namespace opensaml {
SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory ClientCertAuthRuleFactory;
SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory MessageFlowRuleFactory;
- SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory SAML1MessageRuleFactory;
- SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory SAML2MessageRuleFactory;
+ SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory NullSecurityRuleFactory;
SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory SimpleSigningRuleFactory;
SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory XMLSigningRuleFactory;
};
SAMLConfig& conf=SAMLConfig::getConfig();
conf.SecurityPolicyRuleManager.registerFactory(CLIENTCERTAUTH_POLICY_RULE, ClientCertAuthRuleFactory);
conf.SecurityPolicyRuleManager.registerFactory(MESSAGEFLOW_POLICY_RULE, MessageFlowRuleFactory);
- conf.SecurityPolicyRuleManager.registerFactory(SAML1MESSAGE_POLICY_RULE, SAML1MessageRuleFactory);
- conf.SecurityPolicyRuleManager.registerFactory(SAML2MESSAGE_POLICY_RULE, SAML2MessageRuleFactory);
+ conf.SecurityPolicyRuleManager.registerFactory(NULLSECURITY_POLICY_RULE, NullSecurityRuleFactory);
conf.SecurityPolicyRuleManager.registerFactory(SIMPLESIGNING_POLICY_RULE, SimpleSigningRuleFactory);
conf.SecurityPolicyRuleManager.registerFactory(XMLSIGNING_POLICY_RULE, XMLSigningRuleFactory);
}
SecurityPolicy::~SecurityPolicy()
{
- reset();
+ reset(false);
}
-void SecurityPolicy::reset()
+void SecurityPolicy::reset(bool messageOnly)
{
- delete m_messageQName;
XMLString::release(&m_messageID);
- delete m_issuer;
- m_messageQName=NULL;
m_messageID=NULL;
m_issueInstant=0;
- m_issuer=NULL;
- m_issuerRole=NULL;
- m_secure=false;
+ if (!messageOnly) {
+ delete m_issuer;
+ m_issuer=NULL;
+ m_issuerRole=NULL;
+ m_authenticated=false;
+ }
}
void SecurityPolicy::evaluate(const XMLObject& message, const GenericRequest* request)
void SecurityPolicy::setIssuer(const Issuer* issuer)
{
if (!getIssuerMatchingPolicy().issuerMatches(m_issuer, issuer))
- throw SecurityPolicyException("A rule supplied an Issuer that conflicts with previous results.");
+ throw SecurityPolicyException("An Issuer was supplied that conflicts with previous results.");
if (!m_issuer) {
+ if (m_entityOnly && issuer->getFormat() && !XMLString::equals(issuer->getFormat(), NameIDType::ENTITY))
+ throw SecurityPolicyException("A non-entity Issuer was supplied, violating policy.");
m_issuerRole = NULL;
m_issuer=issuer->cloneIssuer();
}
void SecurityPolicy::setIssuer(const XMLCh* issuer)
{
if (!getIssuerMatchingPolicy().issuerMatches(m_issuer, issuer))
- throw SecurityPolicyException("A rule supplied an Issuer that conflicts with previous results.");
+ throw SecurityPolicyException("An Issuer was supplied that conflicts with previous results.");
if (!m_issuer && issuer && *issuer) {
m_issuerRole = NULL;