projects / shibboleth / sp.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Handle openssl when pkg_config not supported.
[shibboleth/sp.git] / shibsp / ServiceProvider.cpp
1 /*
2  *  Copyright 2001-2010 Internet2
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *     http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16
17 /**
18  * ServiceProvider.cpp
19  *
20  * Interface to a Shibboleth ServiceProvider instance.
21  */
22
23 #include "internal.h"
24 #include "exceptions.h"
25 #include "AccessControl.h"
26 #include "Application.h"
27 #include "ServiceProvider.h"
28 #include "SessionCache.h"
29 #include "SPRequest.h"
30 #include "attribute/Attribute.h"
31 #include "handler/SessionInitiator.h"
32 #include "util/TemplateParameters.h"
33
34 #include <fstream>
35 #include <sstream>
36 #ifndef SHIBSP_LITE
37 # include <saml/exceptions.h>
38 # include <saml/saml2/metadata/MetadataProvider.h>
39 #endif
40 #include <xmltooling/XMLToolingConfig.h>
41 #include <xmltooling/util/NDC.h>
42 #include <xmltooling/util/PathResolver.h>
43 #include <xmltooling/util/URLEncoder.h>
44 #include <xmltooling/util/XMLHelper.h>
45
46 using namespace shibsp;
47 using namespace xmltooling::logging;
48 using namespace xmltooling;
49 using namespace std;
50
51 namespace shibsp {
52     SHIBSP_DLLLOCAL PluginManager<ServiceProvider,string,const DOMElement*>::Factory XMLServiceProviderFactory;
53
54     long SHIBSP_DLLLOCAL sendError(
55         Category& log, SPRequest& request, const Application* app, const char* page, TemplateParameters& tp, bool mayRedirect=true
56         )
57     {
58         // The properties we need can be set in the RequestMap, or the Errors element.
59         bool mderror = dynamic_cast<const opensaml::saml2md::MetadataException*>(tp.getRichException())!=nullptr;
60         bool accesserror = (strcmp(page, "access")==0);
61         pair<bool,const char*> redirectErrors = pair<bool,const char*>(false,nullptr);
62         pair<bool,const char*> pathname = pair<bool,const char*>(false,nullptr);
63
64         // Strictly for error handling, detect a nullptr application and point at the default.
65         if (!app)
66             app = request.getServiceProvider().getApplication(nullptr);
67
68         const PropertySet* props=app->getPropertySet("Errors");
69
70         // First look for settings in the request map of the form pageError.
71         try {
72             RequestMapper::Settings settings = request.getRequestSettings();
73             if (mderror)
74                 pathname = settings.first->getString("metadataError");
75             if (!pathname.first) {
76                 string pagename(page);
77                 pagename += "Error";
78                 pathname = settings.first->getString(pagename.c_str());
79             }
80             if (mayRedirect)
81                 redirectErrors = settings.first->getString("redirectErrors");
82         }
83         catch (exception& ex) {
84             log.error(ex.what());
85         }
86
87         // Check for redirection on errors instead of template.
88         if (mayRedirect) {
89             if (!redirectErrors.first && props)
90                 redirectErrors = props->getString("redirectErrors");
91             if (redirectErrors.first) {
92                 string loc(redirectErrors.second);
93                 loc = loc + '?' + tp.toQueryString();
94                 return request.sendRedirect(loc.c_str());
95             }
96         }
97
98         request.setContentType("text/html");
99         request.setResponseHeader("Expires","01-Jan-1997 12:00:00 GMT");
100         request.setResponseHeader("Cache-Control","private,no-store,no-cache");
101
102         // Nothing in the request map, so check for a property named "page" in the Errors property set.
103         if (!pathname.first && props) {
104             if (mderror)
105                 pathname=props->getString("metadata");
106             if (!pathname.first)
107                 pathname=props->getString(page);
108         }
109
110         // If there's still no template to use, just use pageError.html unless it's an access issue.
111         string fname;
112         if (!pathname.first) {
113             if (!accesserror) {
114                 fname = string(page) + "Error.html";
115                 pathname.second = fname.c_str();
116             }
117         }
118         else {
119             fname = pathname.second;
120         }
121
122         // If we have a template to use, use it.
123         if (!fname.empty()) {
124             ifstream infile(XMLToolingConfig::getConfig().getPathResolver()->resolve(fname, PathResolver::XMLTOOLING_CFG_FILE).c_str());
125             if (infile) {
126                 tp.setPropertySet(props);
127                 stringstream str;
128                 XMLToolingConfig::getConfig().getTemplateEngine()->run(infile, str, tp, tp.getRichException());
129                 return request.sendError(str);
130             }
131         }
132
133         // If we got here, then either it's an access error or a template failed.
134         if (accesserror) {
135             istringstream msg("Access Denied");
136             return request.sendResponse(msg, HTTPResponse::XMLTOOLING_HTTP_STATUS_FORBIDDEN);
137         }
138
139         log.error("sendError could not process error template (%s)", pathname.second);
140         istringstream msg("Internal Server Error. Please contact the site administrator.");
141         return request.sendError(msg);
142     }
143
144     void SHIBSP_DLLLOCAL clearHeaders(SPRequest& request) {
145         const Application& app = request.getApplication();
146         app.clearHeader(request, "Shib-Session-ID", "HTTP_SHIB_SESSION_ID");
147         app.clearHeader(request, "Shib-Session-Index", "HTTP_SHIB_SESSION_INDEX");
148         app.clearHeader(request, "Shib-Identity-Provider", "HTTP_SHIB_IDENTITY_PROVIDER");
149         app.clearHeader(request, "Shib-Authentication-Method", "HTTP_SHIB_AUTHENTICATION_METHOD");
150         app.clearHeader(request, "Shib-Authentication-Instant", "HTTP_SHIB_AUTHENTICATION_INSTANT");
151         app.clearHeader(request, "Shib-AuthnContext-Class", "HTTP_SHIB_AUTHNCONTEXT_CLASS");
152         app.clearHeader(request, "Shib-AuthnContext-Decl", "HTTP_SHIB_AUTHNCONTEXT_DECL");
153         app.clearHeader(request, "Shib-Assertion-Count", "HTTP_SHIB_ASSERTION_COUNT");
154         app.clearAttributeHeaders(request);
155         request.clearHeader("REMOTE_USER", "HTTP_REMOTE_USER");
156     }
157 };
158
159 void SHIBSP_API shibsp::registerServiceProviders()
160 {
161     SPConfig::getConfig().ServiceProviderManager.registerFactory(XML_SERVICE_PROVIDER, XMLServiceProviderFactory);
162 }
163
164 ServiceProvider::ServiceProvider()
165 {
166 }
167
168 ServiceProvider::~ServiceProvider()
169 {
170 }
171
172 #ifndef SHIBSP_LITE
173 SecurityPolicyProvider* ServiceProvider::getSecurityPolicyProvider(bool required) const
174 {
175     if (required)
176         throw ConfigurationException("No SecurityPolicyProvider available.");
177     return nullptr;
178 }
179 #endif
180
181 Remoted* ServiceProvider::regListener(const char* address, Remoted* listener)
182 {
183     Remoted* ret=nullptr;
184     map<string,Remoted*>::const_iterator i=m_listenerMap.find(address);
185     if (i!=m_listenerMap.end())
186         ret=i->second;
187     m_listenerMap[address]=listener;
188     Category::getInstance(SHIBSP_LOGCAT".ServiceProvider").info("registered remoted message endpoint (%s)",address);
189     return ret;
190 }
191
192 bool ServiceProvider::unregListener(const char* address, Remoted* current, Remoted* restore)
193 {
194     map<string,Remoted*>::const_iterator i=m_listenerMap.find(address);
195     if (i!=m_listenerMap.end() && i->second==current) {
196         if (restore)
197             m_listenerMap[address]=restore;
198         else
199             m_listenerMap.erase(address);
200         Category::getInstance(SHIBSP_LOGCAT".ServiceProvider").info("unregistered remoted message endpoint (%s)",address);
201         return true;
202     }
203     return false;
204 }
205
206 Remoted* ServiceProvider::lookupListener(const char *address) const
207 {
208     map<string,Remoted*>::const_iterator i=m_listenerMap.find(address);
209     return (i==m_listenerMap.end()) ? nullptr : i->second;
210 }
211
212 pair<bool,long> ServiceProvider::doAuthentication(SPRequest& request, bool handler) const
213 {
214 #ifdef _DEBUG
215     xmltooling::NDC ndc("doAuthentication");
216 #endif
217     Category& log = Category::getInstance(SHIBSP_LOGCAT".ServiceProvider");
218
219     const Application* app=nullptr;
220     string targetURL = request.getRequestURL();
221
222     try {
223         RequestMapper::Settings settings = request.getRequestSettings();
224         app = &(request.getApplication());
225
226         // If not SSL, check to see if we should block or redirect it.
227         if (!request.isSecure()) {
228             pair<bool,const char*> redirectToSSL = settings.first->getString("redirectToSSL");
229             if (redirectToSSL.first) {
230 #ifdef HAVE_STRCASECMP
231                 if (!strcasecmp("GET",request.getMethod()) || !strcasecmp("HEAD",request.getMethod())) {
232 #else
233                 if (!stricmp("GET",request.getMethod()) || !stricmp("HEAD",request.getMethod())) {
234 #endif
235                     // Compute the new target URL
236                     string redirectURL = string("https://") + request.getHostname();
237                     if (strcmp(redirectToSSL.second,"443")) {
238                         redirectURL = redirectURL + ':' + redirectToSSL.second;
239                     }
240                     redirectURL += request.getRequestURI();
241                     return make_pair(true, request.sendRedirect(redirectURL.c_str()));
242                 }
243                 else {
244                     TemplateParameters tp;
245                     tp.m_map["requestURL"] = targetURL.substr(0,targetURL.find('?'));
246                     return make_pair(true,sendError(log, request, app, "ssl", tp, false));
247                 }
248             }
249         }
250
251         const char* handlerURL=request.getHandlerURL(targetURL.c_str());
252         if (!handlerURL)
253             throw ConfigurationException("Cannot determine handler from resource URL, check configuration.");
254
255         // If the request URL contains the handler base URL for this application, either dispatch
256         // directly (mainly Apache 2.0) or just pass back control.
257         if (strstr(targetURL.c_str(),handlerURL)) {
258             if (handler)
259                 return doHandler(request);
260             else
261                 return make_pair(true, request.returnOK());
262         }
263
264         // Three settings dictate how to proceed.
265         pair<bool,const char*> authType = settings.first->getString("authType");
266         pair<bool,bool> requireSession = settings.first->getBool("requireSession");
267         pair<bool,const char*> requireSessionWith = settings.first->getString("requireSessionWith");
268
269         // If no session is required AND the AuthType (an Apache-derived concept) isn't shibboleth,
270         // then we ignore this request and consider it unprotected. Apache might lie to us if
271         // ShibBasicHijack is on, but that's up to it.
272         if ((!requireSession.first || !requireSession.second) && !requireSessionWith.first &&
273 #ifdef HAVE_STRCASECMP
274                 (!authType.first || strcasecmp(authType.second,"shibboleth")))
275 #else
276                 (!authType.first || _stricmp(authType.second,"shibboleth")))
277 #endif
278             return make_pair(true,request.returnDecline());
279
280         // Fix for secadv 20050901
281         clearHeaders(request);
282
283         Session* session = nullptr;
284         try {
285             session = request.getSession();
286         }
287         catch (exception& e) {
288             log.warn("error during session lookup: %s", e.what());
289             // If it's not a retryable session failure, we throw to the outer handler for reporting.
290             if (dynamic_cast<opensaml::RetryableProfileException*>(&e)==nullptr)
291                 throw;
292         }
293
294         if (!session) {
295             // No session.  Maybe that's acceptable?
296             if ((!requireSession.first || !requireSession.second) && !requireSessionWith.first)
297                 return make_pair(true,request.returnOK());
298
299             // No session, but we require one. Initiate a new session using the indicated method.
300             const SessionInitiator* initiator=nullptr;
301             if (requireSessionWith.first) {
302                 initiator=app->getSessionInitiatorById(requireSessionWith.second);
303                 if (!initiator) {
304                     throw ConfigurationException(
305                         "No session initiator found with id ($1), check requireSessionWith command.", params(1,requireSessionWith.second)
306                         );
307                 }
308             }
309             else {
310                 initiator=app->getDefaultSessionInitiator();
311                 if (!initiator)
312                     throw ConfigurationException("No default session initiator found, check configuration.");
313             }
314
315             return initiator->run(request,false);
316         }
317
318         request.setAuthType("shibboleth");
319
320         // We're done.  Everything is okay.  Nothing to report.  Nothing to do..
321         // Let the caller decide how to proceed.
322         log.debug("doAuthentication succeeded");
323         return make_pair(false,0L);
324     }
325     catch (exception& e) {
326         request.log(SPRequest::SPError, e.what());
327         TemplateParameters tp(&e);
328         tp.m_map["requestURL"] = targetURL.substr(0,targetURL.find('?'));
329         return make_pair(true,sendError(log, request, app, "session", tp));
330     }
331 }
332
333 pair<bool,long> ServiceProvider::doAuthorization(SPRequest& request) const
334 {
335 #ifdef _DEBUG
336     xmltooling::NDC ndc("doAuthorization");
337 #endif
338     Category& log = Category::getInstance(SHIBSP_LOGCAT".ServiceProvider");
339
340     const Application* app=nullptr;
341     string targetURL = request.getRequestURL();
342
343     try {
344         RequestMapper::Settings settings = request.getRequestSettings();
345         app = &(request.getApplication());
346
347         // Three settings dictate how to proceed.
348         pair<bool,const char*> authType = settings.first->getString("authType");
349         pair<bool,bool> requireSession = settings.first->getBool("requireSession");
350         pair<bool,const char*> requireSessionWith = settings.first->getString("requireSessionWith");
351
352         // If no session is required AND the AuthType (an Apache-derived concept) isn't shibboleth,
353         // then we ignore this request and consider it unprotected. Apache might lie to us if
354         // ShibBasicHijack is on, but that's up to it.
355         if ((!requireSession.first || !requireSession.second) && !requireSessionWith.first &&
356 #ifdef HAVE_STRCASECMP
357                 (!authType.first || strcasecmp(authType.second,"shibboleth")))
358 #else
359                 (!authType.first || _stricmp(authType.second,"shibboleth")))
360 #endif
361             return make_pair(true,request.returnDecline());
362
363         // Do we have an access control plugin?
364         if (settings.second) {
365             const Session* session = nullptr;
366             try {
367                 session = request.getSession(false);
368             }
369             catch (exception& e) {
370                 log.warn("unable to obtain session to pass to access control provider: %s", e.what());
371             }
372
373             Locker acllock(settings.second);
374             switch (settings.second->authorized(request,session)) {
375                 case AccessControl::shib_acl_true:
376                     log.debug("access control provider granted access");
377                     return make_pair(true,request.returnOK());
378
379                 case AccessControl::shib_acl_false:
380                 {
381                     log.warn("access control provider denied access");
382                     TemplateParameters tp;
383                     tp.m_map["requestURL"] = targetURL;
384                     return make_pair(true,sendError(log, request, app, "access", tp, false));
385                 }
386
387                 default:
388                     // Use the "DECLINE" interface to signal we don't know what to do.
389                     return make_pair(true,request.returnDecline());
390             }
391         }
392         else {
393             return make_pair(true,request.returnDecline());
394         }
395     }
396     catch (exception& e) {
397         request.log(SPRequest::SPError, e.what());
398         TemplateParameters tp(&e);
399         tp.m_map["requestURL"] = targetURL.substr(0,targetURL.find('?'));
400         return make_pair(true,sendError(log, request, app, "access", tp));
401     }
402 }
403
404 pair<bool,long> ServiceProvider::doExport(SPRequest& request, bool requireSession) const
405 {
406 #ifdef _DEBUG
407     xmltooling::NDC ndc("doExport");
408 #endif
409     Category& log = Category::getInstance(SHIBSP_LOGCAT".ServiceProvider");
410
411     const Application* app=nullptr;
412     string targetURL = request.getRequestURL();
413
414     try {
415         RequestMapper::Settings settings = request.getRequestSettings();
416         app = &(request.getApplication());
417
418         const Session* session = nullptr;
419         try {
420             session = request.getSession(false);
421         }
422         catch (exception& e) {
423             log.warn("unable to obtain session to export to request: %s", e.what());
424                 // If we have to have a session, then this is a fatal error.
425                 if (requireSession)
426                         throw;
427         }
428
429                 // Still no data?
430         if (!session) {
431                 if (requireSession)
432                 throw opensaml::RetryableProfileException("Unable to obtain session to export to request.");
433                 else
434                         return make_pair(false,0L);     // just bail silently
435         }
436
437         app->setHeader(request, "Shib-Application-ID", app->getId());
438         app->setHeader(request, "Shib-Session-ID", session->getID());
439
440         // Export the IdP name and Authn method/context info.
441         const char* hval = session->getEntityID();
442         if (hval)
443             app->setHeader(request, "Shib-Identity-Provider", hval);
444         hval = session->getAuthnInstant();
445         if (hval)
446             app->setHeader(request, "Shib-Authentication-Instant", hval);
447         hval = session->getAuthnContextClassRef();
448         if (hval) {
449             app->setHeader(request, "Shib-Authentication-Method", hval);
450             app->setHeader(request, "Shib-AuthnContext-Class", hval);
451         }
452         hval = session->getAuthnContextDeclRef();
453         if (hval)
454             app->setHeader(request, "Shib-AuthnContext-Decl", hval);
455         hval = session->getSessionIndex();
456         if (hval)
457             app->setHeader(request, "Shib-Session-Index", hval);
458
459         // Maybe export the assertion keys.
460         pair<bool,bool> exp=settings.first->getBool("exportAssertion");
461         if (exp.first && exp.second) {
462             const PropertySet* sessions=app->getPropertySet("Sessions");
463             pair<bool,const char*> exportLocation = sessions ? sessions->getString("exportLocation") : pair<bool,const char*>(false,nullptr);
464             if (!exportLocation.first)
465                 log.warn("can't export assertions without an exportLocation Sessions property");
466             else {
467                 const URLEncoder* encoder = XMLToolingConfig::getConfig().getURLEncoder();
468                 string exportName = "Shib-Assertion-00";
469                 string baseURL;
470                 if (!strncmp(exportLocation.second, "http", 4))
471                     baseURL = exportLocation.second;
472                 else
473                     baseURL = string(request.getHandlerURL(targetURL.c_str())) + exportLocation.second;
474                 baseURL = baseURL + "?key=" + session->getID() + "&ID=";
475                 const vector<const char*>& tokens = session->getAssertionIDs();
476                 vector<const char*>::size_type count = 0;
477                 for (vector<const char*>::const_iterator tokenids = tokens.begin(); tokenids!=tokens.end(); ++tokenids) {
478                     count++;
479                     *(exportName.rbegin()) = '0' + (count%10);
480                     *(++exportName.rbegin()) = '0' + (count/10);
481                     string fullURL = baseURL + encoder->encode(*tokenids);
482                     app->setHeader(request, exportName.c_str(), fullURL.c_str());
483                 }
484                 app->setHeader(request, "Shib-Assertion-Count", exportName.c_str() + 15);
485             }
486         }
487
488         // Export the attributes.
489         const multimap<string,const Attribute*>& attributes = session->getIndexedAttributes();
490         for (multimap<string,const Attribute*>::const_iterator a = attributes.begin(); a!=attributes.end(); ++a) {
491             if (a->second->isInternal())
492                 continue;
493             string header(app->getSecureHeader(request, a->first.c_str()));
494             const vector<string>& vals = a->second->getSerializedValues();
495             for (vector<string>::const_iterator v = vals.begin(); v!=vals.end(); ++v) {
496                 if (!header.empty())
497                     header += ";";
498                 string::size_type pos = v->find_first_of(';',string::size_type(0));
499                 if (pos!=string::npos) {
500                     string value(*v);
501                     for (; pos != string::npos; pos = value.find_first_of(';',pos)) {
502                         value.insert(pos, "\\");
503                         pos += 2;
504                     }
505                     header += value;
506                 }
507                 else {
508                     header += (*v);
509                 }
510             }
511             app->setHeader(request, a->first.c_str(), header.c_str());
512         }
513
514         // Check for REMOTE_USER.
515         bool remoteUserSet = false;
516         const vector<string>& rmids = app->getRemoteUserAttributeIds();
517         for (vector<string>::const_iterator rmid = rmids.begin(); !remoteUserSet && rmid != rmids.end(); ++rmid) {
518             pair<multimap<string,const Attribute*>::const_iterator,multimap<string,const Attribute*>::const_iterator> matches =
519                 attributes.equal_range(*rmid);
520             for (; matches.first != matches.second; ++matches.first) {
521                 const vector<string>& vals = matches.first->second->getSerializedValues();
522                 if (!vals.empty()) {
523                     request.setRemoteUser(vals.front().c_str());
524                     remoteUserSet = true;
525                     break;
526                 }
527             }
528         }
529
530         return make_pair(false,0L);
531     }
532     catch (exception& e) {
533         request.log(SPRequest::SPError, e.what());
534         TemplateParameters tp(&e);
535         tp.m_map["requestURL"] = targetURL.substr(0,targetURL.find('?'));
536         return make_pair(true,sendError(log, request, app, "session", tp));
537     }
538 }
539
540 pair<bool,long> ServiceProvider::doHandler(SPRequest& request) const
541 {
542 #ifdef _DEBUG
543     xmltooling::NDC ndc("doHandler");
544 #endif
545     Category& log = Category::getInstance(SHIBSP_LOGCAT".ServiceProvider");
546
547     const Application* app=nullptr;
548     string targetURL = request.getRequestURL();
549
550     try {
551         RequestMapper::Settings settings = request.getRequestSettings();
552         app = &(request.getApplication());
553
554         // If not SSL, check to see if we should block or redirect it.
555         if (!request.isSecure()) {
556             pair<bool,const char*> redirectToSSL = settings.first->getString("redirectToSSL");
557             if (redirectToSSL.first) {
558 #ifdef HAVE_STRCASECMP
559                 if (!strcasecmp("GET",request.getMethod()) || !strcasecmp("HEAD",request.getMethod())) {
560 #else
561                 if (!stricmp("GET",request.getMethod()) || !stricmp("HEAD",request.getMethod())) {
562 #endif
563                     // Compute the new target URL
564                     string redirectURL = string("https://") + request.getHostname();
565                     if (strcmp(redirectToSSL.second,"443")) {
566                         redirectURL = redirectURL + ':' + redirectToSSL.second;
567                     }
568                     redirectURL += request.getRequestURI();
569                     return make_pair(true, request.sendRedirect(redirectURL.c_str()));
570                 }
571                 else {
572                     TemplateParameters tp;
573                     tp.m_map["requestURL"] = targetURL.substr(0,targetURL.find('?'));
574                     return make_pair(true,sendError(log, request, app, "ssl", tp, false));
575                 }
576             }
577         }
578
579         const char* handlerURL=request.getHandlerURL(targetURL.c_str());
580         if (!handlerURL)
581             throw ConfigurationException("Cannot determine handler from resource URL, check configuration.");
582
583         // Make sure we only process handler requests.
584         if (!strstr(targetURL.c_str(),handlerURL))
585             return make_pair(true, request.returnDecline());
586
587         const PropertySet* sessionProps=app->getPropertySet("Sessions");
588         if (!sessionProps)
589             throw ConfigurationException("Unable to map request to application session settings, check configuration.");
590
591         // Process incoming request.
592         pair<bool,bool> handlerSSL=sessionProps->getBool("handlerSSL");
593
594         // Make sure this is SSL, if it should be
595         if ((!handlerSSL.first || handlerSSL.second) && !request.isSecure())
596             throw opensaml::FatalProfileException("Blocked non-SSL access to Shibboleth handler.");
597
598         // We dispatch based on our path info. We know the request URL begins with or equals the handler URL,
599         // so the path info is the next character (or null).
600         const Handler* handler=app->getHandler(targetURL.c_str() + strlen(handlerURL));
601         if (!handler)
602             throw ConfigurationException("Shibboleth handler invoked at an unconfigured location.");
603
604         pair<bool,long> hret=handler->run(request);
605
606         // Did the handler run successfully?
607         if (hret.first)
608             return hret;
609
610         throw ConfigurationException("Configured Shibboleth handler failed to process the request.");
611     }
612     catch (exception& e) {
613         request.log(SPRequest::SPError, e.what());
614         TemplateParameters tp(&e);
615         tp.m_map["requestURL"] = targetURL.substr(0,targetURL.find('?'));
616         tp.m_request = &request;
617         return make_pair(true,sendError(log, request, app, "session", tp));
618     }
619 }
Shibboleth SP