Resource requests are mapped by the RequestMapper to an applicationId that\r
points into to this section (or to the defaults here).\r
-->\r
- <ApplicationDefaults policyId="default"\r
- entityID="https://sp.example.org/shibboleth"\r
- REMOTE_USER="eppn persistent-id targeted-id"\r
- signing="false" encryption="false">\r
+ <ApplicationDefaults entityID="https://sp.example.org/shibboleth"\r
+ REMOTE_USER="eppn persistent-id targeted-id"\r
+ signing="false" encryption="false">\r
\r
<!--\r
Controls session lifetimes, address checks, cookie handling, and the protocol handlers.\r
\r
<!-- Default directs to a specific IdP (favoring SAML 2 over Shib 1). -->\r
<SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Login"\r
- relayState="cookie" entityID="https://idp.example.org/shibboleth">\r
+ relayState="cookie" entityID="https://idp.example.org/shibboleth">\r
+ \r
<SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html"/>\r
<SessionInitiator type="Shib1" acsIndex="5"/>\r
<!--\r
-->
<!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
- <ApplicationDefaults policyId="default"
- entityID="https://sp.example.org/shibboleth"
- REMOTE_USER="eppn persistent-id targeted-id">
+ <ApplicationDefaults entityID="https://sp.example.org/shibboleth"
+ REMOTE_USER="eppn persistent-id targeted-id">
<!--
Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
impact on the security of the SP. Stealing cookies/sessions is much easier with this disabled.
-->
<Sessions lifetime="28800" timeout="3600" checkAddress="false"
- handlerURL="/Shibboleth.sso" handlerSSL="false">
+ handlerURL="/Shibboleth.sso" handlerSSL="false">
<!--
SessionInitiators handle session requests and relay them to a Discovery page,
<!-- Default directs to a specific IdP (favoring SAML 2 over Shib 1). -->
<SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Login"
- relayState="cookie" entityID="https://idp.example.org/shibboleth">
+ relayState="cookie" entityID="https://idp.example.org/shibboleth">
+
<SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html"/>
<SessionInitiator type="Shib1" acsIndex="5"/>
<!--
Resource requests are mapped by the RequestMapper to an applicationId that\r
points into to this section (or to the defaults here).\r
-->\r
- <ApplicationDefaults policyId="default"\r
- entityID="https://sp.example.org/shibboleth"\r
- REMOTE_USER="eppn persistent-id targeted-id">\r
+ <ApplicationDefaults entityID="https://sp.example.org/shibboleth"\r
+ REMOTE_USER="eppn persistent-id targeted-id">\r
\r
<!--\r
Controls session lifetimes, address checks, cookie handling, and the protocol handlers.\r
\r
<!-- Default directs to a specific IdP (favoring SAML 2 over Shib 1). -->\r
<SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Login"\r
- relayState="cookie" entityID="https://idp.example.org/shibboleth">\r
+ relayState="cookie" entityID="https://idp.example.org/shibboleth">\r
+ \r
<SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html"/>\r
<SessionInitiator type="Shib1" acsIndex="5"/>\r
<!--\r
</sequence>
<attribute name="id" type="conf:string" fixed="default"/>
<attribute name="entityID" type="anyURI" use="required"/>
- <attribute name="policyId" type="conf:string" use="required"/>
+ <attribute name="policyId" type="conf:string"/>
<attributeGroup ref="conf:ApplicationGroup"/>
<attributeGroup ref="conf:RelyingPartyGroup"/>
<anyAttribute namespace="##other" processContents="lax"/>
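Review bot: Relaxing policyId from use="required" to optional removes the schema-level guarantee that every ApplicationDefaults names its security policy, and nothing in the schema now tells a deployer what an absent policyId resolves to. Add an `<annotation><documentation>` child under the attribute describing the fallback (the provider's default policy), so the behaviour is discoverable from the schema rather than only from the provider source. This also matters for the sample shibboleth2.xml files in this commit, which drop policyId="default" and now rely on that fallback.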
* @deprecated
* Returns the security policy settings for an identified policy.
*
- * @param id identifies the policy to return
+ * @param id identifies the policy to return, or nullptr for default
* @return a PropertySet
*/
virtual const PropertySet* getPolicySettings(const char* id) const=0;
* @deprecated
* Returns the security policy rules for an identified policy.
*
- * @param id identifies the policy to return
+ * @param id identifies the policy to return, or nullptr for default
* @return an array of policy rules
*/
virtual const std::vector<const opensaml::SecurityPolicyRule*>& getPolicyRules(const char* id) const=0;
DOMDocument* m_document;\r
vector<xstring> m_whitelist,m_blacklist;\r
map< string,pair< PropertySet*,vector<const SecurityPolicyRule*> > > m_policyMap;\r
+ map< string,pair< PropertySet*,vector<const SecurityPolicyRule*> > >::const_iterator m_defaultPolicy;\r
\r
friend class SHIBSP_DLLLOCAL XMLSecurityPolicyProvider;\r
};\r
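Review bot: m_defaultPolicy is an iterator into the sibling m_policyMap, but the declaration carries no comment on what establishes or keeps it valid. Suggest `// Iterator into m_policyMap naming the default policy; set by the constructor, which throws if no Policy is loaded.` so readers of getPolicySettings/getPolicyRules know why it can be dereferenced without a check. The class body begins before this hunk.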
delete m_impl;\r
}\r
\r
- const PropertySet* getPolicySettings(const char* id) const {\r
+ const PropertySet* getPolicySettings(const char* id=nullptr) const {\r
+ if (!id || !*id)\r
+ return m_impl->m_defaultPolicy->second.first;\r
map<string,pair<PropertySet*,vector<const SecurityPolicyRule*> > >::const_iterator i = m_impl->m_policyMap.find(id);\r
if (i != m_impl->m_policyMap.end())\r
return i->second.first;\r
throw ConfigurationException("Security Policy ($1) not found, check <SecurityPolicies> element.", params(1,id));\r
}\r
\r
- const vector<const SecurityPolicyRule*>& getPolicyRules(const char* id) const {\r
+ const vector<const SecurityPolicyRule*>& getPolicyRules(const char* id=nullptr) const {\r
+ if (!id || !*id)\r
+ return m_impl->m_defaultPolicy->second.second;\r
map<string,pair<PropertySet*,vector<const SecurityPolicyRule*> > >::const_iterator i = m_impl->m_policyMap.find(id);\r
if (i != m_impl->m_policyMap.end())\r
return i->second.second;\r
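Review bot: The `if (!id || !*id)` guard added to both getPolicySettings and getPolicyRules treats an explicit empty string the same as nullptr, so a policyId attribute that is present but empty now silently selects the default policy, whereas before it would have fallen through to the map lookup, which throws the ConfigurationException unless a Policy with an empty id exists. If that relaxation is intended, say so at the guard, e.g. `// nullptr or "" selects the default policy chosen at load time`, so it is not mistaken for an oversight. The dereference of m_impl->m_defaultPolicy is only safe because the constructor rejects a configuration with no Policy element; a one-line comment pointing at that invariant would help the next reader. Both method bodies end inside the hunk, but the enclosing class does not.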
return new SecurityPolicy(application, role, (validate.first && validate.second), policyId);\r
}\r
\r
-XMLSecurityPolicyProviderImpl::XMLSecurityPolicyProviderImpl(const DOMElement* e, Category& log) : m_document(nullptr)\r
+XMLSecurityPolicyProviderImpl::XMLSecurityPolicyProviderImpl(const DOMElement* e, Category& log)\r
+ : m_document(nullptr), m_defaultPolicy(m_policyMap.end())\r
{\r
#ifdef _DEBUG\r
xmltooling::NDC ndc("XMLSecurityPolicyProviderImpl");\r
settings->load(e, nullptr, &filter);\r
rules.first = settings.release();\r
\r
+ // Set default policy if not set, or id is "default".\r
+ if (m_defaultPolicy == m_policyMap.end() || id == "default")\r
+ m_defaultPolicy = m_policyMap.find(id);\r
+\r
// Process PolicyRule elements.\r
const DOMElement* rule = XMLHelper::getFirstChildElement(e, PolicyRule);\r
while (rule) {\r
\r
e = XMLHelper::getNextSiblingElement(e, Policy);\r
}\r
+\r
+ if (m_defaultPolicy == m_policyMap.end())\r
+ throw ConfigurationException("XML SecurityPolicyProvider requires at least one Policy.");\r
}\r
\r
pair<bool,DOMElement*> XMLSecurityPolicyProvider::load(bool backup)\r
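Review bot: The selection at `if (m_defaultPolicy == m_policyMap.end() || id == "default")` makes document order security-relevant: when no Policy carries id="default", the first Policy loaded becomes the policy applied to every application that omits policyId, and if several carry id="default" the last one wins. Since this is the security policy for the SP, consider logging which policy was chosen as the default once selection is final and stating the rule in the comment, e.g. `// Default policy: the Policy with id="default", else the first Policy in document order (a later id="default" replaces an earlier one).` The comparison `id == "default"` is a string comparison only if `id` is a std::string; if it is a const char* this compiles as a pointer compare and never matches, and its declaration is outside the visible lines, so please confirm. The constructor's opening and closing braces are in range, but the loop body between the shown fragments is not visible.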
/**\r
* Returns the security policy settings for an identified policy.\r
*\r
- * @param id identifies the policy to return\r
+ * @param id identifies the policy to return, or nullptr for default\r
* @return a PropertySet\r
*/\r
- virtual const PropertySet* getPolicySettings(const char* id) const=0;\r
+ virtual const PropertySet* getPolicySettings(const char* id=nullptr) const=0;\r
\r
/**\r
* Returns the security policy rules for an identified policy.\r
*\r
- * @param id identifies the policy to return\r
+ * @param id identifies the policy to return, or nullptr for default\r
* @return an array of policy rules\r
*/\r
- virtual const std::vector<const opensaml::SecurityPolicyRule*>& getPolicyRules(const char* id) const=0;\r
+ virtual const std::vector<const opensaml::SecurityPolicyRule*>& getPolicyRules(const char* id=nullptr) const=0;\r
\r
/**\r
* Returns a set of XML Signature/Encryption algorithm identifiers to block.\r
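Review bot: `getPolicySettings(const char* id=nullptr)` and `getPolicyRules(const char* id=nullptr)` put a default argument on pure virtual functions, and the XMLSecurityPolicyProvider override in the .cpp repeats `=nullptr`. Default arguments are resolved from the static type of the expression, so the two copies must stay identical or the same call will behave differently through base and derived pointers; keeping the default only on the interface and declaring the override without it avoids the drift. The doc comment could also say what "default" means, e.g. `@param id identifies the policy to return; nullptr or empty selects the provider's default policy`.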