#include <unistd.h> // for getpid()
#endif
-using namespace std;
-using namespace saml;
-using namespace shibboleth;
using namespace shibtarget;
+using namespace shibboleth;
+using namespace saml;
+using namespace std;
extern "C" module MODULE_VAR_EXPORT mod_shib;
ShibTargetConfig* g_Config = NULL;
string g_unsetHeaderValue;
bool g_checkSpoofing = true;
+ bool g_catchAll = true;
static const char* g_UserDataKey = "_shib_check_user_";
}
extern "C" int shib_check_user(request_rec* r)
{
- // Short-circuit entirely?
- if (((shib_dir_config*)ap_get_module_config(r->per_dir_config, &mod_shib))->bOff==1)
- return DECLINED;
+ // Short-circuit entirely?
+ if (((shib_dir_config*)ap_get_module_config(r->per_dir_config, &mod_shib))->bOff==1)
+ return DECLINED;
+
+ ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,SH_AP_R(r), "shib_check_user(%d): ENTER", (int)getpid());
- ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,SH_AP_R(r), "shib_check_user(%d): ENTER", (int)getpid());
-
- ostringstream threadid;
- threadid << "[" << getpid() << "] shib_check_user" << '\0';
- saml::NDC ndc(threadid.str().c_str());
-
- try {
- ShibTargetApache sta(r, false);
-
- // Check user authentication and export information, then set the handler bypass
- pair<bool,void*> res = sta.doCheckAuthN(true);
- apr_pool_userdata_setn((const void*)42,g_UserDataKey,NULL,r->pool);
- if (res.first) return (int)(long)res.second;
-
- // user auth was okay -- export the assertions now
- res = sta.doExportAssertions();
- if (res.first) return (int)(long)res.second;
-
- // export happened successfully.. this user is ok.
- return OK;
- }
- catch (SAMLException& e) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, SH_AP_R(r), "shib_check_user threw an exception: %s", e.what());
- return SERVER_ERROR;
- }
-#ifndef _DEBUG
- catch (...) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, SH_AP_R(r), "shib_check_user threw an uncaught exception!");
- return SERVER_ERROR;
- }
-#endif
+ ostringstream threadid;
+ threadid << "[" << getpid() << "] shib_check_user" << '\0';
+ saml::NDC ndc(threadid.str().c_str());
+
+ try {
+ ShibTargetApache sta(r, false);
+
+ // Check user authentication and export information, then set the handler bypass
+ pair<bool,void*> res = sta.doCheckAuthN(true);
+ apr_pool_userdata_setn((const void*)42,g_UserDataKey,NULL,r->pool);
+ if (res.first) return (int)(long)res.second;
+
+ // user auth was okay -- export the assertions now
+ res = sta.doExportAssertions();
+ if (res.first) return (int)(long)res.second;
+
+ // export happened successfully.. this user is ok.
+ return OK;
+ }
+ catch (exception& e) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, SH_AP_R(r), "shib_check_user threw an exception: %s", e.what());
+ return SERVER_ERROR;
+ }
+ catch (...) {
+ if (g_catchAll) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, SH_AP_R(r), "shib_check_user threw an uncaught exception!");
+ return SERVER_ERROR;
+ }
+ throw;
+ }
}
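Review bot: When `catchAll` is false, the `throw;` in the `catch (...)` arm lets an unknown exception leave this `extern "C"` hook without anything being logged, so the request that triggered it leaves no trace in the error log. The hook is presumably called from httpd's C code, which cannot unwind a C++ exception, so the likely outcome is an aborted child process on an authentication path. I would log unconditionally and gate only the return, by moving the `ap_log_rerror(... "shib_check_user threw an uncaught exception!")` call above `if (g_catchAll)`. A comment on `g_catchAll` would also help, such as `// debugging aid: false lets unknown exceptions escape the hooks; keep true in production`. The same arm appears in shib_handler and shib_auth_checker below, and in the ISAPI and NSAPI entry points, where the unknown-exception path writes no log entry at all.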
extern "C" int shib_handler(request_rec* r)
{
- // Short-circuit entirely?
- if (((shib_dir_config*)ap_get_module_config(r->per_dir_config, &mod_shib))->bOff==1)
- return DECLINED;
-
- ostringstream threadid;
- threadid << "[" << getpid() << "] shib_handler" << '\0';
- saml::NDC ndc(threadid.str().c_str());
+ // Short-circuit entirely?
+ if (((shib_dir_config*)ap_get_module_config(r->per_dir_config, &mod_shib))->bOff==1)
+ return DECLINED;
+
+ ostringstream threadid;
+ threadid << "[" << getpid() << "] shib_handler" << '\0';
+ saml::NDC ndc(threadid.str().c_str());
#ifndef SHIB_APACHE_13
- // With 2.x, this handler always runs, though last.
- // We check if shib_check_user ran, because it will detect a handler request
- // and dispatch it directly.
- void* data;
- apr_pool_userdata_get(&data,g_UserDataKey,r->pool);
- if (data==(const void*)42) {
- ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,SH_AP_R(r),"shib_handler skipped since check_user ran");
- return DECLINED;
- }
+ // With 2.x, this handler always runs, though last.
+ // We check if shib_check_user ran, because it will detect a handler request
+ // and dispatch it directly.
+ void* data;
+ apr_pool_userdata_get(&data,g_UserDataKey,r->pool);
+ if (data==(const void*)42) {
+ ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,SH_AP_R(r),"shib_handler skipped since check_user ran");
+ return DECLINED;
+ }
#endif
- ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,SH_AP_R(r),"shib_handler(%d): ENTER: %s", (int)getpid(), r->handler);
-
- try {
- ShibTargetApache sta(r, true);
+ ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,SH_AP_R(r),"shib_handler(%d): ENTER: %s", (int)getpid(), r->handler);
- pair<bool,void*> res = sta.doHandler();
- if (res.first) return (int)(long)res.second;
-
- ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, SH_AP_R(r), "doHandler() did not do anything.");
- return SERVER_ERROR;
- }
- catch (SAMLException& e) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, SH_AP_R(r), "shib_handler threw an exception: %s", e.what());
- return SERVER_ERROR;
- }
-#ifndef _DEBUG
- catch (...) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, SH_AP_R(r), "shib_handler threw an uncaught exception!");
- return SERVER_ERROR;
- }
-#endif
+ try {
+ ShibTargetApache sta(r, true);
+
+ pair<bool,void*> res = sta.doHandler();
+ if (res.first) return (int)(long)res.second;
+
+ ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, SH_AP_R(r), "doHandler() did not do anything.");
+ return SERVER_ERROR;
+ }
+ catch (exception& e) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, SH_AP_R(r), "shib_handler threw an exception: %s", e.what());
+ return SERVER_ERROR;
+ }
+ catch (...) {
+ if (g_catchAll) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, SH_AP_R(r), "shib_handler threw an uncaught exception!");
+ return SERVER_ERROR;
+ }
+ throw;
+ }
}
/*
*/
extern "C" int shib_auth_checker(request_rec* r)
{
- // Short-circuit entirely?
- if (((shib_dir_config*)ap_get_module_config(r->per_dir_config, &mod_shib))->bOff==1)
- return DECLINED;
-
- ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,SH_AP_R(r), "shib_auth_checker(%d): ENTER", (int)getpid());
-
- ostringstream threadid;
- threadid << "[" << getpid() << "] shib_auth_checker" << '\0';
- saml::NDC ndc(threadid.str().c_str());
-
- try {
- ShibTargetApache sta(r, false);
-
- pair<bool,void*> res = sta.doCheckAuthZ();
- if (res.first) return (int)(long)res.second;
-
- // We're all okay.
- return OK;
- }
- catch (SAMLException& e) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, SH_AP_R(r), "shib_auth_checker threw an exception: %s", e.what());
- return SERVER_ERROR;
- }
-#ifndef _DEBUG
- catch (...) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, SH_AP_R(r), "shib_auth_checker threw an uncaught exception!");
- return SERVER_ERROR;
- }
-#endif
+ // Short-circuit entirely?
+ if (((shib_dir_config*)ap_get_module_config(r->per_dir_config, &mod_shib))->bOff==1)
+ return DECLINED;
+
+ ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,SH_AP_R(r), "shib_auth_checker(%d): ENTER", (int)getpid());
+
+ ostringstream threadid;
+ threadid << "[" << getpid() << "] shib_auth_checker" << '\0';
+ saml::NDC ndc(threadid.str().c_str());
+
+ try {
+ ShibTargetApache sta(r, false);
+
+ pair<bool,void*> res = sta.doCheckAuthZ();
+ if (res.first) return (int)(long)res.second;
+
+ // We're all okay.
+ return OK;
+ }
+ catch (exception& e) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, SH_AP_R(r), "shib_auth_checker threw an exception: %s", e.what());
+ return SERVER_ERROR;
+ }
+ catch (...) {
+ if (g_catchAll) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, SH_AP_R(r), "shib_auth_checker threw an uncaught exception!");
+ return SERVER_ERROR;
+ }
+ throw;
+ }
}
// Access control plugin that enforces htaccess rules
ApacheRequestMapper::ApacheRequestMapper(const DOMElement* e) : m_mapper(NULL), m_staKey(NULL), m_propsKey(NULL), m_htaccess(NULL)
{
- IPlugIn* p=SAMLConfig::getConfig().getPlugMgr().newPlugin(shibtarget::XML::XMLRequestMapType,e);
+ IPlugIn* p=saml::SAMLConfig::getConfig().getPlugMgr().newPlugin(shibtarget::XML::XMLRequestMapType,e);
m_mapper=dynamic_cast<IRequestMapper*>(p);
if (!m_mapper) {
delete p;
ap_log_error(APLOG_MARK,APLOG_CRIT|APLOG_NOERRNO,SH_AP_R(s),"shib_child_init() failed to initialize libraries");
exit(1);
}
- SAMLConfig::getConfig().getPlugMgr().regFactory(shibtarget::XML::htAccessControlType,&htAccessFactory);
- SAMLConfig::getConfig().getPlugMgr().regFactory(shibtarget::XML::NativeRequestMapType,&ApacheRequestMapFactory);
+ PlugManager& mgr = SAMLConfig::getConfig().getPlugMgr();
+ mgr.regFactory(shibtarget::XML::htAccessControlType,&htAccessFactory);
+ mgr.regFactory(shibtarget::XML::NativeRequestMapType,&ApacheRequestMapFactory);
// We hijack the legacy type so that 1.2 config files will load this plugin
- SAMLConfig::getConfig().getPlugMgr().regFactory(shibtarget::XML::LegacyRequestMapType,&ApacheRequestMapFactory);
+ mgr.regFactory(shibtarget::XML::LegacyRequestMapType,&ApacheRequestMapFactory);
if (!g_Config->load(g_szSHIBConfig)) {
ap_log_error(APLOG_MARK,APLOG_CRIT|APLOG_NOERRNO,SH_AP_R(s),"shib_child_init() failed to load configuration");
}
IConfig* conf=g_Config->getINI();
- Locker locker(conf);
+ saml::Locker locker(conf);
const IPropertySet* props=conf->getPropertySet("Local");
if (props) {
pair<bool,const char*> unsetValue=props->getString("unsetHeaderValue");
if (unsetValue.first)
g_unsetHeaderValue = unsetValue.second;
- pair<bool,bool> checkSpoofing=props->getBool("checkSpoofing");
- if (checkSpoofing.first && !checkSpoofing.second)
- g_checkSpoofing = false;
+ pair<bool,bool> flag=props->getBool("checkSpoofing");
+ g_checkSpoofing = !flag.first || flag.second;
+ flag=props->getBool("catchAll");
+ g_catchAll = !flag.first || flag.second;
}
}
- catch (...) {
+ catch (exception&) {
ap_log_error(APLOG_MARK,APLOG_CRIT|APLOG_NOERRNO,SH_AP_R(s),"shib_child_init() failed to initialize system");
exit(1);
}
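Review bot: Narrowing `catch (...)` to `catch (exception&)` means anything not derived from std::exception that is thrown during child initialisation now skips the CRIT log line and the `exit(1)`, and escapes shib_child_init instead. Xerces exception classes, for example, are not std-derived. Unlike the request hooks, this path does not consult `g_catchAll`, so the escape is unconditional. Keeping a trailing `catch (...)` that logs and calls `exit(1)` after the new handler would preserve the previous behaviour. The ISAPI filter startup and NSAPI init hunks make the same change (in the NSAPI case the `g_Config=NULL` reset and `REQ_ABORTED` return are skipped too); the function itself starts outside this hunk.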
#include <fcgio.h>\r
\r
using namespace shibtarget;\r
-using namespace saml;\r
using namespace std;\r
\r
typedef enum {\r
server_port = strtol(server_port_str, &server_port_str, 10);\r
if (*server_port_str) {\r
cerr << "can't parse SERVER_PORT (" << FCGX_GetParam("SERVER_PORT", req->envp) << ")" << endl;\r
- throw SAMLException("Unable to determine server port.");\r
+ throw exception("Unable to determine server port.");\r
}\r
}\r
\r
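Review bot: `throw exception("Unable to determine server port.")` relies on a `std::exception(const char*)` constructor, which is a Microsoft library extension rather than standard C++. Assuming `exception` resolves to std::exception through the `using namespace std;` above, this will not compile against other standard libraries. `throw runtime_error("Unable to determine server port.");` (with `<stdexcept>`) carries the message portably and is still caught by the new `catch (exception& e)` handlers. The same applies to every `throw exception(...)` added in the FastCGI authorizer and responder hunks.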
}\r
\r
virtual string getPostData(void) {\r
- throw SAMLException("getPostData not implemented by FastCGI authorizer.");\r
+ throw exception("getPostData not implemented by FastCGI authorizer.");\r
}\r
\r
virtual void clearHeader(const string& name) {\r
const string& msg,\r
int code=200,\r
const string& content_type="text/html",\r
- const Iterator<header_t>& headers=EMPTY(header_t)) {\r
+ const saml::Iterator<header_t>& headers=EMPTY(header_t)) {\r
\r
string hdr = m_cookie + "Connection: close\r\nContent-type: " + content_type + "\r\n";\r
while (headers.hasNext()) {\r
exit(1);\r
}\r
}\r
- catch (...) {\r
- cerr << "exception while initializing Shibboleth configuration" << endl;\r
+ catch (exception& e) {\r
+ cerr << "exception while initializing Shibboleth configuration: " << e.what() << endl;\r
exit(1);\r
}\r
\r
print_ok(sta.m_headers);\r
\r
}\r
- catch (SAMLException& e) {\r
+ catch (exception& e) {\r
cerr << "shib: FastCGI authorizer caught an exception: " << e.what() << endl;\r
print_error("<html><body>FastCGI Shibboleth authorizer caught an exception, check log for details.</body></html>");\r
}\r
#include <fcgio.h>\r
\r
using namespace shibtarget;\r
-using namespace saml;\r
using namespace std;\r
\r
typedef enum {\r
server_port = strtol(server_port_str, &server_port_str, 10);\r
if (*server_port_str) {\r
cerr << "can't parse SERVER_PORT (" << FCGX_GetParam("SERVER_PORT", req->envp) << ")" << endl;\r
- throw SAMLException("Unable to determine server port.");\r
+ throw exception("Unable to determine server port.");\r
}\r
}\r
\r
}\r
\r
virtual void clearHeader(const string &name) {\r
- throw SAMLException("clearHeader not implemented by FastCGI responder.");\r
+ throw exception("clearHeader not implemented by FastCGI responder.");\r
}\r
\r
virtual void setHeader(const string &name, const string &value) {\r
- throw SAMLException("setHeader not implemented by FastCGI responder.");\r
+ throw exception("setHeader not implemented by FastCGI responder.");\r
}\r
\r
virtual string getHeader(const string &name) {\r
- throw SAMLException("getHeader not implemented by FastCGI responder.");\r
+ throw exception("getHeader not implemented by FastCGI responder.");\r
}\r
\r
virtual void setRemoteUser(const string &user) {\r
- throw SAMLException("setRemoteUser not implemented by FastCGI responder.");\r
+ throw exception("setRemoteUser not implemented by FastCGI responder.");\r
}\r
\r
virtual string getRemoteUser(void) {\r
- throw SAMLException("getRemoteUser not implemented by FastCGI responder.");\r
+ throw exception("getRemoteUser not implemented by FastCGI responder.");\r
}\r
\r
virtual void* sendPage(\r
const string& msg,\r
int code=200,\r
const string& content_type="text/html",\r
- const Iterator<header_t>& headers=EMPTY(header_t)) {\r
+ const saml::Iterator<header_t>& headers=EMPTY(header_t)) {\r
\r
string hdr = string ("Connection: close\r\nContent-type: ") + content_type + "\r\n" + m_cookie;\r
while (headers.hasNext()) {\r
exit(1);\r
}\r
}\r
- catch (...) {\r
- cerr << "exception while initializing Shibboleth configuration" << endl;\r
+ catch (exception& e) {\r
+ cerr << "exception while initializing Shibboleth configuration:" << e.what() << endl;\r
exit(1);\r
}\r
\r
} \r
\r
}\r
- catch (SAMLException& e) {\r
+ catch (exception& e) {\r
cerr << "shib: FastCGI responder caught an exception: " << e.what() << endl;\r
print_error("<html><body>FastCGI Shibboleth responder caught an exception, check log for details.</body></html>");\r
}\r
// globals
namespace {
+ static const XMLCh catchAll[] =
+ { chLatin_c, chLatin_a, chLatin_t, chLatin_c, chLatin_h, chLatin_A, chLatin_l, chLatin_l, chNull };
static const XMLCh name[] = { chLatin_n, chLatin_a, chLatin_m, chLatin_e, chNull };
static const XMLCh port[] = { chLatin_p, chLatin_o, chLatin_r, chLatin_t, chNull };
static const XMLCh sslport[] = { chLatin_s, chLatin_s, chLatin_l, chLatin_p, chLatin_o, chLatin_r, chLatin_t, chNull };
bool g_bNormalizeRequest = true;
string g_unsetHeaderValue;
bool g_checkSpoofing = true;
+ bool g_catchAll = true;
}
BOOL LogEvent(
return TRUE;
}
-#ifndef _DEBUG
- try
- {
-#endif
+ try {
LPCSTR schemadir=getenv("SHIBSCHEMAS");
if (!schemadir)
schemadir=SHIB_SCHEMAS;
pair<bool,const char*> unsetValue=props->getString("unsetHeaderValue");
if (unsetValue.first)
g_unsetHeaderValue = unsetValue.second;
- pair<bool,bool> checkSpoofing=props->getBool("checkSpoofing");
- if (checkSpoofing.first && !checkSpoofing.second)
- g_checkSpoofing = false;
+ pair<bool,bool> flag=props->getBool("checkSpoofing");
+ g_checkSpoofing = !flag.first || flag.second;
+ flag=props->getBool("checkAll");
+ g_catchAll = !flag.first || flag.second;
+
const DOMElement* impl=saml::XML::getFirstChildElement(
props->getElement(),shibtarget::XML::SHIBTARGET_NS,Implementation
);
if (impl && (impl=saml::XML::getFirstChildElement(impl,shibtarget::XML::SHIBTARGET_NS,ISAPI))) {
- const XMLCh* flag=impl->getAttributeNS(NULL,normalizeRequest);
- g_bNormalizeRequest=(!flag || !*flag || *flag==chDigit_1 || *flag==chLatin_t);
+ const XMLCh* ch=impl->getAttributeNS(NULL,normalizeRequest);
+ g_bNormalizeRequest=(!ch || !*ch || *ch==chDigit_1 || *ch==chLatin_t);
impl=saml::XML::getFirstChildElement(impl,shibtarget::XML::SHIBTARGET_NS,Site);
while (impl) {
auto_ptr_char id(impl->getAttributeNS(NULL,id));
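Review bot: The ISAPI filter reads the new setting with `props->getBool("checkAll")`, but the schema attribute added in this commit, and the Apache and NSAPI modules, use `catchAll`. As written, `g_catchAll` stays true whatever the administrator sets for `catchAll`, and would instead follow an attribute named `checkAll` if one were present. The line should read `flag=props->getBool("catchAll");`. The enclosing startup function begins and ends outside this hunk.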
}
}
}
-#ifndef _DEBUG
}
- catch (...)
- {
+ catch (exception&) {
LogEvent(NULL, EVENTLOG_ERROR_TYPE, 2100, NULL, "Filter startup failed with an exception.");
return FALSE;
}
-#endif
pVer->dwFilterVersion=HTTP_FILTER_REVISION;
strncpy(pVer->lpszFilterDesc,"Shibboleth ISAPI Filter",SF_MAX_FILTER_DESC_LEN);
extern "C" DWORD WINAPI HttpFilterProc(PHTTP_FILTER_CONTEXT pfc, DWORD notificationType, LPVOID pvNotification)
{
// Is this a log notification?
- if (notificationType==SF_NOTIFY_LOG)
- {
+ if (notificationType==SF_NOTIFY_LOG) {
if (pfc->pFilterContext)
((PHTTP_FILTER_LOG)pvNotification)->pszClientUserName=static_cast<LPCSTR>(pfc->pFilterContext);
return SF_STATUS_REQ_NEXT_NOTIFICATION;
}
PHTTP_FILTER_PREPROC_HEADERS pn=(PHTTP_FILTER_PREPROC_HEADERS)pvNotification;
- try
- {
+ try {
// Determine web site number. This can't really fail, I don't think.
dynabuf buf(128);
GetServerVariable(pfc,"INSTANCE_ID",buf,10);
else
return WriteClientError(pfc,"Shibboleth Filter detected unexpected IIS error.");
}
- catch (SAMLException& e) {
+ catch (exception& e) {
LogEvent(NULL, EVENTLOG_ERROR_TYPE, 2100, NULL, e.what());
return WriteClientError(pfc,"Shibboleth Filter caught an exception, ask administrator to check Event Log for details.");
}
-#ifndef _DEBUG
catch(...) {
- return WriteClientError(pfc,"Shibboleth Filter caught an unknown exception.");
+ if (g_catchAll)
+ return WriteClientError(pfc,"Shibboleth Filter caught an unknown exception.");
+ throw;
}
-#endif
return WriteClientError(pfc,"Shibboleth Filter reached unreachable code, save my walrus!");
}
else
return WriteClientError(lpECB,"Server detected unexpected IIS error.");
}
- catch (SAMLException& e) {
+ catch (exception& e) {
LogEvent(NULL, EVENTLOG_ERROR_TYPE, 2100, NULL, e.what());
return WriteClientError(lpECB,"Shibboleth Extension caught an exception, check Event Log for details.");
}
-#ifndef _DEBUG
catch(...) {
- return WriteClientError(lpECB,"Shibboleth Extension caught an unknown exception.");
+ if (g_catchAll)
+ return WriteClientError(lpECB,"Shibboleth Extension caught an unknown exception.");
+ throw;
}
-#endif
// If we get here we've got an error.
return HSE_STATUS_ERROR;
string g_ServerScheme;
string g_unsetHeaderValue;
bool g_checkSpoofing = true;
+ bool g_catchAll = true;
}
PlugManager::Factory SunRequestMapFactory;
log_error(LOG_INFORM,"nsapi_shib_init",sn,rq,"nsapi_shib loaded for host (%s)",g_ServerName.c_str());
-#ifndef _DEBUG
try {
-#endif
const char* schemadir=pblock_findval("shib-schemas",pb);
if (!schemadir)
schemadir=getenv("SHIBSCHEMAS");
pair<bool,const char*> unsetValue=props->getString("unsetHeaderValue");
if (unsetValue.first)
g_unsetHeaderValue = unsetValue.second;
- pair<bool,bool> checkSpoofing=props->getBool("checkSpoofing");
- if (checkSpoofing.first && !checkSpoofing.second)
- g_checkSpoofing = false;
+ pair<bool,bool> flag=props->getBool("checkSpoofing");
+ g_checkSpoofing = !flag.first || flag.second;
+ flag=props->getBool("catchAll");
+ g_catchAll = !flag.first || flag.second;
}
-#ifndef _DEBUG
}
- catch (...) {
+ catch (exception&) {
g_Config=NULL;
pblock_nvinsert("error","caught exception, unable to initialize Shibboleth libraries",pb);
return REQ_ABORTED;
}
-#endif
return REQ_PROCEED;
}
#define FUNC "shibboleth"
extern "C" NSAPI_PUBLIC int nsapi_shib(pblock* pb, Session* sn, Request* rq)
{
- ostringstream threadid;
- threadid << "[" << getpid() << "] nsapi_shib" << '\0';
- saml::NDC ndc(threadid.str().c_str());
-
- try {
- ShibTargetNSAPI stn(pb, sn, rq);
-
- // Check user authentication
- pair<bool,void*> res = stn.doCheckAuthN();
- if (res.first) return (int)res.second;
-
- // user authN was okay -- export the assertions now
- param_free(pblock_remove("auth-user",rq->vars));
- // This seems to be required in order to eventually set
- // the auth-user var.
- pblock_nvinsert("auth-type","shibboleth",rq->vars);
- res = stn.doExportAssertions();
- if (res.first) return (int)res.second;
-
- // Check the Authorization
- res = stn.doCheckAuthZ();
- if (res.first) return (int)res.second;
-
- // this user is ok.
- return REQ_PROCEED;
- }
- catch (SAMLException& e) {
- log_error(LOG_FAILURE,FUNC,sn,rq,const_cast<char*>(e.what()));
- return WriteClientError(sn, rq, FUNC, "Shibboleth filter threw an exception, see web server log for error.");
- }
-#ifndef _DEBUG
- catch (...) {
- return WriteClientError(sn, rq, FUNC, "Shibboleth filter threw an uncaught exception.");
- }
-#endif
+ ostringstream threadid;
+ threadid << "[" << getpid() << "] nsapi_shib" << '\0';
+ saml::NDC ndc(threadid.str().c_str());
+
+ try {
+ ShibTargetNSAPI stn(pb, sn, rq);
+
+ // Check user authentication
+ pair<bool,void*> res = stn.doCheckAuthN();
+ if (res.first) return (int)res.second;
+
+ // user authN was okay -- export the assertions now
+ param_free(pblock_remove("auth-user",rq->vars));
+ // This seems to be required in order to eventually set
+ // the auth-user var.
+ pblock_nvinsert("auth-type","shibboleth",rq->vars);
+ res = stn.doExportAssertions();
+ if (res.first) return (int)res.second;
+
+ // Check the Authorization
+ res = stn.doCheckAuthZ();
+ if (res.first) return (int)res.second;
+
+ // this user is ok.
+ return REQ_PROCEED;
+ }
+ catch (exception& e) {
+ log_error(LOG_FAILURE,FUNC,sn,rq,const_cast<char*>(e.what()));
+ return WriteClientError(sn, rq, FUNC, "Shibboleth filter threw an exception, see web server log for error.");
+ }
+ catch (...) {
+ if (g_catchAll)
+ return WriteClientError(sn, rq, FUNC, "Shibboleth filter threw an uncaught exception.");
+ throw;
+ }
}
#define FUNC "shib_handler"
extern "C" NSAPI_PUBLIC int shib_handler(pblock* pb, Session* sn, Request* rq)
{
- ostringstream threadid;
- threadid << "[" << getpid() << "] shib_handler" << '\0';
- saml::NDC ndc(threadid.str().c_str());
-
- try {
- ShibTargetNSAPI stn(pb, sn, rq);
-
- pair<bool,void*> res = stn.doHandler();
- if (res.first) return (int)res.second;
-
- return WriteClientError(sn, rq, FUNC, "Shibboleth handler did not do anything.");
- }
- catch (SAMLException& e) {
- log_error(LOG_FAILURE,FUNC,sn,rq,const_cast<char*>(e.what()));
- return WriteClientError(sn, rq, FUNC, "Shibboleth handler threw an exception, see web server log for error.");
- }
-#ifndef _DEBUG
- catch (...) {
- return WriteClientError(sn, rq, FUNC, "Shibboleth handler threw an unknown exception.");
- }
-#endif
+ ostringstream threadid;
+ threadid << "[" << getpid() << "] shib_handler" << '\0';
+ saml::NDC ndc(threadid.str().c_str());
+
+ try {
+ ShibTargetNSAPI stn(pb, sn, rq);
+
+ pair<bool,void*> res = stn.doHandler();
+ if (res.first) return (int)res.second;
+
+ return WriteClientError(sn, rq, FUNC, "Shibboleth handler did not do anything.");
+ }
+ catch (exception& e) {
+ log_error(LOG_FAILURE,FUNC,sn,rq,const_cast<char*>(e.what()));
+ return WriteClientError(sn, rq, FUNC, "Shibboleth handler threw an exception, see web server log for error.");
+ }
+ catch (...) {
+ if (g_catchAll)
+ return WriteClientError(sn, rq, FUNC, "Shibboleth handler threw an unknown exception.");
+ throw;
+ }
}
<attribute name="localRelayState" type="boolean" use="optional" default="false"/>
<attribute name="unsetHeaderValue" type="string" use="optional"/>
<attribute name="checkSpoofing" type="boolean" use="optional"/>
+ <attribute name="catchAll" type="boolean" use="optional"/>
<anyAttribute namespace="##other" processContents="lax"/>
</complexType>
# define strcasecmp stricmp
#endif
-using namespace std;
-using namespace saml;
-using namespace shibboleth;
-using namespace shibtarget;
using namespace shibtarget::logging;
+using namespace shibtarget;
+using namespace shibboleth;
+using namespace saml;
+using namespace std;
namespace shibtarget {
class ShibTargetPriv
catch (SAMLException& e) {
mlp.insert(e);
}
-#ifndef _DEBUG
- catch (...) {
- mlp.insert("errorText", "Caught an unknown exception.");
+ catch (exception& e) {
+ mlp.insert("errorText", e.what());
}
-#endif
// If we get here then we've got an error.
mlp.insert("errorType", procState);
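Review bot: `mlp.insert("errorText", e.what())` now passes the raw message of any std::exception into the error template, where the removed handler used a fixed string. If `mlp` is rendered to the browser, which the surrounding `errorType` insert suggests but this hunk does not show, that can expose internal detail such as paths, hostnames or library messages to unauthenticated clients, and the text needs escaping unless the template layer already does it. Logging `e.what()` server-side and keeping a generic `errorText` would avoid both. With `catch (...)` removed, non-std exceptions also now propagate to the caller. The three later hunks in this file repeat the pattern.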
catch (SAMLException& e) {
mlp.insert(e);
}
-#ifndef _DEBUG
- catch (...) {
- mlp.insert("errorText", "Caught an unknown exception.");
+ catch (exception& e) {
+ mlp.insert("errorText", e.what());
}
-#endif
// If we get here then we've got an error.
mlp.insert("errorType", procState);
catch (SAMLException& e) {
mlp.insert(e);
}
-#ifndef _DEBUG
- catch (...) {
- mlp.insert("errorText", "Caught an unknown exception.");
+ catch (exception& e) {
+ mlp.insert("errorText", e.what());
}
-#endif
// If we get here then we've got an error.
mlp.insert("errorType", procState);
catch (SAMLException& e) {
mlp.insert(e);
}
-#ifndef _DEBUG
- catch (...) {
- mlp.insert("errorText", "Caught an unknown exception.");
+ catch (exception& e) {
+ mlp.insert("errorText", e.what());
}
-#endif
// If we get here then we've got an error.
mlp.insert("errorType", procState);