From: Scott Cantor Date: Mon, 4 Aug 2008 15:51:57 +0000 (+0000) Subject: https://issues.shibboleth.net/jira/browse/SSPCPP-127 X-Git-Tag: 2.1.0~13 X-Git-Url: http://www.project-moonshot.org/gitweb/?p=shibboleth%2Fcpp-sp.git;a=commitdiff_plain;h=398fff94448129e24fed2bdf4d37a81836e5e889 https://issues.shibboleth.net/jira/browse/SSPCPP-127 --- diff --git a/isapi_shib/isapi_shib.cpp b/isapi_shib/isapi_shib.cpp index 4dac1a7..25ed8a7 100644 --- a/isapi_shib/isapi_shib.cpp +++ b/isapi_shib/isapi_shib.cpp @@ -1,6 +1,6 @@ /* * Copyright 2001-2007 Internet2 - * + * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at @@ -16,7 +16,7 @@ /** * isapi_shib.cpp - * + * * Shibboleth ISAPI filter */ @@ -60,9 +60,7 @@ namespace { static const XMLCh sslport[] = UNICODE_LITERAL_7(s,s,l,p,o,r,t); static const XMLCh scheme[] = UNICODE_LITERAL_6(s,c,h,e,m,e); static const XMLCh id[] = UNICODE_LITERAL_2(i,d); - static const XMLCh ISAPI[] = UNICODE_LITERAL_5(I,S,A,P,I); static const XMLCh Alias[] = UNICODE_LITERAL_5(A,l,i,a,s); - static const XMLCh normalizeRequest[] = UNICODE_LITERAL_16(n,o,r,m,a,l,i,z,e,R,e,q,u,e,s,t); static const XMLCh Site[] = UNICODE_LITERAL_4(S,i,t,e); struct site_t { @@ -93,7 +91,7 @@ namespace { char* m_user; bool m_checked; }; - + HINSTANCE g_hinstDLL; SPConfig* g_Config = NULL; map g_Sites; @@ -112,7 +110,7 @@ BOOL LogEvent( LPCSTR message) { LPCSTR messages[] = {message, NULL}; - + HANDLE hElog = RegisterEventSource(lpUNCServerName, "Shibboleth ISAPI Filter"); BOOL res = ReportEvent(hElog, wType, 0, dwEventID, lpUserSid, 1, 0, messages, NULL); return (DeregisterEventSource(hElog) && res); @@ -129,7 +127,7 @@ extern "C" BOOL WINAPI GetExtensionVersion(HSE_VERSION_INFO* pVer) { if (!pVer) return FALSE; - + if (!g_Config) { LogEvent(NULL, EVENTLOG_ERROR_TYPE, 2100, NULL, "Extension mode startup not possible, is the DLL loaded as a filter?"); 
@@ -195,7 +193,7 @@ extern "C" BOOL WINAPI GetFilterVersion(PHTTP_FILTER_VERSION pVer) "Filter startup failed to load configuration, check native log for details."); return FALSE; } - + // Access implementation-specifics and site mappings. ServiceProvider* sp=g_Config->getServiceProvider(); Locker locker(sp); @@ -381,7 +379,7 @@ public: else { m_port = atoi(site.m_port.c_str()); } - + // Scheme may come from site def or be derived from IIS. m_scheme=site.m_scheme; if (m_scheme.empty() || !g_bNormalizeRequest) @@ -393,14 +391,14 @@ public: m_hostname = var; if (site.m_name!=m_hostname && site.m_aliases.find(m_hostname)==site.m_aliases.end()) m_hostname=site.m_name; - + if (!pfc->pFilterContext) { pfc->pFilterContext = pfc->AllocMem(pfc, sizeof(context_t), NULL); if (static_cast(pfc->pFilterContext)) { static_cast(pfc->pFilterContext)->m_user = NULL; static_cast(pfc->pFilterContext)->m_checked = false; } - } + } } ~ShibTargetIsapiF() { } @@ -537,7 +535,7 @@ public: const vector& getClientCertificates() const { return g_NoCerts; } - + // The filter never processes the POST, so stub these methods. const char* getQueryString() const { throw IOException("getQueryString not implemented"); } const char* getRequestBody() const { throw IOException("getRequestBody not implemented"); } @@ -580,7 +578,7 @@ extern "C" DWORD WINAPI HttpFilterProc(PHTTP_FILTER_CONTEXT pfc, DWORD notificat map::const_iterator map_i=g_Sites.find(static_cast(buf)); if (map_i==g_Sites.end()) return SF_STATUS_REQ_NEXT_NOTIFICATION; - + ostringstream threadid; threadid << "[" << getpid() << "] isapi_shib" << '\0'; xmltooling::NDC ndc(threadid.str().c_str()); @@ -624,7 +622,7 @@ extern "C" DWORD WINAPI HttpFilterProc(PHTTP_FILTER_CONTEXT pfc, DWORD notificat return WriteClientError(pfc,"Shibboleth Filter reached unreachable code, save my walrus!"); } - + /****************************************************************************/ // ISAPI Extension 
@@ -656,7 +654,7 @@ class ShibTargetIsapiE : public AbstractSPRequest int m_port; string m_scheme,m_hostname,m_uri; mutable string m_remote_addr,m_remote_user; - + public: ShibTargetIsapiE(LPEXTENSION_CONTROL_BLOCK lpECB, const site_t& site) : AbstractSPRequest(SHIBSP_LOGCAT".ISAPI"), m_lpECB(lpECB), m_gotBody(false) { @@ -700,18 +698,18 @@ public: * the server is set up for proper PATH_INFO handling, or "IIS sucks rabid weasels mode", * which is the default. No perfect way to tell, but we can take a good guess by checking * whether the URL is a substring of the PATH_INFO: - * + * * e.g. for /Shibboleth.sso/SAML/POST - * + * * Bad mode (default): * URL: /Shibboleth.sso * PathInfo: /Shibboleth.sso/SAML/POST - * + * * Good mode: * URL: /Shibboleth.sso * PathInfo: /SAML/POST */ - + string uri; // Clearly we're only in bad mode if path info exists at all. @@ -727,7 +725,7 @@ public: else { uri = url; } - + // For consistency with Apache, let's add the query string. if (lpECB->lpszQueryString && *(lpECB->lpszQueryString)) { uri += '?'; @@ -919,7 +917,7 @@ extern "C" DWORD WINAPI HttpExtensionProc(LPEXTENSION_CONTROL_BLOCK lpECB) ShibTargetIsapiE ste(lpECB, map_i->second); pair res = ste.getServiceProvider().doHandler(ste); if (res.first) return res.second; - + return WriteClientError(lpECB, "Shibboleth Extension failed to process request"); } diff --git a/schemas/shibboleth-2.0-afp-mf-basic.xsd b/schemas/shibboleth-2.0-afp-mf-basic.xsd index 595fb39..24d1526 100644 --- a/schemas/shibboleth-2.0-afp-mf-basic.xsd +++ b/schemas/shibboleth-2.0-afp-mf-basic.xsd @@ -193,7 +193,7 @@ The string value to match. - + A boolean flag indicating whether case should be ignored when evaluating the match. @@ -328,7 +328,7 @@ - + The JSR-233 name for the scripting language that will be used. By default "javascript" is 
@@ -355,12 +355,12 @@ The ID of the attribute whose value should be matched. - + Minimum number of values an attribute may have. - + Maximum number of values an attribute may have. diff --git a/schemas/shibboleth-2.0-native-sp-config.xsd b/schemas/shibboleth-2.0-native-sp-config.xsd index ea52138..f9950db 100644 --- a/schemas/shibboleth-2.0-native-sp-config.xsd +++ b/schemas/shibboleth-2.0-native-sp-config.xsd @@ -71,7 +71,7 @@ - + @@ -103,7 +103,7 @@ - + @@ -123,7 +123,7 @@ - + @@ -141,7 +141,7 @@ - + @@ -166,7 +166,7 @@ - + @@ -223,7 +223,7 @@ - + @@ -368,7 +368,7 @@ - + @@ -405,7 +405,7 @@ - + @@ -483,7 +483,7 @@ - + @@ -537,19 +537,19 @@ - + - + - + - - + + - - + + @@ -682,7 +682,7 @@ - + diff --git a/shibsp/AbstractSPRequest.cpp b/shibsp/AbstractSPRequest.cpp index 6420ac4..ff5c98c 100644 --- a/shibsp/AbstractSPRequest.cpp +++ b/shibsp/AbstractSPRequest.cpp @@ -82,7 +82,7 @@ Session* AbstractSPRequest::getSession(bool checkTimeout, bool ignoreAddress, bo m_sessionTried = true; // Need address checking and timeout settings. - time_t timeout=0; + time_t timeout=3600; if (checkTimeout || !ignoreAddress) { const PropertySet* props=getApplication().getPropertySet("Sessions"); if (props) { @@ -207,7 +207,7 @@ const char* AbstractSPRequest::getHandlerURL(const char* resource) const #endif throw ConfigurationException("Target resource was not an absolute URL."); - bool ssl_only=false; + bool ssl_only=true; const char* handler=NULL; const PropertySet* props=m_app->getPropertySet("Sessions"); if (props) { diff --git a/shibsp/handler/impl/AssertionConsumerService.cpp b/shibsp/handler/impl/AssertionConsumerService.cpp index b7146bb..8f3b008 100644 --- a/shibsp/handler/impl/AssertionConsumerService.cpp +++ b/shibsp/handler/impl/AssertionConsumerService.cpp 
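Review bot: The new default `time_t timeout=3600;` is only certain to apply when the Sessions property set is absent; whether it survives when the set exists but its timeout attribute is missing or unparseable depends on the lookup inside `if (props) {`, which lies outside this hunk, so that branch should be checked so the one-hour fallback is not replaced by 0 (which presumably disables the inactivity check). The literal also deserves a why-comment, e.g. `// Default to one hour of inactivity; the Sessions timeout attribute, when present, overrides this.`. The rest of getSession's body continues outside the hunk.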
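Review bot: `bool ssl_only=true;` flips the behaviour for deployments with no Sessions property set, and nothing at this line records that the safer https default is intentional; a comment such as `// handlerSSL defaults to true so handler URLs are not built over plain http unless explicitly configured.` would make the intent visible. The code that actually applies ssl_only to the scheme and port is outside this hunk, so I cannot confirm from here what it does with the value; if the schema or example configuration documents a handlerSSL default, it should be updated to agree (the schema hunks in this commit are whitespace-only and their content is not visible in this view). The remainder of getHandlerURL is outside the hunk.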
@@ -445,7 +445,7 @@ void AssertionConsumerService::maintainHistory(
 const PropertySet* sessionProps=application.getPropertySet("Sessions");
 pair idpHistory=sessionProps->getBool("idpHistory");
- if (!idpHistory.first || idpHistory.second) {
+ if (idpHistory.first && idpHistory.second) {
 pair cookieProps=sessionProps->getString("cookieProps");
 if (!cookieProps.first)
 cookieProps.second=defProps;
diff --git a/shibsp/impl/StorageServiceSessionCache.cpp b/shibsp/impl/StorageServiceSessionCache.cpp
index 900ddfa..cb51042 100644
--- a/shibsp/impl/StorageServiceSessionCache.cpp
+++ b/shibsp/impl/StorageServiceSessionCache.cpp
@@ -712,7 +712,7 @@ void StoredSession::addAssertion(Assertion* assertion)
 #endif
 
 SSCache::SSCache(const DOMElement* e)
- : m_log(Category::getInstance(SHIBSP_LOGCAT".SessionCache")), inproc(true), m_cacheTimeout(3600),
+ : m_log(Category::getInstance(SHIBSP_LOGCAT".SessionCache")), inproc(true), m_cacheTimeout(28800),
 #ifndef SHIBSP_LITE
 m_storage(NULL), m_storage_lite(NULL),
 #endif
@@ -731,7 +731,7 @@ SSCache::SSCache(const DOMElement* e)
 if (tag && *tag) {
 m_cacheTimeout = XMLString::parseInt(tag);
 if (!m_cacheTimeout)
- m_cacheTimeout=3600;
+ m_cacheTimeout=28800;
 }
 if (inproc) {
 const XMLCh* tag=e->getAttributeNS(NULL,inprocTimeout);
@@ -1541,10 +1541,11 @@ void SSCache::cleanup()
 static const XMLCh cleanupInterval[] = UNICODE_LITERAL_15(c,l,e,a,n,u,p,I,n,t,e,r,v,a,l);
 const XMLCh* tag=m_root ? m_root->getAttributeNS(NULL,cleanupInterval) : NULL;
 int rerun_timer = 900;
- if (tag && *tag)
+ if (tag && *tag) {
 rerun_timer = XMLString::parseInt(tag);
- if (rerun_timer <= 0)
- rerun_timer = 900;
+ if (rerun_timer <= 0)
+ rerun_timer = 900;
+ }
 mutex->lock();
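Review bot: Rewriting the test as `if (idpHistory.first && idpHistory.second) {` silently changes the default: the IdP-history cookie used to be written when idpHistory was unset and is now written only when a deployer enables it, and nothing in the hunk records that intent. A one-line comment above the condition would prevent someone "fixing" it back, e.g. `// idpHistory is off by default; only record the user's IdP choice when explicitly enabled.`. Whatever else maintainHistory does for the unset case is outside this hunk, as is the rest of the function.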
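Review bot: The new eight-hour default appears as the bare literal 28800 twice, in the initializer list here and again in the fallback of the -731 hunk, so the two can drift apart on the next change; a single named constant of m_cacheTimeout's type (something like `DEFAULT_CACHE_TIMEOUT`) used in both places would keep them in step and give the value a name. Raising the unconfigured cacheTimeout from one to eight hours is a deployer-visible change in how long a session record stays cached, so it belongs in the configuration documentation as well. The constructor body continues outside this hunk.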
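Review bot: The fallback guarded by `if (!m_cacheTimeout)` only triggers when the attribute parses to exactly 0, so a negative cacheTimeout value is kept as-is, while the cleanup() hunk in the same file guards the parallel rerun_timer with `<= 0`. If m_cacheTimeout is signed (XMLString::parseInt returns an int), `if (m_cacheTimeout <= 0)` makes the two checks consistent; if it is unsigned, a negative attribute would already have wrapped at the assignment and the parsed int should be range-checked before it is stored. The SSCache constructor continues outside this hunk.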