attribute/filtering/AnyMatchFunctor.cpp \
attribute/filtering/NotMatchFunctor.cpp \
attribute/filtering/OrMatchFunctor.cpp \
+ attribute/filtering/AttributeIssuerStringFunctor.cpp \
+ attribute/filtering/AttributeRequesterStringFunctor.cpp \
+ attribute/filtering/AuthenticationMethodStringFunctor.cpp \
attribute/resolver/impl/ChainingAttributeResolver.cpp \
attribute/resolver/impl/QueryAttributeResolver.cpp \
attribute/resolver/impl/XMLAttributeExtractor.cpp \
*
* @param app reference to Application
* @param role metadata role of attribute issuer, if any
+ * @param authncontext_class method/category of authentication event, if known
+ * @param authncontext_decl specifics of authentication event, if known
*/
- BasicFilteringContext(const Application& app, const opensaml::saml2md::RoleDescriptor* role)
- : m_app(app), m_role(role), m_issuer(NULL) {
+ BasicFilteringContext(
+ const Application& app,
+ const opensaml::saml2md::RoleDescriptor* role=NULL,
+ const char* authncontext_class=NULL,
+ const char* authncontext_decl=NULL
+ ) : m_app(app), m_role(role), m_issuer(NULL), m_class(authncontext_class), m_decl(authncontext_decl) {
if (role)
m_issuer = dynamic_cast<opensaml::saml2md::EntityDescriptor*>(role->getParent())->getEntityID();
}
const Application& getApplication() const {
return m_app;
}
+ const char* getAuthnContextClassRef() const {
+ return m_class;
+ }
+ const char* getAuthnContextDeclRef() const {
+ return m_decl;
+ }
const XMLCh* getAttributeRequester() const {
return m_app.getXMLString("entityID").second;
}
const Application& m_app;
const opensaml::saml2md::RoleDescriptor* m_role;
const XMLCh* m_issuer;
+ const char* m_class;
+ const char* m_decl;
};
};
virtual const Application& getApplication() const=0;
/**
+ * Returns a URI containing an AuthnContextClassRef associated with the subject.
+ *
+ * <p>SAML 1.x AuthenticationMethods will be returned as class references.
+ *
+ * @return a URI identifying the authentication context class
+ */
+ virtual const char* getAuthnContextClassRef() const=0;
+
+ /**
+ * Returns a URI containing an AuthnContextDeclRef associated with the subject.
+ *
+ * @return a URI identifying the authentication context declaration
+ */
+ virtual const char* getAuthnContextDeclRef() const=0;
+
+ /**
* Gets the ID of the requester of the attributes, if known.
*
* @return requester of the attributes, or NULL
public:
virtual ~MatchFunctor() {}
- /**\r
- * Evaluates this matching criteria. This evaluation is used when a filtering engine determines policy\r
- * applicability.\r
- * \r
- * @param filterContext current filtering context\r
- * @return true if the criteria for this matching function are met\r
- * @throws AttributeFilteringException thrown if the function can not be evaluated\r
- */\r
- virtual bool evaluatePolicyRequirement(const FilteringContext& filterContext) const=0;\r
-\r
- /**\r
- * Evaluates this matching criteria. This evaluation is used when a filtering engine is filtering attribute\r
- * values.\r
- * \r
- * @param filterContext the current filtering context\r
- * @param attribute the attribute being evaluated\r
- * @param index the index of the attribute value being evaluated\r
- * @return true if the criteria for this matching function are met\r
- * @throws AttributeFilteringException thrown if the function can not be evaluated\r
- */\r
- virtual bool evaluatePermitValue(const FilteringContext& filterContext, const Attribute& attribute, size_t index) const=0;\r
+ /**
+ * Evaluates this matching criteria. This evaluation is used when a filtering engine determines policy
+ * applicability.
+ *
+ * @param filterContext current filtering context
+ * @return true if the criteria for this matching function are met
+ * @throws AttributeFilteringException thrown if the function can not be evaluated
+ */
+ virtual bool evaluatePolicyRequirement(const FilteringContext& filterContext) const=0;
+
+ /**
+ * Evaluates this matching criteria. This evaluation is used when a filtering engine is filtering attribute
+ * values.
+ *
+ * @param filterContext the current filtering context
+ * @param attribute the attribute being evaluated
+ * @param index the index of the attribute value being evaluated
+ * @return true if the criteria for this matching function are met
+ * @throws AttributeFilteringException thrown if the function can not be evaluated
+ */
+ virtual bool evaluatePermitValue(const FilteringContext& filterContext, const Attribute& attribute, size_t index) const=0;
};
/** Always evaluates to true. */
/** Negating MatchFunctor. */
extern SHIBSP_API xmltooling::QName NotMatchFunctorType;
+ /** Matches the requesting entity's name. */
+ extern SHIBSP_API xmltooling::QName AttributeRequesterStringType;
+
+ /** Matches the issuing entity's name. */
+ extern SHIBSP_API xmltooling::QName AttributeIssuerStringType;
+
+ /** Matches the principal's authentication method/class or context reference. */
+ extern SHIBSP_API xmltooling::QName AuthenticationMethodStringType;
+
/**
* Registers MatchFunctor classes into the runtime.
*/
vector<const MatchFunctor*> m_functors;
};
- MatchFunctor* SHIBSP_DLLLOCAL AndFunctorFactory(const pair<const FilterPolicyContext*,const DOMElement*>& p)
+ MatchFunctor* SHIBSP_DLLLOCAL AndMatchFunctorFactory(const pair<const FilterPolicyContext*,const DOMElement*>& p)
{
return new AndMatchFunctor(p);
}
}
};
- MatchFunctor* SHIBSP_DLLLOCAL AnyFunctorFactory(const std::pair<const FilterPolicyContext*,const DOMElement*>& p)
+ MatchFunctor* SHIBSP_DLLLOCAL AnyMatchFunctorFactory(const std::pair<const FilterPolicyContext*,const DOMElement*>& p)
{
return new AnyMatchFunctor();
}
--- /dev/null
+/*
+ * Copyright 2001-2007 Internet2
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * AttributeIssuerStringFunctor.cpp
+ *
+ * A match function that matches the attribute issuer's name against the specified value.
+ */
+
+#include "internal.h"
+#include "exceptions.h"
+#include "attribute/filtering/FilteringContext.h"
+#include "attribute/filtering/FilterPolicyContext.h"
+
+namespace shibsp {
+
+ static const XMLCh value[] = UNICODE_LITERAL_5(v,a,l,u,e);
+
+ /**
+ * A match function that matches the attribute issuer's name against the specified value.
+ */
+ class SHIBSP_DLLLOCAL AttributeIssuerStringFunctor : public MatchFunctor
+ {
+ const XMLCh* m_value;
+ public:
+ AttributeIssuerStringFunctor(const DOMElement* e) {
+ m_value = e ? e->getAttributeNS(NULL,value) : NULL;
+ if (!m_value || !*m_value)
+ throw ConfigurationException("AttributeIssuerString MatchFunctor requires non-empty value attribute.");
+ }
+
+ bool evaluatePolicyRequirement(const FilteringContext& filterContext) const {
+ return XMLString::equals(m_value, filterContext.getAttributeIssuer());
+ }
+
+ bool evaluatePermitValue(const FilteringContext& filterContext, const Attribute& attribute, size_t index) const {
+ return XMLString::equals(m_value, filterContext.getAttributeIssuer());
+ }
+ };
+
+ MatchFunctor* SHIBSP_DLLLOCAL AttributeIssuerStringFactory(const std::pair<const FilterPolicyContext*,const DOMElement*>& p)
+ {
+ return new AttributeIssuerStringFunctor(p.second);
+ }
+
+};
--- /dev/null
+/*
+ * Copyright 2001-2007 Internet2
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * AttributeRequesterStringFunctor.cpp
+ *
+ * A match function that matches the attribute requester's name against the specified value.
+ */
+
+#include "internal.h"
+#include "exceptions.h"
+#include "attribute/filtering/FilteringContext.h"
+#include "attribute/filtering/FilterPolicyContext.h"
+
+namespace shibsp {
+
+ static const XMLCh value[] = UNICODE_LITERAL_5(v,a,l,u,e);
+
+ /**
+ * A match function that matches the attribute requester's name against the specified value.
+ */
+ class SHIBSP_DLLLOCAL AttributeRequesterStringFunctor : public MatchFunctor
+ {
+ const XMLCh* m_value;
+ public:
+ AttributeRequesterStringFunctor(const DOMElement* e) {
+ m_value = e ? e->getAttributeNS(NULL,value) : NULL;
+ if (!m_value || !*m_value)
+ throw ConfigurationException("AttributeRequesterString MatchFunctor requires non-empty value attribute.");
+ }
+
+ bool evaluatePolicyRequirement(const FilteringContext& filterContext) const {
+ return XMLString::equals(m_value, filterContext.getAttributeRequester());
+ }
+
+ bool evaluatePermitValue(const FilteringContext& filterContext, const Attribute& attribute, size_t index) const {
+ return XMLString::equals(m_value, filterContext.getAttributeRequester());
+ }
+ };
+
+ MatchFunctor* SHIBSP_DLLLOCAL AttributeRequesterStringFactory(const std::pair<const FilterPolicyContext*,const DOMElement*>& p)
+ {
+ return new AttributeRequesterStringFunctor(p.second);
+ }
+
+};
--- /dev/null
+/*
+ * Copyright 2001-2007 Internet2
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * AuthenticationMethodStringFunctor.cpp
+ *
+ * Match functor that compares the user's authentication method against a given string.
+ */
+
+#include "internal.h"
+#include "exceptions.h"
+#include "attribute/filtering/FilteringContext.h"
+#include "attribute/filtering/FilterPolicyContext.h"
+
+namespace shibsp {
+
+ static const XMLCh value[] = UNICODE_LITERAL_5(v,a,l,u,e);
+
+ /**
+ * Match functor that compares the user's authentication method against a given string.
+ */
+ class SHIBSP_DLLLOCAL AuthenticationMethodStringFunctor : public MatchFunctor
+ {
+ xmltooling::auto_ptr_char m_value;
+ public:
+ AuthenticationMethodStringFunctor(const DOMElement* e) : m_value(e ? e->getAttributeNS(NULL,value) : NULL) {
+ if (!m_value.get() || !*m_value.get())
+ throw ConfigurationException("AuthenticationMethodString MatchFunctor requires non-empty value attribute.");
+ }
+
+ bool evaluatePolicyRequirement(const FilteringContext& filterContext) const {
+ return XMLString::equals(m_value.get(), filterContext.getAuthnContextClassRef()) ||
+ XMLString::equals(m_value.get(), filterContext.getAuthnContextDeclRef());
+ }
+
+ bool evaluatePermitValue(const FilteringContext& filterContext, const Attribute& attribute, size_t index) const {
+ return XMLString::equals(m_value.get(), filterContext.getAuthnContextClassRef()) ||
+ XMLString::equals(m_value.get(), filterContext.getAuthnContextDeclRef());
+ }
+ };
+
+ MatchFunctor* SHIBSP_DLLLOCAL AuthenticationMethodStringFactory(const std::pair<const FilterPolicyContext*,const DOMElement*>& p)
+ {
+ return new AuthenticationMethodStringFunctor(p.second);
+ }
+
+};
using namespace xmltooling;
using namespace std;
+#define DECL_FACTORY(name) \
+ SHIBSP_DLLLOCAL PluginManager< MatchFunctor,QName,pair<const FilterPolicyContext*,const DOMElement*> >::Factory name##Factory
+
+#define DECL_BASIC_QNAME(name,lit) \
+ QName shibsp::name##Type(shibspconstants::SHIB2ATTRIBUTEFILTER_MF_BASIC_NS, lit)
+
+#define REGISTER_FACTORY(name) \
+ mgr.registerFactory(name##Type, name##Factory)
+
namespace shibsp {
- SHIBSP_DLLLOCAL PluginManager< MatchFunctor,QName,pair<const FilterPolicyContext*,const DOMElement*> >::Factory AnyFunctorFactory;
- SHIBSP_DLLLOCAL PluginManager< MatchFunctor,QName,pair<const FilterPolicyContext*,const DOMElement*> >::Factory AndFunctorFactory;
- SHIBSP_DLLLOCAL PluginManager< MatchFunctor,QName,pair<const FilterPolicyContext*,const DOMElement*> >::Factory OrFunctorFactory;
- SHIBSP_DLLLOCAL PluginManager< MatchFunctor,QName,pair<const FilterPolicyContext*,const DOMElement*> >::Factory NotFunctorFactory;
-
- static const XMLCh ANY[] = UNICODE_LITERAL_3(A,N,Y);
- static const XMLCh AND[] = UNICODE_LITERAL_3(A,N,D);
- static const XMLCh OR[] = UNICODE_LITERAL_2(O,R);
- static const XMLCh NOT[] = UNICODE_LITERAL_3(N,O,T);
+ DECL_FACTORY(AnyMatchFunctor);
+ DECL_FACTORY(AndMatchFunctor);
+ DECL_FACTORY(OrMatchFunctor);
+ DECL_FACTORY(NotMatchFunctor);
+ DECL_FACTORY(AttributeRequesterString);
+ DECL_FACTORY(AttributeIssuerString);
+ DECL_FACTORY(AuthenticationMethodString);
+
+ static const XMLCh ANY[] = UNICODE_LITERAL_3(A,N,Y);
+ static const XMLCh AND[] = UNICODE_LITERAL_3(A,N,D);
+ static const XMLCh OR[] = UNICODE_LITERAL_2(O,R);
+ static const XMLCh NOT[] = UNICODE_LITERAL_3(N,O,T);
+ static const XMLCh AttributeRequesterString[] = UNICODE_LITERAL_24(A,t,t,r,i,b,u,t,e,R,e,q,u,e,s,t,e,r,S,t,r,i,n,g);
+ static const XMLCh AttributeIssuerString[] = UNICODE_LITERAL_21(A,t,t,r,i,b,u,t,e,I,s,s,u,e,r,S,t,r,i,n,g);
+ static const XMLCh AuthenticationMethodString[] = UNICODE_LITERAL_26(A,u,t,h,e,n,t,i,c,a,t,i,o,n,M,e,t,h,o,d,S,t,r,i,n,g);
};
-QName shibsp::AnyMatchFunctorType(shibspconstants::SHIB2ATTRIBUTEFILTER_MF_BASIC_NS, ANY);
-QName shibsp::AndMatchFunctorType(shibspconstants::SHIB2ATTRIBUTEFILTER_MF_BASIC_NS, AND);
-QName shibsp::OrMatchFunctorType(shibspconstants::SHIB2ATTRIBUTEFILTER_MF_BASIC_NS, OR);
-QName shibsp::NotMatchFunctorType(shibspconstants::SHIB2ATTRIBUTEFILTER_MF_BASIC_NS, NOT);
+DECL_BASIC_QNAME(AnyMatchFunctor, ANY);
+DECL_BASIC_QNAME(AndMatchFunctor, AND);
+DECL_BASIC_QNAME(OrMatchFunctor, OR);
+DECL_BASIC_QNAME(NotMatchFunctor, NOT);
+DECL_BASIC_QNAME(AttributeRequesterString, AttributeRequesterString);
+DECL_BASIC_QNAME(AttributeIssuerString, AttributeIssuerString);
+DECL_BASIC_QNAME(AuthenticationMethodString, AuthenticationMethodString);
void SHIBSP_API shibsp::registerMatchFunctors()
{
- SPConfig& conf = SPConfig::getConfig();
- conf.MatchFunctorManager.registerFactory(AnyMatchFunctorType, AnyFunctorFactory);
- conf.MatchFunctorManager.registerFactory(AndMatchFunctorType, AndFunctorFactory);
- conf.MatchFunctorManager.registerFactory(OrMatchFunctorType, OrFunctorFactory);
- conf.MatchFunctorManager.registerFactory(NotMatchFunctorType, NotFunctorFactory);
+ PluginManager< MatchFunctor,QName,pair<const FilterPolicyContext*,const DOMElement*> >& mgr =
+ SPConfig::getConfig().MatchFunctorManager;
+ REGISTER_FACTORY(AnyMatchFunctor);
+ REGISTER_FACTORY(AndMatchFunctor);
+ REGISTER_FACTORY(OrMatchFunctor);
+ REGISTER_FACTORY(NotMatchFunctor);
+ REGISTER_FACTORY(AttributeRequesterString);
+ REGISTER_FACTORY(AttributeIssuerString);
+ REGISTER_FACTORY(AuthenticationMethodString);
}
public:
NotMatchFunctor(const pair<const FilterPolicyContext*,const DOMElement*>& p);
- bool evaluatePolicyRequirement(const FilteringContext& filterContext) const {\r
- if (m_functor)\r
- return !(m_functor->evaluatePolicyRequirement(filterContext));\r
- return false;\r
- }\r
-\r
- bool evaluatePermitValue(const FilteringContext& filterContext, const Attribute& attribute, size_t index) const {\r
- if (m_functor)\r
- return !(m_functor->evaluatePermitValue(filterContext, attribute, index));\r
- return false;\r
- }\r
+ bool evaluatePolicyRequirement(const FilteringContext& filterContext) const {
+ if (m_functor)
+ return !(m_functor->evaluatePolicyRequirement(filterContext));
+ return false;
+ }
+
+ bool evaluatePermitValue(const FilteringContext& filterContext, const Attribute& attribute, size_t index) const {
+ if (m_functor)
+ return !(m_functor->evaluatePermitValue(filterContext, attribute, index));
+ return false;
+ }
private:
MatchFunctor* buildFunctor(const DOMElement* e, const FilterPolicyContext* functorMap);
const MatchFunctor* m_functor;
};
- MatchFunctor* SHIBSP_DLLLOCAL NotFunctorFactory(const pair<const FilterPolicyContext*,const DOMElement*>& p)
+ MatchFunctor* SHIBSP_DLLLOCAL NotMatchFunctorFactory(const pair<const FilterPolicyContext*,const DOMElement*>& p)
{
return new NotMatchFunctor(p);
}
vector<const MatchFunctor*> m_functors;
};
- MatchFunctor* SHIBSP_DLLLOCAL OrFunctorFactory(const pair<const FilterPolicyContext*,const DOMElement*>& p)
+ MatchFunctor* SHIBSP_DLLLOCAL OrMatchFunctorFactory(const pair<const FilterPolicyContext*,const DOMElement*>& p)
{
return new OrMatchFunctor(p);
}
* @param application reference to Application that owns the eventual Session
* @param issuer issuing metadata of assertion issuer, if known
* @param nameid principal identifier, normalized to SAML 2, if any
+ * @param authncontext_class method/category of authentication event, if known
+ * @param authncontext_decl specifics of authentication event, if known
* @param tokens assertions initiating the session, if any
* @param attributes map of previously resolved attributes, if any
* @return newly created ResolutionContext, owned by caller
const Application& application,
const opensaml::saml2md::EntityDescriptor* issuer,
const opensaml::saml2::NameID* nameid,
+ const char* authncontext_class=NULL,
+ const char* authncontext_decl=NULL,
const std::vector<const opensaml::Assertion*>* tokens=NULL,
const std::multimap<std::string,Attribute*>* attributes=NULL
) const=0;
const Application& application,
const EntityDescriptor* issuer,
const NameID* nameid,
+ const char* authncontext_class=NULL,
+ const char* authncontext_decl=NULL,
const vector<const opensaml::Assertion*>* tokens=NULL,
const multimap<string,shibsp::Attribute*>* attributes=NULL
) const {
auto_ptr<ChainingContext> chain(new ChainingContext());
for (vector<AttributeResolver*>::const_iterator i=m_resolvers.begin(); i!=m_resolvers.end(); ++i)
- chain->m_contexts.push_back((*i)->createResolutionContext(application, issuer, nameid, tokens, attributes));
+ chain->m_contexts.push_back(
+ (*i)->createResolutionContext(application, issuer, nameid, authncontext_class, authncontext_decl, tokens, attributes)
+ );
return chain.release();
}
{
public:
QueryContext(const Application& application, const Session& session)
- : m_query(true), m_app(application), m_session(&session), m_metadata(NULL), m_entity(NULL), m_nameid(session.getNameID()) {
+ : m_query(true), m_app(application), m_session(&session), m_metadata(NULL), m_entity(NULL), m_nameid(NULL) {
}
QueryContext(
const Application& application,
const EntityDescriptor* issuer,
const NameID* nameid,
+ const char* authncontext_class=NULL,
+ const char* authncontext_decl=NULL,
const vector<const opensaml::Assertion*>* tokens=NULL,
const multimap<string,Attribute*>* attributes=NULL
- ) : m_query(true), m_app(application), m_session(NULL), m_metadata(NULL), m_entity(issuer), m_nameid(nameid) {
+ ) : m_query(true), m_app(application), m_session(NULL), m_metadata(NULL), m_entity(issuer),
+ m_nameid(nameid), m_class(authncontext_class), m_decl(authncontext_decl) {
if (tokens) {
for (vector<const opensaml::Assertion*>::const_iterator t = tokens->begin(); t!=tokens->end(); ++t) {
return NULL;
}
const NameID* getNameID() const {
- return m_nameid;
+ return m_session ? m_session->getNameID() : m_nameid;
+ }
+ const char* getClassRef() const {
+ return m_session ? m_session->getAuthnContextClassRef() : m_class;
+ }
+ const char* getDeclRef() const {
+ return m_session ? m_session->getAuthnContextDeclRef() : m_decl;
}
const Session* getSession() const {
return m_session;
- }
+ }
multimap<string,shibsp::Attribute*>& getResolvedAttributes() {
return m_attributes;
}
mutable MetadataProvider* m_metadata;
mutable const EntityDescriptor* m_entity;
const NameID* m_nameid;
+ const char* m_class;
+ const char* m_decl;
multimap<string,shibsp::Attribute*> m_attributes;
vector<opensaml::Assertion*> m_assertions;
};
const Application& application,
const EntityDescriptor* issuer,
const NameID* nameid,
+ const char* authncontext_class=NULL,
+ const char* authncontext_decl=NULL,
const vector<const opensaml::Assertion*>* tokens=NULL,
const multimap<string,shibsp::Attribute*>* attributes=NULL
) const {
- return new QueryContext(application,issuer,nameid,tokens,attributes);
+ return new QueryContext(application,issuer,nameid,authncontext_class,authncontext_decl,tokens,attributes);
}
ResolutionContext* createResolutionContext(const Application& application, const Session& session) const {
AttributeFilter* filter = ctx.getApplication().getAttributeFilter();
if (filter) {
- BasicFilteringContext fc(ctx.getApplication(), AA);
+ BasicFilteringContext fc(ctx.getApplication(), AA, ctx.getClassRef(), ctx.getDeclRef());
Locker filtlocker(filter);
filter->filterAttributes(fc, ctx.getResolvedAttributes());
}
AttributeFilter* filter = ctx.getApplication().getAttributeFilter();
if (filter) {
- BasicFilteringContext fc(ctx.getApplication(), AA);
+ BasicFilteringContext fc(ctx.getApplication(), AA, ctx.getClassRef(), ctx.getDeclRef());
Locker filtlocker(filter);
filter->filterAttributes(fc, ctx.getResolvedAttributes());
}
* @param application reference to application receiving message
* @param issuer source of SSO tokens
* @param nameid identifier of principal
+ * @param authncontext_class method/category of authentication event, if known
+ * @param authncontext_decl specifics of authentication event, if known
* @param tokens available assertions, if any
* @param attributes attributes already extracted, if any
*/
const Application& application,
const opensaml::saml2md::EntityDescriptor* issuer=NULL,
const opensaml::saml2::NameID* nameid=NULL,
+ const char* authncontext_class=NULL,
+ const char* authncontext_decl=NULL,
const std::vector<const opensaml::Assertion*>* tokens=NULL,
const std::multimap<std::string,Attribute*>* attributes=NULL
) const;
const Application& application,
const saml2md::EntityDescriptor* issuer,
const saml2::NameID* nameid,
+ const char* authncontext_class,
+ const char* authncontext_decl,
const vector<const Assertion*>* tokens,
const multimap<string,Attribute*>* attributes
) const
Locker locker(resolver);
auto_ptr<ResolutionContext> ctx(
- resolver->createResolutionContext(application, issuer, nameid, tokens, attributes)
+ resolver->createResolutionContext(application, issuer, nameid, authncontext_class, authncontext_decl, tokens, attributes)
);
resolver->resolveAttributes(*ctx.get());
return ctx.release();
nameid->setNameQualifier(n->getNameQualifier());
}
+ // Now we have to extract the authentication details for session setup.
+
+ // Session expiration for SAML 1.x is purely SP-driven, and the method is mapped to a ctx class.
+ const PropertySet* sessionProps = application.getPropertySet("Sessions");
+ pair<bool,unsigned int> lifetime = sessionProps ? sessionProps->getUnsignedInt("lifetime") : make_pair(true,28800);
+ if (!lifetime.first)
+ lifetime.second = 28800;
+ auto_ptr_char authnInstant(
+ ssoStatement->getAuthenticationInstant() ? ssoStatement->getAuthenticationInstant()->getRawData() : NULL
+ );
+ auto_ptr_char authnMethod(ssoStatement->getAuthenticationMethod());
+
const EntityDescriptor* issuerMetadata =
policy.getIssuerMetadata() ? dynamic_cast<const EntityDescriptor*>(policy.getIssuerMetadata()->getParent()) : NULL;
auto_ptr<ResolutionContext> ctx(
- resolveAttributes(application, issuerMetadata, nameid.get(), &tokens, &resolvedAttributes)
+ resolveAttributes(application, issuerMetadata, nameid.get(), authnMethod.get(), NULL, &tokens, &resolvedAttributes)
);
if (ctx.get()) {
// Now merge in bad tokens for caching.
tokens.insert(tokens.end(), badtokens.begin(), badtokens.end());
- // Now we have to extract the authentication details for session setup.
-
- // Session expiration for SAML 1.x is purely SP-driven, and the method is mapped to a ctx class.
- const PropertySet* sessionProps = application.getPropertySet("Sessions");
- pair<bool,unsigned int> lifetime = sessionProps ? sessionProps->getUnsignedInt("lifetime") : make_pair(true,28800);
- if (!lifetime.first)
- lifetime.second = 28800;
- auto_ptr_char authnInstant(
- ssoStatement->getAuthenticationInstant() ? ssoStatement->getAuthenticationInstant()->getRawData() : NULL
- );
- auto_ptr_char authnMethod(ssoStatement->getAuthenticationMethod());
-
try {
string key = application.getServiceProvider().getSessionCache()->insert(
lifetime.second ? now + lifetime.second : 0,
}
try {
- const EntityDescriptor* issuerMetadata =
- policy.getIssuerMetadata() ? dynamic_cast<const EntityDescriptor*>(policy.getIssuerMetadata()->getParent()) : NULL;
- auto_ptr<ResolutionContext> ctx(
- resolveAttributes(application, issuerMetadata, ssoName, &tokens, &resolvedAttributes)
- );
-
- if (ctx.get()) {
- // Copy over any new tokens, but leave them in the context for cleanup.
- tokens.insert(tokens.end(), ctx->getResolvedAssertions().begin(), ctx->getResolvedAssertions().end());
-
- // Copy over new attributes, and transfer ownership.
- resolvedAttributes.insert(ctx->getResolvedAttributes().begin(), ctx->getResolvedAttributes().end());
- ctx->getResolvedAttributes().clear();
- }
-
- // Now merge in bad tokens for caching.
- tokens.insert(tokens.end(), badtokens.begin(), badtokens.end());
-
// Now we have to extract the authentication details for session setup.
// Session expiration for SAML 2.0 is jointly IdP- and SP-driven.
auto_ptr_char index(ssoStatement->getSessionIndex());
auto_ptr_char authnInstant(ssoStatement->getAuthnInstant() ? ssoStatement->getAuthnInstant()->getRawData() : NULL);
+ const EntityDescriptor* issuerMetadata =
+ policy.getIssuerMetadata() ? dynamic_cast<const EntityDescriptor*>(policy.getIssuerMetadata()->getParent()) : NULL;
+ auto_ptr<ResolutionContext> ctx(
+ resolveAttributes(application, issuerMetadata, ssoName, authnClass.get(), authnDecl.get(), &tokens, &resolvedAttributes)
+ );
+
+ if (ctx.get()) {
+ // Copy over any new tokens, but leave them in the context for cleanup.
+ tokens.insert(tokens.end(), ctx->getResolvedAssertions().begin(), ctx->getResolvedAssertions().end());
+
+ // Copy over new attributes, and transfer ownership.
+ resolvedAttributes.insert(ctx->getResolvedAttributes().begin(), ctx->getResolvedAttributes().end());
+ ctx->getResolvedAttributes().clear();
+ }
+
+ // Now merge in bad tokens for caching.
+ tokens.insert(tokens.end(), badtokens.begin(), badtokens.end());
+
string key = application.getServiceProvider().getSessionCache()->insert(
sessionExp,
application,
>\r
</File>\r
<File\r
+ RelativePath=".\attribute\filtering\impl\AttributeIssuerStringFunctor.cpp"\r
+ >\r
+ </File>\r
+ <File\r
+ RelativePath=".\attribute\filtering\impl\AttributeRequesterStringFunctor.cpp"\r
+ >\r
+ </File>\r
+ <File\r
+ RelativePath=".\attribute\filtering\impl\AuthenticationMethodStringFunctor.cpp"\r
+ >\r
+ </File>\r
+ <File\r
RelativePath=".\attribute\filtering\impl\ChainingAttributeFilter.cpp"\r
>\r
</File>\r