,S,e,r,v,i,c,e);\r
static const XMLCh OutOfProcess[] = UNICODE_LITERAL_12(O,u,t,O,f,P,r,o,c,e,s,s);\r
static const XMLCh TCPListener[] = UNICODE_LITERAL_11(T,C,P,L,i,s,t,e,n,e,r);\r
- static const XMLCh TrustProvider[] = UNICODE_LITERAL_13(T,r,u,s,t,P,r,o,v,i,d,e,r);\r
+ static const XMLCh _TrustEngine[] = UNICODE_LITERAL_11(T,r,u,s,t,E,n,g,i,n,e);\r
static const XMLCh UnixListener[] = UNICODE_LITERAL_12(U,n,i,x,L,i,s,t,e,n,e,r);\r
static const XMLCh _MetadataProvider[] = UNICODE_LITERAL_16(M,e,t,a,d,a,t,a,P,r,o,v,i,d,e,r);\r
static const XMLCh _path[] = UNICODE_LITERAL_4(p,a,t,h);\r
static const XMLCh _type[] = UNICODE_LITERAL_4(t,y,p,e);\r
};\r
\r
+namespace shibsp {\r
+ ServiceProvider* XMLServiceProviderFactory(const DOMElement* const & e)\r
+ {\r
+ return new XMLConfig(e);\r
+ }\r
+};\r
+\r
XMLApplication::XMLApplication(\r
const ServiceProvider* sp,\r
const DOMElement* e,\r
\r
try {\r
// First load any property sets.\r
- map<string,string> root_remap;\r
- root_remap["shire"]="session";\r
- root_remap["shireURL"]="handlerURL";\r
- root_remap["shireSSL"]="handlerSSL";\r
- load(e,log,this,&root_remap);\r
-\r
- const PropertySet* propcheck=getPropertySet("Errors");\r
- if (propcheck && !propcheck->getString("session").first)\r
- throw ConfigurationException("<Errors> element requires 'session' (or deprecated 'shire') attribute");\r
- propcheck=getPropertySet("Sessions");\r
- if (propcheck && !propcheck->getString("handlerURL").first)\r
- throw ConfigurationException("<Sessions> element requires 'handlerURL' (or deprecated 'shireURL') attribute");\r
+ load(e,log,this);\r
\r
SPConfig& conf=SPConfig::getConfig();\r
SAMLConfig& samlConf=SAMLConfig::getConfig();\r
m_hash+=getString("providerId").second;\r
m_hash=samlConf.hashSHA1(m_hash.c_str(), true);\r
\r
+ const PropertySet* sessions = getPropertySet("Sessions");\r
+\r
// Process handlers.\r
Handler* handler=NULL;\r
bool hardACS=false, hardSessionInit=false;\r
- const DOMElement* child = XMLHelper::getFirstChildElement(propcheck->getElement());\r
+ const DOMElement* child = sessions ? XMLHelper::getFirstChildElement(sessions->getElement()) : NULL;\r
while (child) {\r
try {\r
// A handler is based on the Binding property in conjunction with the element name.\r
child = XMLHelper::getNextSiblingElement(child);\r
}\r
\r
- // If no handlers defined at the root, assume a legacy configuration.\r
- if (!m_base && m_handlers.empty()) {\r
- try {\r
- // A legacy config installs a SAML POST handler at the root handler location.\r
- // We use the Sessions element itself as the PropertySet.\r
- Handler* h1=conf.SessionInitiatorManager.newPlugin(\r
- shibspconstants::SHIB1_SESSIONINIT_PROFILE_URI,propcheck->getElement()\r
- );\r
- m_handlers.push_back(h1);\r
- m_sessionInitDefault=h1;\r
-\r
- Handler* h2=conf.AssertionConsumerServiceManager.newPlugin(\r
- samlconstants::SAML1_PROFILE_BROWSER_POST,propcheck->getElement()\r
- );\r
- m_handlers.push_back(h2);\r
- m_handlerMap[""] = h2;\r
- m_acsDefault=h2;\r
- }\r
- catch (exception& ex) {\r
- log.crit("error installing legacy handler configuration: %s", ex.what());\r
- }\r
- }\r
- \r
- DOMNodeList* nlist=e->getElementsByTagNameNS(samlconstants::SAML1_NS,Audience::LOCAL_NAME);\r
+ DOMNodeList* nlist=e->getElementsByTagNameNS(samlconstants::SAML20_NS,Audience::LOCAL_NAME);\r
for (XMLSize_t i=0; nlist && i<nlist->getLength(); i++)\r
if (nlist->item(i)->getParentNode()->isSameNode(e) && nlist->item(i)->hasChildNodes())\r
m_audiences.push_back(nlist->item(i)->getFirstChild()->getNodeValue());\r
m_audiences.push_back(getXMLString("providerId").second);\r
\r
if (conf.isEnabled(SPConfig::AttributeResolver)) {\r
- child = XMLHelper::getFirstChildElement(e,AAPProvider);\r
- while (child) {\r
- // TODO: some kind of compatibility\r
- child = XMLHelper::getNextSiblingElement(child,AAPProvider);\r
- }\r
+ // TODO\r
}\r
\r
if (conf.isEnabled(SPConfig::Metadata)) {\r
- vector<MetadataProvider*> os2providers;\r
child = XMLHelper::getFirstChildElement(e,_MetadataProvider);\r
- while (child) {\r
+ if (child) {\r
auto_ptr_char type(child->getAttributeNS(NULL,_type));\r
log.info("building metadata provider of type %s...",type.get());\r
try {\r
auto_ptr<MetadataProvider> mp(samlConf.MetadataProviderManager.newPlugin(type.get(),child));\r
mp->init();\r
- os2providers.push_back(mp.release());\r
+ m_metadata = mp.release();\r
}\r
catch (exception& ex) {\r
log.crit("error building/initializing metadata provider: %s", ex.what());\r
}\r
-\r
- child = XMLHelper::getNextSiblingElement(child,_MetadataProvider);\r
- }\r
- \r
- if (os2providers.size()==1)\r
- m_metadata=os2providers.front();\r
- else if (os2providers.size()>1) {\r
- try {\r
- m_metadata = samlConf.MetadataProviderManager.newPlugin(CHAINING_METADATA_PROVIDER,NULL);\r
- ChainingMetadataProvider* chainMeta = dynamic_cast<ChainingMetadataProvider*>(m_metadata);\r
- while (!os2providers.empty()) {\r
- chainMeta->addMetadataProvider(os2providers.back());\r
- os2providers.pop_back();\r
- }\r
- }\r
- catch (exception& ex) {\r
- log.crit("error building chaining metadata provider wrapper: %s",ex.what());\r
- for_each(os2providers.begin(), os2providers.end(), xmltooling::cleanup<MetadataProvider>());\r
- }\r
}\r
}\r
\r
if (conf.isEnabled(SPConfig::Trust)) {\r
- ChainingTrustEngine* chainTrust = NULL;\r
- child = XMLHelper::getFirstChildElement(e,TrustProvider);\r
- while (child) {\r
+ child = XMLHelper::getFirstChildElement(e,_TrustEngine);\r
+ if (child) {\r
auto_ptr_char type(child->getAttributeNS(NULL,_type));\r
- log.info("building trust provider of type %s...",type.get());\r
+ log.info("building trust engine of type %s...",type.get());\r
try {\r
- if (!m_trust) {\r
- // For compatibility with old engine types, we're assuming a Shib engine is likely,\r
- // which requires chaining, so we'll build that regardless.\r
- m_trust = xmlConf.TrustEngineManager.newPlugin(CHAINING_TRUSTENGINE,NULL);\r
- chainTrust = dynamic_cast<ChainingTrustEngine*>(m_trust);\r
- }\r
- if (!strcmp(type.get(),"edu.internet2.middleware.shibboleth.common.provider.ShibbolethTrust")) {\r
- chainTrust->addTrustEngine(xmlConf.TrustEngineManager.newPlugin(EXPLICIT_KEY_TRUSTENGINE,child));\r
- chainTrust->addTrustEngine(xmlConf.TrustEngineManager.newPlugin(SHIBBOLETH_PKIX_TRUSTENGINE,child));\r
- }\r
- else if (!strcmp(type.get(),"edu.internet2.middleware.shibboleth.common.provider.BasicTrust")) {\r
- chainTrust->addTrustEngine(xmlConf.TrustEngineManager.newPlugin(EXPLICIT_KEY_TRUSTENGINE,child));\r
- }\r
- else {\r
- chainTrust->addTrustEngine(xmlConf.TrustEngineManager.newPlugin(type.get(),child));\r
- }\r
+ m_trust = xmlConf.TrustEngineManager.newPlugin(type.get(),child);\r
}\r
catch (exception& ex) {\r
- log.crit("error building trust provider: %s",ex.what());\r
+ log.crit("error building trust engine: %s",ex.what());\r
}\r
- \r
- child = XMLHelper::getNextSiblingElement(child,TrustProvider);\r
}\r
}\r
\r
\r
delete m_credDefault;\r
#ifdef HAVE_GOOD_STL\r
- for_each(m_credMap.begin(),m_credMap.end(),cleanup_pair<xmltooling::xstring,PropertySet>());\r
+ for_each(m_credMap.begin(),m_credMap.end(),cleanup_pair<xstring,PropertySet>());\r
#else\r
for_each(m_credMap.begin(),m_credMap.end(),cleanup_pair<const XMLCh*,PropertySet>());\r
#endif\r
\r
short XMLApplication::acceptNode(const DOMNode* node) const\r
{\r
- if (XMLHelper::isNodeNamed(node,samlconstants::SAML1_NS,AttributeDesignator::LOCAL_NAME))\r
+ if (XMLHelper::isNodeNamed(node,samlconstants::SAML20_NS,opensaml::saml2::Attribute::LOCAL_NAME))\r
return FILTER_REJECT;\r
- else if (XMLHelper::isNodeNamed(node,samlconstants::SAML20_NS,opensaml::saml1::Attribute::LOCAL_NAME))\r
- return FILTER_REJECT;\r
- else if (XMLHelper::isNodeNamed(node,samlconstants::SAML1_NS,Audience::LOCAL_NAME))\r
+ else if (XMLHelper::isNodeNamed(node,samlconstants::SAML20_NS,Audience::LOCAL_NAME))\r
return FILTER_REJECT;\r
const XMLCh* name=node->getLocalName();\r
if (XMLString::equals(name,_Application) ||\r
XMLString::equals(name,AssertionConsumerService::LOCAL_NAME) ||\r
XMLString::equals(name,SingleLogoutService::LOCAL_NAME) ||\r
- XMLString::equals(name,DiagnosticService) ||\r
+ XMLString::equals(name,ManageNameIDService::LOCAL_NAME) ||\r
XMLString::equals(name,SessionInitiator) ||\r
- XMLString::equals(name,AAPProvider) ||\r
XMLString::equals(name,CredentialUse) ||\r
XMLString::equals(name,RelyingParty) ||\r
XMLString::equals(name,_MetadataProvider) ||\r
- XMLString::equals(name,TrustProvider))\r
+ XMLString::equals(name,_TrustEngine))\r
return FILTER_REJECT;\r
\r
return FILTER_ACCEPT;\r
return m_base->getCredentialUse(provider);\r
\r
#ifdef HAVE_GOOD_STL\r
- map<xmltooling::xstring,PropertySet*>::const_iterator i=m_credMap.find(provider->getEntityID());\r
+ map<xstring,PropertySet*>::const_iterator i=m_credMap.find(provider->getEntityID());\r
if (i!=m_credMap.end())\r
return i->second;\r
const EntitiesDescriptor* group=dynamic_cast<const EntitiesDescriptor*>(provider->getParent());\r
\r
short XMLConfigImpl::acceptNode(const DOMNode* node) const\r
{\r
- if (!XMLString::equals(node->getNamespaceURI(),shibspconstants::SHIB1SPCONFIG_NS) &&\r
- !XMLString::equals(node->getNamespaceURI(),shibspconstants::SHIB2SPCONFIG_NS))\r
+ if (!XMLString::equals(node->getNamespaceURI(),shibspconstants::SHIB2SPCONFIG_NS))\r
return FILTER_ACCEPT;\r
const XMLCh* name=node->getLocalName();\r
if (XMLString::equals(name,Applications) ||\r
- XMLString::equals(name,AttributeFactory) ||\r
XMLString::equals(name,Credentials) ||\r
- XMLString::equals(name,CredentialsProvider) ||\r
XMLString::equals(name,Extensions::LOCAL_NAME) ||\r
XMLString::equals(name,Implementation) ||\r
XMLString::equals(name,Listener) ||\r
XMLString::equals(name,MemoryListener) ||\r
- XMLString::equals(name,MemorySessionCache) ||\r
- XMLString::equals(name,RequestMapProvider) ||\r
+ XMLString::equals(name,Policy) ||\r
+ XMLString::equals(name,_RequestMapper) ||\r
XMLString::equals(name,_ReplayCache) ||\r
XMLString::equals(name,_SessionCache) ||\r
XMLString::equals(name,_StorageService) ||\r
}\r
}\r
\r
-XMLConfigImpl::XMLConfigImpl(const DOMElement* e, bool first, const XMLConfig* outer) : m_outer(outer), m_document(NULL), m_requestMapper(NULL)\r
+XMLConfigImpl::XMLConfigImpl(const DOMElement* e, bool first, const XMLConfig* outer) : m_requestMapper(NULL), m_outer(outer), m_document(NULL)\r
{\r
#ifdef _DEBUG\r
xmltooling::NDC ndc("XMLConfigImpl");\r
\r
try {\r
SPConfig& conf=SPConfig::getConfig();\r
+ SAMLConfig& samlConf=SAMLConfig::getConfig();\r
XMLToolingConfig& xmlConf=XMLToolingConfig::getConfig();\r
const DOMElement* SHAR=XMLHelper::getFirstChildElement(e,OutOfProcess);\r
- if (!SHAR)\r
- SHAR=XMLHelper::getFirstChildElement(e,Global);\r
const DOMElement* SHIRE=XMLHelper::getFirstChildElement(e,InProcess);\r
- if (!SHIRE)\r
- SHIRE=XMLHelper::getFirstChildElement(e,Local);\r
\r
// Initialize log4cpp manually in order to redirect log messages as soon as possible.\r
if (conf.isEnabled(SPConfig::Logging)) {\r
}\r
\r
// First load any property sets.\r
- map<string,string> root_remap;\r
- root_remap["Global"]="OutOfProcess";\r
- root_remap["Local"]="InProcess";\r
- load(e,log,this,&root_remap);\r
+ load(e,log,this);\r
\r
const DOMElement* child;\r
string plugtype;\r
}\r
\r
if (conf.isEnabled(SPConfig::Caching)) {\r
- // TODO: This code's a mess, due to a very bad config layout for the caches...\r
- // Needs rework with the new config file.\r
- const DOMElement* container=conf.isEnabled(SPConfig::OutOfProcess) ? SHAR : SHIRE;\r
-\r
- // First build any StorageServices.\r
- string inmemID;\r
- child=XMLHelper::getFirstChildElement(container,_StorageService);\r
- while (child) {\r
- auto_ptr_char id(child->getAttributeNS(NULL,Id));\r
- auto_ptr_char type(child->getAttributeNS(NULL,_type));\r
- if (id.get() && type.get()) {\r
+ if (conf.isEnabled(SPConfig::OutOfProcess)) {\r
+ // First build any StorageServices.\r
+ string inmemID;\r
+ child=XMLHelper::getFirstChildElement(SHAR,_StorageService);\r
+ while (child) {\r
+ auto_ptr_char id(child->getAttributeNS(NULL,_id));\r
+ auto_ptr_char type(child->getAttributeNS(NULL,_type));\r
try {\r
log.info("building StorageService (%s) of type %s...", id.get(), type.get());\r
m_outer->m_storage[id.get()] = xmlConf.StorageServiceManager.newPlugin(type.get(),child);\r
catch (exception& ex) {\r
log.crit("failed to instantiate StorageService (%s): %s", id.get(), ex.what());\r
}\r
+ child=XMLHelper::getNextSiblingElement(child,_StorageService);\r
}\r
- child=XMLHelper::getNextSiblingElement(container,_StorageService);\r
- }\r
\r
- child=XMLHelper::getFirstChildElement(container,_SessionCache);\r
- if (child) {\r
- auto_ptr_char type(child->getAttributeNS(NULL,_type));\r
- log.info("building Session Cache of type %s...",type.get());\r
- m_outer->m_sessionCache=conf.SessionCacheManager.newPlugin(type.get(),child);\r
- }\r
- else if (conf.isEnabled(SPConfig::OutOfProcess)) {\r
- log.warn("custom SessionCache unspecified or no longer supported, building SessionCache of type %s...",STORAGESERVICE_SESSION_CACHE);\r
- if (inmemID.empty()) {\r
- inmemID = "memory";\r
- log.info("no StorageServices configured, providing in-memory version for legacy config");\r
- m_outer->m_storage[inmemID] = xmlConf.StorageServiceManager.newPlugin(MEMORY_STORAGE_SERVICE,NULL);\r
+ child=XMLHelper::getFirstChildElement(SHAR,_SessionCache);\r
+ if (child) {\r
+ auto_ptr_char type(child->getAttributeNS(NULL,_type));\r
+ log.info("building SessionCache of type %s...",type.get());\r
+ m_outer->m_sessionCache=conf.SessionCacheManager.newPlugin(type.get(),child);\r
+ }\r
+ else {\r
+ log.warn("SessionCache unspecified, building SessionCache of type %s...",STORAGESERVICE_SESSION_CACHE);\r
+ if (inmemID.empty()) {\r
+ inmemID = "memory";\r
+ log.info("no StorageServices configured, providing in-memory version for session cache");\r
+ m_outer->m_storage[inmemID] = xmlConf.StorageServiceManager.newPlugin(MEMORY_STORAGE_SERVICE,NULL);\r
+ }\r
+ child = e->getOwnerDocument()->createElementNS(NULL,_SessionCache);\r
+ auto_ptr_XMLCh ssid(inmemID.c_str());\r
+ const_cast<DOMElement*>(child)->setAttributeNS(NULL,_StorageService,ssid.get());\r
+ m_outer->m_sessionCache=conf.SessionCacheManager.newPlugin(STORAGESERVICE_SESSION_CACHE,child);\r
+ }\r
+\r
+ // Replay cache.\r
+ StorageService* replaySS=NULL;\r
+ child=XMLHelper::getFirstChildElement(SHAR,_ReplayCache);\r
+ if (child) {\r
+ auto_ptr_char ssid(child->getAttributeNS(NULL,_StorageService));\r
+ if (ssid.get() && *ssid.get()) {\r
+ if (m_outer->m_storage.count(ssid.get()))\r
+ replaySS = m_outer->m_storage[ssid.get()];\r
+ if (replaySS)\r
+ log.info("building ReplayCache on top of StorageService (%s)...", ssid.get());\r
+ else\r
+ log.crit("unable to locate StorageService (%s) in configuration", ssid.get());\r
+ }\r
+ }\r
+ if (!replaySS) {\r
+ log.info("building ReplayCache using in-memory StorageService...");\r
+ if (inmemID.empty()) {\r
+ inmemID = "memory";\r
+ log.info("no StorageServices configured, providing in-memory version for legacy config");\r
+ m_outer->m_storage[inmemID] = xmlConf.StorageServiceManager.newPlugin(MEMORY_STORAGE_SERVICE,NULL);\r
+ }\r
+ replaySS = m_outer->m_storage[inmemID];\r
}\r
- child = container->getOwnerDocument()->createElementNS(NULL,_SessionCache);\r
- xmltooling::auto_ptr_XMLCh ssid(inmemID.c_str());\r
- const_cast<DOMElement*>(child)->setAttributeNS(NULL,_StorageService,ssid.get());\r
- m_outer->m_sessionCache=conf.SessionCacheManager.newPlugin(STORAGESERVICE_SESSION_CACHE,child);\r
+ xmlConf.setReplayCache(new ReplayCache(replaySS));\r
}\r
else {\r
- log.warn("custom SessionCache unspecified or no longer supported, building SessionCache of type %s...",REMOTED_SESSION_CACHE);\r
+ log.info("building in-process SessionCache of type %s...",REMOTED_SESSION_CACHE);\r
m_outer->m_sessionCache=conf.SessionCacheManager.newPlugin(REMOTED_SESSION_CACHE,NULL);\r
}\r
- \r
- // Replay cache.\r
- StorageService* replaySS=NULL;\r
- child=XMLHelper::getFirstChildElement(container,_ReplayCache);\r
- if (child) {\r
- auto_ptr_char ssid(child->getAttributeNS(NULL,_StorageService));\r
- if (ssid.get() && *ssid.get()) {\r
- replaySS = m_outer->m_storage[ssid.get()];\r
- if (replaySS)\r
- log.info("building ReplayCache on top of StorageService (%s)...", ssid.get());\r
- else\r
- log.crit("unable to locate StorageService (%s) in configuration", ssid.get());\r
- }\r
- }\r
- if (!replaySS) {\r
- log.info("building ReplayCache using in-memory StorageService...");\r
- if (inmemID.empty()) {\r
- inmemID = "memory";\r
- log.info("no StorageServices configured, providing in-memory version for legacy config");\r
- m_outer->m_storage[inmemID] = xmlConf.StorageServiceManager.newPlugin(MEMORY_STORAGE_SERVICE,NULL);\r
- }\r
- replaySS = m_outer->m_storage[inmemID];\r
- }\r
- xmlConf.setReplayCache(new ReplayCache(replaySS));\r
}\r
} // end of first-time-only stuff\r
\r
// Back to the fully dynamic stuff...next up is the RequestMapper.\r
if (conf.isEnabled(SPConfig::RequestMapping)) {\r
- child=XMLHelper::getFirstChildElement(SHIRE,RequestMapProvider);\r
+ child=XMLHelper::getFirstChildElement(SHIRE,_RequestMapper);\r
if (child) {\r
auto_ptr_char type(child->getAttributeNS(NULL,_type));\r
log.info("building RequestMapper of type %s...",type.get());\r
m_requestMapper=conf.RequestMapperManager.newPlugin(type.get(),child);\r
}\r
- else {\r
- log.fatal("can't build RequestMapper, missing conf:RequestMapProvider element?");\r
- throw ConfigurationException("can't build RequestMapper, missing conf:RequestMapProvider element?");\r
- }\r
}\r
\r
// Now we load the credentials map.\r
if (conf.isEnabled(SPConfig::Credentials)) {\r
- // Old format was to wrap it in a CredentialsProvider plugin, we're inlining that...\r
- child = XMLHelper::getFirstChildElement(e,CredentialsProvider);\r
- child = XMLHelper::getFirstChildElement(child ? child : e,Credentials);\r
+ child = XMLHelper::getLastChildElement(e,Credentials);\r
if (child) {\r
// Step down and process resolvers.\r
child=XMLHelper::getFirstChildElement(child);\r
while (child) {\r
- auto_ptr_char id(child->getAttributeNS(NULL,Id));\r
- if (!id.get() || !*(id.get())) {\r
- log.warn("skipping CredentialResolver with no Id attribute");\r
- child = XMLHelper::getNextSiblingElement(child);\r
- continue;\r
- }\r
- \r
- if (XMLString::equals(child->getLocalName(),FileResolver))\r
- plugtype=FILESYSTEM_CREDENTIAL_RESOLVER;\r
- else {\r
- auto_ptr_char c(child->getAttributeNS(NULL,_type));\r
- plugtype=c.get();\r
- }\r
- \r
- if (!plugtype.empty()) {\r
- try {\r
- CredentialResolver* cr=\r
- XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(plugtype.c_str(),child);\r
- m_credResolverMap[id.get()] = cr;\r
- }\r
- catch (exception& ex) {\r
- log.crit("failed to instantiate CredentialResolver (%s): %s", id.get(), ex.what());\r
- }\r
+ auto_ptr_char id(child->getAttributeNS(NULL,_id));\r
+ auto_ptr_char type(child->getAttributeNS(NULL,_type));\r
+ try {\r
+ CredentialResolver* cr=xmlConf.CredentialResolverManager.newPlugin(type.get(),child);\r
+ m_credResolverMap[id.get()] = cr;\r
}\r
- else {\r
- log.error("unknown type of CredentialResolver with Id (%s)", id.get());\r
+ catch (exception& ex) {\r
+ log.crit("failed to instantiate CredentialResolver (%s): %s", id.get(), ex.what());\r
}\r
- \r
child = XMLHelper::getNextSiblingElement(child);\r
}\r
}\r
}\r
\r
// Load the default application. This actually has a fixed ID of "default". ;-)\r
- child=XMLHelper::getFirstChildElement(e,Applications);\r
+ child=XMLHelper::getLastChildElement(e,Applications);\r
if (!child) {\r
log.fatal("can't build default Application object, missing conf:Applications element?");\r
throw ConfigurationException("can't build default Application object, missing conf:Applications element?");\r
child = XMLHelper::getFirstChildElement(child,_Application);\r
while (child) {\r
auto_ptr<XMLApplication> iapp(new XMLApplication(m_outer,child,defapp));\r
- if (m_appmap.find(iapp->getId())!=m_appmap.end())\r
- log.crit("found conf:Application element with duplicate Id attribute (%s), skipping it", iapp->getId());\r
+ if (m_appmap.count(iapp->getId()))\r
+ log.crit("found conf:Application element with duplicate id attribute (%s), skipping it", iapp->getId());\r
else\r
m_appmap[iapp->getId()]=iapp.release();\r
\r
child = XMLHelper::getNextSiblingElement(child,_Application);\r
}\r
+\r
+ // Load security policies.\r
+ child = XMLHelper::getLastChildElement(e,SecurityPolicies);\r
+ if (child) {\r
+ auto_ptr_char def(child->getAttributeNS(NULL,_default));\r
+ m_policyDefault = def.get();\r
+ child = XMLHelper::getFirstChildElement(child,Policy);\r
+ while (child) {\r
+ auto_ptr_char id(child->getAttributeNS(NULL,_id));\r
+ vector<const SecurityPolicyRule*>& rules = m_policyMap[id.get()];\r
+ const DOMElement* rule = XMLHelper::getFirstChildElement(child,Rule);\r
+ while (rule) {\r
+ auto_ptr_char type(rule->getAttributeNS(NULL,_type));\r
+ try {\r
+ rules.push_back(samlConf.SecurityPolicyRuleManager.newPlugin(type.get(),rule));\r
+ }\r
+ catch (exception& ex) {\r
+ log.crit("error instantiating policy rule (%s) in policy (%s): %s", type.get(), id.get(), ex.what());\r
+ }\r
+ rule = XMLHelper::getNextSiblingElement(rule,Rule);\r
+ }\r
+ child = XMLHelper::getNextSiblingElement(child,Policy);\r
+ }\r
+ if (!m_policyMap.count(m_policyDefault))\r
+ throw ConfigurationException("Default security policy ($1) not found in conf:SecurityPolicies element.", params(1,m_policyDefault.c_str()));\r
+ }\r
}\r
catch (exception&) {\r
this->~XMLConfigImpl();\r
{\r
for_each(m_appmap.begin(),m_appmap.end(),cleanup_pair<string,Application>());\r
for_each(m_credResolverMap.begin(),m_credResolverMap.end(),cleanup_pair<string,CredentialResolver>());\r
+ for (map< string,vector<const SecurityPolicyRule*> >::iterator i=m_policyMap.begin(); i!=m_policyMap.end(); ++i)\r
+ for_each(i->second.begin(), i->second.end(), xmltooling::cleanup<SecurityPolicyRule>());\r
delete m_requestMapper;\r
if (m_document)\r
m_document->release();\r
void SHIBSP_API registerPKIXTrustEngine();
/** TrustEngine based on Shibboleth PKIX metadata extension. */
- #define SHIBBOLETH_PKIX_TRUSTENGINE "edu.internet2.middleware.shibboleth.security.provider.PKIXTrustEngine"
+ #define SHIBBOLETH_PKIX_TRUSTENGINE "PKIX"
};
#endif /* __shibsp_pkixtrust_h__ */
}
}
if (ns.get()) {
- remap=remapper->find(ns.get());
- if (remap!=remapper->end())
+ if (remapper && (remap=remapper->find(ns.get()))!=remapper->end())
m_map[string("{") + remap->second.c_str() + '}' + realname]=pair<char*,const XMLCh*>(val,a->getNodeValue());
else
m_map[string("{") + ns.get() + '}' + realname]=pair<char*,const XMLCh*>(val,a->getNodeValue());
}
string key;
if (ns.get()) {
- remap=remapper->find(ns.get());
- if (remap!=remapper->end())
+ if (remapper && (remap=remapper->find(ns.get()))!=remapper->end())
key=string("{") + remap->second.c_str() + '}' + realname;
else
key=string("{") + ns.get() + '}' + realname;
chDigit_2, chPeriod, chDigit_0, chNull\r
};\r
\r
-const XMLCh shibspconstants::SHIB1SPCONFIG_NS[] = // urn:mace:shibboleth:target:config:1.0\r
-{ chLatin_u, chLatin_r, chLatin_n, chColon, chLatin_m, chLatin_a, chLatin_c, chLatin_e, chColon,\r
- chLatin_s, chLatin_h, chLatin_i, chLatin_b, chLatin_b, chLatin_o, chLatin_l, chLatin_e, chLatin_t, chLatin_h, chColon,\r
- chLatin_t, chLatin_a, chLatin_r, chLatin_g, chLatin_e, chLatin_t, chColon,\r
- chLatin_c, chLatin_o, chLatin_n, chLatin_f, chLatin_i, chLatin_g, chColon,\r
- chDigit_1, chPeriod, chDigit_0, chNull\r
-};\r
-\r
const XMLCh shibspconstants::SHIB1_ATTRIBUTE_NAMESPACE_URI[] = // urn:mace:shibboleth:1.0:attributeNamespace:uri\r
{ chLatin_u, chLatin_r, chLatin_n, chColon, chLatin_m, chLatin_a, chLatin_c, chLatin_e, chColon,\r
chLatin_s, chLatin_h, chLatin_i, chLatin_b, chLatin_b, chLatin_o, chLatin_l, chLatin_e, chLatin_t, chLatin_h, chColon,\r
/** Shibboleth 2.0 SP configuration namespace ("urn:mace:shibboleth:sp:config:2.0") */
extern SHIBSP_API const XMLCh SHIB2SPCONFIG_NS[];
- /** Shibboleth 1.x "target" (SP) configuration namespace ("urn:mace:shibboleth:target:config:1.0") */
- extern SHIBSP_API const XMLCh SHIB1SPCONFIG_NS[];
-
/** Shibboleth 1.x Protocol Enumeration constant ("urn:mace:shibboleth:1.0") */
extern SHIBSP_API const XMLCh SHIB1_PROTOCOL_ENUM[];