From: Scott Cantor Date: Sun, 29 Apr 2012 22:53:52 +0000 (+0000) Subject: Option to enable SSPCPP-437 X-Git-Tag: 2.5.0~127 X-Git-Url: http://www.project-moonshot.org/gitweb/?p=shibboleth%2Fcpp-sp.git;a=commitdiff_plain;h=2719fe66897c8ae954c70f557c29ab7126ec72b5 Option to enable SSPCPP-437 --- diff --git a/schemas/shibboleth-2.0-native-sp-config.xsd b/schemas/shibboleth-2.0-native-sp-config.xsd index 963d600..43d86dc 100644 --- a/schemas/shibboleth-2.0-native-sp-config.xsd +++ b/schemas/shibboleth-2.0-native-sp-config.xsd @@ -465,6 +465,7 @@ + diff --git a/shibsp/binding/impl/ArtifactResolver.cpp b/shibsp/binding/impl/ArtifactResolver.cpp index bfdc867..73aac7e 100644 --- a/shibsp/binding/impl/ArtifactResolver.cpp +++ b/shibsp/binding/impl/ArtifactResolver.cpp @@ -162,6 +162,9 @@ ArtifactResponse* ArtifactResolver::resolve( ep_end = ep_start + 1; } + const PropertySet* rp = sppolicy.getApplication().getRelyingParty(dynamic_cast(ssoDescriptor.getParent())); + pair artifactByFilesystem = rp->getBool("artifactByFilesystem"); + for (vector::const_iterator ep = ep_start; !response && ep != ep_end; ++ep) { try { if (XMLString::equals((*ep)->getBinding(), binding.get())) { @@ -170,7 +173,7 @@ ArtifactResponse* ArtifactResolver::resolve( ArtifactResolve* request = ArtifactResolveBuilder::buildArtifactResolve(); Issuer* iss = IssuerBuilder::buildIssuer(); request->setIssuer(iss); - iss->setName(sppolicy.getApplication().getRelyingParty(dynamic_cast(ssoDescriptor.getParent()))->getXMLString("entityID").second); + iss->setName(rp->getXMLString("entityID").second); auto_ptr_XMLCh artbuf(artifact.encode().c_str()); Artifact* a = ArtifactBuilder::buildArtifact(); a->setArtifact(artbuf.get()); 
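Review bot: In the `-162,6 +162,9` hunk of ArtifactResolver.cpp, `rp` is dereferenced straight away by `rp->getBool("artifactByFilesystem")`, and the relying-party lookup now sits before the `for` loop instead of inside the `try` where the old `setName` call performed it. Any exception from `getRelyingParty(...)`, or a null return if that is possible (not visible here), is therefore no longer handled per endpoint by whatever handlers that `try` has. If null is a possible result, check `rp` once before the loop and fail with a clear configuration error. The flag is never reassigned in the visible lines, so it could be declared `const`. A one-line comment above it would help the next reader, for example `// SSPCPP-437: filesystem artifact resolution is opt-in per relying party; an unset property leaves it disabled.` The body of `resolve()` starts and ends outside this hunk.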
@@ -184,7 +187,7 @@ ArtifactResponse* ArtifactResolver::resolve(
 break;
 }
 }
- else if (XMLString::equals((*ep)->getBinding(), shibspconstants::SHIB2_BINDING_FILE)) {
+ else if (artifactByFilesystem.first && artifactByFilesystem.second && XMLString::equals((*ep)->getBinding(), shibspconstants::SHIB2_BINDING_FILE)) {
 // This implements a resolution process against the local file system for custom integration needs.
 // The local filesystem is presumed to be "secure" so that unsigned, unencrypted responses are acceptable.
 // The binding here is not SOAP, but rather REST-like, with the base location used to construct a filename
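Review bot: When `artifactByFilesystem` is unset or false, an endpoint whose binding is `SHIB2_BINDING_FILE` is skipped by this `else if` with no diagnostic, as far as the hunk shows. A deployment that relied on the previous always-on behaviour would then see artifact resolution fail with nothing pointing at the new option, so a debug- or warn-level log line for the skipped endpoint would make the cause visible. The comment block under the condition should also state that the branch is reached only on explicit opt-in, because it accepts unsigned, unencrypted responses and builds a filename from the endpoint's base location, which presumably comes from metadata. Suggested first line: `// Opt-in only: taken when the relying party sets artifactByFilesystem to true; enable it only where the metadata source and the local directory are both trusted.` The body of this branch continues past the end of the hunk.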