shibsp/impl/XMLServiceProvider.cpp

   1 /*\r
   2  *  Copyright 2001-2007 Internet2\r
   3  * \r
   4  * Licensed under the Apache License, Version 2.0 (the "License");\r
   5  * you may not use this file except in compliance with the License.\r
   6  * You may obtain a copy of the License at\r
   7  *\r
   8  *     http://www.apache.org/licenses/LICENSE-2.0\r
   9  *\r
  10  * Unless required by applicable law or agreed to in writing, software\r
  11  * distributed under the License is distributed on an "AS IS" BASIS,\r
  12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
  13  * See the License for the specific language governing permissions and\r
  14  * limitations under the License.\r
  15  */\r
  16 \r
  17 /**\r
  18  * XMLServiceProvider.cpp\r
  19  *\r
  20  * XML-based SP configuration and mgmt\r
  21  */\r
  22 \r
  23 #include "internal.h"\r
  24 #include "exceptions.h"\r
  25 #include "AccessControl.h"\r
  26 #include "Application.h"\r
  27 #include "Handler.h"\r
  28 #include "RequestMapper.h"\r
  29 #include "ServiceProvider.h"\r
  30 #include "SessionCache.h"\r
  31 #include "SPConfig.h"\r
  32 #include "SPRequest.h"\r
  33 #include "TransactionLog.h"\r
  34 #include "attribute/Attribute.h"\r
  35 #include "remoting/ListenerService.h"\r
  36 #include "security/PKIXTrustEngine.h"\r
  37 #include "util/DOMPropertySet.h"\r
  38 #include "util/SPConstants.h"\r
  39 \r
  40 #include <sys/types.h>\r
  41 #include <sys/stat.h>\r
  42 #include <log4cpp/Category.hh>\r
  43 #include <log4cpp/PropertyConfigurator.hh>\r
  44 #include <saml/SAMLConfig.h>\r
  45 #include <saml/saml1/core/Assertions.h>\r
  46 #include <saml/saml2/metadata/ChainingMetadataProvider.h>\r
  47 #include <xmltooling/XMLToolingConfig.h>\r
  48 #include <xmltooling/security/ChainingTrustEngine.h>\r
  49 #include <xmltooling/util/NDC.h>\r
  50 #include <xmltooling/util/ReloadableXMLFile.h>\r
  51 #include <xmltooling/util/ReplayCache.h>\r
  52 \r
  53 using namespace shibsp;\r
  54 using namespace opensaml::saml2;\r
  55 using namespace opensaml::saml2md;\r
  56 using namespace opensaml;\r
  57 using namespace xmltooling;\r
  58 using namespace log4cpp;\r
  59 using namespace std;\r
  60 using xmlsignature::CredentialResolver;\r
  61 \r
  62 namespace {\r
  63 \r
  64 #if defined (_MSC_VER)\r
  65     #pragma warning( push )\r
  66     #pragma warning( disable : 4250 )\r
  67 #endif\r
  68 \r
  69     static vector<const Handler*> g_noHandlers;\r
  70 \r
  71     // Application configuration wrapper\r
  72     class SHIBSP_DLLLOCAL XMLApplication : public virtual Application, public DOMPropertySet, public DOMNodeFilter\r
  73     {\r
  74     public:\r
  75         XMLApplication(const ServiceProvider*, const DOMElement* e, const XMLApplication* base=NULL);\r
  76         ~XMLApplication() { cleanup(); }\r
  77     \r
  78         // PropertySet\r
  79         pair<bool,bool> getBool(const char* name, const char* ns=NULL) const;\r
  80         pair<bool,const char*> getString(const char* name, const char* ns=NULL) const;\r
  81         pair<bool,const XMLCh*> getXMLString(const char* name, const char* ns=NULL) const;\r
  82         pair<bool,unsigned int> getUnsignedInt(const char* name, const char* ns=NULL) const;\r
  83         pair<bool,int> getInt(const char* name, const char* ns=NULL) const;\r
  84         const PropertySet* getPropertySet(const char* name, const char* ns="urn:mace:shibboleth:target:config:1.0") const;\r
  85 \r
  86         // Application\r
  87         const char* getId() const {return getString("id").second;}\r
  88         const char* getHash() const {return m_hash.c_str();}\r
  89         MetadataProvider* getMetadataProvider() const;\r
  90         TrustEngine* getTrustEngine() const;\r
  91         const vector<const XMLCh*>& getAudiences() const;\r
  92         const PropertySet* getCredentialUse(const EntityDescriptor* provider) const;\r
  93 \r
  94         const Handler* getDefaultSessionInitiator() const;\r
  95         const Handler* getSessionInitiatorById(const char* id) const;\r
  96         const Handler* getDefaultAssertionConsumerService() const;\r
  97         const Handler* getAssertionConsumerServiceByIndex(unsigned short index) const;\r
  98         const vector<const Handler*>& getAssertionConsumerServicesByBinding(const XMLCh* binding) const;\r
  99         const Handler* getHandler(const char* path) const;\r
 100         \r
 101         // Provides filter to exclude special config elements.\r
 102         short acceptNode(const DOMNode* node) const;\r
 103     \r
 104     private:\r
 105         void cleanup();\r
 106         const ServiceProvider* m_sp;   // this is ok because its locking scope includes us\r
 107         const XMLApplication* m_base;\r
 108         string m_hash;\r
 109         MetadataProvider* m_metadata;\r
 110         TrustEngine* m_trust;\r
 111         vector<const XMLCh*> m_audiences;\r
 112 \r
 113         // manage handler objects\r
 114         vector<Handler*> m_handlers;\r
 115 \r
 116         // maps location (path info) to applicable handlers\r
 117         map<string,const Handler*> m_handlerMap;\r
 118 \r
 119         // maps unique indexes to consumer services\r
 120         map<unsigned int,const Handler*> m_acsIndexMap;\r
 121         \r
 122         // pointer to default consumer service\r
 123         const Handler* m_acsDefault;\r
 124 \r
 125         // maps binding strings to supporting consumer service(s)\r
 126 #ifdef HAVE_GOOD_STL\r
 127         typedef map<xstring,vector<const Handler*> > ACSBindingMap;\r
 128 #else\r
 129         typedef map<string,vector<const Handler*> > ACSBindingMap;\r
 130 #endif\r
 131         ACSBindingMap m_acsBindingMap;\r
 132 \r
 133         // maps unique ID strings to session initiators\r
 134         map<string,const Handler*> m_sessionInitMap;\r
 135 \r
 136         // pointer to default session initiator\r
 137         const Handler* m_sessionInitDefault;\r
 138 \r
 139         DOMPropertySet* m_credDefault;\r
 140 #ifdef HAVE_GOOD_STL\r
 141         map<xstring,PropertySet*> m_credMap;\r
 142 #else\r
 143         map<const XMLCh*,PropertySet*> m_credMap;\r
 144 #endif\r
 145     };\r
 146 \r
 147     // Top-level configuration implementation\r
 148     class SHIBSP_DLLLOCAL XMLConfig;\r
 149     class SHIBSP_DLLLOCAL XMLConfigImpl : public DOMPropertySet, public DOMNodeFilter\r
 150     {\r
 151     public:\r
 152         XMLConfigImpl(const DOMElement* e, bool first, const XMLConfig* outer);\r
 153         ~XMLConfigImpl();\r
 154         \r
 155         RequestMapper* m_requestMapper;\r
 156         map<string,Application*> m_appmap;\r
 157         map<string,CredentialResolver*> m_credResolverMap;\r
 158         map< string,vector<const SecurityPolicyRule*> > m_policyMap;\r
 159         string m_policyDefault;\r
 160         \r
 161         // Provides filter to exclude special config elements.\r
 162         short acceptNode(const DOMNode* node) const;\r
 163 \r
 164         void setDocument(DOMDocument* doc) {\r
 165             m_document = doc;\r
 166         }\r
 167 \r
 168     private:\r
 169         void doExtensions(const DOMElement* e, const char* label, Category& log);\r
 170 \r
 171         const XMLConfig* m_outer;\r
 172         DOMDocument* m_document;\r
 173     };\r
 174 \r
 175     class SHIBSP_DLLLOCAL XMLConfig : public ServiceProvider, public ReloadableXMLFile\r
 176     {\r
 177     public:\r
 178         XMLConfig(const DOMElement* e)\r
 179             : ReloadableXMLFile(e), m_impl(NULL), m_listener(NULL), m_sessionCache(NULL), m_tranLog(NULL) {\r
 180         }\r
 181         \r
 182         void init() {\r
 183             load();\r
 184         }\r
 185 \r
 186         ~XMLConfig() {\r
 187             delete m_impl;\r
 188             delete m_sessionCache;\r
 189             delete m_listener;\r
 190             delete m_tranLog;\r
 191             XMLToolingConfig::getConfig().setReplayCache(NULL);\r
 192             for_each(m_storage.begin(), m_storage.end(), cleanup_pair<string,StorageService>());\r
 193         }\r
 194 \r
 195         // PropertySet\r
 196         pair<bool,bool> getBool(const char* name, const char* ns=NULL) const {return m_impl->getBool(name,ns);}\r
 197         pair<bool,const char*> getString(const char* name, const char* ns=NULL) const {return m_impl->getString(name,ns);}\r
 198         pair<bool,const XMLCh*> getXMLString(const char* name, const char* ns=NULL) const {return m_impl->getXMLString(name,ns);}\r
 199         pair<bool,unsigned int> getUnsignedInt(const char* name, const char* ns=NULL) const {return m_impl->getUnsignedInt(name,ns);}\r
 200         pair<bool,int> getInt(const char* name, const char* ns=NULL) const {return m_impl->getInt(name,ns);}\r
 201         const PropertySet* getPropertySet(const char* name, const char* ns="urn:mace:shibboleth:sp:config:2.0") const {return m_impl->getPropertySet(name,ns);}\r
 202         const DOMElement* getElement() const {return m_impl->getElement();}\r
 203 \r
 204         // ServiceProvider\r
 205         TransactionLog* getTransactionLog() const {\r
 206             if (m_tranLog)\r
 207                 return m_tranLog;\r
 208             throw ConfigurationException("No TransactionLog available.");\r
 209         }\r
 210 \r
 211         StorageService* getStorageService(const char* id) const {\r
 212             if (id) {\r
 213                 map<string,StorageService*>::const_iterator i=m_storage.find(id);\r
 214                 if (i!=m_storage.end())\r
 215                     return i->second;\r
 216             }\r
 217             return NULL;\r
 218         }\r
 219 \r
 220         ListenerService* getListenerService(bool required=true) const {\r
 221             if (required && !m_listener)\r
 222                 throw ConfigurationException("No ListenerService available.");\r
 223             return m_listener;\r
 224         }\r
 225 \r
 226         SessionCache* getSessionCache(bool required=true) const {\r
 227             if (required && !m_sessionCache)\r
 228                 throw ConfigurationException("No SessionCache available.");\r
 229             return m_sessionCache;\r
 230         }\r
 231 \r
 232         RequestMapper* getRequestMapper(bool required=true) const {\r
 233             if (required && !m_impl->m_requestMapper)\r
 234                 throw ConfigurationException("No RequestMapper available.");\r
 235             return m_impl->m_requestMapper;\r
 236         }\r
 237 \r
 238         const Application* getApplication(const char* applicationId) const {\r
 239             map<string,Application*>::const_iterator i=m_impl->m_appmap.find(applicationId);\r
 240             return (i!=m_impl->m_appmap.end()) ? i->second : NULL;\r
 241         }\r
 242 \r
 243         CredentialResolver* getCredentialResolver(const char* id) const {\r
 244             if (id) {\r
 245                 map<string,CredentialResolver*>::const_iterator i=m_impl->m_credResolverMap.find(id);\r
 246                 if (i!=m_impl->m_credResolverMap.end())\r
 247                     return i->second;\r
 248             }\r
 249             return NULL;\r
 250         }\r
 251 \r
 252         vector<const SecurityPolicyRule*>& getPolicyRules(const char* id=NULL) const {\r
 253             if (!id)\r
 254                 id = m_impl->m_policyDefault.c_str();\r
 255             if (m_impl->m_policyMap.count(id))\r
 256                 return m_impl->m_policyMap[id];\r
 257             throw ConfigurationException("Security Policy ($1) not found, check <SecurityPolicies> element.", params(1,id));\r
 258         }\r
 259 \r
 260     protected:\r
 261         pair<bool,DOMElement*> load();\r
 262 \r
 263     private:\r
 264         friend class XMLConfigImpl;\r
 265         XMLConfigImpl* m_impl;\r
 266         mutable ListenerService* m_listener;\r
 267         mutable SessionCache* m_sessionCache;\r
 268         mutable TransactionLog* m_tranLog;\r
 269         mutable map<string,StorageService*> m_storage;\r
 270     };\r
 271 \r
 272 #if defined (_MSC_VER)\r
 273     #pragma warning( pop )\r
 274 #endif\r
 275 \r
 276     static const XMLCh _Application[] =         UNICODE_LITERAL_11(A,p,p,l,i,c,a,t,i,o,n);\r
 277     static const XMLCh Applications[] =         UNICODE_LITERAL_12(A,p,p,l,i,c,a,t,i,o,n,s);\r
 278     static const XMLCh Credentials[] =          UNICODE_LITERAL_11(C,r,e,d,e,n,t,i,a,l,s);\r
 279     static const XMLCh CredentialUse[] =        UNICODE_LITERAL_13(C,r,e,d,e,n,t,i,a,l,U,s,e);\r
 280     static const XMLCh _default[] =             UNICODE_LITERAL_7(d,e,f,a,u,l,t);\r
 281     static const XMLCh fatal[] =                UNICODE_LITERAL_5(f,a,t,a,l);\r
 282     static const XMLCh _Handler[] =             UNICODE_LITERAL_7(H,a,n,d,l,e,r);\r
 283     static const XMLCh _id[] =                  UNICODE_LITERAL_2(i,d);\r
 284     static const XMLCh Implementation[] =       UNICODE_LITERAL_14(I,m,p,l,e,m,e,n,t,a,t,i,o,n);\r
 285     static const XMLCh InProcess[] =            UNICODE_LITERAL_9(I,n,P,r,o,c,e,s,s);\r
 286     static const XMLCh Library[] =              UNICODE_LITERAL_7(L,i,b,r,a,r,y);\r
 287     static const XMLCh Listener[] =             UNICODE_LITERAL_8(L,i,s,t,e,n,e,r);\r
 288     static const XMLCh logger[] =               UNICODE_LITERAL_6(l,o,g,g,e,r);\r
 289     static const XMLCh MemoryListener[] =       UNICODE_LITERAL_14(M,e,m,o,r,y,L,i,s,t,e,n,e,r);\r
 290     static const XMLCh Policy[] =               UNICODE_LITERAL_6(P,o,l,i,c,y);\r
 291     static const XMLCh RelyingParty[] =         UNICODE_LITERAL_12(R,e,l,y,i,n,g,P,a,r,t,y);\r
 292     static const XMLCh _ReplayCache[] =         UNICODE_LITERAL_11(R,e,p,l,a,y,C,a,c,h,e);\r
 293     static const XMLCh _RequestMapper[] =       UNICODE_LITERAL_13(R,e,q,u,e,s,t,M,a,p,p,e,r);\r
 294     static const XMLCh Rule[] =                 UNICODE_LITERAL_4(R,u,l,e);\r
 295     static const XMLCh SecurityPolicies[] =     UNICODE_LITERAL_16(S,e,c,u,r,i,t,y,P,o,l,i,c,i,e,s);\r
 296     static const XMLCh _SessionCache[] =        UNICODE_LITERAL_12(S,e,s,s,i,o,n,C,a,c,h,e);\r
 297     static const XMLCh SessionInitiator[] =     UNICODE_LITERAL_16(S,e,s,s,i,o,n,I,n,i,t,i,a,t,o,r);\r
 298     static const XMLCh _StorageService[] =      UNICODE_LITERAL_14(S,t,o,r,a,g,e,S,e,r,v,i,c,e);\r
 299     static const XMLCh OutOfProcess[] =         UNICODE_LITERAL_12(O,u,t,O,f,P,r,o,c,e,s,s);\r
 300     static const XMLCh TCPListener[] =          UNICODE_LITERAL_11(T,C,P,L,i,s,t,e,n,e,r);\r
 301     static const XMLCh _TrustEngine[] =         UNICODE_LITERAL_11(T,r,u,s,t,E,n,g,i,n,e);\r
 302     static const XMLCh UnixListener[] =         UNICODE_LITERAL_12(U,n,i,x,L,i,s,t,e,n,e,r);\r
 303     static const XMLCh _MetadataProvider[] =    UNICODE_LITERAL_16(M,e,t,a,d,a,t,a,P,r,o,v,i,d,e,r);\r
 304     static const XMLCh _path[] =                UNICODE_LITERAL_4(p,a,t,h);\r
 305     static const XMLCh _type[] =                UNICODE_LITERAL_4(t,y,p,e);\r
 306 };\r
 307 \r
 308 namespace shibsp {\r
 309     ServiceProvider* XMLServiceProviderFactory(const DOMElement* const & e)\r
 310     {\r
 311         return new XMLConfig(e);\r
 312     }\r
 313 };\r
 314 \r
 315 XMLApplication::XMLApplication(\r
 316     const ServiceProvider* sp,\r
 317     const DOMElement* e,\r
 318     const XMLApplication* base\r
 319     ) : m_sp(sp), m_base(base), m_metadata(NULL), m_trust(NULL),\r
 320         m_credDefault(NULL), m_sessionInitDefault(NULL), m_acsDefault(NULL)\r
 321 {\r
 322 #ifdef _DEBUG\r
 323     xmltooling::NDC ndc("XMLApplication");\r
 324 #endif\r
 325     Category& log=Category::getInstance(SHIBSP_LOGCAT".Application");\r
 326 \r
 327     try {\r
 328         // First load any property sets.\r
 329         load(e,log,this);\r
 330 \r
 331         SPConfig& conf=SPConfig::getConfig();\r
 332         SAMLConfig& samlConf=SAMLConfig::getConfig();\r
 333         XMLToolingConfig& xmlConf=XMLToolingConfig::getConfig();\r
 334 \r
 335         m_hash=getId();\r
 336         m_hash+=getString("providerId").second;\r
 337         m_hash=samlConf.hashSHA1(m_hash.c_str(), true);\r
 338 \r
 339         const PropertySet* sessions = getPropertySet("Sessions");\r
 340 \r
 341         // Process handlers.\r
 342         Handler* handler=NULL;\r
 343         bool hardACS=false, hardSessionInit=false;\r
 344         const DOMElement* child = sessions ? XMLHelper::getFirstChildElement(sessions->getElement()) : NULL;\r
 345         while (child) {\r
 346             try {\r
 347                 // A handler is based on the Binding property in conjunction with the element name.\r
 348                 // If it's an ACS or SI, also handle index/id mappings and defaulting.\r
 349                 if (XMLHelper::isNodeNamed(child,samlconstants::SAML20MD_NS,AssertionConsumerService::LOCAL_NAME)) {\r
 350                     auto_ptr_char bindprop(child->getAttributeNS(NULL,EndpointType::BINDING_ATTRIB_NAME));\r
 351                     if (!bindprop.get() || !*(bindprop.get())) {\r
 352                         log.warn("md:AssertionConsumerService element has no Binding attribute, skipping it...");\r
 353                         child = XMLHelper::getNextSiblingElement(child);\r
 354                         continue;\r
 355                     }\r
 356                     handler=conf.AssertionConsumerServiceManager.newPlugin(bindprop.get(),child);\r
 357                     // Map by binding (may be > 1 per binding, e.g. SAML 1.0 vs 1.1)\r
 358 #ifdef HAVE_GOOD_STL\r
 359                     m_acsBindingMap[handler->getXMLString("Binding").second].push_back(handler);\r
 360 #else\r
 361                     m_acsBindingMap[handler->getString("Binding").second].push_back(handler);\r
 362 #endif\r
 363                     m_acsIndexMap[handler->getUnsignedInt("index").second]=handler;\r
 364                     \r
 365                     if (!hardACS) {\r
 366                         pair<bool,bool> defprop=handler->getBool("isDefault");\r
 367                         if (defprop.first) {\r
 368                             if (defprop.second) {\r
 369                                 hardACS=true;\r
 370                                 m_acsDefault=handler;\r
 371                             }\r
 372                         }\r
 373                         else if (!m_acsDefault)\r
 374                             m_acsDefault=handler;\r
 375                     }\r
 376                 }\r
 377                 else if (XMLString::equals(child->getLocalName(),SessionInitiator)) {\r
 378                     auto_ptr_char bindprop(child->getAttributeNS(NULL,EndpointType::BINDING_ATTRIB_NAME));\r
 379                     if (!bindprop.get() || !*(bindprop.get())) {\r
 380                         log.warn("SessionInitiator element has no Binding attribute, skipping it...");\r
 381                         child = XMLHelper::getNextSiblingElement(child);\r
 382                         continue;\r
 383                     }\r
 384                     handler=conf.SessionInitiatorManager.newPlugin(bindprop.get(),child);\r
 385                     pair<bool,const char*> si_id=handler->getString("id");\r
 386                     if (si_id.first && si_id.second)\r
 387                         m_sessionInitMap[si_id.second]=handler;\r
 388                     if (!hardSessionInit) {\r
 389                         pair<bool,bool> defprop=handler->getBool("isDefault");\r
 390                         if (defprop.first) {\r
 391                             if (defprop.second) {\r
 392                                 hardSessionInit=true;\r
 393                                 m_sessionInitDefault=handler;\r
 394                             }\r
 395                         }\r
 396                         else if (!m_sessionInitDefault)\r
 397                             m_sessionInitDefault=handler;\r
 398                     }\r
 399                 }\r
 400                 else if (XMLHelper::isNodeNamed(child,samlconstants::SAML20MD_NS,SingleLogoutService::LOCAL_NAME)) {\r
 401                     auto_ptr_char bindprop(child->getAttributeNS(NULL,EndpointType::BINDING_ATTRIB_NAME));\r
 402                     if (!bindprop.get() || !*(bindprop.get())) {\r
 403                         log.warn("md:SingleLogoutService element has no Binding attribute, skipping it...");\r
 404                         child = XMLHelper::getNextSiblingElement(child);\r
 405                         continue;\r
 406                     }\r
 407                     handler=conf.SingleLogoutServiceManager.newPlugin(bindprop.get(),child);\r
 408                 }\r
 409                 else if (XMLHelper::isNodeNamed(child,samlconstants::SAML20MD_NS,ManageNameIDService::LOCAL_NAME)) {\r
 410                     auto_ptr_char bindprop(child->getAttributeNS(NULL,EndpointType::BINDING_ATTRIB_NAME));\r
 411                     if (!bindprop.get() || !*(bindprop.get())) {\r
 412                         log.warn("md:ManageNameIDService element has no Binding attribute, skipping it...");\r
 413                         child = XMLHelper::getNextSiblingElement(child);\r
 414                         continue;\r
 415                     }\r
 416                     handler=conf.ManageNameIDServiceManager.newPlugin(bindprop.get(),child);\r
 417                 }\r
 418                 else {\r
 419                     auto_ptr_char type(child->getAttributeNS(NULL,_type));\r
 420                     if (!type.get() || !*(type.get())) {\r
 421                         log.warn("Handler element has no type attribute, skipping it...");\r
 422                         child = XMLHelper::getNextSiblingElement(child);\r
 423                         continue;\r
 424                     }\r
 425                     handler=conf.HandlerManager.newPlugin(type.get(),child);\r
 426                 }\r
 427 \r
 428                 // Save off the objects after giving the property set to the handler for its use.\r
 429                 m_handlers.push_back(handler);\r
 430 \r
 431                 // Insert into location map.\r
 432                 pair<bool,const char*> location=handler->getString("Location");\r
 433                 if (location.first && *location.second == '/')\r
 434                     m_handlerMap[location.second]=handler;\r
 435                 else if (location.first)\r
 436                     m_handlerMap[string("/") + location.second]=handler;\r
 437 \r
 438             }\r
 439             catch (exception& ex) {\r
 440                 log.error("caught exception processing handler element: %s", ex.what());\r
 441             }\r
 442             \r
 443             child = XMLHelper::getNextSiblingElement(child);\r
 444         }\r
 445 \r
 446         DOMNodeList* nlist=e->getElementsByTagNameNS(samlconstants::SAML20_NS,Audience::LOCAL_NAME);\r
 447         for (XMLSize_t i=0; nlist && i<nlist->getLength(); i++)\r
 448             if (nlist->item(i)->getParentNode()->isSameNode(e) && nlist->item(i)->hasChildNodes())\r
 449                 m_audiences.push_back(nlist->item(i)->getFirstChild()->getNodeValue());\r
 450 \r
 451         // Always include our own providerId as an audience.\r
 452         m_audiences.push_back(getXMLString("providerId").second);\r
 453 \r
 454         if (conf.isEnabled(SPConfig::AttributeResolver)) {\r
 455             // TODO\r
 456         }\r
 457 \r
 458         if (conf.isEnabled(SPConfig::Metadata)) {\r
 459             child = XMLHelper::getFirstChildElement(e,_MetadataProvider);\r
 460             if (child) {\r
 461                 auto_ptr_char type(child->getAttributeNS(NULL,_type));\r
 462                 log.info("building metadata provider of type %s...",type.get());\r
 463                 try {\r
 464                     auto_ptr<MetadataProvider> mp(samlConf.MetadataProviderManager.newPlugin(type.get(),child));\r
 465                     mp->init();\r
 466                     m_metadata = mp.release();\r
 467                 }\r
 468                 catch (exception& ex) {\r
 469                     log.crit("error building/initializing metadata provider: %s", ex.what());\r
 470                 }\r
 471             }\r
 472         }\r
 473 \r
 474         if (conf.isEnabled(SPConfig::Trust)) {\r
 475             child = XMLHelper::getFirstChildElement(e,_TrustEngine);\r
 476             if (child) {\r
 477                 auto_ptr_char type(child->getAttributeNS(NULL,_type));\r
 478                 log.info("building trust engine of type %s...",type.get());\r
 479                 try {\r
 480                     m_trust = xmlConf.TrustEngineManager.newPlugin(type.get(),child);\r
 481                 }\r
 482                 catch (exception& ex) {\r
 483                     log.crit("error building trust engine: %s",ex.what());\r
 484                 }\r
 485             }\r
 486         }\r
 487         \r
 488         // Finally, load credential mappings.\r
 489         child = XMLHelper::getFirstChildElement(e,CredentialUse);\r
 490         if (child) {\r
 491             m_credDefault=new DOMPropertySet();\r
 492             m_credDefault->load(child,log,this);\r
 493             child = XMLHelper::getFirstChildElement(child,RelyingParty);\r
 494             while (child) {\r
 495                 DOMPropertySet* rp=new DOMPropertySet();\r
 496                 rp->load(child,log,this);\r
 497                 m_credMap[child->getAttributeNS(NULL,opensaml::saml2::Attribute::NAME_ATTRIB_NAME)]=rp;\r
 498                 child = XMLHelper::getNextSiblingElement(child,RelyingParty);\r
 499             }\r
 500         }\r
 501         \r
 502         if (conf.isEnabled(SPConfig::OutOfProcess)) {\r
 503             // Really finally, build local browser profile and binding objects.\r
 504             // TODO: may need some bits here...\r
 505         }\r
 506     }\r
 507     catch (exception&) {\r
 508         cleanup();\r
 509         throw;\r
 510     }\r
 511 #ifndef _DEBUG\r
 512     catch (...) {\r
 513         cleanup();\r
 514         throw;\r
 515     }\r
 516 #endif\r
 517 }\r
 518 \r
 519 void XMLApplication::cleanup()\r
 520 {\r
 521     for_each(m_handlers.begin(),m_handlers.end(),xmltooling::cleanup<Handler>());\r
 522     \r
 523     delete m_credDefault;\r
 524 #ifdef HAVE_GOOD_STL\r
 525     for_each(m_credMap.begin(),m_credMap.end(),cleanup_pair<xstring,PropertySet>());\r
 526 #else\r
 527     for_each(m_credMap.begin(),m_credMap.end(),cleanup_pair<const XMLCh*,PropertySet>());\r
 528 #endif\r
 529 \r
 530     delete m_trust;\r
 531     delete m_metadata;\r
 532 }\r
 533 \r
 534 short XMLApplication::acceptNode(const DOMNode* node) const\r
 535 {\r
 536     if (XMLHelper::isNodeNamed(node,samlconstants::SAML20_NS,opensaml::saml2::Attribute::LOCAL_NAME))\r
 537         return FILTER_REJECT;\r
 538     else if (XMLHelper::isNodeNamed(node,samlconstants::SAML20_NS,Audience::LOCAL_NAME))\r
 539         return FILTER_REJECT;\r
 540     const XMLCh* name=node->getLocalName();\r
 541     if (XMLString::equals(name,_Application) ||\r
 542         XMLString::equals(name,AssertionConsumerService::LOCAL_NAME) ||\r
 543         XMLString::equals(name,SingleLogoutService::LOCAL_NAME) ||\r
 544         XMLString::equals(name,ManageNameIDService::LOCAL_NAME) ||\r
 545         XMLString::equals(name,SessionInitiator) ||\r
 546         XMLString::equals(name,CredentialUse) ||\r
 547         XMLString::equals(name,RelyingParty) ||\r
 548         XMLString::equals(name,_MetadataProvider) ||\r
 549         XMLString::equals(name,_TrustEngine))\r
 550         return FILTER_REJECT;\r
 551 \r
 552     return FILTER_ACCEPT;\r
 553 }\r
 554 \r
 555 pair<bool,bool> XMLApplication::getBool(const char* name, const char* ns) const\r
 556 {\r
 557     pair<bool,bool> ret=DOMPropertySet::getBool(name,ns);\r
 558     if (ret.first)\r
 559         return ret;\r
 560     return m_base ? m_base->getBool(name,ns) : ret;\r
 561 }\r
 562 \r
 563 pair<bool,const char*> XMLApplication::getString(const char* name, const char* ns) const\r
 564 {\r
 565     pair<bool,const char*> ret=DOMPropertySet::getString(name,ns);\r
 566     if (ret.first)\r
 567         return ret;\r
 568     return m_base ? m_base->getString(name,ns) : ret;\r
 569 }\r
 570 \r
 571 pair<bool,const XMLCh*> XMLApplication::getXMLString(const char* name, const char* ns) const\r
 572 {\r
 573     pair<bool,const XMLCh*> ret=DOMPropertySet::getXMLString(name,ns);\r
 574     if (ret.first)\r
 575         return ret;\r
 576     return m_base ? m_base->getXMLString(name,ns) : ret;\r
 577 }\r
 578 \r
 579 pair<bool,unsigned int> XMLApplication::getUnsignedInt(const char* name, const char* ns) const\r
 580 {\r
 581     pair<bool,unsigned int> ret=DOMPropertySet::getUnsignedInt(name,ns);\r
 582     if (ret.first)\r
 583         return ret;\r
 584     return m_base ? m_base->getUnsignedInt(name,ns) : ret;\r
 585 }\r
 586 \r
 587 pair<bool,int> XMLApplication::getInt(const char* name, const char* ns) const\r
 588 {\r
 589     pair<bool,int> ret=DOMPropertySet::getInt(name,ns);\r
 590     if (ret.first)\r
 591         return ret;\r
 592     return m_base ? m_base->getInt(name,ns) : ret;\r
 593 }\r
 594 \r
 595 const PropertySet* XMLApplication::getPropertySet(const char* name, const char* ns) const\r
 596 {\r
 597     const PropertySet* ret=DOMPropertySet::getPropertySet(name,ns);\r
 598     if (ret || !m_base)\r
 599         return ret;\r
 600     return m_base->getPropertySet(name,ns);\r
 601 }\r
 602 \r
 603 MetadataProvider* XMLApplication::getMetadataProvider() const\r
 604 {\r
 605     return (!m_metadata && m_base) ? m_base->getMetadataProvider() : m_metadata;\r
 606 }\r
 607 \r
 608 TrustEngine* XMLApplication::getTrustEngine() const\r
 609 {\r
 610     return (!m_trust && m_base) ? m_base->getTrustEngine() : m_trust;\r
 611 }\r
 612 \r
 613 const vector<const XMLCh*>& XMLApplication::getAudiences() const\r
 614 {\r
 615     return (m_audiences.empty() && m_base) ? m_base->getAudiences() : m_audiences;\r
 616 }\r
 617 \r
 618 const PropertySet* XMLApplication::getCredentialUse(const EntityDescriptor* provider) const\r
 619 {\r
 620     if (!m_credDefault && m_base)\r
 621         return m_base->getCredentialUse(provider);\r
 622         \r
 623 #ifdef HAVE_GOOD_STL\r
 624     map<xstring,PropertySet*>::const_iterator i=m_credMap.find(provider->getEntityID());\r
 625     if (i!=m_credMap.end())\r
 626         return i->second;\r
 627     const EntitiesDescriptor* group=dynamic_cast<const EntitiesDescriptor*>(provider->getParent());\r
 628     while (group) {\r
 629         if (group->getName()) {\r
 630             i=m_credMap.find(group->getName());\r
 631             if (i!=m_credMap.end())\r
 632                 return i->second;\r
 633         }\r
 634         group=dynamic_cast<const EntitiesDescriptor*>(group->getParent());\r
 635     }\r
 636 #else\r
 637     map<const XMLCh*,PropertySet*>::const_iterator i=m_credMap.begin();\r
 638     for (; i!=m_credMap.end(); i++) {\r
 639         if (XMLString::equals(i->first,provider->getId()))\r
 640             return i->second;\r
 641         const EntitiesDescriptor* group=dynamic_cast<const EntitiesDescriptor*>(provider->getParent());\r
 642         while (group) {\r
 643             if (XMLString::equals(i->first,group->getName()))\r
 644                 return i->second;\r
 645             group=dynamic_cast<const EntitiesDescriptor*>(group->getParent());\r
 646         }\r
 647     }\r
 648 #endif\r
 649     return m_credDefault;\r
 650 }\r
 651 \r
 652 const Handler* XMLApplication::getDefaultSessionInitiator() const\r
 653 {\r
 654     if (m_sessionInitDefault) return m_sessionInitDefault;\r
 655     return m_base ? m_base->getDefaultSessionInitiator() : NULL;\r
 656 }\r
 657 \r
 658 const Handler* XMLApplication::getSessionInitiatorById(const char* id) const\r
 659 {\r
 660     map<string,const Handler*>::const_iterator i=m_sessionInitMap.find(id);\r
 661     if (i!=m_sessionInitMap.end()) return i->second;\r
 662     return m_base ? m_base->getSessionInitiatorById(id) : NULL;\r
 663 }\r
 664 \r
 665 const Handler* XMLApplication::getDefaultAssertionConsumerService() const\r
 666 {\r
 667     if (m_acsDefault) return m_acsDefault;\r
 668     return m_base ? m_base->getDefaultAssertionConsumerService() : NULL;\r
 669 }\r
 670 \r
 671 const Handler* XMLApplication::getAssertionConsumerServiceByIndex(unsigned short index) const\r
 672 {\r
 673     map<unsigned int,const Handler*>::const_iterator i=m_acsIndexMap.find(index);\r
 674     if (i!=m_acsIndexMap.end()) return i->second;\r
 675     return m_base ? m_base->getAssertionConsumerServiceByIndex(index) : NULL;\r
 676 }\r
 677 \r
 678 const vector<const Handler*>& XMLApplication::getAssertionConsumerServicesByBinding(const XMLCh* binding) const\r
 679 {\r
 680 #ifdef HAVE_GOOD_STL\r
 681     ACSBindingMap::const_iterator i=m_acsBindingMap.find(binding);\r
 682 #else\r
 683     auto_ptr_char temp(binding);\r
 684     ACSBindingMap::const_iterator i=m_acsBindingMap.find(temp.get());\r
 685 #endif\r
 686     if (i!=m_acsBindingMap.end())\r
 687         return i->second;\r
 688     return m_base ? m_base->getAssertionConsumerServicesByBinding(binding) : g_noHandlers;\r
 689 }\r
 690 \r
 691 const Handler* XMLApplication::getHandler(const char* path) const\r
 692 {\r
 693     string wrap(path);\r
 694     map<string,const Handler*>::const_iterator i=m_handlerMap.find(wrap.substr(0,wrap.find('?')));\r
 695     if (i!=m_handlerMap.end())\r
 696         return i->second;\r
 697     return m_base ? m_base->getHandler(path) : NULL;\r
 698 }\r
 699 \r
 700 short XMLConfigImpl::acceptNode(const DOMNode* node) const\r
 701 {\r
 702     if (!XMLString::equals(node->getNamespaceURI(),shibspconstants::SHIB2SPCONFIG_NS))\r
 703         return FILTER_ACCEPT;\r
 704     const XMLCh* name=node->getLocalName();\r
 705     if (XMLString::equals(name,Applications) ||\r
 706         XMLString::equals(name,Credentials) ||\r
 707         XMLString::equals(name,Extensions::LOCAL_NAME) ||\r
 708         XMLString::equals(name,Implementation) ||\r
 709         XMLString::equals(name,Listener) ||\r
 710         XMLString::equals(name,MemoryListener) ||\r
 711         XMLString::equals(name,Policy) ||\r
 712         XMLString::equals(name,_RequestMapper) ||\r
 713         XMLString::equals(name,_ReplayCache) ||\r
 714         XMLString::equals(name,_SessionCache) ||\r
 715         XMLString::equals(name,_StorageService) ||\r
 716         XMLString::equals(name,TCPListener) ||\r
 717         XMLString::equals(name,UnixListener))\r
 718         return FILTER_REJECT;\r
 719 \r
 720     return FILTER_ACCEPT;\r
 721 }\r
 722 \r
 723 void XMLConfigImpl::doExtensions(const DOMElement* e, const char* label, Category& log)\r
 724 {\r
 725     const DOMElement* exts=XMLHelper::getFirstChildElement(e,Extensions::LOCAL_NAME);\r
 726     if (exts) {\r
 727         exts=XMLHelper::getFirstChildElement(exts,Library);\r
 728         while (exts) {\r
 729             auto_ptr_char path(exts->getAttributeNS(NULL,_path));\r
 730             try {\r
 731                 if (path.get()) {\r
 732                     XMLToolingConfig::getConfig().load_library(path.get(),(void*)exts);\r
 733                     log.debug("loaded %s extension library (%s)", label, path.get());\r
 734                 }\r
 735             }\r
 736             catch (exception& e) {\r
 737                 const XMLCh* fatal=exts->getAttributeNS(NULL,fatal);\r
 738                 if (fatal && (*fatal==chLatin_t || *fatal==chDigit_1)) {\r
 739                     log.fatal("unable to load mandatory %s extension library %s: %s", label, path.get(), e.what());\r
 740                     throw;\r
 741                 }\r
 742                 else {\r
 743                     log.crit("unable to load optional %s extension library %s: %s", label, path.get(), e.what());\r
 744                 }\r
 745             }\r
 746             exts=XMLHelper::getNextSiblingElement(exts,Library);\r
 747         }\r
 748     }\r
 749 }\r
 750 \r
 751 XMLConfigImpl::XMLConfigImpl(const DOMElement* e, bool first, const XMLConfig* outer) : m_requestMapper(NULL), m_outer(outer), m_document(NULL)\r
 752 {\r
 753 #ifdef _DEBUG\r
 754     xmltooling::NDC ndc("XMLConfigImpl");\r
 755 #endif\r
 756     Category& log=Category::getInstance(SHIBSP_LOGCAT".Config");\r
 757 \r
 758     try {\r
 759         SPConfig& conf=SPConfig::getConfig();\r
 760         SAMLConfig& samlConf=SAMLConfig::getConfig();\r
 761         XMLToolingConfig& xmlConf=XMLToolingConfig::getConfig();\r
 762         const DOMElement* SHAR=XMLHelper::getFirstChildElement(e,OutOfProcess);\r
 763         const DOMElement* SHIRE=XMLHelper::getFirstChildElement(e,InProcess);\r
 764 \r
 765         // Initialize log4cpp manually in order to redirect log messages as soon as possible.\r
 766         if (conf.isEnabled(SPConfig::Logging)) {\r
 767             const XMLCh* logconf=NULL;\r
 768             if (conf.isEnabled(SPConfig::OutOfProcess))\r
 769                 logconf=SHAR->getAttributeNS(NULL,logger);\r
 770             else if (conf.isEnabled(SPConfig::InProcess))\r
 771                 logconf=SHIRE->getAttributeNS(NULL,logger);\r
 772             if (!logconf || !*logconf)\r
 773                 logconf=e->getAttributeNS(NULL,logger);\r
 774             if (logconf && *logconf) {\r
 775                 auto_ptr_char logpath(logconf);\r
 776                 log.debug("loading new logging configuration from (%s), check log destination for status of configuration",logpath.get());\r
 777                 XMLToolingConfig::getConfig().log_config(logpath.get());\r
 778             }\r
 779             \r
 780             if (first)\r
 781                 m_outer->m_tranLog = new TransactionLog();\r
 782         }\r
 783         \r
 784         // First load any property sets.\r
 785         load(e,log,this);\r
 786 \r
 787         const DOMElement* child;\r
 788         string plugtype;\r
 789 \r
 790         // Much of the processing can only occur on the first instantiation.\r
 791         if (first) {\r
 792             // Set clock skew.\r
 793             pair<bool,unsigned int> skew=getUnsignedInt("clockSkew");\r
 794             if (skew.first)\r
 795                 xmlConf.clock_skew_secs=skew.second;\r
 796 \r
 797             // Extensions\r
 798             doExtensions(e, "global", log);\r
 799             if (conf.isEnabled(SPConfig::OutOfProcess))\r
 800                 doExtensions(SHAR, "out of process", log);\r
 801 \r
 802             if (conf.isEnabled(SPConfig::InProcess))\r
 803                 doExtensions(SHIRE, "in process", log);\r
 804             \r
 805             // Instantiate the ListenerService and SessionCache objects.\r
 806             if (conf.isEnabled(SPConfig::Listener)) {\r
 807                 child=XMLHelper::getFirstChildElement(SHAR,UnixListener);\r
 808                 if (child)\r
 809                     plugtype=UNIX_LISTENER_SERVICE;\r
 810                 else {\r
 811                     child=XMLHelper::getFirstChildElement(SHAR,TCPListener);\r
 812                     if (child)\r
 813                         plugtype=TCP_LISTENER_SERVICE;\r
 814                     else {\r
 815                         child=XMLHelper::getFirstChildElement(SHAR,MemoryListener);\r
 816                         if (child)\r
 817                             plugtype=MEMORY_LISTENER_SERVICE;\r
 818                         else {\r
 819                             child=XMLHelper::getFirstChildElement(SHAR,Listener);\r
 820                             if (child) {\r
 821                                 auto_ptr_char type(child->getAttributeNS(NULL,_type));\r
 822                                 if (type.get())\r
 823                                     plugtype=type.get();\r
 824                             }\r
 825                         }\r
 826                     }\r
 827                 }\r
 828                 if (child) {\r
 829                     log.info("building ListenerService of type %s...", plugtype.c_str());\r
 830                     m_outer->m_listener = conf.ListenerServiceManager.newPlugin(plugtype.c_str(),child);\r
 831                 }\r
 832                 else {\r
 833                     log.fatal("can't build ListenerService, missing conf:Listener element?");\r
 834                     throw ConfigurationException("Can't build ListenerService, missing conf:Listener element?");\r
 835                 }\r
 836             }\r
 837 \r
 838             if (conf.isEnabled(SPConfig::Caching)) {\r
 839                 if (conf.isEnabled(SPConfig::OutOfProcess)) {\r
 840                     // First build any StorageServices.\r
 841                     string inmemID;\r
 842                     child=XMLHelper::getFirstChildElement(SHAR,_StorageService);\r
 843                     while (child) {\r
 844                         auto_ptr_char id(child->getAttributeNS(NULL,_id));\r
 845                         auto_ptr_char type(child->getAttributeNS(NULL,_type));\r
 846                         try {\r
 847                             log.info("building StorageService (%s) of type %s...", id.get(), type.get());\r
 848                             m_outer->m_storage[id.get()] = xmlConf.StorageServiceManager.newPlugin(type.get(),child);\r
 849                             if (!strcmp(type.get(),MEMORY_STORAGE_SERVICE))\r
 850                                 inmemID = id.get();\r
 851                         }\r
 852                         catch (exception& ex) {\r
 853                             log.crit("failed to instantiate StorageService (%s): %s", id.get(), ex.what());\r
 854                         }\r
 855                         child=XMLHelper::getNextSiblingElement(child,_StorageService);\r
 856                     }\r
 857                 \r
 858                     child=XMLHelper::getFirstChildElement(SHAR,_SessionCache);\r
 859                     if (child) {\r
 860                         auto_ptr_char type(child->getAttributeNS(NULL,_type));\r
 861                         log.info("building SessionCache of type %s...",type.get());\r
 862                         m_outer->m_sessionCache=conf.SessionCacheManager.newPlugin(type.get(),child);\r
 863                     }\r
 864                     else {\r
 865                         log.warn("SessionCache unspecified, building SessionCache of type %s...",STORAGESERVICE_SESSION_CACHE);\r
 866                         if (inmemID.empty()) {\r
 867                             inmemID = "memory";\r
 868                             log.info("no StorageServices configured, providing in-memory version for session cache");\r
 869                             m_outer->m_storage[inmemID] = xmlConf.StorageServiceManager.newPlugin(MEMORY_STORAGE_SERVICE,NULL);\r
 870                         }\r
 871                         child = e->getOwnerDocument()->createElementNS(NULL,_SessionCache);\r
 872                         auto_ptr_XMLCh ssid(inmemID.c_str());\r
 873                         const_cast<DOMElement*>(child)->setAttributeNS(NULL,_StorageService,ssid.get());\r
 874                         m_outer->m_sessionCache=conf.SessionCacheManager.newPlugin(STORAGESERVICE_SESSION_CACHE,child);\r
 875                     }\r
 876 \r
 877                     // Replay cache.\r
 878                     StorageService* replaySS=NULL;\r
 879                     child=XMLHelper::getFirstChildElement(SHAR,_ReplayCache);\r
 880                     if (child) {\r
 881                         auto_ptr_char ssid(child->getAttributeNS(NULL,_StorageService));\r
 882                         if (ssid.get() && *ssid.get()) {\r
 883                             if (m_outer->m_storage.count(ssid.get()))\r
 884                                 replaySS = m_outer->m_storage[ssid.get()];\r
 885                             if (replaySS)\r
 886                                 log.info("building ReplayCache on top of StorageService (%s)...", ssid.get());\r
 887                             else\r
 888                                 log.crit("unable to locate StorageService (%s) in configuration", ssid.get());\r
 889                         }\r
 890                     }\r
 891                     if (!replaySS) {\r
 892                         log.info("building ReplayCache using in-memory StorageService...");\r
 893                         if (inmemID.empty()) {\r
 894                             inmemID = "memory";\r
 895                             log.info("no StorageServices configured, providing in-memory version for legacy config");\r
 896                             m_outer->m_storage[inmemID] = xmlConf.StorageServiceManager.newPlugin(MEMORY_STORAGE_SERVICE,NULL);\r
 897                         }\r
 898                         replaySS = m_outer->m_storage[inmemID];\r
 899                     }\r
 900                     xmlConf.setReplayCache(new ReplayCache(replaySS));\r
 901                 }\r
 902                 else {\r
 903                     log.info("building in-process SessionCache of type %s...",REMOTED_SESSION_CACHE);\r
 904                     m_outer->m_sessionCache=conf.SessionCacheManager.newPlugin(REMOTED_SESSION_CACHE,NULL);\r
 905                 }\r
 906             }\r
 907         } // end of first-time-only stuff\r
 908         \r
 909         // Back to the fully dynamic stuff...next up is the RequestMapper.\r
 910         if (conf.isEnabled(SPConfig::RequestMapping)) {\r
 911             child=XMLHelper::getFirstChildElement(SHIRE,_RequestMapper);\r
 912             if (child) {\r
 913                 auto_ptr_char type(child->getAttributeNS(NULL,_type));\r
 914                 log.info("building RequestMapper of type %s...",type.get());\r
 915                 m_requestMapper=conf.RequestMapperManager.newPlugin(type.get(),child);\r
 916             }\r
 917         }\r
 918         \r
 919         // Now we load the credentials map.\r
 920         if (conf.isEnabled(SPConfig::Credentials)) {\r
 921             child = XMLHelper::getLastChildElement(e,Credentials);\r
 922             if (child) {\r
 923                 // Step down and process resolvers.\r
 924                 child=XMLHelper::getFirstChildElement(child);\r
 925                 while (child) {\r
 926                     auto_ptr_char id(child->getAttributeNS(NULL,_id));\r
 927                     auto_ptr_char type(child->getAttributeNS(NULL,_type));\r
 928                     try {\r
 929                         CredentialResolver* cr=xmlConf.CredentialResolverManager.newPlugin(type.get(),child);\r
 930                         m_credResolverMap[id.get()] = cr;\r
 931                     }\r
 932                     catch (exception& ex) {\r
 933                         log.crit("failed to instantiate CredentialResolver (%s): %s", id.get(), ex.what());\r
 934                     }\r
 935                     child = XMLHelper::getNextSiblingElement(child);\r
 936                 }\r
 937             }\r
 938         }\r
 939 \r
 940         // Load security policies.\r
 941         child = XMLHelper::getLastChildElement(e,SecurityPolicies);\r
 942         if (child) {\r
 943             auto_ptr_char def(child->getAttributeNS(NULL,_default));\r
 944             m_policyDefault = def.get();\r
 945             child = XMLHelper::getFirstChildElement(child,Policy);\r
 946             while (child) {\r
 947                 auto_ptr_char id(child->getAttributeNS(NULL,_id));\r
 948                 vector<const SecurityPolicyRule*>& rules = m_policyMap[id.get()];\r
 949                 const DOMElement* rule = XMLHelper::getFirstChildElement(child,Rule);\r
 950                 while (rule) {\r
 951                     auto_ptr_char type(rule->getAttributeNS(NULL,_type));\r
 952                     try {\r
 953                         rules.push_back(samlConf.SecurityPolicyRuleManager.newPlugin(type.get(),rule));\r
 954                     }\r
 955                     catch (exception& ex) {\r
 956                         log.crit("error instantiating policy rule (%s) in policy (%s): %s", type.get(), id.get(), ex.what());\r
 957                     }\r
 958                     rule = XMLHelper::getNextSiblingElement(rule,Rule);\r
 959                 }\r
 960                 child = XMLHelper::getNextSiblingElement(child,Policy);\r
 961             }\r
 962             if (!m_policyMap.count(m_policyDefault))\r
 963                 throw ConfigurationException("Default security policy ($1) not found in conf:SecurityPolicies element.", params(1,m_policyDefault.c_str()));\r
 964         }\r
 965 \r
 966         // Load the default application. This actually has a fixed ID of "default". ;-)\r
 967         child=XMLHelper::getLastChildElement(e,Applications);\r
 968         if (!child) {\r
 969             log.fatal("can't build default Application object, missing conf:Applications element?");\r
 970             throw ConfigurationException("can't build default Application object, missing conf:Applications element?");\r
 971         }\r
 972         XMLApplication* defapp=new XMLApplication(m_outer,child);\r
 973         m_appmap[defapp->getId()]=defapp;\r
 974         \r
 975         // Load any overrides.\r
 976         child = XMLHelper::getFirstChildElement(child,_Application);\r
 977         while (child) {\r
 978             auto_ptr<XMLApplication> iapp(new XMLApplication(m_outer,child,defapp));\r
 979             if (m_appmap.count(iapp->getId()))\r
 980                 log.crit("found conf:Application element with duplicate id attribute (%s), skipping it", iapp->getId());\r
 981             else\r
 982                 m_appmap[iapp->getId()]=iapp.release();\r
 983 \r
 984             child = XMLHelper::getNextSiblingElement(child,_Application);\r
 985         }\r
 986     }\r
 987     catch (exception&) {\r
 988         this->~XMLConfigImpl();\r
 989         throw;\r
 990     }\r
 991 #ifndef _DEBUG\r
 992     catch (...) {\r
 993         this->~XMLConfigImpl();\r
 994         throw;\r
 995     }\r
 996 #endif\r
 997 }\r
 998 \r
 999 XMLConfigImpl::~XMLConfigImpl()\r
1000 {\r
1001     for_each(m_appmap.begin(),m_appmap.end(),cleanup_pair<string,Application>());\r
1002     for_each(m_credResolverMap.begin(),m_credResolverMap.end(),cleanup_pair<string,CredentialResolver>());\r
1003     for (map< string,vector<const SecurityPolicyRule*> >::iterator i=m_policyMap.begin(); i!=m_policyMap.end(); ++i)\r
1004         for_each(i->second.begin(), i->second.end(), xmltooling::cleanup<SecurityPolicyRule>());\r
1005     delete m_requestMapper;\r
1006     if (m_document)\r
1007         m_document->release();\r
1008 }\r
1009 \r
1010 pair<bool,DOMElement*> XMLConfig::load()\r
1011 {\r
1012     // Load from source using base class.\r
1013     pair<bool,DOMElement*> raw = ReloadableXMLFile::load();\r
1014     \r
1015     // If we own it, wrap it.\r
1016     XercesJanitor<DOMDocument> docjanitor(raw.first ? raw.second->getOwnerDocument() : NULL);\r
1017 \r
1018     XMLConfigImpl* impl = new XMLConfigImpl(raw.second,(m_impl==NULL),this);\r
1019     \r
1020     // If we held the document, transfer it to the impl. If we didn't, it's a no-op.\r
1021     impl->setDocument(docjanitor.release());\r
1022 \r
1023     delete m_impl;\r
1024     m_impl = impl;\r
1025 \r
1026     return make_pair(false,(DOMElement*)NULL);\r
1027 }\r