shibsp/impl/XMLServiceProvider.cpp

   1 /*\r
   2  *  Copyright 2001-2007 Internet2\r
   3  * \r
   4  * Licensed under the Apache License, Version 2.0 (the "License");\r
   5  * you may not use this file except in compliance with the License.\r
   6  * You may obtain a copy of the License at\r
   7  *\r
   8  *     http://www.apache.org/licenses/LICENSE-2.0\r
   9  *\r
  10  * Unless required by applicable law or agreed to in writing, software\r
  11  * distributed under the License is distributed on an "AS IS" BASIS,\r
  12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
  13  * See the License for the specific language governing permissions and\r
  14  * limitations under the License.\r
  15  */\r
  16 \r
  17 /**\r
  18  * XMLServiceProvider.cpp\r
  19  *\r
  20  * XML-based SP configuration and mgmt\r
  21  */\r
  22 \r
  23 #include "internal.h"\r
  24 #include "exceptions.h"\r
  25 #include "AccessControl.h"\r
  26 #include "Application.h"\r
  27 #include "Handler.h"\r
  28 #include "RequestMapper.h"\r
  29 #include "ServiceProvider.h"\r
  30 #include "SessionCache.h"\r
  31 #include "SPConfig.h"\r
  32 #include "SPRequest.h"\r
  33 #include "TransactionLog.h"\r
  34 #include "attribute/Attribute.h"\r
  35 #include "remoting/ListenerService.h"\r
  36 #include "security/PKIXTrustEngine.h"\r
  37 #include "util/DOMPropertySet.h"\r
  38 #include "util/SPConstants.h"\r
  39 \r
  40 #include <sys/types.h>\r
  41 #include <sys/stat.h>\r
  42 #include <log4cpp/Category.hh>\r
  43 #include <log4cpp/PropertyConfigurator.hh>\r
  44 #include <saml/SAMLConfig.h>\r
  45 #include <saml/saml1/core/Assertions.h>\r
  46 #include <saml/saml2/metadata/ChainingMetadataProvider.h>\r
  47 #include <xmltooling/XMLToolingConfig.h>\r
  48 #include <xmltooling/security/ChainingTrustEngine.h>\r
  49 #include <xmltooling/util/NDC.h>\r
  50 #include <xmltooling/util/ReloadableXMLFile.h>\r
  51 #include <xmltooling/util/ReplayCache.h>\r
  52 \r
  53 using namespace shibsp;\r
  54 using namespace opensaml::saml2;\r
  55 using namespace opensaml::saml2md;\r
  56 using namespace opensaml;\r
  57 using namespace xmltooling;\r
  58 using namespace log4cpp;\r
  59 using namespace std;\r
  60 using xmlsignature::CredentialResolver;\r
  61 \r
  62 namespace {\r
  63 \r
  64 #if defined (_MSC_VER)\r
  65     #pragma warning( push )\r
  66     #pragma warning( disable : 4250 )\r
  67 #endif\r
  68 \r
  69     static vector<const Handler*> g_noHandlers;\r
  70 \r
  71     // Application configuration wrapper\r
  72     class SHIBSP_DLLLOCAL XMLApplication : public virtual Application, public DOMPropertySet, public DOMNodeFilter\r
  73     {\r
  74     public:\r
  75         XMLApplication(const ServiceProvider*, const DOMElement* e, const XMLApplication* base=NULL);\r
  76         ~XMLApplication() { cleanup(); }\r
  77     \r
  78         // PropertySet\r
  79         pair<bool,bool> getBool(const char* name, const char* ns=NULL) const;\r
  80         pair<bool,const char*> getString(const char* name, const char* ns=NULL) const;\r
  81         pair<bool,const XMLCh*> getXMLString(const char* name, const char* ns=NULL) const;\r
  82         pair<bool,unsigned int> getUnsignedInt(const char* name, const char* ns=NULL) const;\r
  83         pair<bool,int> getInt(const char* name, const char* ns=NULL) const;\r
  84         const PropertySet* getPropertySet(const char* name, const char* ns="urn:mace:shibboleth:target:config:1.0") const;\r
  85 \r
  86         // Application\r
  87         const ServiceProvider& getServiceProvider() const {return *m_sp;}\r
  88         const char* getId() const {return getString("id").second;}\r
  89         const char* getHash() const {return m_hash.c_str();}\r
  90         MetadataProvider* getMetadataProvider() const;\r
  91         TrustEngine* getTrustEngine() const;\r
  92         const vector<const XMLCh*>& getAudiences() const;\r
  93         const PropertySet* getCredentialUse(const EntityDescriptor* provider) const;\r
  94 \r
  95         const Handler* getDefaultSessionInitiator() const;\r
  96         const Handler* getSessionInitiatorById(const char* id) const;\r
  97         const Handler* getDefaultAssertionConsumerService() const;\r
  98         const Handler* getAssertionConsumerServiceByIndex(unsigned short index) const;\r
  99         const vector<const Handler*>& getAssertionConsumerServicesByBinding(const XMLCh* binding) const;\r
 100         const Handler* getHandler(const char* path) const;\r
 101         \r
 102         // Provides filter to exclude special config elements.\r
 103         short acceptNode(const DOMNode* node) const;\r
 104     \r
 105     private:\r
 106         void cleanup();\r
 107         const ServiceProvider* m_sp;   // this is ok because its locking scope includes us\r
 108         const XMLApplication* m_base;\r
 109         string m_hash;\r
 110         MetadataProvider* m_metadata;\r
 111         TrustEngine* m_trust;\r
 112         vector<const XMLCh*> m_audiences;\r
 113 \r
 114         // manage handler objects\r
 115         vector<Handler*> m_handlers;\r
 116 \r
 117         // maps location (path info) to applicable handlers\r
 118         map<string,const Handler*> m_handlerMap;\r
 119 \r
 120         // maps unique indexes to consumer services\r
 121         map<unsigned int,const Handler*> m_acsIndexMap;\r
 122         \r
 123         // pointer to default consumer service\r
 124         const Handler* m_acsDefault;\r
 125 \r
 126         // maps binding strings to supporting consumer service(s)\r
 127 #ifdef HAVE_GOOD_STL\r
 128         typedef map<xstring,vector<const Handler*> > ACSBindingMap;\r
 129 #else\r
 130         typedef map<string,vector<const Handler*> > ACSBindingMap;\r
 131 #endif\r
 132         ACSBindingMap m_acsBindingMap;\r
 133 \r
 134         // maps unique ID strings to session initiators\r
 135         map<string,const Handler*> m_sessionInitMap;\r
 136 \r
 137         // pointer to default session initiator\r
 138         const Handler* m_sessionInitDefault;\r
 139 \r
 140         DOMPropertySet* m_credDefault;\r
 141 #ifdef HAVE_GOOD_STL\r
 142         map<xstring,PropertySet*> m_credMap;\r
 143 #else\r
 144         map<const XMLCh*,PropertySet*> m_credMap;\r
 145 #endif\r
 146     };\r
 147 \r
 148     // Top-level configuration implementation\r
 149     class SHIBSP_DLLLOCAL XMLConfig;\r
 150     class SHIBSP_DLLLOCAL XMLConfigImpl : public DOMPropertySet, public DOMNodeFilter\r
 151     {\r
 152     public:\r
 153         XMLConfigImpl(const DOMElement* e, bool first, const XMLConfig* outer);\r
 154         ~XMLConfigImpl();\r
 155         \r
 156         RequestMapper* m_requestMapper;\r
 157         map<string,Application*> m_appmap;\r
 158         map<string,CredentialResolver*> m_credResolverMap;\r
 159         map< string,pair< PropertySet*,vector<const SecurityPolicyRule*> > > m_policyMap;\r
 160         \r
 161         // Provides filter to exclude special config elements.\r
 162         short acceptNode(const DOMNode* node) const;\r
 163 \r
 164         void setDocument(DOMDocument* doc) {\r
 165             m_document = doc;\r
 166         }\r
 167 \r
 168     private:\r
 169         void doExtensions(const DOMElement* e, const char* label, Category& log);\r
 170 \r
 171         const XMLConfig* m_outer;\r
 172         DOMDocument* m_document;\r
 173     };\r
 174 \r
 175     class SHIBSP_DLLLOCAL XMLConfig : public ServiceProvider, public ReloadableXMLFile\r
 176     {\r
 177     public:\r
 178         XMLConfig(const DOMElement* e)\r
 179             : ReloadableXMLFile(e), m_impl(NULL), m_listener(NULL), m_sessionCache(NULL), m_tranLog(NULL) {\r
 180         }\r
 181         \r
 182         void init() {\r
 183             load();\r
 184         }\r
 185 \r
 186         ~XMLConfig() {\r
 187             delete m_impl;\r
 188             delete m_sessionCache;\r
 189             delete m_listener;\r
 190             delete m_tranLog;\r
 191             XMLToolingConfig::getConfig().setReplayCache(NULL);\r
 192             for_each(m_storage.begin(), m_storage.end(), cleanup_pair<string,StorageService>());\r
 193         }\r
 194 \r
 195         // PropertySet\r
 196         pair<bool,bool> getBool(const char* name, const char* ns=NULL) const {return m_impl->getBool(name,ns);}\r
 197         pair<bool,const char*> getString(const char* name, const char* ns=NULL) const {return m_impl->getString(name,ns);}\r
 198         pair<bool,const XMLCh*> getXMLString(const char* name, const char* ns=NULL) const {return m_impl->getXMLString(name,ns);}\r
 199         pair<bool,unsigned int> getUnsignedInt(const char* name, const char* ns=NULL) const {return m_impl->getUnsignedInt(name,ns);}\r
 200         pair<bool,int> getInt(const char* name, const char* ns=NULL) const {return m_impl->getInt(name,ns);}\r
 201         const PropertySet* getPropertySet(const char* name, const char* ns="urn:mace:shibboleth:sp:config:2.0") const {return m_impl->getPropertySet(name,ns);}\r
 202         const DOMElement* getElement() const {return m_impl->getElement();}\r
 203 \r
 204         // ServiceProvider\r
 205         TransactionLog* getTransactionLog() const {\r
 206             if (m_tranLog)\r
 207                 return m_tranLog;\r
 208             throw ConfigurationException("No TransactionLog available.");\r
 209         }\r
 210 \r
 211         StorageService* getStorageService(const char* id) const {\r
 212             if (id) {\r
 213                 map<string,StorageService*>::const_iterator i=m_storage.find(id);\r
 214                 if (i!=m_storage.end())\r
 215                     return i->second;\r
 216             }\r
 217             return NULL;\r
 218         }\r
 219 \r
 220         ListenerService* getListenerService(bool required=true) const {\r
 221             if (required && !m_listener)\r
 222                 throw ConfigurationException("No ListenerService available.");\r
 223             return m_listener;\r
 224         }\r
 225 \r
 226         SessionCache* getSessionCache(bool required=true) const {\r
 227             if (required && !m_sessionCache)\r
 228                 throw ConfigurationException("No SessionCache available.");\r
 229             return m_sessionCache;\r
 230         }\r
 231 \r
 232         RequestMapper* getRequestMapper(bool required=true) const {\r
 233             if (required && !m_impl->m_requestMapper)\r
 234                 throw ConfigurationException("No RequestMapper available.");\r
 235             return m_impl->m_requestMapper;\r
 236         }\r
 237 \r
 238         const Application* getApplication(const char* applicationId) const {\r
 239             map<string,Application*>::const_iterator i=m_impl->m_appmap.find(applicationId);\r
 240             return (i!=m_impl->m_appmap.end()) ? i->second : NULL;\r
 241         }\r
 242 \r
 243         CredentialResolver* getCredentialResolver(const char* id) const {\r
 244             if (id) {\r
 245                 map<string,CredentialResolver*>::const_iterator i=m_impl->m_credResolverMap.find(id);\r
 246                 if (i!=m_impl->m_credResolverMap.end())\r
 247                     return i->second;\r
 248             }\r
 249             return NULL;\r
 250         }\r
 251 \r
 252         const PropertySet* getPolicySettings(const char* id) const {\r
 253             map<string,pair<PropertySet*,vector<const SecurityPolicyRule*> > >::const_iterator i = m_impl->m_policyMap.find(id);\r
 254             if (i!=m_impl->m_policyMap.end())\r
 255                 return i->second.first;\r
 256             throw ConfigurationException("Security Policy ($1) not found, check <SecurityPolicies> element.", params(1,id));\r
 257         }\r
 258 \r
 259         const vector<const SecurityPolicyRule*>& getPolicyRules(const char* id) const {\r
 260             map<string,pair<PropertySet*,vector<const SecurityPolicyRule*> > >::const_iterator i = m_impl->m_policyMap.find(id);\r
 261             if (i!=m_impl->m_policyMap.end())\r
 262                 return i->second.second;\r
 263             throw ConfigurationException("Security Policy ($1) not found, check <SecurityPolicies> element.", params(1,id));\r
 264         }\r
 265 \r
 266     protected:\r
 267         pair<bool,DOMElement*> load();\r
 268 \r
 269     private:\r
 270         friend class XMLConfigImpl;\r
 271         XMLConfigImpl* m_impl;\r
 272         mutable ListenerService* m_listener;\r
 273         mutable SessionCache* m_sessionCache;\r
 274         mutable TransactionLog* m_tranLog;\r
 275         mutable map<string,StorageService*> m_storage;\r
 276     };\r
 277 \r
 278 #if defined (_MSC_VER)\r
 279     #pragma warning( pop )\r
 280 #endif\r
 281 \r
 282     static const XMLCh _Application[] =         UNICODE_LITERAL_11(A,p,p,l,i,c,a,t,i,o,n);\r
 283     static const XMLCh Applications[] =         UNICODE_LITERAL_12(A,p,p,l,i,c,a,t,i,o,n,s);\r
 284     static const XMLCh Credentials[] =          UNICODE_LITERAL_11(C,r,e,d,e,n,t,i,a,l,s);\r
 285     static const XMLCh CredentialUse[] =        UNICODE_LITERAL_13(C,r,e,d,e,n,t,i,a,l,U,s,e);\r
 286     static const XMLCh fatal[] =                UNICODE_LITERAL_5(f,a,t,a,l);\r
 287     static const XMLCh _Handler[] =             UNICODE_LITERAL_7(H,a,n,d,l,e,r);\r
 288     static const XMLCh _id[] =                  UNICODE_LITERAL_2(i,d);\r
 289     static const XMLCh Implementation[] =       UNICODE_LITERAL_14(I,m,p,l,e,m,e,n,t,a,t,i,o,n);\r
 290     static const XMLCh InProcess[] =            UNICODE_LITERAL_9(I,n,P,r,o,c,e,s,s);\r
 291     static const XMLCh Library[] =              UNICODE_LITERAL_7(L,i,b,r,a,r,y);\r
 292     static const XMLCh Listener[] =             UNICODE_LITERAL_8(L,i,s,t,e,n,e,r);\r
 293     static const XMLCh logger[] =               UNICODE_LITERAL_6(l,o,g,g,e,r);\r
 294     static const XMLCh MemoryListener[] =       UNICODE_LITERAL_14(M,e,m,o,r,y,L,i,s,t,e,n,e,r);\r
 295     static const XMLCh Policy[] =               UNICODE_LITERAL_6(P,o,l,i,c,y);\r
 296     static const XMLCh RelyingParty[] =         UNICODE_LITERAL_12(R,e,l,y,i,n,g,P,a,r,t,y);\r
 297     static const XMLCh _ReplayCache[] =         UNICODE_LITERAL_11(R,e,p,l,a,y,C,a,c,h,e);\r
 298     static const XMLCh _RequestMapper[] =       UNICODE_LITERAL_13(R,e,q,u,e,s,t,M,a,p,p,e,r);\r
 299     static const XMLCh Rule[] =                 UNICODE_LITERAL_4(R,u,l,e);\r
 300     static const XMLCh SecurityPolicies[] =     UNICODE_LITERAL_16(S,e,c,u,r,i,t,y,P,o,l,i,c,i,e,s);\r
 301     static const XMLCh _SessionCache[] =        UNICODE_LITERAL_12(S,e,s,s,i,o,n,C,a,c,h,e);\r
 302     static const XMLCh SessionInitiator[] =     UNICODE_LITERAL_16(S,e,s,s,i,o,n,I,n,i,t,i,a,t,o,r);\r
 303     static const XMLCh _StorageService[] =      UNICODE_LITERAL_14(S,t,o,r,a,g,e,S,e,r,v,i,c,e);\r
 304     static const XMLCh OutOfProcess[] =         UNICODE_LITERAL_12(O,u,t,O,f,P,r,o,c,e,s,s);\r
 305     static const XMLCh TCPListener[] =          UNICODE_LITERAL_11(T,C,P,L,i,s,t,e,n,e,r);\r
 306     static const XMLCh _TrustEngine[] =         UNICODE_LITERAL_11(T,r,u,s,t,E,n,g,i,n,e);\r
 307     static const XMLCh UnixListener[] =         UNICODE_LITERAL_12(U,n,i,x,L,i,s,t,e,n,e,r);\r
 308     static const XMLCh _MetadataProvider[] =    UNICODE_LITERAL_16(M,e,t,a,d,a,t,a,P,r,o,v,i,d,e,r);\r
 309     static const XMLCh _path[] =                UNICODE_LITERAL_4(p,a,t,h);\r
 310     static const XMLCh _type[] =                UNICODE_LITERAL_4(t,y,p,e);\r
 311 \r
 312     class SHIBSP_DLLLOCAL PolicyNodeFilter : public DOMNodeFilter\r
 313     {\r
 314     public:\r
 315         short acceptNode(const DOMNode* node) const {\r
 316             if (XMLHelper::isNodeNamed(node,shibspconstants::SHIB2SPCONFIG_NS,Rule))\r
 317                 return FILTER_REJECT;\r
 318             return FILTER_ACCEPT;\r
 319         }\r
 320     };\r
 321 };\r
 322 \r
 323 namespace shibsp {\r
 324     ServiceProvider* XMLServiceProviderFactory(const DOMElement* const & e)\r
 325     {\r
 326         return new XMLConfig(e);\r
 327     }\r
 328 };\r
 329 \r
 330 XMLApplication::XMLApplication(\r
 331     const ServiceProvider* sp,\r
 332     const DOMElement* e,\r
 333     const XMLApplication* base\r
 334     ) : m_sp(sp), m_base(base), m_metadata(NULL), m_trust(NULL),\r
 335         m_credDefault(NULL), m_sessionInitDefault(NULL), m_acsDefault(NULL)\r
 336 {\r
 337 #ifdef _DEBUG\r
 338     xmltooling::NDC ndc("XMLApplication");\r
 339 #endif\r
 340     Category& log=Category::getInstance(SHIBSP_LOGCAT".Application");\r
 341 \r
 342     try {\r
 343         // First load any property sets.\r
 344         load(e,log,this);\r
 345 \r
 346         SPConfig& conf=SPConfig::getConfig();\r
 347         SAMLConfig& samlConf=SAMLConfig::getConfig();\r
 348         XMLToolingConfig& xmlConf=XMLToolingConfig::getConfig();\r
 349 \r
 350         m_hash=getId();\r
 351         m_hash+=getString("providerId").second;\r
 352         m_hash=samlConf.hashSHA1(m_hash.c_str(), true);\r
 353 \r
 354         const PropertySet* sessions = getPropertySet("Sessions");\r
 355 \r
 356         // Process handlers.\r
 357         Handler* handler=NULL;\r
 358         bool hardACS=false, hardSessionInit=false;\r
 359         const DOMElement* child = sessions ? XMLHelper::getFirstChildElement(sessions->getElement()) : NULL;\r
 360         while (child) {\r
 361             try {\r
 362                 // A handler is based on the Binding property in conjunction with the element name.\r
 363                 // If it's an ACS or SI, also handle index/id mappings and defaulting.\r
 364                 if (XMLHelper::isNodeNamed(child,samlconstants::SAML20MD_NS,AssertionConsumerService::LOCAL_NAME)) {\r
 365                     auto_ptr_char bindprop(child->getAttributeNS(NULL,EndpointType::BINDING_ATTRIB_NAME));\r
 366                     if (!bindprop.get() || !*(bindprop.get())) {\r
 367                         log.warn("md:AssertionConsumerService element has no Binding attribute, skipping it...");\r
 368                         child = XMLHelper::getNextSiblingElement(child);\r
 369                         continue;\r
 370                     }\r
 371                     handler=conf.AssertionConsumerServiceManager.newPlugin(bindprop.get(),child);\r
 372                     // Map by binding (may be > 1 per binding, e.g. SAML 1.0 vs 1.1)\r
 373 #ifdef HAVE_GOOD_STL\r
 374                     m_acsBindingMap[handler->getXMLString("Binding").second].push_back(handler);\r
 375 #else\r
 376                     m_acsBindingMap[handler->getString("Binding").second].push_back(handler);\r
 377 #endif\r
 378                     m_acsIndexMap[handler->getUnsignedInt("index").second]=handler;\r
 379                     \r
 380                     if (!hardACS) {\r
 381                         pair<bool,bool> defprop=handler->getBool("isDefault");\r
 382                         if (defprop.first) {\r
 383                             if (defprop.second) {\r
 384                                 hardACS=true;\r
 385                                 m_acsDefault=handler;\r
 386                             }\r
 387                         }\r
 388                         else if (!m_acsDefault)\r
 389                             m_acsDefault=handler;\r
 390                     }\r
 391                 }\r
 392                 else if (XMLString::equals(child->getLocalName(),SessionInitiator)) {\r
 393                     auto_ptr_char bindprop(child->getAttributeNS(NULL,EndpointType::BINDING_ATTRIB_NAME));\r
 394                     if (!bindprop.get() || !*(bindprop.get())) {\r
 395                         log.warn("SessionInitiator element has no Binding attribute, skipping it...");\r
 396                         child = XMLHelper::getNextSiblingElement(child);\r
 397                         continue;\r
 398                     }\r
 399                     handler=conf.SessionInitiatorManager.newPlugin(bindprop.get(),child);\r
 400                     pair<bool,const char*> si_id=handler->getString("id");\r
 401                     if (si_id.first && si_id.second)\r
 402                         m_sessionInitMap[si_id.second]=handler;\r
 403                     if (!hardSessionInit) {\r
 404                         pair<bool,bool> defprop=handler->getBool("isDefault");\r
 405                         if (defprop.first) {\r
 406                             if (defprop.second) {\r
 407                                 hardSessionInit=true;\r
 408                                 m_sessionInitDefault=handler;\r
 409                             }\r
 410                         }\r
 411                         else if (!m_sessionInitDefault)\r
 412                             m_sessionInitDefault=handler;\r
 413                     }\r
 414                 }\r
 415                 else if (XMLHelper::isNodeNamed(child,samlconstants::SAML20MD_NS,SingleLogoutService::LOCAL_NAME)) {\r
 416                     auto_ptr_char bindprop(child->getAttributeNS(NULL,EndpointType::BINDING_ATTRIB_NAME));\r
 417                     if (!bindprop.get() || !*(bindprop.get())) {\r
 418                         log.warn("md:SingleLogoutService element has no Binding attribute, skipping it...");\r
 419                         child = XMLHelper::getNextSiblingElement(child);\r
 420                         continue;\r
 421                     }\r
 422                     handler=conf.SingleLogoutServiceManager.newPlugin(bindprop.get(),child);\r
 423                 }\r
 424                 else if (XMLHelper::isNodeNamed(child,samlconstants::SAML20MD_NS,ManageNameIDService::LOCAL_NAME)) {\r
 425                     auto_ptr_char bindprop(child->getAttributeNS(NULL,EndpointType::BINDING_ATTRIB_NAME));\r
 426                     if (!bindprop.get() || !*(bindprop.get())) {\r
 427                         log.warn("md:ManageNameIDService element has no Binding attribute, skipping it...");\r
 428                         child = XMLHelper::getNextSiblingElement(child);\r
 429                         continue;\r
 430                     }\r
 431                     handler=conf.ManageNameIDServiceManager.newPlugin(bindprop.get(),child);\r
 432                 }\r
 433                 else {\r
 434                     auto_ptr_char type(child->getAttributeNS(NULL,_type));\r
 435                     if (!type.get() || !*(type.get())) {\r
 436                         log.warn("Handler element has no type attribute, skipping it...");\r
 437                         child = XMLHelper::getNextSiblingElement(child);\r
 438                         continue;\r
 439                     }\r
 440                     handler=conf.HandlerManager.newPlugin(type.get(),child);\r
 441                 }\r
 442 \r
 443                 // Save off the objects after giving the property set to the handler for its use.\r
 444                 m_handlers.push_back(handler);\r
 445 \r
 446                 // Insert into location map.\r
 447                 pair<bool,const char*> location=handler->getString("Location");\r
 448                 if (location.first && *location.second == '/')\r
 449                     m_handlerMap[location.second]=handler;\r
 450                 else if (location.first)\r
 451                     m_handlerMap[string("/") + location.second]=handler;\r
 452 \r
 453             }\r
 454             catch (exception& ex) {\r
 455                 log.error("caught exception processing handler element: %s", ex.what());\r
 456             }\r
 457             \r
 458             child = XMLHelper::getNextSiblingElement(child);\r
 459         }\r
 460 \r
 461         DOMNodeList* nlist=e->getElementsByTagNameNS(samlconstants::SAML20_NS,Audience::LOCAL_NAME);\r
 462         for (XMLSize_t i=0; nlist && i<nlist->getLength(); i++)\r
 463             if (nlist->item(i)->getParentNode()->isSameNode(e) && nlist->item(i)->hasChildNodes())\r
 464                 m_audiences.push_back(nlist->item(i)->getFirstChild()->getNodeValue());\r
 465 \r
 466         // Always include our own providerId as an audience.\r
 467         m_audiences.push_back(getXMLString("providerId").second);\r
 468 \r
 469         if (conf.isEnabled(SPConfig::AttributeResolver)) {\r
 470             // TODO\r
 471         }\r
 472 \r
 473         if (conf.isEnabled(SPConfig::Metadata)) {\r
 474             child = XMLHelper::getFirstChildElement(e,_MetadataProvider);\r
 475             if (child) {\r
 476                 auto_ptr_char type(child->getAttributeNS(NULL,_type));\r
 477                 log.info("building MetadataProvider of type %s...",type.get());\r
 478                 try {\r
 479                     auto_ptr<MetadataProvider> mp(samlConf.MetadataProviderManager.newPlugin(type.get(),child));\r
 480                     mp->init();\r
 481                     m_metadata = mp.release();\r
 482                 }\r
 483                 catch (exception& ex) {\r
 484                     log.crit("error building/initializing MetadataProvider: %s", ex.what());\r
 485                 }\r
 486             }\r
 487         }\r
 488 \r
 489         if (conf.isEnabled(SPConfig::Trust)) {\r
 490             child = XMLHelper::getFirstChildElement(e,_TrustEngine);\r
 491             if (child) {\r
 492                 auto_ptr_char type(child->getAttributeNS(NULL,_type));\r
 493                 log.info("building TrustEngine of type %s...",type.get());\r
 494                 try {\r
 495                     m_trust = xmlConf.TrustEngineManager.newPlugin(type.get(),child);\r
 496                 }\r
 497                 catch (exception& ex) {\r
 498                     log.crit("error building TrustEngine: %s",ex.what());\r
 499                 }\r
 500             }\r
 501         }\r
 502         \r
 503         // Finally, load credential mappings.\r
 504         child = XMLHelper::getFirstChildElement(e,CredentialUse);\r
 505         if (child) {\r
 506             m_credDefault=new DOMPropertySet();\r
 507             m_credDefault->load(child,log,this);\r
 508             child = XMLHelper::getFirstChildElement(child,RelyingParty);\r
 509             while (child) {\r
 510                 DOMPropertySet* rp=new DOMPropertySet();\r
 511                 rp->load(child,log,this);\r
 512                 m_credMap[child->getAttributeNS(NULL,opensaml::saml2::Attribute::NAME_ATTRIB_NAME)]=rp;\r
 513                 child = XMLHelper::getNextSiblingElement(child,RelyingParty);\r
 514             }\r
 515         }\r
 516         \r
 517         if (conf.isEnabled(SPConfig::OutOfProcess)) {\r
 518             // Really finally, build local browser profile and binding objects.\r
 519             // TODO: may need some bits here...\r
 520         }\r
 521     }\r
 522     catch (exception&) {\r
 523         cleanup();\r
 524         throw;\r
 525     }\r
 526 #ifndef _DEBUG\r
 527     catch (...) {\r
 528         cleanup();\r
 529         throw;\r
 530     }\r
 531 #endif\r
 532 }\r
 533 \r
 534 void XMLApplication::cleanup()\r
 535 {\r
 536     for_each(m_handlers.begin(),m_handlers.end(),xmltooling::cleanup<Handler>());\r
 537     \r
 538     delete m_credDefault;\r
 539 #ifdef HAVE_GOOD_STL\r
 540     for_each(m_credMap.begin(),m_credMap.end(),cleanup_pair<xstring,PropertySet>());\r
 541 #else\r
 542     for_each(m_credMap.begin(),m_credMap.end(),cleanup_pair<const XMLCh*,PropertySet>());\r
 543 #endif\r
 544 \r
 545     delete m_trust;\r
 546     delete m_metadata;\r
 547 }\r
 548 \r
 549 short XMLApplication::acceptNode(const DOMNode* node) const\r
 550 {\r
 551     if (XMLHelper::isNodeNamed(node,samlconstants::SAML20_NS,opensaml::saml2::Attribute::LOCAL_NAME))\r
 552         return FILTER_REJECT;\r
 553     else if (XMLHelper::isNodeNamed(node,samlconstants::SAML20_NS,Audience::LOCAL_NAME))\r
 554         return FILTER_REJECT;\r
 555     const XMLCh* name=node->getLocalName();\r
 556     if (XMLString::equals(name,_Application) ||\r
 557         XMLString::equals(name,AssertionConsumerService::LOCAL_NAME) ||\r
 558         XMLString::equals(name,SingleLogoutService::LOCAL_NAME) ||\r
 559         XMLString::equals(name,ManageNameIDService::LOCAL_NAME) ||\r
 560         XMLString::equals(name,SessionInitiator) ||\r
 561         XMLString::equals(name,CredentialUse) ||\r
 562         XMLString::equals(name,RelyingParty) ||\r
 563         XMLString::equals(name,_MetadataProvider) ||\r
 564         XMLString::equals(name,_TrustEngine))\r
 565         return FILTER_REJECT;\r
 566 \r
 567     return FILTER_ACCEPT;\r
 568 }\r
 569 \r
 570 pair<bool,bool> XMLApplication::getBool(const char* name, const char* ns) const\r
 571 {\r
 572     pair<bool,bool> ret=DOMPropertySet::getBool(name,ns);\r
 573     if (ret.first)\r
 574         return ret;\r
 575     return m_base ? m_base->getBool(name,ns) : ret;\r
 576 }\r
 577 \r
 578 pair<bool,const char*> XMLApplication::getString(const char* name, const char* ns) const\r
 579 {\r
 580     pair<bool,const char*> ret=DOMPropertySet::getString(name,ns);\r
 581     if (ret.first)\r
 582         return ret;\r
 583     return m_base ? m_base->getString(name,ns) : ret;\r
 584 }\r
 585 \r
 586 pair<bool,const XMLCh*> XMLApplication::getXMLString(const char* name, const char* ns) const\r
 587 {\r
 588     pair<bool,const XMLCh*> ret=DOMPropertySet::getXMLString(name,ns);\r
 589     if (ret.first)\r
 590         return ret;\r
 591     return m_base ? m_base->getXMLString(name,ns) : ret;\r
 592 }\r
 593 \r
 594 pair<bool,unsigned int> XMLApplication::getUnsignedInt(const char* name, const char* ns) const\r
 595 {\r
 596     pair<bool,unsigned int> ret=DOMPropertySet::getUnsignedInt(name,ns);\r
 597     if (ret.first)\r
 598         return ret;\r
 599     return m_base ? m_base->getUnsignedInt(name,ns) : ret;\r
 600 }\r
 601 \r
 602 pair<bool,int> XMLApplication::getInt(const char* name, const char* ns) const\r
 603 {\r
 604     pair<bool,int> ret=DOMPropertySet::getInt(name,ns);\r
 605     if (ret.first)\r
 606         return ret;\r
 607     return m_base ? m_base->getInt(name,ns) : ret;\r
 608 }\r
 609 \r
 610 const PropertySet* XMLApplication::getPropertySet(const char* name, const char* ns) const\r
 611 {\r
 612     const PropertySet* ret=DOMPropertySet::getPropertySet(name,ns);\r
 613     if (ret || !m_base)\r
 614         return ret;\r
 615     return m_base->getPropertySet(name,ns);\r
 616 }\r
 617 \r
 618 MetadataProvider* XMLApplication::getMetadataProvider() const\r
 619 {\r
 620     return (!m_metadata && m_base) ? m_base->getMetadataProvider() : m_metadata;\r
 621 }\r
 622 \r
 623 TrustEngine* XMLApplication::getTrustEngine() const\r
 624 {\r
 625     return (!m_trust && m_base) ? m_base->getTrustEngine() : m_trust;\r
 626 }\r
 627 \r
 628 const vector<const XMLCh*>& XMLApplication::getAudiences() const\r
 629 {\r
 630     return (m_audiences.empty() && m_base) ? m_base->getAudiences() : m_audiences;\r
 631 }\r
 632 \r
 633 const PropertySet* XMLApplication::getCredentialUse(const EntityDescriptor* provider) const\r
 634 {\r
 635     if (!m_credDefault && m_base)\r
 636         return m_base->getCredentialUse(provider);\r
 637         \r
 638 #ifdef HAVE_GOOD_STL\r
 639     map<xstring,PropertySet*>::const_iterator i=m_credMap.find(provider->getEntityID());\r
 640     if (i!=m_credMap.end())\r
 641         return i->second;\r
 642     const EntitiesDescriptor* group=dynamic_cast<const EntitiesDescriptor*>(provider->getParent());\r
 643     while (group) {\r
 644         if (group->getName()) {\r
 645             i=m_credMap.find(group->getName());\r
 646             if (i!=m_credMap.end())\r
 647                 return i->second;\r
 648         }\r
 649         group=dynamic_cast<const EntitiesDescriptor*>(group->getParent());\r
 650     }\r
 651 #else\r
 652     map<const XMLCh*,PropertySet*>::const_iterator i=m_credMap.begin();\r
 653     for (; i!=m_credMap.end(); i++) {\r
 654         if (XMLString::equals(i->first,provider->getId()))\r
 655             return i->second;\r
 656         const EntitiesDescriptor* group=dynamic_cast<const EntitiesDescriptor*>(provider->getParent());\r
 657         while (group) {\r
 658             if (XMLString::equals(i->first,group->getName()))\r
 659                 return i->second;\r
 660             group=dynamic_cast<const EntitiesDescriptor*>(group->getParent());\r
 661         }\r
 662     }\r
 663 #endif\r
 664     return m_credDefault;\r
 665 }\r
 666 \r
 667 const Handler* XMLApplication::getDefaultSessionInitiator() const\r
 668 {\r
 669     if (m_sessionInitDefault) return m_sessionInitDefault;\r
 670     return m_base ? m_base->getDefaultSessionInitiator() : NULL;\r
 671 }\r
 672 \r
 673 const Handler* XMLApplication::getSessionInitiatorById(const char* id) const\r
 674 {\r
 675     map<string,const Handler*>::const_iterator i=m_sessionInitMap.find(id);\r
 676     if (i!=m_sessionInitMap.end()) return i->second;\r
 677     return m_base ? m_base->getSessionInitiatorById(id) : NULL;\r
 678 }\r
 679 \r
 680 const Handler* XMLApplication::getDefaultAssertionConsumerService() const\r
 681 {\r
 682     if (m_acsDefault) return m_acsDefault;\r
 683     return m_base ? m_base->getDefaultAssertionConsumerService() : NULL;\r
 684 }\r
 685 \r
 686 const Handler* XMLApplication::getAssertionConsumerServiceByIndex(unsigned short index) const\r
 687 {\r
 688     map<unsigned int,const Handler*>::const_iterator i=m_acsIndexMap.find(index);\r
 689     if (i!=m_acsIndexMap.end()) return i->second;\r
 690     return m_base ? m_base->getAssertionConsumerServiceByIndex(index) : NULL;\r
 691 }\r
 692 \r
 693 const vector<const Handler*>& XMLApplication::getAssertionConsumerServicesByBinding(const XMLCh* binding) const\r
 694 {\r
 695 #ifdef HAVE_GOOD_STL\r
 696     ACSBindingMap::const_iterator i=m_acsBindingMap.find(binding);\r
 697 #else\r
 698     auto_ptr_char temp(binding);\r
 699     ACSBindingMap::const_iterator i=m_acsBindingMap.find(temp.get());\r
 700 #endif\r
 701     if (i!=m_acsBindingMap.end())\r
 702         return i->second;\r
 703     return m_base ? m_base->getAssertionConsumerServicesByBinding(binding) : g_noHandlers;\r
 704 }\r
 705 \r
 706 const Handler* XMLApplication::getHandler(const char* path) const\r
 707 {\r
 708     string wrap(path);\r
 709     map<string,const Handler*>::const_iterator i=m_handlerMap.find(wrap.substr(0,wrap.find('?')));\r
 710     if (i!=m_handlerMap.end())\r
 711         return i->second;\r
 712     return m_base ? m_base->getHandler(path) : NULL;\r
 713 }\r
 714 \r
 715 short XMLConfigImpl::acceptNode(const DOMNode* node) const\r
 716 {\r
 717     if (!XMLString::equals(node->getNamespaceURI(),shibspconstants::SHIB2SPCONFIG_NS))\r
 718         return FILTER_ACCEPT;\r
 719     const XMLCh* name=node->getLocalName();\r
 720     if (XMLString::equals(name,Applications) ||\r
 721         XMLString::equals(name,Credentials) ||\r
 722         XMLString::equals(name,Extensions::LOCAL_NAME) ||\r
 723         XMLString::equals(name,Implementation) ||\r
 724         XMLString::equals(name,Listener) ||\r
 725         XMLString::equals(name,MemoryListener) ||\r
 726         XMLString::equals(name,Policy) ||\r
 727         XMLString::equals(name,_RequestMapper) ||\r
 728         XMLString::equals(name,_ReplayCache) ||\r
 729         XMLString::equals(name,_SessionCache) ||\r
 730         XMLString::equals(name,_StorageService) ||\r
 731         XMLString::equals(name,TCPListener) ||\r
 732         XMLString::equals(name,UnixListener))\r
 733         return FILTER_REJECT;\r
 734 \r
 735     return FILTER_ACCEPT;\r
 736 }\r
 737 \r
 738 void XMLConfigImpl::doExtensions(const DOMElement* e, const char* label, Category& log)\r
 739 {\r
 740     const DOMElement* exts=XMLHelper::getFirstChildElement(e,Extensions::LOCAL_NAME);\r
 741     if (exts) {\r
 742         exts=XMLHelper::getFirstChildElement(exts,Library);\r
 743         while (exts) {\r
 744             auto_ptr_char path(exts->getAttributeNS(NULL,_path));\r
 745             try {\r
 746                 if (path.get()) {\r
 747                     XMLToolingConfig::getConfig().load_library(path.get(),(void*)exts);\r
 748                     log.debug("loaded %s extension library (%s)", label, path.get());\r
 749                 }\r
 750             }\r
 751             catch (exception& e) {\r
 752                 const XMLCh* fatal=exts->getAttributeNS(NULL,fatal);\r
 753                 if (fatal && (*fatal==chLatin_t || *fatal==chDigit_1)) {\r
 754                     log.fatal("unable to load mandatory %s extension library %s: %s", label, path.get(), e.what());\r
 755                     throw;\r
 756                 }\r
 757                 else {\r
 758                     log.crit("unable to load optional %s extension library %s: %s", label, path.get(), e.what());\r
 759                 }\r
 760             }\r
 761             exts=XMLHelper::getNextSiblingElement(exts,Library);\r
 762         }\r
 763     }\r
 764 }\r
 765 \r
 766 XMLConfigImpl::XMLConfigImpl(const DOMElement* e, bool first, const XMLConfig* outer) : m_requestMapper(NULL), m_outer(outer), m_document(NULL)\r
 767 {\r
 768 #ifdef _DEBUG\r
 769     xmltooling::NDC ndc("XMLConfigImpl");\r
 770 #endif\r
 771     Category& log=Category::getInstance(SHIBSP_LOGCAT".Config");\r
 772 \r
 773     try {\r
 774         SPConfig& conf=SPConfig::getConfig();\r
 775         SAMLConfig& samlConf=SAMLConfig::getConfig();\r
 776         XMLToolingConfig& xmlConf=XMLToolingConfig::getConfig();\r
 777         const DOMElement* SHAR=XMLHelper::getFirstChildElement(e,OutOfProcess);\r
 778         const DOMElement* SHIRE=XMLHelper::getFirstChildElement(e,InProcess);\r
 779 \r
 780         // Initialize log4cpp manually in order to redirect log messages as soon as possible.\r
 781         if (conf.isEnabled(SPConfig::Logging)) {\r
 782             const XMLCh* logconf=NULL;\r
 783             if (conf.isEnabled(SPConfig::OutOfProcess))\r
 784                 logconf=SHAR->getAttributeNS(NULL,logger);\r
 785             else if (conf.isEnabled(SPConfig::InProcess))\r
 786                 logconf=SHIRE->getAttributeNS(NULL,logger);\r
 787             if (!logconf || !*logconf)\r
 788                 logconf=e->getAttributeNS(NULL,logger);\r
 789             if (logconf && *logconf) {\r
 790                 auto_ptr_char logpath(logconf);\r
 791                 log.debug("loading new logging configuration from (%s), check log destination for status of configuration",logpath.get());\r
 792                 XMLToolingConfig::getConfig().log_config(logpath.get());\r
 793             }\r
 794             \r
 795             if (first)\r
 796                 m_outer->m_tranLog = new TransactionLog();\r
 797         }\r
 798         \r
 799         // First load any property sets.\r
 800         load(e,log,this);\r
 801 \r
 802         const DOMElement* child;\r
 803         string plugtype;\r
 804 \r
 805         // Much of the processing can only occur on the first instantiation.\r
 806         if (first) {\r
 807             // Set clock skew.\r
 808             pair<bool,unsigned int> skew=getUnsignedInt("clockSkew");\r
 809             if (skew.first)\r
 810                 xmlConf.clock_skew_secs=skew.second;\r
 811 \r
 812             // Extensions\r
 813             doExtensions(e, "global", log);\r
 814             if (conf.isEnabled(SPConfig::OutOfProcess))\r
 815                 doExtensions(SHAR, "out of process", log);\r
 816 \r
 817             if (conf.isEnabled(SPConfig::InProcess))\r
 818                 doExtensions(SHIRE, "in process", log);\r
 819             \r
 820             // Instantiate the ListenerService and SessionCache objects.\r
 821             if (conf.isEnabled(SPConfig::Listener)) {\r
 822                 child=XMLHelper::getFirstChildElement(SHAR,UnixListener);\r
 823                 if (child)\r
 824                     plugtype=UNIX_LISTENER_SERVICE;\r
 825                 else {\r
 826                     child=XMLHelper::getFirstChildElement(SHAR,TCPListener);\r
 827                     if (child)\r
 828                         plugtype=TCP_LISTENER_SERVICE;\r
 829                     else {\r
 830                         child=XMLHelper::getFirstChildElement(SHAR,MemoryListener);\r
 831                         if (child)\r
 832                             plugtype=MEMORY_LISTENER_SERVICE;\r
 833                         else {\r
 834                             child=XMLHelper::getFirstChildElement(SHAR,Listener);\r
 835                             if (child) {\r
 836                                 auto_ptr_char type(child->getAttributeNS(NULL,_type));\r
 837                                 if (type.get())\r
 838                                     plugtype=type.get();\r
 839                             }\r
 840                         }\r
 841                     }\r
 842                 }\r
 843                 if (child) {\r
 844                     log.info("building ListenerService of type %s...", plugtype.c_str());\r
 845                     m_outer->m_listener = conf.ListenerServiceManager.newPlugin(plugtype.c_str(),child);\r
 846                 }\r
 847                 else {\r
 848                     log.fatal("can't build ListenerService, missing conf:Listener element?");\r
 849                     throw ConfigurationException("Can't build ListenerService, missing conf:Listener element?");\r
 850                 }\r
 851             }\r
 852 \r
 853             if (conf.isEnabled(SPConfig::Caching)) {\r
 854                 if (conf.isEnabled(SPConfig::OutOfProcess)) {\r
 855                     // First build any StorageServices.\r
 856                     string inmemID;\r
 857                     child=XMLHelper::getFirstChildElement(SHAR,_StorageService);\r
 858                     while (child) {\r
 859                         auto_ptr_char id(child->getAttributeNS(NULL,_id));\r
 860                         auto_ptr_char type(child->getAttributeNS(NULL,_type));\r
 861                         try {\r
 862                             log.info("building StorageService (%s) of type %s...", id.get(), type.get());\r
 863                             m_outer->m_storage[id.get()] = xmlConf.StorageServiceManager.newPlugin(type.get(),child);\r
 864                             if (!strcmp(type.get(),MEMORY_STORAGE_SERVICE))\r
 865                                 inmemID = id.get();\r
 866                         }\r
 867                         catch (exception& ex) {\r
 868                             log.crit("failed to instantiate StorageService (%s): %s", id.get(), ex.what());\r
 869                         }\r
 870                         child=XMLHelper::getNextSiblingElement(child,_StorageService);\r
 871                     }\r
 872                 \r
 873                     child=XMLHelper::getFirstChildElement(SHAR,_SessionCache);\r
 874                     if (child) {\r
 875                         auto_ptr_char type(child->getAttributeNS(NULL,_type));\r
 876                         log.info("building SessionCache of type %s...",type.get());\r
 877                         m_outer->m_sessionCache=conf.SessionCacheManager.newPlugin(type.get(),child);\r
 878                     }\r
 879                     else {\r
 880                         log.warn("SessionCache unspecified, building SessionCache of type %s...",STORAGESERVICE_SESSION_CACHE);\r
 881                         if (inmemID.empty()) {\r
 882                             inmemID = "memory";\r
 883                             log.info("no StorageServices configured, providing in-memory version for session cache");\r
 884                             m_outer->m_storage[inmemID] = xmlConf.StorageServiceManager.newPlugin(MEMORY_STORAGE_SERVICE,NULL);\r
 885                         }\r
 886                         child = e->getOwnerDocument()->createElementNS(NULL,_SessionCache);\r
 887                         auto_ptr_XMLCh ssid(inmemID.c_str());\r
 888                         const_cast<DOMElement*>(child)->setAttributeNS(NULL,_StorageService,ssid.get());\r
 889                         m_outer->m_sessionCache=conf.SessionCacheManager.newPlugin(STORAGESERVICE_SESSION_CACHE,child);\r
 890                     }\r
 891 \r
 892                     // Replay cache.\r
 893                     StorageService* replaySS=NULL;\r
 894                     child=XMLHelper::getFirstChildElement(SHAR,_ReplayCache);\r
 895                     if (child) {\r
 896                         auto_ptr_char ssid(child->getAttributeNS(NULL,_StorageService));\r
 897                         if (ssid.get() && *ssid.get()) {\r
 898                             if (m_outer->m_storage.count(ssid.get()))\r
 899                                 replaySS = m_outer->m_storage[ssid.get()];\r
 900                             if (replaySS)\r
 901                                 log.info("building ReplayCache on top of StorageService (%s)...", ssid.get());\r
 902                             else\r
 903                                 log.crit("unable to locate StorageService (%s) in configuration", ssid.get());\r
 904                         }\r
 905                     }\r
 906                     if (!replaySS) {\r
 907                         log.info("building ReplayCache using in-memory StorageService...");\r
 908                         if (inmemID.empty()) {\r
 909                             inmemID = "memory";\r
 910                             log.info("no StorageServices configured, providing in-memory version for legacy config");\r
 911                             m_outer->m_storage[inmemID] = xmlConf.StorageServiceManager.newPlugin(MEMORY_STORAGE_SERVICE,NULL);\r
 912                         }\r
 913                         replaySS = m_outer->m_storage[inmemID];\r
 914                     }\r
 915                     xmlConf.setReplayCache(new ReplayCache(replaySS));\r
 916                 }\r
 917                 else {\r
 918                     log.info("building in-process SessionCache of type %s...",REMOTED_SESSION_CACHE);\r
 919                     m_outer->m_sessionCache=conf.SessionCacheManager.newPlugin(REMOTED_SESSION_CACHE,NULL);\r
 920                 }\r
 921             }\r
 922         } // end of first-time-only stuff\r
 923         \r
 924         // Back to the fully dynamic stuff...next up is the RequestMapper.\r
 925         if (conf.isEnabled(SPConfig::RequestMapping)) {\r
 926             child=XMLHelper::getFirstChildElement(SHIRE,_RequestMapper);\r
 927             if (child) {\r
 928                 auto_ptr_char type(child->getAttributeNS(NULL,_type));\r
 929                 log.info("building RequestMapper of type %s...",type.get());\r
 930                 m_requestMapper=conf.RequestMapperManager.newPlugin(type.get(),child);\r
 931             }\r
 932         }\r
 933         \r
 934         // Now we load the credentials map.\r
 935         if (conf.isEnabled(SPConfig::Credentials)) {\r
 936             child = XMLHelper::getLastChildElement(e,Credentials);\r
 937             if (child) {\r
 938                 // Step down and process resolvers.\r
 939                 child=XMLHelper::getFirstChildElement(child);\r
 940                 while (child) {\r
 941                     auto_ptr_char id(child->getAttributeNS(NULL,_id));\r
 942                     auto_ptr_char type(child->getAttributeNS(NULL,_type));\r
 943                     try {\r
 944                         CredentialResolver* cr=xmlConf.CredentialResolverManager.newPlugin(type.get(),child);\r
 945                         m_credResolverMap[id.get()] = cr;\r
 946                     }\r
 947                     catch (exception& ex) {\r
 948                         log.crit("failed to instantiate CredentialResolver (%s): %s", id.get(), ex.what());\r
 949                     }\r
 950                     child = XMLHelper::getNextSiblingElement(child);\r
 951                 }\r
 952             }\r
 953         }\r
 954 \r
 955         // Load security policies.\r
 956         child = XMLHelper::getLastChildElement(e,SecurityPolicies);\r
 957         if (child) {\r
 958             PolicyNodeFilter filter;\r
 959             child = XMLHelper::getFirstChildElement(child,Policy);\r
 960             while (child) {\r
 961                 auto_ptr_char id(child->getAttributeNS(NULL,_id));\r
 962                 pair< PropertySet*,vector<const SecurityPolicyRule*> >& rules = m_policyMap[id.get()];\r
 963                 rules.first = NULL;\r
 964                 auto_ptr<DOMPropertySet> settings(new DOMPropertySet());\r
 965                 settings->load(child, log, &filter);\r
 966                 rules.first = settings.release();\r
 967                 const DOMElement* rule = XMLHelper::getFirstChildElement(child,Rule);\r
 968                 while (rule) {\r
 969                     auto_ptr_char type(rule->getAttributeNS(NULL,_type));\r
 970                     try {\r
 971                         rules.second.push_back(samlConf.SecurityPolicyRuleManager.newPlugin(type.get(),rule));\r
 972                     }\r
 973                     catch (exception& ex) {\r
 974                         log.crit("error instantiating policy rule (%s) in policy (%s): %s", type.get(), id.get(), ex.what());\r
 975                     }\r
 976                     rule = XMLHelper::getNextSiblingElement(rule,Rule);\r
 977                 }\r
 978                 child = XMLHelper::getNextSiblingElement(child,Policy);\r
 979             }\r
 980         }\r
 981 \r
 982         // Load the default application. This actually has a fixed ID of "default". ;-)\r
 983         child=XMLHelper::getLastChildElement(e,Applications);\r
 984         if (!child) {\r
 985             log.fatal("can't build default Application object, missing conf:Applications element?");\r
 986             throw ConfigurationException("can't build default Application object, missing conf:Applications element?");\r
 987         }\r
 988         XMLApplication* defapp=new XMLApplication(m_outer,child);\r
 989         m_appmap[defapp->getId()]=defapp;\r
 990         \r
 991         // Load any overrides.\r
 992         child = XMLHelper::getFirstChildElement(child,_Application);\r
 993         while (child) {\r
 994             auto_ptr<XMLApplication> iapp(new XMLApplication(m_outer,child,defapp));\r
 995             if (m_appmap.count(iapp->getId()))\r
 996                 log.crit("found conf:Application element with duplicate id attribute (%s), skipping it", iapp->getId());\r
 997             else\r
 998                 m_appmap[iapp->getId()]=iapp.release();\r
 999 \r
1000             child = XMLHelper::getNextSiblingElement(child,_Application);\r
1001         }\r
1002     }\r
1003     catch (exception&) {\r
1004         this->~XMLConfigImpl();\r
1005         throw;\r
1006     }\r
1007 #ifndef _DEBUG\r
1008     catch (...) {\r
1009         this->~XMLConfigImpl();\r
1010         throw;\r
1011     }\r
1012 #endif\r
1013 }\r
1014 \r
1015 XMLConfigImpl::~XMLConfigImpl()\r
1016 {\r
1017     for_each(m_appmap.begin(),m_appmap.end(),cleanup_pair<string,Application>());\r
1018     for_each(m_credResolverMap.begin(),m_credResolverMap.end(),cleanup_pair<string,CredentialResolver>());\r
1019     for (map< string,pair<PropertySet*,vector<const SecurityPolicyRule*> > >::iterator i=m_policyMap.begin(); i!=m_policyMap.end(); ++i) {\r
1020         delete i->second.first;\r
1021         for_each(i->second.second.begin(), i->second.second.end(), xmltooling::cleanup<SecurityPolicyRule>());\r
1022     }\r
1023     delete m_requestMapper;\r
1024     if (m_document)\r
1025         m_document->release();\r
1026 }\r
1027 \r
1028 pair<bool,DOMElement*> XMLConfig::load()\r
1029 {\r
1030     // Load from source using base class.\r
1031     pair<bool,DOMElement*> raw = ReloadableXMLFile::load();\r
1032     \r
1033     // If we own it, wrap it.\r
1034     XercesJanitor<DOMDocument> docjanitor(raw.first ? raw.second->getOwnerDocument() : NULL);\r
1035 \r
1036     XMLConfigImpl* impl = new XMLConfigImpl(raw.second,(m_impl==NULL),this);\r
1037     \r
1038     // If we held the document, transfer it to the impl. If we didn't, it's a no-op.\r
1039     impl->setDocument(docjanitor.release());\r
1040 \r
1041     delete m_impl;\r
1042     m_impl = impl;\r
1043 \r
1044     return make_pair(false,(DOMElement*)NULL);\r
1045 }\r