<attribute name="homeURL" type="anyURI" default="/"/>\r
<attribute name="REMOTE_USER" type="conf:listOfStrings"/>\r
<attribute name="unsetHeaders" type="conf:listOfStrings"/>\r
+ <attribute name="metadataAttributePrefix" type="conf:string"/>\r
<attribute name="redirectErrors" type="anyURI"/>\r
<attribute name="localLogout" type="anyURI"/>\r
<attribute name="globalLogout" type="anyURI"/>\r
#include "internal.h"
#include "Application.h"
+#include "SPRequest.h"
+#include "ServiceProvider.h"
+#include "attribute/Attribute.h"
+#include "remoting/ListenerService.h"
+
+#include <algorithm>
using namespace shibsp;
+using namespace xmltooling;
using namespace std;
+Application::Application(const ServiceProvider* sp) : m_sp(sp), m_lock(RWLock::create())
+{
+}
+
+Application::~Application()
+{
+ delete m_lock;
+ for (map< string,multimap<string,const Attribute*> >::iterator i = m_entityAttributes.begin(); i!=m_entityAttributes.end(); ++i)
+ for_each(i->second.begin(), i->second.end(), cleanup_const_pair<string,Attribute>());
+}
+
pair<string,const char*> Application::getCookieNameProps(const char* prefix) const
{
static const char* defProps="; path=/";
// Shouldn't happen, but just in case..
return pair<string,const char*>(prefix,defProps);
}
+
+void Application::clearAttributeHeaders(SPRequest& request) const
+{
+ if (SPConfig::getConfig().isEnabled(SPConfig::OutOfProcess)) {
+ for (vector< pair<string,string> >::const_iterator i = m_unsetHeaders.begin(); i!=m_unsetHeaders.end(); ++i)
+ request.clearHeader(i->first.c_str(), i->second.c_str());
+ return;
+ }
+
+ m_lock->rdlock();
+ if (m_unsetHeaders.empty()) {
+ // No headers yet, so we have to request them from the remote half.
+ m_lock->unlock();
+ m_lock->wrlock();
+ if (m_unsetHeaders.empty()) {
+ SharedLock wrlock(m_lock, false);
+ string addr=string(getId()) + "::getHeaders::Application";
+ DDF out,in = DDF(addr.c_str());
+ DDFJanitor jin(in),jout(out);
+ out = getServiceProvider().getListenerService()->send(in);
+ if (out.islist()) {
+ DDF header = out.first();
+ while (header.isstring()) {
+ m_unsetHeaders.push_back(pair<string,string>(header.name(),header.string()));
+ header = out.next();
+ }
+ }
+ }
+ else {
+ m_lock->unlock();
+ }
+ m_lock->rdlock();
+ }
+
+ // Now holding read lock.
+ SharedLock unsetLock(m_lock, false);
+ for (vector< pair<string,string> >::const_iterator i = m_unsetHeaders.begin(); i!=m_unsetHeaders.end(); ++i)
+ request.clearHeader(i->first.c_str(), i->second.c_str());
+}
+
+const multimap<string,const Attribute*>& Application::getEntityAttributes(const char* entityID) const
+{
+ // TODO
+ return m_entityAttributes[entityID];
+}
# include <xmltooling/security/TrustEngine.h>
#endif
#include <xmltooling/io/HTTPRequest.h>
+#include <xmltooling/util/Threads.h>
namespace shibsp {
class SHIBSP_API AttributeFilter;
class SHIBSP_API AttributeResolver;
#endif
+ class SHIBSP_API Attribute;
class SHIBSP_API Handler;
class SHIBSP_API ServiceProvider;
class SHIBSP_API SessionInitiator;
class SHIBSP_API SPRequest;
+#if defined (_MSC_VER)
+ #pragma warning( push )
+ #pragma warning( disable : 4251 )
+#endif
+
/**
* Interface to a Shibboleth Application instance.
*
{
MAKE_NONCOPYABLE(Application);
protected:
- Application() {}
+ /**
+ * Constructor.
+ *
+ * @param sp parent ServiceProvider instance
+ */
+ Application(const ServiceProvider* sp);
+
+ /** Pointer to parent SP instance. */
+ const ServiceProvider* m_sp;
+
+ /** Shared lock for manipulating application state. */
+ mutable xmltooling::RWLock* m_lock;
+
+ /** Cache of entity attributes. */
+ mutable std::map< std::string,std::multimap<std::string,const Attribute*> > m_entityAttributes;
+
+ /** Pairs of raw and normalized CGI header names to clear. */
+ mutable std::vector< std::pair<std::string,std::string> > m_unsetHeaders;
+
public:
- virtual ~Application() {}
+ virtual ~Application();
/**
* Returns the owning ServiceProvider instance.
*
* @return a locked ServiceProvider
*/
- virtual const ServiceProvider& getServiceProvider() const=0;
+ const ServiceProvider& getServiceProvider() const {
+ return *m_sp;
+ }
/**
* Returns the Application's ID.
*
* @return the ID
*/
- virtual const char* getId() const=0;
+ virtual const char* getId() const {
+ return getString("id").second;
+ }
/**
* Returns a unique hash for the Application.
*
* @param request SP request to clear
*/
- virtual void clearAttributeHeaders(SPRequest& request) const=0;
+ virtual void clearAttributeHeaders(SPRequest& request) const;
+
+ /**
+ * Returns an indexed set of attributes associated with an entity (as opposed to a user).
+ *
+ * @param entityID unique ID of entity
+ * @return a map of attributes keyed by their ID
+ */
+ virtual const std::multimap<std::string,const Attribute*>& getEntityAttributes(const char* entityID) const;
/**
* Returns the default SessionInitiator when automatically requesting a session.
*/
virtual const Handler* getHandler(const char* path) const=0;
};
+
+#if defined (_MSC_VER)
+ #pragma warning( pop )
+#endif
+
};
#endif /* __shibsp_app_h__ */
}
request.setHeader(a->first.c_str(), header.c_str());
}
+
+ // Maybe export metadata attributes.
+ pair<bool,const char*> prefix = app->getString("metadataAttributePrefix");
+ if (prefix.first && session->getEntityID()) {
+ const multimap<string,const Attribute*>& eattributes = app->getEntityAttributes(session->getEntityID());
+ for (multimap<string,const Attribute*>::const_iterator a = eattributes.begin(); a!=eattributes.end(); ++a) {
+ string hname = string(prefix.second) + a->first;
+ string header(request.getSecureHeader(hname.c_str()));
+ const vector<string>& vals = a->second->getSerializedValues();
+ for (vector<string>::const_iterator v = vals.begin(); v!=vals.end(); ++v) {
+ if (!header.empty())
+ header += ";";
+ string::size_type pos = v->find_first_of(';',string::size_type(0));
+ if (pos!=string::npos) {
+ string value(*v);
+ for (; pos != string::npos; pos = value.find_first_of(';',pos)) {
+ value.insert(pos, "\\");
+ pos += 2;
+ }
+ header += value;
+ }
+ else {
+ header += (*v);
+ }
+ }
+ request.setHeader(hname.c_str(), header.c_str());
+ }
+ }
return make_pair(false,0);
}
const vector<const Assertion*>* tokens
) const
{
- const saml2md::EntityDescriptor* entity = dynamic_cast<const saml2md::EntityDescriptor*>(issuer->getParent());
-
// First we do the extraction of any pushed information, including from metadata.
vector<Attribute*> resolvedAttributes;
AttributeExtractor* extractor = application.getAttributeExtractor();
if (extractor) {
Locker extlocker(extractor);
- if (entity) {
- m_log.debug("extracting metadata-derived attributes...");
- try {
- extractor->extractAttributes(application, issuer, *entity, resolvedAttributes);
- }
- catch (exception& ex) {
- m_log.error("caught exception extracting attributes: %s", ex.what());
- }
- }
m_log.debug("extracting pushed attributes...");
if (v1nameid) {
try {
auto_ptr<ResolutionContext> ctx(
resolver->createResolutionContext(
application,
- entity,
+ issuer ? dynamic_cast<const saml2md::EntityDescriptor*>(issuer->getParent()) : NULL,
protocol,
nameid,
authncontext_class,
#include "ServiceProvider.h"
#include "SessionCache.h"
#include "SPConfig.h"
-#include "SPRequest.h"
#include "handler/SessionInitiator.h"
#include "remoting/ListenerService.h"
#include "util/DOMPropertySet.h"
XMLApplication(const ServiceProvider*, const DOMElement* e, const XMLApplication* base=NULL);
~XMLApplication() { cleanup(); }
- // Application
- const ServiceProvider& getServiceProvider() const {return *m_sp;}
- const char* getId() const {return getString("id").second;}
const char* getHash() const {return m_hash.c_str();}
#ifndef SHIBSP_LITE
return (m_remoteUsers.empty() && m_base) ? m_base->getRemoteUserAttributeIds() : m_remoteUsers;
}
- void clearAttributeHeaders(SPRequest& request) const;
const SessionInitiator* getDefaultSessionInitiator() const;
const SessionInitiator* getSessionInitiatorById(const char* id) const;
const Handler* getDefaultAssertionConsumerService() const;
private:
void cleanup();
- const ServiceProvider* m_sp; // this is ok because its locking scope includes us
const XMLApplication* m_base;
string m_hash;
#ifndef SHIBSP_LITE
map<const XMLCh*,PropertySet*> m_partyMap;
#endif
#endif
+ std::set<std::string> m_remoteUsers;
vector<string> m_frontLogout,m_backLogout;
- set<string> m_remoteUsers;
- mutable vector< pair<string,string> > m_unsetHeaders;
- RWLock* m_unsetLock;
// manage handler objects
vector<Handler*> m_handlers;
const ServiceProvider* sp,
const DOMElement* e,
const XMLApplication* base
- ) : m_sp(sp), m_base(base),
+ ) : Application(sp), m_base(base),
#ifndef SHIBSP_LITE
m_metadata(NULL), m_trust(NULL),
m_attrExtractor(NULL), m_attrFilter(NULL), m_attrResolver(NULL),
m_credResolver(NULL), m_partyDefault(NULL),
#endif
- m_unsetLock(NULL), m_acsDefault(NULL), m_sessionInitDefault(NULL), m_artifactResolutionDefault(NULL)
+ m_acsDefault(NULL), m_sessionInitDefault(NULL), m_artifactResolutionDefault(NULL)
{
#ifdef _DEBUG
xmltooling::NDC ndc("XMLApplication");
attributes = getString("unsetHeaders");
if (attributes.first) {
+ string transformedprefix("HTTP_");
+ const char* pch;
+ pair<bool,const char*> prefix = getString("metadataAttributePrefix");
+ if (prefix.first) {
+ pch = prefix.second;
+ while (*pch) {
+ transformedprefix += (isalnum(*pch) ? toupper(*pch) : '_');
+ pch++;
+ }
+ }
char* dup = strdup(attributes.second);
char* pos;
char* start = dup;
if (pos)
*pos=0;
- string transformed("HTTP_");
- const char* pch = start;
+ string transformed;
+ pch = start;
while (*pch) {
transformed += (isalnum(*pch) ? toupper(*pch) : '_');
pch++;
}
- m_unsetHeaders.push_back(pair<string,string>(start,transformed));
+ m_unsetHeaders.push_back(pair<string,string>(start,string("HTTP_") + transformed));
+ if (prefix.first)
+ m_unsetHeaders.push_back(pair<string,string>(string(prefix.second) + start, transformedprefix + transformed));
start = pos ? pos+1 : NULL;
}
free(dup);
m_unsetHeaders.push_back(pair<string,string>("Shib-Application-ID","HTTP_SHIB_APPLICATION_ID"));
}
else {
+ string transformedprefix("HTTP_");
+ const char* pch;
+ pair<bool,const char*> prefix = getString("metadataAttributePrefix");
+ if (prefix.first) {
+ pch = prefix.second;
+ while (*pch) {
+ transformedprefix += (isalnum(*pch) ? toupper(*pch) : '_');
+ pch++;
+ }
+ }
for (vector<string>::const_iterator hdr = unsetHeaders.begin(); hdr!=unsetHeaders.end(); ++hdr) {
- string transformed("HTTP_");
- const char* pch = hdr->c_str();
+ string transformed;
+ pch = hdr->c_str();
while (*pch) {
transformed += (isalnum(*pch) ? toupper(*pch) : '_');
pch++;
}
- m_unsetHeaders.push_back(pair<string,string>(*hdr,transformed));
+ m_unsetHeaders.push_back(pair<string,string>(*hdr, string("HTTP_") + transformed));
+ if (prefix.first)
+ m_unsetHeaders.push_back(pair<string,string>(string(prefix.second) + *hdr, transformedprefix + transformed));
}
m_unsetHeaders.push_back(pair<string,string>("Shib-Application-ID","HTTP_SHIB_APPLICATION_ID"));
}
}
#endif
- // In process only, we need a shared lock around accessing the header clearing list.
- if (!conf.isEnabled(SPConfig::OutOfProcess)) {
- m_unsetLock = RWLock::create();
- }
- else if (!conf.isEnabled(SPConfig::InProcess)) {
+ // Out of process only, we register a listener endpoint.
+ if (!conf.isEnabled(SPConfig::InProcess)) {
ListenerService* listener = sp->getListenerService(false);
if (listener) {
string addr=string(getId()) + "::getHeaders::Application";
string addr=string(getId()) + "::getHeaders::Application";
listener->unregListener(addr.c_str(),this);
}
- delete m_unsetLock;
- m_unsetLock = NULL;
for_each(m_handlers.begin(),m_handlers.end(),xmltooling::cleanup<Handler>());
m_handlers.clear();
#ifndef SHIBSP_LITE
return m_base ? m_base->getHandler(path) : NULL;
}
-void XMLApplication::clearAttributeHeaders(SPRequest& request) const
-{
- if (SPConfig::getConfig().isEnabled(SPConfig::OutOfProcess)) {
- for (vector< pair<string,string> >::const_iterator i = m_unsetHeaders.begin(); i!=m_unsetHeaders.end(); ++i)
- request.clearHeader(i->first.c_str(), i->second.c_str());
- return;
- }
-
- m_unsetLock->rdlock();
- if (m_unsetHeaders.empty()) {
- // No headers yet, so we have to request them from the remote half.
- m_unsetLock->unlock();
- m_unsetLock->wrlock();
- if (m_unsetHeaders.empty()) {
- SharedLock wrlock(m_unsetLock, false);
- string addr=string(getId()) + "::getHeaders::Application";
- DDF out,in = DDF(addr.c_str());
- DDFJanitor jin(in),jout(out);
- out = getServiceProvider().getListenerService()->send(in);
- if (out.islist()) {
- DDF header = out.first();
- while (header.isstring()) {
- m_unsetHeaders.push_back(pair<string,string>(header.name(),header.string()));
- header = out.next();
- }
- }
- }
- else {
- m_unsetLock->unlock();
- }
- m_unsetLock->rdlock();
- }
-
- // Now holding read lock.
- SharedLock unsetLock(m_unsetLock, false);
- for (vector< pair<string,string> >::const_iterator i = m_unsetHeaders.begin(); i!=m_unsetHeaders.end(); ++i)
- request.clearHeader(i->first.c_str(), i->second.c_str());
-}
-
short XMLConfigImpl::acceptNode(const DOMNode* node) const
{
if (!XMLString::equals(node->getNamespaceURI(),shibspconstants::SHIB2SPCONFIG_NS))