2 * Copyright 2001-2007 Internet2
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * XMLServiceProvider.cpp
20 * XML-based SP configuration and mgmt
24 #include "exceptions.h"
25 #include "AccessControl.h"
26 #include "Application.h"
27 #include "RequestMapper.h"
28 #include "ServiceProvider.h"
29 #include "SessionCache.h"
31 #include "SPRequest.h"
32 #include "handler/SessionInitiator.h"
33 #include "remoting/ListenerService.h"
34 #include "util/DOMPropertySet.h"
35 #include "util/SPConstants.h"
37 #include <log4cpp/Category.hh>
38 #include <log4cpp/PropertyConfigurator.hh>
39 #include <xercesc/util/XMLUniDefs.hpp>
40 #include <xmltooling/XMLToolingConfig.h>
41 #include <xmltooling/util/NDC.h>
42 #include <xmltooling/util/ReloadableXMLFile.h>
43 #include <xmltooling/util/XMLHelper.h>
46 # include "TransactionLog.h"
47 # include "attribute/filtering/AttributeFilter.h"
48 # include "attribute/resolver/AttributeExtractor.h"
49 # include "attribute/resolver/AttributeResolver.h"
50 # include "security/PKIXTrustEngine.h"
51 # include <saml/SAMLConfig.h>
52 # include <saml/binding/ArtifactMap.h>
53 # include <saml/binding/SAMLArtifact.h>
54 # include <saml/saml1/core/Assertions.h>
55 # include <saml/saml2/binding/SAML2ArtifactType0004.h>
56 # include <saml/saml2/metadata/ChainingMetadataProvider.h>
57 # include <xmltooling/security/ChainingTrustEngine.h>
58 # include <xmltooling/util/ReplayCache.h>
59 using namespace opensaml::saml2;
60 using namespace opensaml::saml2p;
61 using namespace opensaml::saml2md;
62 using namespace opensaml;
65 using namespace shibsp;
66 using namespace xmltooling;
67 using namespace log4cpp;
72 #if defined (_MSC_VER)
73 #pragma warning( push )
74 #pragma warning( disable : 4250 )
77 static vector<const Handler*> g_noHandlers;
79 // Application configuration wrapper
80 class SHIBSP_DLLLOCAL XMLApplication : public Application, public Remoted, public DOMPropertySet, public DOMNodeFilter
83 XMLApplication(const ServiceProvider*, const DOMElement* e, const XMLApplication* base=NULL);
84 ~XMLApplication() { cleanup(); }
87 const ServiceProvider& getServiceProvider() const {return *m_sp;}
88 const char* getId() const {return getString("id").second;}
89 const char* getHash() const {return m_hash.c_str();}
92 SAMLArtifact* generateSAML1Artifact(const EntityDescriptor* relyingParty) const {
93 throw ConfigurationException("No support for SAML 1.x artifact generation.");
95 SAML2Artifact* generateSAML2Artifact(const EntityDescriptor* relyingParty) const {
96 pair<bool,int> index = make_pair(false,0);
97 const PropertySet* props = getRelyingParty(relyingParty);
99 index = getInt("artifactEndpointIndex");
101 index = getArtifactEndpointIndex();
102 return new SAML2ArtifactType0004(SAMLConfig::getConfig().hashSHA1(getString("entityID").second),index.first ? index.second : 1);
105 MetadataProvider* getMetadataProvider(bool required=true) const {
106 if (required && !m_base && !m_metadata)
107 throw ConfigurationException("No MetadataProvider available.");
108 return (!m_metadata && m_base) ? m_base->getMetadataProvider() : m_metadata;
110 TrustEngine* getTrustEngine(bool required=true) const {
111 if (required && !m_base && !m_trust)
112 throw ConfigurationException("No TrustEngine available.");
113 return (!m_trust && m_base) ? m_base->getTrustEngine() : m_trust;
115 AttributeExtractor* getAttributeExtractor() const {
116 return (!m_attrExtractor && m_base) ? m_base->getAttributeExtractor() : m_attrExtractor;
118 AttributeFilter* getAttributeFilter() const {
119 return (!m_attrFilter && m_base) ? m_base->getAttributeFilter() : m_attrFilter;
121 AttributeResolver* getAttributeResolver() const {
122 return (!m_attrResolver && m_base) ? m_base->getAttributeResolver() : m_attrResolver;
124 CredentialResolver* getCredentialResolver() const {
125 return (!m_credResolver && m_base) ? m_base->getCredentialResolver() : m_credResolver;
127 const PropertySet* getRelyingParty(const EntityDescriptor* provider) const;
128 const vector<const XMLCh*>& getAudiences() const {
129 return (m_audiences.empty() && m_base) ? m_base->getAudiences() : m_audiences;
132 string getNotificationURL(const char* resource, bool front, unsigned int index) const;
134 const set<string>& getRemoteUserAttributeIds() const {
135 return (m_remoteUsers.empty() && m_base) ? m_base->getRemoteUserAttributeIds() : m_remoteUsers;
138 void clearAttributeHeaders(SPRequest& request) const;
139 const SessionInitiator* getDefaultSessionInitiator() const;
140 const SessionInitiator* getSessionInitiatorById(const char* id) const;
141 const Handler* getDefaultAssertionConsumerService() const;
142 const Handler* getAssertionConsumerServiceByIndex(unsigned short index) const;
143 const vector<const Handler*>& getAssertionConsumerServicesByBinding(const XMLCh* binding) const;
144 const Handler* getHandler(const char* path) const;
146 void receive(DDF& in, ostream& out) {
147 // Only current function is to return the headers to clear.
149 DDF ret=DDF(NULL).list();
150 DDFJanitor jret(ret);
151 for (vector< pair<string,string> >::const_iterator i = m_unsetHeaders.begin(); i!=m_unsetHeaders.end(); ++i) {
152 header = DDF(i->first.c_str()).string(i->second.c_str());
158 // Provides filter to exclude special config elements.
159 short acceptNode(const DOMNode* node) const;
163 const ServiceProvider* m_sp; // this is ok because its locking scope includes us
164 const XMLApplication* m_base;
167 MetadataProvider* m_metadata;
168 TrustEngine* m_trust;
169 AttributeExtractor* m_attrExtractor;
170 AttributeFilter* m_attrFilter;
171 AttributeResolver* m_attrResolver;
172 CredentialResolver* m_credResolver;
173 vector<const XMLCh*> m_audiences;
175 // RelyingParty properties
176 DOMPropertySet* m_partyDefault;
178 map<xstring,PropertySet*> m_partyMap;
180 map<const XMLCh*,PropertySet*> m_partyMap;
183 vector<string> m_frontLogout,m_backLogout;
184 set<string> m_remoteUsers;
185 mutable vector< pair<string,string> > m_unsetHeaders;
188 // manage handler objects
189 vector<Handler*> m_handlers;
191 // maps location (path info) to applicable handlers
192 map<string,const Handler*> m_handlerMap;
194 // maps unique indexes to consumer services
195 map<unsigned int,const Handler*> m_acsIndexMap;
197 // pointer to default consumer service
198 const Handler* m_acsDefault;
200 // maps binding strings to supporting consumer service(s)
202 typedef map<xstring,vector<const Handler*> > ACSBindingMap;
204 typedef map<string,vector<const Handler*> > ACSBindingMap;
206 ACSBindingMap m_acsBindingMap;
208 // pointer to default session initiator
209 const SessionInitiator* m_sessionInitDefault;
211 // maps unique ID strings to session initiators
212 map<string,const SessionInitiator*> m_sessionInitMap;
214 // pointer to default artifact resolution service
215 const Handler* m_artifactResolutionDefault;
217 pair<bool,int> getArtifactEndpointIndex() const {
218 if (m_artifactResolutionDefault) return m_artifactResolutionDefault->getInt("index");
219 return m_base ? m_base->getArtifactEndpointIndex() : make_pair(false,0);
223 // Top-level configuration implementation
224 class SHIBSP_DLLLOCAL XMLConfig;
225 class SHIBSP_DLLLOCAL XMLConfigImpl : public DOMPropertySet, public DOMNodeFilter
228 XMLConfigImpl(const DOMElement* e, bool first, const XMLConfig* outer, Category& log);
231 RequestMapper* m_requestMapper;
232 map<string,Application*> m_appmap;
234 map< string,pair< PropertySet*,vector<const SecurityPolicyRule*> > > m_policyMap;
237 // Provides filter to exclude special config elements.
238 short acceptNode(const DOMNode* node) const;
240 void setDocument(DOMDocument* doc) {
245 void doExtensions(const DOMElement* e, const char* label, Category& log);
248 const XMLConfig* m_outer;
249 DOMDocument* m_document;
252 class SHIBSP_DLLLOCAL XMLConfig : public ServiceProvider, public ReloadableXMLFile, public Remoted
255 XMLConfig(const DOMElement* e) : ReloadableXMLFile(e, Category::getInstance(SHIBSP_LOGCAT".Config")),
256 m_impl(NULL), m_listener(NULL), m_sessionCache(NULL)
269 delete m_sessionCache;
273 SAMLConfig::getConfig().setArtifactMap(NULL);
274 XMLToolingConfig::getConfig().setReplayCache(NULL);
275 for_each(m_storage.begin(), m_storage.end(), cleanup_pair<string,StorageService>());
280 const PropertySet* getParent() const { return m_impl->getParent(); }
281 void setParent(const PropertySet* parent) {return m_impl->setParent(parent);}
282 pair<bool,bool> getBool(const char* name, const char* ns=NULL) const {return m_impl->getBool(name,ns);}
283 pair<bool,const char*> getString(const char* name, const char* ns=NULL) const {return m_impl->getString(name,ns);}
284 pair<bool,const XMLCh*> getXMLString(const char* name, const char* ns=NULL) const {return m_impl->getXMLString(name,ns);}
285 pair<bool,unsigned int> getUnsignedInt(const char* name, const char* ns=NULL) const {return m_impl->getUnsignedInt(name,ns);}
286 pair<bool,int> getInt(const char* name, const char* ns=NULL) const {return m_impl->getInt(name,ns);}
287 const PropertySet* getPropertySet(const char* name, const char* ns="urn:mace:shibboleth:2.0:native:sp:config") const {return m_impl->getPropertySet(name,ns);}
288 const DOMElement* getElement() const {return m_impl->getElement();}
291 void receive(DDF& in, ostream& out);
295 TransactionLog* getTransactionLog() const {
298 throw ConfigurationException("No TransactionLog available.");
301 StorageService* getStorageService(const char* id) const {
303 map<string,StorageService*>::const_iterator i=m_storage.find(id);
304 if (i!=m_storage.end())
311 ListenerService* getListenerService(bool required=true) const {
312 if (required && !m_listener)
313 throw ConfigurationException("No ListenerService available.");
317 SessionCache* getSessionCache(bool required=true) const {
318 if (required && !m_sessionCache)
319 throw ConfigurationException("No SessionCache available.");
320 return m_sessionCache;
323 RequestMapper* getRequestMapper(bool required=true) const {
324 if (required && !m_impl->m_requestMapper)
325 throw ConfigurationException("No RequestMapper available.");
326 return m_impl->m_requestMapper;
329 const Application* getApplication(const char* applicationId) const {
330 map<string,Application*>::const_iterator i=m_impl->m_appmap.find(applicationId);
331 return (i!=m_impl->m_appmap.end()) ? i->second : NULL;
335 const PropertySet* getPolicySettings(const char* id) const {
336 map<string,pair<PropertySet*,vector<const SecurityPolicyRule*> > >::const_iterator i = m_impl->m_policyMap.find(id);
337 if (i!=m_impl->m_policyMap.end())
338 return i->second.first;
339 throw ConfigurationException("Security Policy ($1) not found, check <SecurityPolicies> element.", params(1,id));
342 const vector<const SecurityPolicyRule*>& getPolicyRules(const char* id) const {
343 map<string,pair<PropertySet*,vector<const SecurityPolicyRule*> > >::const_iterator i = m_impl->m_policyMap.find(id);
344 if (i!=m_impl->m_policyMap.end())
345 return i->second.second;
346 throw ConfigurationException("Security Policy ($1) not found, check <SecurityPolicies> element.", params(1,id));
351 pair<bool,DOMElement*> load();
354 friend class XMLConfigImpl;
355 XMLConfigImpl* m_impl;
356 mutable ListenerService* m_listener;
357 mutable SessionCache* m_sessionCache;
359 mutable TransactionLog* m_tranLog;
360 mutable map<string,StorageService*> m_storage;
364 #if defined (_MSC_VER)
365 #pragma warning( pop )
368 static const XMLCh _Application[] = UNICODE_LITERAL_11(A,p,p,l,i,c,a,t,i,o,n);
369 static const XMLCh Applications[] = UNICODE_LITERAL_12(A,p,p,l,i,c,a,t,i,o,n,s);
370 static const XMLCh _ArtifactMap[] = UNICODE_LITERAL_11(A,r,t,i,f,a,c,t,M,a,p);
371 static const XMLCh _AttributeExtractor[] = UNICODE_LITERAL_18(A,t,t,r,i,b,u,t,e,E,x,t,r,a,c,t,o,r);
372 static const XMLCh _AttributeFilter[] = UNICODE_LITERAL_15(A,t,t,r,i,b,u,t,e,F,i,l,t,e,r);
373 static const XMLCh _AttributeResolver[] = UNICODE_LITERAL_17(A,t,t,r,i,b,u,t,e,R,e,s,o,l,v,e,r);
374 static const XMLCh _AssertionConsumerService[] = UNICODE_LITERAL_24(A,s,s,e,r,t,i,o,n,C,o,n,s,u,m,e,r,S,e,r,v,i,c,e);
375 static const XMLCh _ArtifactResolutionService[] =UNICODE_LITERAL_25(A,r,t,i,f,a,c,t,R,e,s,o,l,u,t,i,o,n,S,e,r,v,i,c,e);
376 static const XMLCh _Audience[] = UNICODE_LITERAL_8(A,u,d,i,e,n,c,e);
377 static const XMLCh Binding[] = UNICODE_LITERAL_7(B,i,n,d,i,n,g);
378 static const XMLCh Channel[]= UNICODE_LITERAL_7(C,h,a,n,n,e,l);
379 static const XMLCh _CredentialResolver[] = UNICODE_LITERAL_18(C,r,e,d,e,n,t,i,a,l,R,e,s,o,l,v,e,r);
380 static const XMLCh DefaultRelyingParty[] = UNICODE_LITERAL_19(D,e,f,a,u,l,t,R,e,l,y,i,n,g,P,a,r,t,y);
381 static const XMLCh _Extensions[] = UNICODE_LITERAL_10(E,x,t,e,n,s,i,o,n,s);
382 static const XMLCh _fatal[] = UNICODE_LITERAL_5(f,a,t,a,l);
383 static const XMLCh _Handler[] = UNICODE_LITERAL_7(H,a,n,d,l,e,r);
384 static const XMLCh _id[] = UNICODE_LITERAL_2(i,d);
385 static const XMLCh Implementation[] = UNICODE_LITERAL_14(I,m,p,l,e,m,e,n,t,a,t,i,o,n);
386 static const XMLCh InProcess[] = UNICODE_LITERAL_9(I,n,P,r,o,c,e,s,s);
387 static const XMLCh Library[] = UNICODE_LITERAL_7(L,i,b,r,a,r,y);
388 static const XMLCh Listener[] = UNICODE_LITERAL_8(L,i,s,t,e,n,e,r);
389 static const XMLCh Location[] = UNICODE_LITERAL_8(L,o,c,a,t,i,o,n);
390 static const XMLCh logger[] = UNICODE_LITERAL_6(l,o,g,g,e,r);
391 static const XMLCh _LogoutInitiator[] = UNICODE_LITERAL_15(L,o,g,o,u,t,I,n,i,t,i,a,t,o,r);
392 static const XMLCh _ManageNameIDService[] = UNICODE_LITERAL_19(M,a,n,a,g,e,N,a,m,e,I,D,S,e,r,v,i,c,e);
393 static const XMLCh MemoryListener[] = UNICODE_LITERAL_14(M,e,m,o,r,y,L,i,s,t,e,n,e,r);
394 static const XMLCh _MetadataProvider[] = UNICODE_LITERAL_16(M,e,t,a,d,a,t,a,P,r,o,v,i,d,e,r);
395 static const XMLCh Notify[] = UNICODE_LITERAL_6(N,o,t,i,f,y);
396 static const XMLCh OutOfProcess[] = UNICODE_LITERAL_12(O,u,t,O,f,P,r,o,c,e,s,s);
397 static const XMLCh _path[] = UNICODE_LITERAL_4(p,a,t,h);
398 static const XMLCh Policy[] = UNICODE_LITERAL_6(P,o,l,i,c,y);
399 static const XMLCh RelyingParty[] = UNICODE_LITERAL_12(R,e,l,y,i,n,g,P,a,r,t,y);
400 static const XMLCh _ReplayCache[] = UNICODE_LITERAL_11(R,e,p,l,a,y,C,a,c,h,e);
401 static const XMLCh _RequestMapper[] = UNICODE_LITERAL_13(R,e,q,u,e,s,t,M,a,p,p,e,r);
402 static const XMLCh Rule[] = UNICODE_LITERAL_4(R,u,l,e);
403 static const XMLCh SecurityPolicies[] = UNICODE_LITERAL_16(S,e,c,u,r,i,t,y,P,o,l,i,c,i,e,s);
404 static const XMLCh _SessionCache[] = UNICODE_LITERAL_12(S,e,s,s,i,o,n,C,a,c,h,e);
405 static const XMLCh _SessionInitiator[] = UNICODE_LITERAL_16(S,e,s,s,i,o,n,I,n,i,t,i,a,t,o,r);
406 static const XMLCh _SingleLogoutService[] = UNICODE_LITERAL_19(S,i,n,g,l,e,L,o,g,o,u,t,S,e,r,v,i,c,e);
407 static const XMLCh _StorageService[] = UNICODE_LITERAL_14(S,t,o,r,a,g,e,S,e,r,v,i,c,e);
408 static const XMLCh TCPListener[] = UNICODE_LITERAL_11(T,C,P,L,i,s,t,e,n,e,r);
409 static const XMLCh _TrustEngine[] = UNICODE_LITERAL_11(T,r,u,s,t,E,n,g,i,n,e);
410 static const XMLCh _type[] = UNICODE_LITERAL_4(t,y,p,e);
411 static const XMLCh UnixListener[] = UNICODE_LITERAL_12(U,n,i,x,L,i,s,t,e,n,e,r);
414 class SHIBSP_DLLLOCAL PolicyNodeFilter : public DOMNodeFilter
417 short acceptNode(const DOMNode* node) const {
418 if (XMLHelper::isNodeNamed(node,shibspconstants::SHIB2SPCONFIG_NS,Rule))
419 return FILTER_REJECT;
420 return FILTER_ACCEPT;
426 ServiceProvider* XMLServiceProviderFactory(const DOMElement* const & e)
428 return new XMLConfig(e);
432 XMLApplication::XMLApplication(
433 const ServiceProvider* sp,
435 const XMLApplication* base
436 ) : m_sp(sp), m_base(base),
438 m_metadata(NULL), m_trust(NULL),
439 m_attrExtractor(NULL), m_attrFilter(NULL), m_attrResolver(NULL),
440 m_credResolver(NULL), m_partyDefault(NULL),
442 m_unsetLock(NULL), m_acsDefault(NULL), m_sessionInitDefault(NULL), m_artifactResolutionDefault(NULL)
445 xmltooling::NDC ndc("XMLApplication");
447 Category& log=Category::getInstance(SHIBSP_LOGCAT".Application");
450 // First load any property sets.
455 SPConfig& conf=SPConfig::getConfig();
457 SAMLConfig& samlConf=SAMLConfig::getConfig();
458 XMLToolingConfig& xmlConf=XMLToolingConfig::getConfig();
461 // This used to be an actual hash, but now it's just a hex-encode to avoid xmlsec.
462 static char DIGITS[] = {'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'};
463 string tohash=getId();
464 tohash+=getString("entityID").second;
465 for (const char* ch = tohash.c_str(); *ch; ++ch) {
466 m_hash += (DIGITS[((unsigned char)(0xF0 & *ch)) >> 4 ]);
467 m_hash += (DIGITS[0x0F & *ch]);
470 // Load attribute ID lists for REMOTE_USER and header clearing.
471 if (conf.isEnabled(SPConfig::InProcess)) {
472 pair<bool,const char*> attributes = getString("REMOTE_USER");
473 if (attributes.first) {
474 char* dup = strdup(attributes.second);
477 while (start && *start) {
478 while (*start && isspace(*start))
482 pos = strchr(start,' ');
485 m_remoteUsers.insert(start);
486 start = pos ? pos+1 : NULL;
491 attributes = getString("unsetHeaders");
492 if (attributes.first) {
493 char* dup = strdup(attributes.second);
496 while (start && *start) {
497 while (*start && isspace(*start))
501 pos = strchr(start,' ');
505 string transformed("HTTP_");
506 const char* pch = start;
508 transformed += (isalnum(*pch) ? toupper(*pch) : '_');
511 m_unsetHeaders.push_back(pair<string,string>(start,transformed));
512 start = pos ? pos+1 : NULL;
515 m_unsetHeaders.push_back(pair<string,string>("Shib-Application-ID","HTTP_SHIB_APPLICATION_ID"));
519 Handler* handler=NULL;
520 const PropertySet* sessions = getPropertySet("Sessions");
522 // Process assertion export handler.
523 pair<bool,const char*> location = sessions ? sessions->getString("exportLocation") : pair<bool,const char*>(false,NULL);
524 if (location.first) {
526 handler = conf.HandlerManager.newPlugin(samlconstants::SAML20_BINDING_URI, make_pair(sessions->getElement(), getId()));
527 m_handlers.push_back(handler);
529 // Insert into location map. If it contains the handlerURL, we skip past that part.
530 const char* pch = strstr(location.second, sessions->getString("handlerURL").second);
532 location.second = pch + strlen(sessions->getString("handlerURL").second);
533 if (*location.second == '/')
534 m_handlerMap[location.second]=handler;
536 m_handlerMap[string("/") + location.second]=handler;
538 catch (exception& ex) {
539 log.error("caught exception installing assertion lookup handler: %s", ex.what());
543 // Process other handlers.
544 bool hardACS=false, hardSessionInit=false, hardArt=false;
545 const DOMElement* child = sessions ? XMLHelper::getFirstChildElement(sessions->getElement()) : NULL;
548 // A handler is based on the Binding property in conjunction with the element name.
549 // If it's an ACS or SI, also handle index/id mappings and defaulting.
550 if (XMLString::equals(child->getLocalName(),_AssertionConsumerService)) {
551 auto_ptr_char bindprop(child->getAttributeNS(NULL,Binding));
552 if (!bindprop.get() || !*(bindprop.get())) {
553 log.warn("md:AssertionConsumerService element has no Binding attribute, skipping it...");
554 child = XMLHelper::getNextSiblingElement(child);
557 handler=conf.AssertionConsumerServiceManager.newPlugin(bindprop.get(),make_pair(child, getId()));
558 // Map by binding (may be > 1 per binding, e.g. SAML 1.0 vs 1.1)
560 m_acsBindingMap[handler->getXMLString("Binding").second].push_back(handler);
562 m_acsBindingMap[handler->getString("Binding").second].push_back(handler);
564 m_acsIndexMap[handler->getUnsignedInt("index").second]=handler;
567 pair<bool,bool> defprop=handler->getBool("isDefault");
569 if (defprop.second) {
571 m_acsDefault=handler;
574 else if (!m_acsDefault)
575 m_acsDefault=handler;
578 else if (XMLString::equals(child->getLocalName(),_SessionInitiator)) {
579 auto_ptr_char type(child->getAttributeNS(NULL,_type));
580 if (!type.get() || !*(type.get())) {
581 log.warn("SessionInitiator element has no type attribute, skipping it...");
582 child = XMLHelper::getNextSiblingElement(child);
585 SessionInitiator* sihandler=conf.SessionInitiatorManager.newPlugin(type.get(),make_pair(child, getId()));
587 pair<bool,const char*> si_id=handler->getString("id");
588 if (si_id.first && si_id.second)
589 m_sessionInitMap[si_id.second]=sihandler;
590 if (!hardSessionInit) {
591 pair<bool,bool> defprop=handler->getBool("isDefault");
593 if (defprop.second) {
594 hardSessionInit=true;
595 m_sessionInitDefault=sihandler;
598 else if (!m_sessionInitDefault)
599 m_sessionInitDefault=sihandler;
602 else if (XMLString::equals(child->getLocalName(),_LogoutInitiator)) {
603 auto_ptr_char type(child->getAttributeNS(NULL,_type));
604 if (!type.get() || !*(type.get())) {
605 log.warn("LogoutInitiator element has no type attribute, skipping it...");
606 child = XMLHelper::getNextSiblingElement(child);
609 handler=conf.LogoutInitiatorManager.newPlugin(type.get(),make_pair(child, getId()));
611 else if (XMLString::equals(child->getLocalName(),_ArtifactResolutionService)) {
612 auto_ptr_char bindprop(child->getAttributeNS(NULL,Binding));
613 if (!bindprop.get() || !*(bindprop.get())) {
614 log.warn("md:ArtifactResolutionService element has no Binding attribute, skipping it...");
615 child = XMLHelper::getNextSiblingElement(child);
618 handler=conf.ArtifactResolutionServiceManager.newPlugin(bindprop.get(),make_pair(child, getId()));
621 pair<bool,bool> defprop=handler->getBool("isDefault");
623 if (defprop.second) {
625 m_artifactResolutionDefault=handler;
628 else if (!m_artifactResolutionDefault)
629 m_artifactResolutionDefault=handler;
632 else if (XMLString::equals(child->getLocalName(),_SingleLogoutService)) {
633 auto_ptr_char bindprop(child->getAttributeNS(NULL,Binding));
634 if (!bindprop.get() || !*(bindprop.get())) {
635 log.warn("md:SingleLogoutService element has no Binding attribute, skipping it...");
636 child = XMLHelper::getNextSiblingElement(child);
639 handler=conf.SingleLogoutServiceManager.newPlugin(bindprop.get(),make_pair(child, getId()));
641 else if (XMLString::equals(child->getLocalName(),_ManageNameIDService)) {
642 auto_ptr_char bindprop(child->getAttributeNS(NULL,Binding));
643 if (!bindprop.get() || !*(bindprop.get())) {
644 log.warn("md:ManageNameIDService element has no Binding attribute, skipping it...");
645 child = XMLHelper::getNextSiblingElement(child);
648 handler=conf.ManageNameIDServiceManager.newPlugin(bindprop.get(),make_pair(child, getId()));
651 auto_ptr_char type(child->getAttributeNS(NULL,_type));
652 if (!type.get() || !*(type.get())) {
653 log.warn("Handler element has no type attribute, skipping it...");
654 child = XMLHelper::getNextSiblingElement(child);
657 handler=conf.HandlerManager.newPlugin(type.get(),make_pair(child, getId()));
660 m_handlers.push_back(handler);
662 // Insert into location map.
663 location=handler->getString("Location");
664 if (location.first && *location.second == '/')
665 m_handlerMap[location.second]=handler;
666 else if (location.first)
667 m_handlerMap[string("/") + location.second]=handler;
670 catch (exception& ex) {
671 log.error("caught exception processing handler element: %s", ex.what());
674 child = XMLHelper::getNextSiblingElement(child);
678 DOMNodeList* nlist=e->getElementsByTagNameNS(shibspconstants::SHIB2SPCONFIG_NS,Notify);
679 for (XMLSize_t i=0; nlist && i<nlist->getLength(); i++) {
680 if (nlist->item(i)->getParentNode()->isSameNode(e)) {
681 const XMLCh* channel = static_cast<DOMElement*>(nlist->item(i))->getAttributeNS(NULL,Channel);
682 auto_ptr_char loc(static_cast<DOMElement*>(nlist->item(i))->getAttributeNS(NULL,Location));
683 if (loc.get() && *loc.get()) {
684 if (channel && *channel == chLatin_f)
685 m_frontLogout.push_back(loc.get());
687 m_backLogout.push_back(loc.get());
693 nlist=e->getElementsByTagNameNS(samlconstants::SAML20_NS,Audience::LOCAL_NAME);
694 for (XMLSize_t i=0; nlist && i<nlist->getLength(); i++)
695 if (nlist->item(i)->getParentNode()->isSameNode(e) && nlist->item(i)->hasChildNodes())
696 m_audiences.push_back(nlist->item(i)->getFirstChild()->getNodeValue());
698 // Always include our own entityID as an audience.
699 m_audiences.push_back(getXMLString("entityID").second);
701 if (conf.isEnabled(SPConfig::Metadata)) {
702 child = XMLHelper::getFirstChildElement(e,_MetadataProvider);
704 auto_ptr_char type(child->getAttributeNS(NULL,_type));
705 log.info("building MetadataProvider of type %s...",type.get());
707 auto_ptr<MetadataProvider> mp(samlConf.MetadataProviderManager.newPlugin(type.get(),child));
709 m_metadata = mp.release();
711 catch (exception& ex) {
712 log.crit("error building/initializing MetadataProvider: %s", ex.what());
717 if (conf.isEnabled(SPConfig::Trust)) {
718 child = XMLHelper::getFirstChildElement(e,_TrustEngine);
720 auto_ptr_char type(child->getAttributeNS(NULL,_type));
721 log.info("building TrustEngine of type %s...",type.get());
723 m_trust = xmlConf.TrustEngineManager.newPlugin(type.get(),child);
725 catch (exception& ex) {
726 log.crit("error building TrustEngine: %s", ex.what());
731 if (conf.isEnabled(SPConfig::AttributeResolution)) {
732 child = XMLHelper::getFirstChildElement(e,_AttributeExtractor);
734 auto_ptr_char type(child->getAttributeNS(NULL,_type));
735 log.info("building AttributeExtractor of type %s...",type.get());
737 m_attrExtractor = conf.AttributeExtractorManager.newPlugin(type.get(),child);
739 catch (exception& ex) {
740 log.crit("error building AttributeExtractor: %s", ex.what());
744 child = XMLHelper::getFirstChildElement(e,_AttributeFilter);
746 auto_ptr_char type(child->getAttributeNS(NULL,_type));
747 log.info("building AttributeFilter of type %s...",type.get());
749 m_attrFilter = conf.AttributeFilterManager.newPlugin(type.get(),child);
751 catch (exception& ex) {
752 log.crit("error building AttributeFilter: %s", ex.what());
756 child = XMLHelper::getFirstChildElement(e,_AttributeResolver);
758 auto_ptr_char type(child->getAttributeNS(NULL,_type));
759 log.info("building AttributeResolver of type %s...",type.get());
761 m_attrResolver = conf.AttributeResolverManager.newPlugin(type.get(),child);
763 catch (exception& ex) {
764 log.crit("error building AttributeResolver: %s", ex.what());
768 if (m_unsetHeaders.empty()) {
769 vector<string> unsetHeaders;
770 if (m_attrExtractor) {
771 Locker extlock(m_attrExtractor);
772 m_attrExtractor->getAttributeIds(unsetHeaders);
774 if (m_attrResolver) {
775 Locker reslock(m_attrResolver);
776 m_attrResolver->getAttributeIds(unsetHeaders);
778 if (unsetHeaders.empty()) {
780 m_unsetHeaders.insert(m_unsetHeaders.end(), m_base->m_unsetHeaders.begin(), m_base->m_unsetHeaders.end());
782 m_unsetHeaders.push_back(pair<string,string>("Shib-Application-ID","HTTP_SHIB_APPLICATION_ID"));
785 for (vector<string>::const_iterator hdr = unsetHeaders.begin(); hdr!=unsetHeaders.end(); ++hdr) {
786 string transformed("HTTP_");
787 const char* pch = hdr->c_str();
789 transformed += (isalnum(*pch) ? toupper(*pch) : '_');
792 m_unsetHeaders.push_back(pair<string,string>(*hdr,transformed));
794 m_unsetHeaders.push_back(pair<string,string>("Shib-Application-ID","HTTP_SHIB_APPLICATION_ID"));
799 if (conf.isEnabled(SPConfig::Credentials)) {
800 child = XMLHelper::getFirstChildElement(e,_CredentialResolver);
802 auto_ptr_char type(child->getAttributeNS(NULL,_type));
803 log.info("building CredentialResolver of type %s...",type.get());
805 m_credResolver = xmlConf.CredentialResolverManager.newPlugin(type.get(),child);
807 catch (exception& ex) {
808 log.crit("error building CredentialResolver: %s", ex.what());
813 // Finally, load relying parties.
814 child = XMLHelper::getFirstChildElement(e,DefaultRelyingParty);
816 m_partyDefault=new DOMPropertySet();
817 m_partyDefault->load(child,log,this);
818 child = XMLHelper::getFirstChildElement(child,RelyingParty);
820 auto_ptr<DOMPropertySet> rp(new DOMPropertySet());
821 rp->load(child,log,this);
822 rp->setParent(m_partyDefault);
823 m_partyMap[child->getAttributeNS(NULL,saml2::Attribute::NAME_ATTRIB_NAME)]=rp.release();
824 child = XMLHelper::getNextSiblingElement(child,RelyingParty);
829 // In process only, we need a shared lock around accessing the header clearing list.
830 if (!conf.isEnabled(SPConfig::OutOfProcess)) {
831 m_unsetLock = RWLock::create();
833 else if (!conf.isEnabled(SPConfig::InProcess)) {
834 ListenerService* listener = sp->getListenerService(false);
836 string addr=string(getId()) + "::getHeaders::Application";
837 listener->regListener(addr.c_str(),this);
840 log.info("no ListenerService available, Application remoting disabled");
855 void XMLApplication::cleanup()
857 ListenerService* listener=getServiceProvider().getListenerService(false);
858 if (listener && SPConfig::getConfig().isEnabled(SPConfig::OutOfProcess) && !SPConfig::getConfig().isEnabled(SPConfig::InProcess)) {
859 string addr=string(getId()) + "::getHeaders::Application";
860 listener->unregListener(addr.c_str(),this);
864 for_each(m_handlers.begin(),m_handlers.end(),xmltooling::cleanup<Handler>());
867 delete m_partyDefault;
868 m_partyDefault = NULL;
870 for_each(m_partyMap.begin(),m_partyMap.end(),cleanup_pair<xstring,PropertySet>());
872 for_each(m_partyMap.begin(),m_partyMap.end(),cleanup_pair<const XMLCh*,PropertySet>());
875 delete m_credResolver;
876 m_credResolver = NULL;
877 delete m_attrResolver;
878 m_attrResolver = NULL;
881 delete m_attrExtractor;
882 m_attrExtractor = NULL;
890 short XMLApplication::acceptNode(const DOMNode* node) const
892 const XMLCh* name=node->getLocalName();
893 if (XMLString::equals(name,_Application) ||
894 XMLString::equals(name,_Audience) ||
895 XMLString::equals(name,Notify) ||
896 XMLString::equals(name,_AssertionConsumerService) ||
897 XMLString::equals(name,_ArtifactResolutionService) ||
898 XMLString::equals(name,_LogoutInitiator) ||
899 XMLString::equals(name,_ManageNameIDService) ||
900 XMLString::equals(name,_SessionInitiator) ||
901 XMLString::equals(name,_SingleLogoutService) ||
902 XMLString::equals(name,DefaultRelyingParty) ||
903 XMLString::equals(name,RelyingParty) ||
904 XMLString::equals(name,_MetadataProvider) ||
905 XMLString::equals(name,_TrustEngine) ||
906 XMLString::equals(name,_CredentialResolver) ||
907 XMLString::equals(name,_AttributeFilter) ||
908 XMLString::equals(name,_AttributeExtractor) ||
909 XMLString::equals(name,_AttributeResolver))
910 return FILTER_REJECT;
912 return FILTER_ACCEPT;
917 const PropertySet* XMLApplication::getRelyingParty(const EntityDescriptor* provider) const
919 if (!m_partyDefault && m_base)
920 return m_base->getRelyingParty(provider);
922 return m_partyDefault;
925 map<xstring,PropertySet*>::const_iterator i=m_partyMap.find(provider->getEntityID());
926 if (i!=m_partyMap.end())
928 const EntitiesDescriptor* group=dynamic_cast<const EntitiesDescriptor*>(provider->getParent());
930 if (group->getName()) {
931 i=m_partyMap.find(group->getName());
932 if (i!=m_partyMap.end())
935 group=dynamic_cast<const EntitiesDescriptor*>(group->getParent());
938 map<const XMLCh*,PropertySet*>::const_iterator i=m_partyMap.begin();
939 for (; i!=m_partyMap.end(); i++) {
940 if (XMLString::equals(i->first,provider->getEntityID()))
942 const EntitiesDescriptor* group=dynamic_cast<const EntitiesDescriptor*>(provider->getParent());
944 if (XMLString::equals(i->first,group->getName()))
946 group=dynamic_cast<const EntitiesDescriptor*>(group->getParent());
950 return m_partyDefault;
955 string XMLApplication::getNotificationURL(const char* resource, bool front, unsigned int index) const
957 const vector<string>& locs = front ? m_frontLogout : m_backLogout;
959 return m_base ? m_base->getNotificationURL(resource, front, index) : string();
960 else if (index >= locs.size())
963 #ifdef HAVE_STRCASECMP
964 if (!resource || (strncasecmp(resource,"http://",7) && strncasecmp(resource,"https://",8)))
966 if (!resource || (strnicmp(resource,"http://",7) && strnicmp(resource,"https://",8)))
968 throw ConfigurationException("Request URL was not absolute.");
970 const char* handler=locs[index].c_str();
972 // Should never happen...
973 if (!handler || (*handler!='/' && strncmp(handler,"http:",5) && strncmp(handler,"https:",6)))
974 throw ConfigurationException(
975 "Invalid Location property ($1) in Notify element for Application ($2)",
976 params(2, handler ? handler : "null", getId())
979 // The "Location" property can be in one of three formats:
981 // 1) a full URI: http://host/foo/bar
982 // 2) a hostless URI: http:///foo/bar
983 // 3) a relative path: /foo/bar
985 // # Protocol Host Path
986 // 1 handler handler handler
987 // 2 handler resource handler
988 // 3 resource resource handler
990 const char* path = NULL;
992 // Decide whether to use the handler or the resource for the "protocol"
994 if (*handler != '/') {
1002 // break apart the "protocol" string into protocol, host, and "the rest"
1003 const char* colon=strchr(prot,':');
1005 const char* slash=strchr(colon,'/');
1009 // Compute the actual protocol and store.
1010 string notifyURL(prot, colon-prot);
1012 // create the "host" from either the colon/slash or from the target string
1013 // If prot == handler then we're in either #1 or #2, else #3.
1014 // If slash == colon then we're in #2.
1015 if (prot != handler || slash == colon) {
1016 colon = strchr(resource, ':');
1017 colon += 3; // Get past the ://
1018 slash = strchr(colon, '/');
1020 string host(colon, (slash ? slash-colon : strlen(colon)));
1023 notifyURL += host + path;
1027 const SessionInitiator* XMLApplication::getDefaultSessionInitiator() const
1029 if (m_sessionInitDefault) return m_sessionInitDefault;
1030 return m_base ? m_base->getDefaultSessionInitiator() : NULL;
1033 const SessionInitiator* XMLApplication::getSessionInitiatorById(const char* id) const
1035 map<string,const SessionInitiator*>::const_iterator i=m_sessionInitMap.find(id);
1036 if (i!=m_sessionInitMap.end()) return i->second;
1037 return m_base ? m_base->getSessionInitiatorById(id) : NULL;
1040 const Handler* XMLApplication::getDefaultAssertionConsumerService() const
1042 if (m_acsDefault) return m_acsDefault;
1043 return m_base ? m_base->getDefaultAssertionConsumerService() : NULL;
1046 const Handler* XMLApplication::getAssertionConsumerServiceByIndex(unsigned short index) const
1048 map<unsigned int,const Handler*>::const_iterator i=m_acsIndexMap.find(index);
1049 if (i!=m_acsIndexMap.end()) return i->second;
1050 return m_base ? m_base->getAssertionConsumerServiceByIndex(index) : NULL;
1053 const vector<const Handler*>& XMLApplication::getAssertionConsumerServicesByBinding(const XMLCh* binding) const
1055 #ifdef HAVE_GOOD_STL
1056 ACSBindingMap::const_iterator i=m_acsBindingMap.find(binding);
1058 auto_ptr_char temp(binding);
1059 ACSBindingMap::const_iterator i=m_acsBindingMap.find(temp.get());
1061 if (i!=m_acsBindingMap.end())
1063 return m_base ? m_base->getAssertionConsumerServicesByBinding(binding) : g_noHandlers;
1066 const Handler* XMLApplication::getHandler(const char* path) const
1069 map<string,const Handler*>::const_iterator i=m_handlerMap.find(wrap.substr(0,wrap.find('?')));
1070 if (i!=m_handlerMap.end())
1072 return m_base ? m_base->getHandler(path) : NULL;
1075 void XMLApplication::clearAttributeHeaders(SPRequest& request) const
1077 if (SPConfig::getConfig().isEnabled(SPConfig::OutOfProcess)) {
1078 for (vector< pair<string,string> >::const_iterator i = m_unsetHeaders.begin(); i!=m_unsetHeaders.end(); ++i)
1079 request.clearHeader(i->first.c_str(), i->second.c_str());
1083 m_unsetLock->rdlock();
1084 if (m_unsetHeaders.empty()) {
1085 // No headers yet, so we have to request them from the remote half.
1086 m_unsetLock->unlock();
1087 m_unsetLock->wrlock();
1088 if (m_unsetHeaders.empty()) {
1089 SharedLock wrlock(m_unsetLock, false);
1090 string addr=string(getId()) + "::getHeaders::Application";
1091 DDF out,in = DDF(addr.c_str());
1092 DDFJanitor jin(in),jout(out);
1093 out = getServiceProvider().getListenerService()->send(in);
1095 DDF header = out.first();
1096 while (header.isstring()) {
1097 m_unsetHeaders.push_back(pair<string,string>(header.name(),header.string()));
1098 header = out.next();
1103 m_unsetLock->unlock();
1105 m_unsetLock->rdlock();
1108 // Now holding read lock.
1109 SharedLock unsetLock(m_unsetLock, false);
1110 for (vector< pair<string,string> >::const_iterator i = m_unsetHeaders.begin(); i!=m_unsetHeaders.end(); ++i)
1111 request.clearHeader(i->first.c_str(), i->second.c_str());
1114 short XMLConfigImpl::acceptNode(const DOMNode* node) const
1116 if (!XMLString::equals(node->getNamespaceURI(),shibspconstants::SHIB2SPCONFIG_NS))
1117 return FILTER_ACCEPT;
1118 const XMLCh* name=node->getLocalName();
1119 if (XMLString::equals(name,Applications) ||
1120 XMLString::equals(name,_ArtifactMap) ||
1121 XMLString::equals(name,_Extensions) ||
1122 XMLString::equals(name,Implementation) ||
1123 XMLString::equals(name,Listener) ||
1124 XMLString::equals(name,MemoryListener) ||
1125 XMLString::equals(name,Policy) ||
1126 XMLString::equals(name,_RequestMapper) ||
1127 XMLString::equals(name,_ReplayCache) ||
1128 XMLString::equals(name,_SessionCache) ||
1129 XMLString::equals(name,_StorageService) ||
1130 XMLString::equals(name,TCPListener) ||
1131 XMLString::equals(name,UnixListener))
1132 return FILTER_REJECT;
1134 return FILTER_ACCEPT;
1137 void XMLConfigImpl::doExtensions(const DOMElement* e, const char* label, Category& log)
1139 const DOMElement* exts=XMLHelper::getFirstChildElement(e,_Extensions);
1141 exts=XMLHelper::getFirstChildElement(exts,Library);
1143 auto_ptr_char path(exts->getAttributeNS(NULL,_path));
1146 XMLToolingConfig::getConfig().load_library(path.get(),(void*)exts);
1147 log.debug("loaded %s extension library (%s)", label, path.get());
1150 catch (exception& e) {
1151 const XMLCh* fatal=exts->getAttributeNS(NULL,_fatal);
1152 if (fatal && (*fatal==chLatin_t || *fatal==chDigit_1)) {
1153 log.fatal("unable to load mandatory %s extension library %s: %s", label, path.get(), e.what());
1157 log.crit("unable to load optional %s extension library %s: %s", label, path.get(), e.what());
1160 exts=XMLHelper::getNextSiblingElement(exts,Library);
1165 XMLConfigImpl::XMLConfigImpl(const DOMElement* e, bool first, const XMLConfig* outer, Category& log)
1166 : m_requestMapper(NULL), m_outer(outer), m_document(NULL)
1169 xmltooling::NDC ndc("XMLConfigImpl");
1173 SPConfig& conf=SPConfig::getConfig();
1175 SAMLConfig& samlConf=SAMLConfig::getConfig();
1177 XMLToolingConfig& xmlConf=XMLToolingConfig::getConfig();
1178 const DOMElement* SHAR=XMLHelper::getFirstChildElement(e,OutOfProcess);
1179 const DOMElement* SHIRE=XMLHelper::getFirstChildElement(e,InProcess);
1181 // Initialize log4cpp manually in order to redirect log messages as soon as possible.
1182 if (conf.isEnabled(SPConfig::Logging)) {
1183 const XMLCh* logconf=NULL;
1184 if (conf.isEnabled(SPConfig::OutOfProcess))
1185 logconf=SHAR->getAttributeNS(NULL,logger);
1186 else if (conf.isEnabled(SPConfig::InProcess))
1187 logconf=SHIRE->getAttributeNS(NULL,logger);
1188 if (!logconf || !*logconf)
1189 logconf=e->getAttributeNS(NULL,logger);
1190 if (logconf && *logconf) {
1191 auto_ptr_char logpath(logconf);
1192 log.debug("loading new logging configuration from (%s), check log destination for status of configuration",logpath.get());
1193 XMLToolingConfig::getConfig().log_config(logpath.get());
1198 m_outer->m_tranLog = new TransactionLog();
1202 // First load any property sets.
1205 const DOMElement* child;
1208 // Much of the processing can only occur on the first instantiation.
1211 pair<bool,unsigned int> skew=getUnsignedInt("clockSkew");
1213 xmlConf.clock_skew_secs=skew.second;
1216 doExtensions(e, "global", log);
1217 if (conf.isEnabled(SPConfig::OutOfProcess))
1218 doExtensions(SHAR, "out of process", log);
1220 if (conf.isEnabled(SPConfig::InProcess))
1221 doExtensions(SHIRE, "in process", log);
1223 // Instantiate the ListenerService and SessionCache objects.
1224 if (conf.isEnabled(SPConfig::Listener)) {
1225 child=XMLHelper::getFirstChildElement(SHAR,UnixListener);
1227 plugtype=UNIX_LISTENER_SERVICE;
1229 child=XMLHelper::getFirstChildElement(SHAR,TCPListener);
1231 plugtype=TCP_LISTENER_SERVICE;
1233 child=XMLHelper::getFirstChildElement(SHAR,MemoryListener);
1235 plugtype=MEMORY_LISTENER_SERVICE;
1237 child=XMLHelper::getFirstChildElement(SHAR,Listener);
1239 auto_ptr_char type(child->getAttributeNS(NULL,_type));
1241 plugtype=type.get();
1247 log.info("building ListenerService of type %s...", plugtype.c_str());
1248 m_outer->m_listener = conf.ListenerServiceManager.newPlugin(plugtype.c_str(),child);
1251 log.fatal("can't build ListenerService, missing conf:Listener element?");
1252 throw ConfigurationException("Can't build ListenerService, missing conf:Listener element?");
1256 if (m_outer->m_listener && conf.isEnabled(SPConfig::OutOfProcess) && !conf.isEnabled(SPConfig::InProcess)) {
1257 m_outer->m_listener->regListener("set::RelayState",m_outer->m_listener);
1258 m_outer->m_listener->regListener("get::RelayState",m_outer->m_listener);
1261 if (conf.isEnabled(SPConfig::Caching)) {
1262 if (conf.isEnabled(SPConfig::OutOfProcess)) {
1264 // First build any StorageServices.
1266 child=XMLHelper::getFirstChildElement(SHAR,_StorageService);
1268 auto_ptr_char id(child->getAttributeNS(NULL,_id));
1269 auto_ptr_char type(child->getAttributeNS(NULL,_type));
1271 log.info("building StorageService (%s) of type %s...", id.get(), type.get());
1272 m_outer->m_storage[id.get()] = xmlConf.StorageServiceManager.newPlugin(type.get(),child);
1273 if (!strcmp(type.get(),MEMORY_STORAGE_SERVICE))
1276 catch (exception& ex) {
1277 log.crit("failed to instantiate StorageService (%s): %s", id.get(), ex.what());
1279 child=XMLHelper::getNextSiblingElement(child,_StorageService);
1282 child=XMLHelper::getFirstChildElement(SHAR,_SessionCache);
1284 auto_ptr_char type(child->getAttributeNS(NULL,_type));
1285 log.info("building SessionCache of type %s...",type.get());
1286 m_outer->m_sessionCache=conf.SessionCacheManager.newPlugin(type.get(),child);
1289 log.warn("SessionCache unspecified, building SessionCache of type %s...",STORAGESERVICE_SESSION_CACHE);
1290 if (inmemID.empty()) {
1292 log.info("no StorageServices configured, providing in-memory version for session cache");
1293 m_outer->m_storage[inmemID] = xmlConf.StorageServiceManager.newPlugin(MEMORY_STORAGE_SERVICE,NULL);
1295 child = e->getOwnerDocument()->createElementNS(NULL,_SessionCache);
1296 auto_ptr_XMLCh ssid(inmemID.c_str());
1297 const_cast<DOMElement*>(child)->setAttributeNS(NULL,_StorageService,ssid.get());
1298 m_outer->m_sessionCache=conf.SessionCacheManager.newPlugin(STORAGESERVICE_SESSION_CACHE,child);
1302 StorageService* replaySS=NULL;
1303 child=XMLHelper::getFirstChildElement(SHAR,_ReplayCache);
1305 auto_ptr_char ssid(child->getAttributeNS(NULL,_StorageService));
1306 if (ssid.get() && *ssid.get()) {
1307 if (m_outer->m_storage.count(ssid.get()))
1308 replaySS = m_outer->m_storage[ssid.get()];
1310 log.info("building ReplayCache on top of StorageService (%s)...", ssid.get());
1312 log.crit("unable to locate StorageService (%s) in configuration", ssid.get());
1316 log.info("building ReplayCache using in-memory StorageService...");
1317 if (inmemID.empty()) {
1319 log.info("no StorageServices configured, providing in-memory version for legacy config");
1320 m_outer->m_storage[inmemID] = xmlConf.StorageServiceManager.newPlugin(MEMORY_STORAGE_SERVICE,NULL);
1322 replaySS = m_outer->m_storage[inmemID];
1324 xmlConf.setReplayCache(new ReplayCache(replaySS));
1327 child=XMLHelper::getFirstChildElement(SHAR,_ArtifactMap);
1329 auto_ptr_char ssid(child->getAttributeNS(NULL,_StorageService));
1330 if (ssid.get() && *ssid.get() && m_outer->m_storage.count(ssid.get())) {
1331 log.info("building ArtifactMap on top of StorageService (%s)...", ssid.get());
1332 samlConf.setArtifactMap(new ArtifactMap(child, m_outer->m_storage[ssid.get()]));
1335 if (samlConf.getArtifactMap()==NULL) {
1336 log.info("building in-memory ArtifactMap...");
1337 samlConf.setArtifactMap(new ArtifactMap(child));
1342 child=XMLHelper::getFirstChildElement(SHIRE,_SessionCache);
1344 auto_ptr_char type(child->getAttributeNS(NULL,_type));
1345 log.info("building SessionCache of type %s...",type.get());
1346 m_outer->m_sessionCache=conf.SessionCacheManager.newPlugin(type.get(),child);
1349 log.warn("SessionCache unspecified, building SessionCache of type %s...",REMOTED_SESSION_CACHE);
1350 m_outer->m_sessionCache=conf.SessionCacheManager.newPlugin(REMOTED_SESSION_CACHE,child);
1354 } // end of first-time-only stuff
1356 // Back to the fully dynamic stuff...next up is the RequestMapper.
1357 if (conf.isEnabled(SPConfig::RequestMapping)) {
1358 child=XMLHelper::getFirstChildElement(SHIRE,_RequestMapper);
1360 auto_ptr_char type(child->getAttributeNS(NULL,_type));
1361 log.info("building RequestMapper of type %s...",type.get());
1362 m_requestMapper=conf.RequestMapperManager.newPlugin(type.get(),child);
1367 // Load security policies.
1368 child = XMLHelper::getLastChildElement(e,SecurityPolicies);
1370 PolicyNodeFilter filter;
1371 child = XMLHelper::getFirstChildElement(child,Policy);
1373 auto_ptr_char id(child->getAttributeNS(NULL,_id));
1374 pair< PropertySet*,vector<const SecurityPolicyRule*> >& rules = m_policyMap[id.get()];
1376 auto_ptr<DOMPropertySet> settings(new DOMPropertySet());
1377 settings->load(child, log, &filter);
1378 rules.first = settings.release();
1379 const DOMElement* rule = XMLHelper::getFirstChildElement(child,Rule);
1381 auto_ptr_char type(rule->getAttributeNS(NULL,_type));
1383 rules.second.push_back(samlConf.SecurityPolicyRuleManager.newPlugin(type.get(),rule));
1385 catch (exception& ex) {
1386 log.crit("error instantiating policy rule (%s) in policy (%s): %s", type.get(), id.get(), ex.what());
1388 rule = XMLHelper::getNextSiblingElement(rule,Rule);
1390 child = XMLHelper::getNextSiblingElement(child,Policy);
1395 // Load the default application. This actually has a fixed ID of "default". ;-)
1396 child=XMLHelper::getLastChildElement(e,Applications);
1398 log.fatal("can't build default Application object, missing conf:Applications element?");
1399 throw ConfigurationException("can't build default Application object, missing conf:Applications element?");
1401 XMLApplication* defapp=new XMLApplication(m_outer,child);
1402 m_appmap[defapp->getId()]=defapp;
1404 // Load any overrides.
1405 child = XMLHelper::getFirstChildElement(child,_Application);
1407 auto_ptr<XMLApplication> iapp(new XMLApplication(m_outer,child,defapp));
1408 if (m_appmap.count(iapp->getId()))
1409 log.crit("found conf:Application element with duplicate id attribute (%s), skipping it", iapp->getId());
1411 m_appmap[iapp->getId()]=iapp.release();
1413 child = XMLHelper::getNextSiblingElement(child,_Application);
1416 catch (exception&) {
1428 XMLConfigImpl::~XMLConfigImpl()
1433 void XMLConfigImpl::cleanup()
1435 for_each(m_appmap.begin(),m_appmap.end(),cleanup_pair<string,Application>());
1438 for (map< string,pair<PropertySet*,vector<const SecurityPolicyRule*> > >::iterator i=m_policyMap.begin(); i!=m_policyMap.end(); ++i) {
1439 delete i->second.first;
1440 for_each(i->second.second.begin(), i->second.second.end(), xmltooling::cleanup<SecurityPolicyRule>());
1442 m_policyMap.clear();
1444 delete m_requestMapper;
1445 m_requestMapper = NULL;
1447 m_document->release();
1451 void XMLConfig::receive(DDF& in, ostream& out)
1454 if (!strcmp(in.name(), "get::RelayState")) {
1455 const char* id = in["id"].string();
1456 const char* key = in["key"].string();
1458 throw ListenerException("Required parameters missing for RelayState recovery.");
1461 StorageService* storage = getStorageService(id);
1463 if (storage->readString("RelayState",key,&relayState)>0) {
1464 if (in["clear"].integer())
1465 storage->deleteString("RelayState",key);
1469 Category::getInstance(SHIBSP_LOGCAT".ServiceProvider").error(
1470 "Storage-backed RelayState with invalid StorageService ID (%s)", id
1474 // Repack for return to caller.
1475 DDF ret=DDF(NULL).string(relayState.c_str());
1476 DDFJanitor jret(ret);
1479 else if (!strcmp(in.name(), "set::RelayState")) {
1480 const char* id = in["id"].string();
1481 const char* value = in["value"].string();
1483 throw ListenerException("Required parameters missing for RelayState creation.");
1486 StorageService* storage = getStorageService(id);
1488 SAMLConfig::getConfig().generateRandomBytes(rsKey,20);
1489 rsKey = SAMLArtifact::toHex(rsKey);
1490 storage->createString("RelayState", rsKey.c_str(), value, time(NULL) + 600);
1493 Category::getInstance(SHIBSP_LOGCAT".ServiceProvider").error(
1494 "Storage-backed RelayState with invalid StorageService ID (%s)", id
1498 // Repack for return to caller.
1499 DDF ret=DDF(NULL).string(rsKey.c_str());
1500 DDFJanitor jret(ret);
1506 pair<bool,DOMElement*> XMLConfig::load()
1508 // Load from source using base class.
1509 pair<bool,DOMElement*> raw = ReloadableXMLFile::load();
1511 // If we own it, wrap it.
1512 XercesJanitor<DOMDocument> docjanitor(raw.first ? raw.second->getOwnerDocument() : NULL);
1514 XMLConfigImpl* impl = new XMLConfigImpl(raw.second,(m_impl==NULL),this,m_log);
1516 // If we held the document, transfer it to the impl. If we didn't, it's a no-op.
1517 impl->setDocument(docjanitor.release());
1522 return make_pair(false,(DOMElement*)NULL);