using namespace shibtarget;
extern "C" module MODULE_VAR_EXPORT mod_shib;
-int shib_handler(request_rec* r, const IApplication* application, const IPropertySet* sessionProps, SHIRE& shire);
+int shib_handler(request_rec* r, const IApplication* application, SHIRE& shire);
namespace {
char* g_szSHIBConfig = NULL;
);
pair<bool,const char*> application_id=settings.first->getString("applicationId");
const IApplication* application=conf->getApplication(application_id.second);
- const IPropertySet* sessionProps=application ? application->getPropertySet("Sessions") : NULL;
- if (!application || !sessionProps) {
+ if (!application) {
ap_log_rerror(APLOG_MARK,APLOG_ERR|APLOG_NOERRNO,SH_AP_R(r),
- "shib_check_user: unable to map request to application session settings, check configuration");
+ "shib_check_user: unable to map request to application settings, check configuration");
return SERVER_ERROR;
}
// Get location of this application's assertion consumer service and see if this is it.
if (strstr(targeturl,shire.getShireURL(targeturl))) {
- return shib_handler(r,application,sessionProps,shire);
+ return shib_handler(r,application,shire);
}
// We can short circuit the handler if we run this...
ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,SH_AP_R(r),"shib_check_user: session check for %s",targeturl);
- pair<bool,const char*> shib_cookie=sessionProps->getString("cookieName");
- if (!shib_cookie.first) {
- ap_log_rerror(APLOG_MARK,APLOG_CRIT|APLOG_NOERRNO,SH_AP_R(r),
- "shib_check_user: no cookieName set for %s",
- application_id.second);
- return SERVER_ERROR;
- }
+ pair<const char*,const char*> shib_cookie=shire.getCookieNameProps(); // always returns *something*
// We're in charge, so check for cookie.
const char* session_id=NULL;
if (cookies) {
ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,SH_AP_R(r),"shib_check_user: cookies found: %s",cookies);
- if (session_id=strstr(cookies,shib_cookie.second)) {
+ if (session_id=strstr(cookies,shib_cookie.first)) {
// Yep, we found a cookie -- pull it out (our session_id)
- session_id+=strlen(shib_cookie.second) + 1; /* Skip over the '=' */
+ session_id+=strlen(shib_cookie.first) + 1; /* Skip over the '=' */
char* cookiebuf = ap_pstrdup(r->pool,session_id);
char* cookieend = strchr(cookiebuf,';');
if (cookieend)
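Review bot: The cookie lookup `if (session_id=strstr(cookies,shib_cookie.first))` still matches the cookie name as a bare substring, and the commit's derived default name (`_shibsession_` followed by the application id, per the new getCookieNameProps) makes a wrong match more likely than a configured name did: an application id that is a prefix of another application's id, or a name that happens to end an unrelated cookie's name, matches that other cookie, and the `strlen(...) + 1` skip then hands a foreign value to the session check. Build the needle with the separator, `const char* needle=ap_pstrcat(r->pool,shib_cookie.first,"=",NULL);`, search for that, and accept the hit only when it sits at the start of the header or right after a `;` or space, advancing by `strlen(needle)`. The same substring lookup appears in the ISAPI filter hunk below (`strstr(buf,shib_cookie.first)`), which needs the same treatment. shib_check_user begins and ends outside this hunk.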
);
pair<bool,const char*> application_id=settings.first->getString("applicationId");
const IApplication* application=conf->getApplication(application_id.second);
- const IPropertySet* sessionProps=application ? application->getPropertySet("Sessions") : NULL;
- if (!application || !sessionProps) {
+ if (!application) {
ap_log_rerror(APLOG_MARK,APLOG_ERR|APLOG_NOERRNO,SH_AP_R(r),
- "shib_post_handler: unable to map request to application session settings, check configuration");
+ "shib_post_handler: unable to map request to application settings, check configuration");
return SERVER_ERROR;
}
// Declare SHIRE object for this request.
SHIRE shire(application);
- return shib_handler(r, application, sessionProps, shire);
+ return shib_handler(r, application, shire);
}
-int shib_handler(request_rec* r, const IApplication* application, const IPropertySet* sessionProps, SHIRE& shire)
+int shib_handler(request_rec* r, const IApplication* application, SHIRE& shire)
{
// Prime the pump...
const char* targeturl = ap_construct_url(r->pool,r->unparsed_uri,r);
ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,SH_AP_R(r),"shib_handler() running");
- pair<bool,const char*> shib_cookie=sessionProps->getString("cookieName");
- pair<bool,const char*> shib_cookie_props=sessionProps->getString("cookieProps");
- if (!shib_cookie.first) {
- ap_log_rerror(APLOG_MARK,APLOG_CRIT|APLOG_NOERRNO,SH_AP_R(r),
- "shib_handler: no cookieName set for %s", application->getId());
+ const IPropertySet* sessionProps=application->getPropertySet("Sessions");
+ if (!sessionProps) {
+ ap_log_rerror(APLOG_MARK,APLOG_ERR|APLOG_NOERRNO,SH_AP_R(r),
+ "shib_post_handler: unable to map request to application session settings, check configuration");
return SERVER_ERROR;
}
+ pair<const char*,const char*> shib_cookie=shire.getCookieNameProps(); // always returns something
+
ShibMLP markupProcessor;
markupProcessor.insert("requestURL", targeturl);
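Review bot: The new error message inside shib_handler names the wrong function: `"shib_post_handler: unable to map request to application session settings, check configuration"` is logged from shib_handler, so an operator reading the error log is pointed at the POST handler instead of the place that failed. Change it to `"shib_handler: unable to map request to application session settings, check configuration"`, matching the `shib_handler()` prefix the surrounding debug messages use. The body of shib_handler continues past this hunk, so the other uses of sessionProps are not visible here.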
"shib_handler() POST process succeeded. New session: %s", cookie.c_str());
// We've got a good session, set the cookie...
- char* val = ap_psprintf(r->pool,"%s=%s%s",shib_cookie.second,cookie.c_str(),
- shib_cookie_props.first ? shib_cookie_props.second : "; path=/");
+ char* val = ap_psprintf(r->pool,"%s=%s%s",shib_cookie.first,cookie.c_str(),shib_cookie.second);
ap_table_setn(r->err_headers_out, "Set-Cookie", val);
ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,SH_AP_R(r), "shib_handler() setting cookie: %s", val);
IRequestMapper::Settings settings=map_request(pfc,pn,mapper,site.c_str(),targeturl);
pair<bool,const char*> application_id=settings.first->getString("applicationId");
const IApplication* application=conf->getApplication(application_id.second);
- const IPropertySet* sessionProps=application ? application->getPropertySet("Sessions") : NULL;
- if (!application || !sessionProps)
- return WriteClientError(pfc,"Unable to map request to application session settings, check configuration.");
+ if (!application)
+ return WriteClientError(pfc,"Unable to map request to application settings, check configuration.");
// Declare SHIRE object for this request.
SHIRE shire(application);
// Now check the policy for this request.
pair<bool,bool> requireSession=settings.first->getBool("requireSession");
- pair<bool,const char*> shib_cookie=sessionProps->getString("cookieName");
- if (!shib_cookie.first)
- return WriteClientError(pfc,"No session cookie name defined for this application, check configuration.");
+ pair<const char*,const char*> shib_cookie=shire.getCookieNameProps();
// Check for session cookie.
const char* session_id=NULL;
GetHeader(pn,pfc,"Cookie:",buf,128,false);
Category::getInstance("isapi_shib.HttpFilterProc").debug("cookie header is {%s}",(const char*)buf);
- if (!buf.empty() && (session_id=strstr(buf,shib_cookie.second))) {
- session_id+=strlen(shib_cookie.second) + 1; /* Skip over the '=' */
+ if (!buf.empty() && (session_id=strstr(buf,shib_cookie.first))) {
+ session_id+=strlen(shib_cookie.first) + 1; /* Skip over the '=' */
char* cookieend=strchr(session_id,';');
if (cookieend)
*cookieend = '\0'; /* Ignore anyting after a ; */
if (!strstr(targeturl.c_str(),shire.getShireURL(targeturl.c_str())))
return WriteClientError(lpECB,"The request's application and associated shireURL setting are inconsistent.");;
- pair<bool,const char*> shib_cookie=sessionProps->getString("cookieName");
- pair<bool,const char*> shib_cookie_props=sessionProps->getString("cookieProps");
- if (!shib_cookie.first)
- return WriteClientError(lpECB,"No session cookie name defined for this application, check configuration.");
+ pair<const char*,const char*> shib_cookie=shire.getCookieNameProps();
// Make sure this is SSL, if it should be
pair<bool,bool> shireSSL=sessionProps->getBool("shireSSL");
delete status;
// We've got a good session, set the cookie and redirect to target.
- cookie = string("Set-Cookie: ") + shib_cookie.second + '=' + cookie +
- (shib_cookie_props.first ? shib_cookie_props.second : "; path=/") + "\r\n"
+ cookie = string("Set-Cookie: ") + shib_cookie.first + '=' + cookie + shib_cookie.second + "\r\n"
"Location: " + elements.second + "\r\n"
"Expires: 01-Jan-1997 12:00:00 GMT\r\n"
"Cache-Control: private,no-store,no-cache\r\n"
delete m_parser;
}
-const char* SHIRE::getShireURL(const char* resource)
+pair<const char*,const char*> SHIRE::getCookieNameProps() const
+{
+ static const char* defProps="; path=/";
+ static const char* defName="_shibsession_";
+
+ const IPropertySet* props=m_app->getPropertySet("Sessions");
+ if (props) {
+ pair<bool,const char*> p=props->getString("cookieProps");
+ if (!p.first)
+ p.second=defProps;
+ if (!m_cookieName.empty())
+ return pair<const char*,const char*>(m_cookieName.c_str(),p.second);
+ pair<bool,const char*> p2=props->getString("cookieName");
+ if (p2.first) {
+ m_cookieName=p2.second;
+ return pair<const char*,const char*>(p2.second,p.second);
+ }
+ m_cookieName=defName;
+ m_cookieName+=m_app->getId();
+ return pair<const char*,const char*>(m_cookieName.c_str(),p.second);
+ }
+ m_cookieName=defName;
+ m_cookieName+=m_app->getId();
+ return pair<const char*,const char*>(m_cookieName.c_str(),defProps);
+}
+
+const char* SHIRE::getShireURL(const char* resource) const
{
if (!m_shireURL.empty())
return m_shireURL.c_str();
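Review bot: getCookieNameProps falls back to `static const char* defProps="; path=/";` whenever cookieProps is unset or the Sessions property set is missing, so a deployment that relies on the new defaults gets a session cookie carrying no attribute beyond the path; the attribute string is emitted verbatim into Set-Cookie by the callers in this commit. Since the commit makes the defaults the normal case rather than a configuration error, the fallback deserves an explicit comment, e.g. `// Defaults apply when no Sessions property set or no cookieProps is configured; deployments should set cookieProps (e.g. secure) explicitly`, and the two identical default-name branches (`m_cookieName=defName; m_cookieName+=m_app->getId();`) could be folded into one so the default cannot drift between them. Both pointers would also be clearer as `static const char* const`.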
return m_shireURL.c_str();
}
-const char* SHIRE::getAuthnRequest(const char* resource)
+const char* SHIRE::getAuthnRequest(const char* resource) const
{
if (!m_authnRequest.empty())
return m_authnRequest.c_str();
return m_authnRequest.c_str();
}
-const char* SHIRE::getLazyAuthnRequest(const char* query_string)
+const char* SHIRE::getLazyAuthnRequest(const char* query_string) const
{
CgiParse parser(query_string,strlen(query_string));
const char* target=parser.get_value("target");
return getAuthnRequest(target);
}
-pair<const char*,const char*> SHIRE::getFormSubmission(const char* post, unsigned int len)
+pair<const char*,const char*> SHIRE::getFormSubmission(const char* post, unsigned int len) const
{
m_parser = new CgiParse(post,len);
return pair<const char*,const char*>(m_parser->get_value("SAMLResponse"),m_parser->get_value("TARGET"));
}
-RPCError* SHIRE::sessionIsValid(const char* session_id, const char* ip)
+RPCError* SHIRE::sessionIsValid(const char* session_id, const char* ip) const
{
saml::NDC ndc("sessionIsValid");
Category& log = Category::getInstance("shibtarget.SHIRE");
return retval;
}
-RPCError* SHIRE::sessionCreate(const char* response, const char* ip, string& cookie)
+RPCError* SHIRE::sessionCreate(const char* response, const char* ip, string& cookie) const
{
saml::NDC ndc("sessionCreate");
Category& log = Category::getInstance("shibtarget.SHIRE");
public:
SHIRE(const IApplication* app) : m_app(app), m_parser(NULL) {}
~SHIRE();
-
+
+ // Get the session cookie name and properties for the application
+ std::pair<const char*,const char*> getCookieNameProps() const;
+
// Find the default assertion consumer service for the resource
- const char* getShireURL(const char* resource);
+ const char* getShireURL(const char* resource) const;
// Generate a Shib 1.x AuthnRequest redirect URL for the resource
- const char* getAuthnRequest(const char* resource);
+ const char* getAuthnRequest(const char* resource) const;
// Process a lazy session setup request and turn it into an AuthnRequest
- const char* getLazyAuthnRequest(const char* query_string);
+ const char* getLazyAuthnRequest(const char* query_string) const;
// Process a POST profile submission, and return (SAMLResponse,TARGET) pair.
- std::pair<const char*,const char*> getFormSubmission(const char* post, unsigned int len);
+ std::pair<const char*,const char*> getFormSubmission(const char* post, unsigned int len) const;
- RPCError* sessionCreate(const char* response, const char* ip, std::string &cookie);
- RPCError* sessionIsValid(const char* session_id, const char* ip);
+ RPCError* sessionCreate(const char* response, const char* ip, std::string &cookie) const;
+ RPCError* sessionIsValid(const char* session_id, const char* ip) const;
private:
const IApplication* m_app;
- std::string m_shireURL;
- std::string m_authnRequest;
- CgiParse* m_parser;
+ mutable std::string m_cookieName;
+ mutable std::string m_shireURL;
+ mutable std::string m_authnRequest;
+ mutable CgiParse* m_parser;
};
class SHIBTARGET_EXPORTS RM
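Review bot: Marking `m_cookieName`, `m_shireURL`, `m_authnRequest` and `m_parser` `mutable` means every const accessor now writes cached state through a const reference, which is only safe if a SHIRE object is never shared between requests or threads; the callers in this commit construct one per request (`SHIRE shire(application);`), but nothing in the class says so. Add a class-level comment such as `// A SHIRE instance is bound to one request; its const accessors cache results in mutable members and are not safe to call concurrently on a shared object`. The new declaration's comment should also state what callers get by default, e.g. `// Returns (cookie name, cookie attribute string); defaults to "_shibsession_" + application id and "; path=/" when the Sessions property set does not supply them`. The header hunk ends at the start of class RM, which is outside this view.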