configs\native.logger.in = configs\native.logger.in
configs\partialLogout.html = configs\partialLogout.html
configs\postTemplate.html = configs\postTemplate.html
+ configs\security-policy.xml = configs\security-policy.xml
configs\sessionError.html = configs\sessionError.html
configs\shibboleth2.xml = configs\shibboleth2.xml
configs\shibd-debian.in = configs\shibd-debian.in
shibboleth2.xml \
attribute-map.xml \
attribute-policy.xml \
+ security-policy.xml \
example-metadata.xml \
console.logger \
syslog.logger \
--- /dev/null
+<SecurityPolicies xmlns="urn:mace:shibboleth:2.0:native:sp:config">\r
+\r
+ <!-- Each policy defines a set of rules to use to secure messages. -->\r
+\r
+ <!--\r
+ The predefined policy enforces replay/freshness, standard\r
+ condition processing, and permits signing and client TLS.\r
+ -->\r
+ <Policy id="default" validate="false">\r
+ <PolicyRule type="MessageFlow" checkReplay="true" expires="60"/>\r
+ <PolicyRule type="Conditions">\r
+ <PolicyRule type="Audience"/>\r
+ <!-- Enable Delegation rule to permit delegated access. -->\r
+ <!-- <PolicyRule type="Delegation"/> -->\r
+ </PolicyRule>\r
+ <PolicyRule type="ClientCertAuth" errorFatal="true"/>\r
+ <PolicyRule type="XMLSigning" errorFatal="true"/>\r
+ <PolicyRule type="SimpleSigning" errorFatal="true"/>\r
+ </Policy>\r
+\r
+ <!--\r
+ This policy is a place-holder for use of assertions in metadata\r
+ as a way of attaching signed information about particular IdPs.\r
+ -->\r
+ <Policy id="entity-attributes">\r
+ <PolicyRule type="Conditions"/>\r
+ <PolicyRule type="XMLSigning" errorFatal="true"/>\r
+ </Policy>\r
+ \r
+ <!-- Disables known weak algorithms. -->\r
+ <AlgorithmBlacklist>\r
+ http://www.w3.org/2001/04/xmldsig-more#md5\r
+ http://www.w3.org/2001/04/xmldsig-more#rsa-md5\r
+ </AlgorithmBlacklist>\r
+\r
+</SecurityPolicies>\r
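Review bot: The `<AlgorithmBlacklist>` comment says it disables known weak algorithms, yet only the two MD5 URIs are listed, so SHA-1 digest and signature algorithms stay accepted by every policy in this file; the comment should say so, e.g. `<!-- Only MD5 is blocked here; SHA-1-based algorithms remain permitted unless their URIs are added below. -->`, so deployers read the list as a floor to extend rather than a complete one. The `entity-attributes` policy carries no MessageFlow rule, so nothing in it enforces replay or freshness; if that is deliberate because signed assertions carried in metadata are meant to be long-lived, a one-line comment stating that would keep the next reader from treating it as an omission. `validate="false"` on the default policy matches the inline block this file replaces, so it is not a regression, but as the first setting in a new file it deserves a short comment on what it turns off (as I read it, schema validation of incoming messages) and why.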
</ApplicationDefaults>
- <!-- Each policy defines a set of rules to use to secure messages. -->
- <SecurityPolicies>
- <!--
- The predefined policy enforces replay/freshness, standard
- condition processing, and permits signing and client TLS.
- -->
- <Policy id="default" validate="false">
- <PolicyRule type="MessageFlow" checkReplay="true" expires="60"/>
- <PolicyRule type="Conditions">
- <PolicyRule type="Audience"/>
- <!-- Enable Delegation rule to permit delegated access. -->
- <!-- <PolicyRule type="Delegation"/> -->
- </PolicyRule>
- <PolicyRule type="ClientCertAuth" errorFatal="true"/>
- <PolicyRule type="XMLSigning" errorFatal="true"/>
- <PolicyRule type="SimpleSigning" errorFatal="true"/>
- </Policy>
-
- <!-- Disables known weak algorithms. -->
- <AlgorithmBlacklist>
- http://www.w3.org/2001/04/xmldsig-more#md5
- http://www.w3.org/2001/04/xmldsig-more#rsa-md5
- </AlgorithmBlacklist>
- </SecurityPolicies>
+ <!-- Policies that determine how to process and authenticate runtime messages. -->
+ <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
</SPConfig>
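Review bot: The new `<SecurityPolicyProvider>` element points at `security-policy.xml` by bare relative name, and removing the inline `<SecurityPolicies>` block means a deployment that had customised rules or blacklist entries in shibboleth2.xml now silently falls back to whatever the shipped file contains; the description should call that out as a migration step, and a comment next to the element would help, e.g. `<!-- Rules formerly inline here now live in security-policy.xml; a relative path is resolved against the configuration directory. -->` (I am assuming the usual config-directory resolution for `path`, which this hunk does not show). Note also that `validate="true"` here governs schema validation of the policy file itself, whereas `validate="false"` inside a `<Policy>` governs incoming messages; the two attributes look alike and are easy to conflate, so the comment should distinguish them.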
#include "binding/SOAPClient.h"
#include "metadata/MetadataProviderCriteria.h"
#include "security/SecurityPolicy.h"
+#include "security/SecurityPolicyProvider.h"
#include "util/SPConstants.h"
#include <saml/exceptions.h>
// Locate policy key.
const char* policyId = m_policyId.empty() ? application.getString("policyId").second : m_policyId.c_str();
- // Access policy properties.
- const PropertySet* settings = application.getServiceProvider().getPolicySettings(policyId);
- pair<bool,bool> validate = settings->getBool("validate");
-
- shibsp::SecurityPolicy policy(application, nullptr, validate.first && validate.second, policyId);
- policy.getAudiences().push_back(relyingParty->getXMLString("entityID").second);
+ // Set up policy and SOAP client.
+ auto_ptr<SecurityPolicy> policy(
+ application.getServiceProvider().getSecurityPolicyProvider()->createSecurityPolicy(application, nullptr, policyId)
+ );
+ policy->getAudiences().push_back(relyingParty->getXMLString("entityID").second);
MetadataCredentialCriteria mcc(*AA);
- shibsp::SOAPClient soaper(policy);
+ shibsp::SOAPClient soaper(*policy.get());
auto_ptr_XMLCh binding(samlconstants::SAML1_BINDING_SOAP);
saml1p::Response* response=nullptr;
try {
// We're going to insist that the assertion issuer is the same as the peer.
// Reset the policy's message bits and extract them from the assertion.
- policy.reset(true);
- policy.setMessageID(newtoken->getAssertionID());
- policy.setIssueInstant(newtoken->getIssueInstantEpoch());
- policy.setIssuer(newtoken->getIssuer());
- policy.evaluate(*newtoken);
+ policy->reset(true);
+ policy->setMessageID(newtoken->getAssertionID());
+ policy->setIssueInstant(newtoken->getIssueInstantEpoch());
+ policy->setIssuer(newtoken->getIssuer());
+ policy->evaluate(*newtoken);
// Now we can check the security status of the policy.
- if (!policy.isAuthenticated())
+ if (!policy->isAuthenticated())
throw SecurityPolicyException("Security of SAML 1.x query result not established.");
}
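Review bot: `getSecurityPolicyProvider()` is dereferenced unchecked on the line that builds `policy`; if that accessor can return null (a service provider configured without the new element), this is a null dereference rather than a configuration error. The removed code dereferenced `settings` from `getPolicySettings()` just as blindly, so this is not a regression, but since every call site is being rewritten it is the moment to guard once: `const SecurityPolicyProvider* spp = application.getServiceProvider().getSecurityPolicyProvider(); if (!spp) throw ConfigurationException("No SecurityPolicyProvider configured.");` before `createSecurityPolicy` — assuming the shibsp exception type is in scope here, which the hunk does not show. The same pattern recurs in the SAML 2.0 resolver hunks below and in the ArtifactResolution, Logout and NameID management handlers, so a single helper on the service provider would cover all of them. On style, `shibsp::SOAPClient soaper(*policy.get());` can simply be `shibsp::SOAPClient soaper(*policy);`, matching how `policy->` is used on the surrounding lines. The enclosing function starts before this hunk.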
catch (exception& ex) {
const Application& application = ctx.getApplication();
const PropertySet* relyingParty = application.getRelyingParty(ctx.getEntityDescriptor());
+ pair<bool,bool> signedAssertions = relyingParty->getBool("requireSignedAssertions");
+ pair<bool,const char*> encryption = relyingParty->getString("encryption");
// Locate policy key.
const char* policyId = m_policyId.empty() ? application.getString("policyId").second : m_policyId.c_str();
- // Access policy properties.
- const PropertySet* settings = application.getServiceProvider().getPolicySettings(policyId);
- pair<bool,bool> validate = settings->getBool("validate");
-
- pair<bool,bool> signedAssertions = relyingParty->getBool("requireSignedAssertions");
- pair<bool,const char*> encryption = relyingParty->getString("encryption");
-
- shibsp::SecurityPolicy policy(application, nullptr, validate.first && validate.second, policyId);
- policy.getAudiences().push_back(relyingParty->getXMLString("entityID").second);
+ // Set up policy and SOAP client.
+ auto_ptr<SecurityPolicy> policy(
+ application.getServiceProvider().getSecurityPolicyProvider()->createSecurityPolicy(application, nullptr, policyId)
+ );
+ policy->getAudiences().push_back(relyingParty->getXMLString("entityID").second);
MetadataCredentialCriteria mcc(*AA);
- shibsp::SOAPClient soaper(policy);
+ shibsp::SOAPClient soaper(*policy.get());
auto_ptr_XMLCh binding(samlconstants::SAML20_BINDING_SOAP);
saml2p::StatusResponseType* srt=nullptr;
try {
// We're going to insist that the assertion issuer is the same as the peer.
// Reset the policy's message bits and extract them from the assertion.
- policy.reset(true);
- policy.setMessageID(newtoken->getID());
- policy.setIssueInstant(newtoken->getIssueInstantEpoch());
- policy.setIssuer(newtoken->getIssuer());
- policy.evaluate(*newtoken);
+ policy->reset(true);
+ policy->setMessageID(newtoken->getID());
+ policy->setIssueInstant(newtoken->getIssueInstantEpoch());
+ policy->setIssuer(newtoken->getIssuer());
+ policy->evaluate(*newtoken);
// Now we can check the security status of the policy.
- if (!policy.isAuthenticated())
+ if (!policy->isAuthenticated())
throw SecurityPolicyException("Security of SAML 2.0 query result not established.");
if (m_subjectMatch) {
#include "binding/SOAPClient.h"
#include "metadata/MetadataProviderCriteria.h"
#include "security/SecurityPolicy.h"
+#include "security/SecurityPolicyProvider.h"
#include "util/SPConstants.h"
#include <saml/exceptions.h>
}
const PropertySet* relyingParty = application.getRelyingParty(mdresult.first);
+ pair<bool,bool> signedAssertions = relyingParty->getBool("requireSignedAssertions");
+ pair<bool,const char*> encryption = relyingParty->getString("encryption");
// Locate policy key.
const char* policyId = m_policyId.empty() ? application.getString("policyId").second : m_policyId.c_str();
- // Access policy properties.
- const PropertySet* settings = application.getServiceProvider().getPolicySettings(policyId);
- pair<bool,bool> validate = settings->getBool("validate");
-
- pair<bool,bool> signedAssertions = relyingParty->getBool("requireSignedAssertions");
- pair<bool,const char*> encryption = relyingParty->getString("encryption");
-
- shibsp::SecurityPolicy policy(application, nullptr, validate.first && validate.second, policyId);
+ // Set up policy and SOAP client.
+ auto_ptr<SecurityPolicy> policy(
+ application.getServiceProvider().getSecurityPolicyProvider()->createSecurityPolicy(application, nullptr, policyId)
+ );
if (m_metadata)
- policy.setMetadataProvider(m_metadata);
+ policy->setMetadataProvider(m_metadata);
if (m_trust)
- policy.setTrustEngine(m_trust);
- policy.getAudiences().push_back(relyingParty->getXMLString("entityID").second);
+ policy->setTrustEngine(m_trust);
+ policy->getAudiences().push_back(relyingParty->getXMLString("entityID").second);
MetadataCredentialCriteria mcc(*AA);
- shibsp::SOAPClient soaper(policy);
+ shibsp::SOAPClient soaper(*policy.get());
auto_ptr_XMLCh binding(samlconstants::SAML20_BINDING_SOAP);
saml2p::StatusResponseType* srt=nullptr;
auto_ptr<EncryptedID> encrypted(EncryptedIDBuilder::buildEncryptedID());
encrypted->encrypt(
*name,
- *(policy.getMetadataProvider()),
+ *(policy->getMetadataProvider()),
mcc,
false,
relyingParty->getXMLString("encryptionAlg").second
try {
// We're going to insist that the assertion issuer is the same as the peer.
// Reset the policy's message bits and extract them from the assertion.
- policy.reset(true);
- policy.setMessageID(newtoken->getID());
- policy.setIssueInstant(newtoken->getIssueInstantEpoch());
- policy.setIssuer(newtoken->getIssuer());
- policy.evaluate(*newtoken);
+ policy->reset(true);
+ policy->setMessageID(newtoken->getID());
+ policy->setIssueInstant(newtoken->getIssueInstantEpoch());
+ policy->setIssuer(newtoken->getIssuer());
+ policy->evaluate(*newtoken);
// Now we can check the security status of the policy.
- if (!policy.isAuthenticated())
+ if (!policy->isAuthenticated())
throw SecurityPolicyException("Security of SAML 2.0 query result not established.");
if (m_subjectMatch) {
#ifndef SHIBSP_LITE
# include "security/SecurityPolicy.h"
+# include "security/SecurityPolicyProvider.h"
# include <saml/exceptions.h>
# include <saml/SAMLConfig.h>
# include <saml/binding/ArtifactMap.h>
if (!policyId.first)
policyId = application.getString("policyId"); // unqualified in Application(s) element
- // Access policy properties.
- const PropertySet* settings = application.getServiceProvider().getPolicySettings(policyId.second);
- pair<bool,bool> validate = settings->getBool("validate");
-
// Lock metadata for use by policy.
Locker metadataLocker(application.getMetadataProvider());
// Create the policy.
- shibsp::SecurityPolicy policy(application, &m_role, validate.first && validate.second);
+ auto_ptr<SecurityPolicy> policy(
+ application.getServiceProvider().getSecurityPolicyProvider()->createSecurityPolicy(application, &m_role, policyId.second)
+ );
// Decode the message and verify that it's a secured ArtifactResolve request.
string relayState;
- auto_ptr<XMLObject> msg(m_decoder->decode(relayState, httpRequest, policy));
+ auto_ptr<XMLObject> msg(m_decoder->decode(relayState, httpRequest, *policy.get()));
if (!msg.get())
throw BindingException("Failed to decode a SAML request.");
const ArtifactResolve* req = dynamic_cast<const ArtifactResolve*>(msg.get());
if (!req)
throw FatalProfileException("Decoded message was not a samlp::ArtifactResolve request.");
- const EntityDescriptor* entity = policy.getIssuerMetadata() ? dynamic_cast<EntityDescriptor*>(policy.getIssuerMetadata()->getParent()) : nullptr;
+ const EntityDescriptor* entity = policy->getIssuerMetadata() ? dynamic_cast<EntityDescriptor*>(policy->getIssuerMetadata()->getParent()) : nullptr;
try {
auto_ptr_char artifact(req->getArtifact() ? req->getArtifact()->getArtifact() : nullptr);
if (!artifact.get() || !*artifact.get())
return emptyResponse(application, *req, httpResponse, entity);
- auto_ptr_char issuer(policy.getIssuer() ? policy.getIssuer()->getName() : nullptr);
+ auto_ptr_char issuer(policy->getIssuer() ? policy->getIssuer()->getName() : nullptr);
m_log.info("resolving artifact (%s) for (%s)", artifact.get(), issuer.get() ? issuer.get() : "unknown");
auto_ptr<SAMLArtifact> artobj(SAMLArtifact::parse(artifact.get()));
auto_ptr<XMLObject> payload(artmap->retrieveContent(artobj.get(), issuer.get()));
- if (!policy.isAuthenticated()) {
+ if (!policy->isAuthenticated()) {
m_log.error("request for artifact was unauthenticated, purging the artifact mapping");
return emptyResponse(application, *req, httpResponse, entity);
}
resp->setPayload(payload.release());
long ret = sendMessage(
- *m_encoder, resp.get(), relayState.c_str(), nullptr, policy.getIssuerMetadata(), application, httpResponse, "signResponses"
+ *m_encoder, resp.get(), relayState.c_str(), nullptr, policy->getIssuerMetadata(), application, httpResponse, "signResponses"
);
resp.release(); // freed by encoder
return make_pair(true,ret);
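Review bot: The removed constructor under `// Create the policy.` built the policy without passing `policyId`, while the replacement forwards `policyId.second` to `createSecurityPolicy`, so this handler may now select a different rule set than before when a non-default `policyId` is configured on it; previously that id only determined the `validate` flag read from `getPolicySettings`. That looks like a deliberate consistency fix (the Logout and NameID handlers already passed the id), but it is a behaviour change for existing configurations and the commit description should state it. A comment at the declaration would also help, e.g. `// Rule set and validation flag now both come from the configured policyId.` The enclosing function begins before this hunk.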
#ifndef SHIBSP_LITE
# include "SessionCacheEx.h"
# include "security/SecurityPolicy.h"
+# include "security/SecurityPolicyProvider.h"
# include "metadata/MetadataProviderCriteria.h"
# include "util/TemplateParameters.h"
# include <fstream>
if (!policyId.first)
policyId = application.getString("policyId"); // unqualified in Application(s) element
- // Access policy properties.
- const PropertySet* settings = application.getServiceProvider().getPolicySettings(policyId.second);
- pair<bool,bool> validate = settings->getBool("validate");
-
// Lock metadata for use by policy.
Locker metadataLocker(application.getMetadataProvider());
// Create the policy.
- shibsp::SecurityPolicy policy(application, &m_role, validate.first && validate.second, policyId.second);
+ auto_ptr<SecurityPolicy> policy(
+ application.getServiceProvider().getSecurityPolicyProvider()->createSecurityPolicy(application, &m_role, policyId.second)
+ );
// Decode the message.
string relayState;
- auto_ptr<XMLObject> msg(m_decoder->decode(relayState, request, policy));
+ auto_ptr<XMLObject> msg(m_decoder->decode(relayState, request, *policy.get()));
const LogoutRequest* logoutRequest = dynamic_cast<LogoutRequest*>(msg.get());
if (logoutRequest) {
- if (!policy.isAuthenticated())
+ if (!policy->isAuthenticated())
throw SecurityPolicyException("Security of LogoutRequest not established.");
// Message from IdP to logout one or more sessions.
logoutRequest->getID(),
StatusCode::REQUESTER, StatusCode::UNKNOWN_PRINCIPAL, "No active session found in request.",
relayState.c_str(),
- policy.getIssuerMetadata(),
+ policy->getIssuerMetadata(),
application,
response,
true
else {
Locker credlocker(cr);
auto_ptr<MetadataCredentialCriteria> mcc(
- policy.getIssuerMetadata() ? new MetadataCredentialCriteria(*policy.getIssuerMetadata()) : nullptr
+ policy->getIssuerMetadata() ? new MetadataCredentialCriteria(*policy->getIssuerMetadata()) : nullptr
);
try {
auto_ptr<XMLObject> decryptedID(
encname->decrypt(
*cr,
- application.getRelyingParty(policy.getIssuerMetadata() ? dynamic_cast<EntityDescriptor*>(policy.getIssuerMetadata()->getParent()) : nullptr)->getXMLString("entityID").second,
+ application.getRelyingParty(
+ policy->getIssuerMetadata() ?
+ dynamic_cast<EntityDescriptor*>(policy->getIssuerMetadata()->getParent()) :
+ nullptr)->getXMLString("entityID").second,
mcc.get()
)
);
logoutRequest->getID(),
StatusCode::REQUESTER, StatusCode::UNKNOWN_PRINCIPAL, "NameID not found in request.",
relayState.c_str(),
- policy.getIssuerMetadata(),
+ policy->getIssuerMetadata(),
application,
response,
m_decoder->isUserAgentPresent()
// Suck indexes out of the request for next steps.
set<string> indexes;
- EntityDescriptor* entity = policy.getIssuerMetadata() ? dynamic_cast<EntityDescriptor*>(policy.getIssuerMetadata()->getParent()) : nullptr;
+ EntityDescriptor* entity = policy->getIssuerMetadata() ? dynamic_cast<EntityDescriptor*>(policy->getIssuerMetadata()->getParent()) : nullptr;
const vector<SessionIndex*> sindexes = logoutRequest->getSessionIndexs();
for (vector<SessionIndex*>::const_iterator i = sindexes.begin(); i != sindexes.end(); ++i) {
auto_ptr_char sindex((*i)->getSessionIndex());
logoutRequest->getID(),
StatusCode::REQUESTER, StatusCode::REQUEST_DENIED, "Active session did not match logout request.",
relayState.c_str(),
- policy.getIssuerMetadata(),
+ policy->getIssuerMetadata(),
application,
response,
true
logoutRequest->getID(),
StatusCode::RESPONDER, nullptr, ex.what(),
relayState.c_str(),
- policy.getIssuerMetadata(),
+ policy->getIssuerMetadata(),
application,
response,
m_decoder->isUserAgentPresent()
(worked1 && worked2) ? nullptr : StatusCode::PARTIAL_LOGOUT,
nullptr,
relayState.c_str(),
- policy.getIssuerMetadata(),
+ policy->getIssuerMetadata(),
application,
response,
m_decoder->isUserAgentPresent()
// A LogoutResponse completes an SP-initiated logout sequence.
const LogoutResponse* logoutResponse = dynamic_cast<LogoutResponse*>(msg.get());
if (logoutResponse) {
- if (!policy.isAuthenticated()) {
+ if (!policy->isAuthenticated()) {
SecurityPolicyException ex("Security of LogoutResponse not established.");
- if (policy.getIssuerMetadata())
- annotateException(&ex, policy.getIssuerMetadata()); // throws it
+ if (policy->getIssuerMetadata())
+ annotateException(&ex, policy->getIssuerMetadata()); // throws it
ex.raise();
}
- checkError(logoutResponse, policy.getIssuerMetadata()); // throws if Status doesn't look good...
+ checkError(logoutResponse, policy->getIssuerMetadata()); // throws if Status doesn't look good...
// If relay state is set, recover the original return URL.
if (!relayState.empty())
}
FatalProfileException ex("Incoming message was not a samlp:LogoutRequest or samlp:LogoutResponse.");
- if (policy.getIssuerMetadata())
- annotateException(&ex, policy.getIssuerMetadata()); // throws it
+ if (policy->getIssuerMetadata())
+ annotateException(&ex, policy->getIssuerMetadata()); // throws it
ex.raise();
return make_pair(false,0L); // never happen, satisfies compiler
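Review bot: `policy` now owns a heap-allocated SecurityPolicy and is declared after `Locker metadataLocker`, which is what guarantees it is destroyed before the metadata lock is released; since `policy->getIssuerMetadata()` is used throughout this function, that ordering is load-bearing and should be stated at the declaration, e.g. `// Declared after metadataLocker on purpose: the policy holds metadata pointers and must be torn down first.` The same ordering exists in the ArtifactResolution and NameID management hunks and would benefit from the same comment. The enclosing function begins before this hunk.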
#else
#ifndef SHIBSP_LITE
# include "SessionCache.h"
# include "security/SecurityPolicy.h"
+# include "security/SecurityPolicyProvider.h"
# include "util/TemplateParameters.h"
# include <fstream>
# include <saml/exceptions.h>
if (!policyId.first)
policyId = application.getString("policyId"); // unqualified in Application(s) element
- // Access policy properties.
- const PropertySet* settings = application.getServiceProvider().getPolicySettings(policyId.second);
- pair<bool,bool> validate = settings->getBool("validate");
-
// Lock metadata for use by policy.
Locker metadataLocker(application.getMetadataProvider());
// Create the policy.
- shibsp::SecurityPolicy policy(application, &m_role, validate.first && validate.second, policyId.second);
+ auto_ptr<SecurityPolicy> policy(
+ application.getServiceProvider().getSecurityPolicyProvider()->createSecurityPolicy(application, &m_role, policyId.second)
+ );
// Decode the message.
string relayState;
- auto_ptr<XMLObject> msg(m_decoder->decode(relayState, request, policy));
+ auto_ptr<XMLObject> msg(m_decoder->decode(relayState, request, *policy.get()));
const ManageNameIDRequest* mgmtRequest = dynamic_cast<ManageNameIDRequest*>(msg.get());
if (mgmtRequest) {
- if (!policy.isAuthenticated())
+ if (!policy->isAuthenticated())
throw SecurityPolicyException("Security of ManageNameIDRequest not established.");
// Message from IdP to change or terminate a NameID.
mgmtRequest->getID(),
StatusCode::REQUESTER, StatusCode::UNKNOWN_PRINCIPAL, "No active session found in request.",
relayState.c_str(),
- policy.getIssuerMetadata(),
+ policy->getIssuerMetadata(),
application,
response,
true
);
}
- EntityDescriptor* entity = policy.getIssuerMetadata() ? dynamic_cast<EntityDescriptor*>(policy.getIssuerMetadata()->getParent()) : nullptr;
+ EntityDescriptor* entity = policy->getIssuerMetadata() ? dynamic_cast<EntityDescriptor*>(policy->getIssuerMetadata()->getParent()) : nullptr;
bool ownedName = false;
NameID* nameid = mgmtRequest->getNameID();
else {
Locker credlocker(cr);
auto_ptr<MetadataCredentialCriteria> mcc(
- policy.getIssuerMetadata() ? new MetadataCredentialCriteria(*policy.getIssuerMetadata()) : nullptr
+ policy->getIssuerMetadata() ? new MetadataCredentialCriteria(*policy->getIssuerMetadata()) : nullptr
);
try {
- auto_ptr<XMLObject> decryptedID(encname->decrypt(*cr,application.getRelyingParty(entity)->getXMLString("entityID").second,mcc.get()));
+ auto_ptr<XMLObject> decryptedID(
+ encname->decrypt(*cr,application.getRelyingParty(entity)->getXMLString("entityID").second,mcc.get())
+ );
nameid = dynamic_cast<NameID*>(decryptedID.get());
if (nameid) {
ownedName = true;
mgmtRequest->getID(),
StatusCode::REQUESTER, StatusCode::UNKNOWN_PRINCIPAL, "NameID not found in request.",
relayState.c_str(),
- policy.getIssuerMetadata(),
+ policy->getIssuerMetadata(),
application,
response,
m_decoder->isUserAgentPresent()
mgmtRequest->getID(),
StatusCode::REQUESTER, StatusCode::REQUEST_DENIED, "Active session did not match NameID mgmt request.",
relayState.c_str(),
- policy.getIssuerMetadata(),
+ policy->getIssuerMetadata(),
application,
response,
true
else {
Locker credlocker(cr);
auto_ptr<MetadataCredentialCriteria> mcc(
- policy.getIssuerMetadata() ? new MetadataCredentialCriteria(*policy.getIssuerMetadata()) : nullptr
+ policy->getIssuerMetadata() ? new MetadataCredentialCriteria(*policy->getIssuerMetadata()) : nullptr
);
try {
- auto_ptr<XMLObject> decryptedID(encnewid->decrypt(*cr,application.getRelyingParty(entity)->getXMLString("entityID").second,mcc.get()));
+ auto_ptr<XMLObject> decryptedID(
+ encnewid->decrypt(*cr,application.getRelyingParty(entity)->getXMLString("entityID").second,mcc.get())
+ );
newid = dynamic_cast<NewID*>(decryptedID.get());
if (newid) {
ownedNewID = true;
mgmtRequest->getID(),
StatusCode::REQUESTER, nullptr, "NewID not found in request.",
relayState.c_str(),
- policy.getIssuerMetadata(),
+ policy->getIssuerMetadata(),
application,
response,
m_decoder->isUserAgentPresent()
nullptr,
nullptr,
relayState.c_str(),
- policy.getIssuerMetadata(),
+ policy->getIssuerMetadata(),
application,
response,
m_decoder->isUserAgentPresent()
*/
FatalProfileException ex("Incoming message was not a samlp:ManageNameIDRequest.");
- if (policy.getIssuerMetadata())
- annotateException(&ex, policy.getIssuerMetadata()); // throws it
+ if (policy->getIssuerMetadata())
+ annotateException(&ex, policy->getIssuerMetadata()); // throws it
ex.raise();
return make_pair(false,0L); // never happen, satisfies compiler
#else
{\r
}\r
\r
-opensaml::SecurityPolicy* SecurityPolicyProvider::createSecurityPolicy(\r
+SecurityPolicy* SecurityPolicyProvider::createSecurityPolicy(\r
const Application& application, const xmltooling::QName* role, const char* policyId\r
) const\r
{\r
};\r
\r
namespace opensaml {\r
- class SAML_API SecurityPolicy;\r
class SAML_API SecurityPolicyRule;\r
};\r
\r
\r
class SHIBSP_API Application;\r
class SHIBSP_API PropertySet;\r
+ class SHIBSP_API SecurityPolicy;\r
\r
/**\r
* Interface to a source of security policy settings and rules.\r
* @param policyId identifies policy, defaults to the application's default\r
* @return a new policy instance, which the caller is responsible for freeing\r
*/\r
- virtual opensaml::SecurityPolicy* createSecurityPolicy(\r
+ virtual SecurityPolicy* createSecurityPolicy(\r
const Application& application, const xmltooling::QName* role, const char* policyId=nullptr\r
) const;\r
};\r