const xmltooling::TrustEngine* trustEngine=NULL,
bool validate=true
) : m_messageID(NULL), m_issueInstant(0), m_issuer(NULL), m_issuerRole(NULL), m_authenticated(false),
- m_matchingPolicy(NULL), m_metadata(metadataProvider), m_role(NULL), m_trust(trustEngine), m_validate(validate) {
+ m_matchingPolicy(NULL), m_metadata(metadataProvider), m_role(NULL), m_trust(trustEngine), m_validate(validate), m_entityOnly(true) {
if (role)
m_role = new xmltooling::QName(*role);
}
*/
bool getValidating() const {
return m_validate;
- }
+ }
+
+ /**
+ * Returns flag controlling non-entity issuer support.
+ *
+ * @return flag controlling non-entity issuer support
+ */
+ bool requireEntityIssuer() const {
+ return m_entityOnly;
+ }
/**
* Gets a mutable array of installed policy rules.
void setValidating(bool validate=true) {
m_validate = validate;
}
+
+ /**
+ * Sets flag controlling non-entity issuer support.
+ *
+ * @param entityOnly require that Issuer be in entity format
+ */
+ void requireEntityIssuer(bool entityOnly=true) {
+ m_entityOnly = entityOnly;
+ }
/**
* Evaluates the policy against the given request and message,
xmltooling::QName* m_role;
const xmltooling::TrustEngine* m_trust;
bool m_validate;
+ bool m_entityOnly;
};
};
void SecurityPolicy::setIssuer(const Issuer* issuer)
{
if (!getIssuerMatchingPolicy().issuerMatches(m_issuer, issuer))
- throw SecurityPolicyException("A rule supplied an Issuer that conflicts with previous results.");
+ throw SecurityPolicyException("An Issuer was supplied that conflicts with previous results.");
if (!m_issuer) {
+ if (m_entityOnly && issuer->getFormat() && !XMLString::equals(issuer->getFormat(), NameIDType::ENTITY))
+ throw SecurityPolicyException("A non-entity Issuer was supplied, violating policy.");
m_issuerRole = NULL;
m_issuer=issuer->cloneIssuer();
}
void SecurityPolicy::setIssuer(const XMLCh* issuer)
{
if (!getIssuerMatchingPolicy().issuerMatches(m_issuer, issuer))
- throw SecurityPolicyException("A rule supplied an Issuer that conflicts with previous results.");
+ throw SecurityPolicyException("An Issuer was supplied that conflicts with previous results.");
if (!m_issuer && issuer && *issuer) {
m_issuerRole = NULL;