https://bugs.internet2.edu/jira/browse/SSPCPP-263

git-svn-id: https://svn.middleware.georgetown.edu/cpp-sp/branches/REL_2@3243 cb58f699-b61c-0410-a6fe-9272a202ed29

diff --git a/Shibboleth.sln b/Shibboleth.sln
index c799c03..9e6cd25 100644 (file)
--- a/Shibboleth.sln
+++ b/Shibboleth.sln
@@ -157,16 +157,8 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Misc", "Misc", "{31B171C1-E
 EndProject
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Doc", "Doc", "{6ED5E3E7-1B0E-43FB-A8D1-77A0FCAE9AC8}"
        ProjectSection(SolutionItems) = preProject
-               doc\CREDITS.txt = doc\CREDITS.txt
                doc\FASTCGI.LICENSE = doc\FASTCGI.LICENSE
-               doc\LICENSE.txt = doc\LICENSE.txt
-               doc\LOG4CPP.LICENSE = doc\LOG4CPP.LICENSE
-               doc\logo.jpg = doc\logo.jpg
-               doc\main.css = doc\main.css
                doc\Makefile.am = doc\Makefile.am
-               doc\NOTICE.txt = doc\NOTICE.txt
-               doc\OPENSSL.LICENSE = doc\OPENSSL.LICENSE
-               doc\README.txt = doc\README.txt
                doc\RELEASE.txt = doc\RELEASE.txt
        EndProjectSection
 EndProject

diff --git a/adfs/adfs.cpp b/adfs/adfs.cpp
index 006c3bd..f724540 100644 (file)
--- a/adfs/adfs.cpp
+++ b/adfs/adfs.cpp
@@ -326,45 +326,42 @@ pair<bool,long> ADFSSessionInitiator::run(SPRequest& request, string& entityID,
         return make_pair(false,0L);
 
     string target;
-    const Handler* ACS=NULL;
-    const char* option;
+    pair<bool,const char*> prop;
     pair<bool,const char*> acClass;
+    const Handler* ACS=NULL;
     const Application& app=request.getApplication();
 
     if (isHandler) {
-        option=request.getParameter("acsIndex");
-        if (option) {
-            ACS = app.getAssertionConsumerServiceByIndex(atoi(option));
+        prop.second = request.getParameter("acsIndex");
+        if (prop.second && *prop.second) {
+            ACS = app.getAssertionConsumerServiceByIndex(atoi(prop.second));
             if (!ACS)
                 request.log(SPRequest::SPWarn, "invalid acsIndex specified in request, using acsIndex property");
         }
 
-        option = request.getParameter("target");
-        if (option)
-            target = option;
+        prop = getString("target", request);
+        if (prop.first)
+            target = prop.second;
 
         // Since we're passing the ACS by value, we need to compute the return URL,
         // so we'll need the target resource for real.
-        recoverRelayState(request.getApplication(), request, request, target, false);
+        recoverRelayState(app, request, request, target, false);
 
-        if (acClass.second = request.getParameter("authnContextClassRef"))
-            acClass.first = true;
-        else
-            acClass = getString("authnContextClassRef");
+        acClass = getString("authnContextClassRef", request);
     }
     else {
-        // We're running as a "virtual handler" from within the filter.
-        // The target resource is the current one and everything else is defaulted.
-        target=request.getRequestURL();
+        // Check for a hardwired target value in the map or handler.
+        prop = getString("target", request, HANDLER_PROPERTY_MAP|HANDLER_PROPERTY_FIXED);
+        if (prop.first)
+            target = prop.second;
+        else
+            target = request.getRequestURL();
 
-        const PropertySet* settings = request.getRequestSettings().first;
-        acClass = settings->getString("authnContextClassRef");
-        if (!acClass.first)
-            acClass = getString("authnContextClassRef");
+        acClass = getString("authnContextClassRef", request, HANDLER_PROPERTY_MAP|HANDLER_PROPERTY_FIXED);
     }
 
     if (!ACS) {
-        pair<bool,unsigned int> index = getUnsignedInt("acsIndex");
+        pair<bool,unsigned int> index = getUnsignedInt("acsIndex", request, HANDLER_PROPERTY_MAP|HANDLER_PROPERTY_FIXED);
         if (index.first) {
             ACS = app.getAssertionConsumerServiceByIndex(index.second);
             if (!ACS)
@@ -392,16 +389,17 @@ pair<bool,long> ADFSSessionInitiator::run(SPRequest& request, string& entityID,
     // Since we're not passing by index, we need to fully compute the return URL.
     // Compute the ACS URL. We add the ACS location to the base handlerURL.
     string ACSloc=request.getHandlerURL(target.c_str());
-    pair<bool,const char*> loc=ACS->getString("Location");
-    if (loc.first) ACSloc+=loc.second;
+    prop = ACS->getString("Location");
+    if (prop.first)
+        ACSloc += prop.second;
 
     if (isHandler) {
         // We may already have RelayState set if we looped back here,
-        // but just in case target is a resource, we reset it back.
-        target.erase();
-        option = request.getParameter("target");
-        if (option)
-            target = option;
+        // but we've turned it back into a resource by this point, so if there's
+        // a target on the URL, reset to that value.
+        prop.second = request.getParameter("target");
+        if (prop.second && *prop.second)
+            target = prop.second;
     }
 
     m_log.debug("attempting to initiate session using ADFS with provider (%s)", entityID.c_str());

diff --git a/schemas/shibboleth-2.0-native-sp-config.xsd b/schemas/shibboleth-2.0-native-sp-config.xsd
index 315b6ba..24497e5 100644 (file)
--- a/schemas/shibboleth-2.0-native-sp-config.xsd
+++ b/schemas/shibboleth-2.0-native-sp-config.xsd
@@ -10,724 +10,727 @@
        blockDefault="substitution"
        version="2.4">
 
-       <import namespace="urn:oasis:names:tc:SAML:2.0:assertion" schemaLocation="saml-schema-assertion-2.0.xsd"/>
-       <import namespace="urn:oasis:names:tc:SAML:2.0:protocol" schemaLocation="saml-schema-protocol-2.0.xsd"/>
-       <import namespace="urn:oasis:names:tc:SAML:2.0:metadata" schemaLocation="saml-schema-metadata-2.0.xsd"/>
-
-       <annotation>
-               <documentation>
-               2.0 schema for XML-based configuration of Shibboleth Native SP instances.
-               First appearing in Shibboleth 2.0 release.
-               </documentation>
-       </annotation>
-
-       <simpleType name="string">
-               <restriction base="string">
-                       <minLength value="1"/>
-               </restriction>
-       </simpleType>
-
-       <simpleType name="listOfStrings">
-               <list itemType="conf:string"/>
-       </simpleType>
-
-       <simpleType name="listOfURIs">
-               <list itemType="anyURI"/>
-       </simpleType>
-
-       <simpleType name="bindingBoolean">
-               <restriction base="string">
-                       <enumeration value="true"/>
-                       <enumeration value="false"/>
-                       <enumeration value="front"/>
-                       <enumeration value="back"/>
-               </restriction>
-       </simpleType>
-       
-       <complexType name="PluggableType">
-               <sequence>
-                       <any namespace="##any" processContents="skip" minOccurs="0" maxOccurs="unbounded"/>
-               </sequence>
-               <attribute name="type" type="conf:string" use="required"/>
-               <anyAttribute namespace="##any" processContents="skip"/>
-       </complexType>
-
-       <element name="SPConfig">
-               <complexType>
-                       <annotation>
-                               <documentation>Root of configuration</documentation>
-                       </annotation>
-                       <sequence>
-                               <element ref="conf:Extensions" minOccurs="0"/>
-                               <element ref="conf:OutOfProcess"/>
-                               <element ref="conf:InProcess"/>
-                <choice minOccurs="0">
-                    <element name="UnixListener">
-                        <complexType>
-                            <attribute name="address" type="conf:string" use="required"/>
-                            <attribute name="stackSize" type="unsignedInt"/>
-                        </complexType>
-                    </element>
-                    <element name="TCPListener">
-                        <complexType>
-                            <attribute name="address" type="conf:string" use="required"/>
-                            <attribute name="port" type="unsignedInt" use="required"/>
-                            <attribute name="acl" type="conf:listOfStrings"/>
-                            <attribute name="stackSize" type="unsignedInt"/>
-                        </complexType>
-                    </element>
-                    <element name="Listener" type="conf:PluggableType"/>
-                </choice>
-                <element ref="conf:StorageService" minOccurs="0" maxOccurs="unbounded"/>
-                <element ref="conf:SessionCache" minOccurs="0"/>
-                <element ref="conf:ReplayCache" minOccurs="0"/>
-                <element ref="conf:ArtifactMap" minOccurs="0"/>
-                <element name="RequestMapper" type="conf:PluggableType" minOccurs="0"/>
-                               <element ref="conf:ApplicationDefaults"/>
-                               <element ref="conf:SecurityPolicies"/>
-                <element ref="conf:TransportOption" minOccurs="0" maxOccurs="unbounded"/>
-                       </sequence>
-                       <attribute name="logger" type="anyURI"/>
-                       <attribute name="clockSkew" type="unsignedInt"/>
-            <attribute name="unsafeChars" type="conf:string"/>
-            <attribute name="allowedSchemes" type="conf:listOfStrings"/>
-                       <anyAttribute namespace="##other" processContents="lax"/>
-               </complexType>
-       </element>
-
-       <element name="Extensions">
-               <annotation>
-                       <documentation>Container for extension libraries and custom configuration</documentation>
-               </annotation>
-               <complexType>
-                       <sequence>
-                               <element name="Library" minOccurs="0" maxOccurs="unbounded">
-                                       <complexType>
-                                               <sequence>
-                                                       <any namespace="##any" processContents="skip" minOccurs="0" maxOccurs="unbounded"/>
-                                               </sequence>
-                                               <attribute name="path" type="anyURI" use="required"/>
-                                               <attribute name="fatal" type="boolean"/>
-                                               <anyAttribute namespace="##any" processContents="skip"/>
-                                       </complexType>
-                               </element>
-                               <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
-                       </sequence>
-               </complexType>
-       </element>
-
-       <element name="StorageService">
-               <annotation>
-                       <documentation>References StorageService plugins</documentation>
-               </annotation>
-               <complexType>
-                       <complexContent>
-                               <restriction base="conf:PluggableType">
-                                       <sequence>
-                                               <any namespace="##any" processContents="skip" minOccurs="0" maxOccurs="unbounded"/>
-                                       </sequence>
-                                       <attribute name="id" type="ID" use="required"/>
-                                       <attribute name="cleanupInterval" type="unsignedInt"/>
-                                       <anyAttribute namespace="##any" processContents="skip"/>
-                               </restriction>
-                       </complexContent>
-               </complexType>
-       </element>
-
-       <element name="SessionCache">
-               <annotation>
-                       <documentation>References SessionCache plugins</documentation>
-               </annotation>
-               <complexType>
-                       <complexContent>
-                               <restriction base="conf:PluggableType">
-                                       <sequence>
-                                               <any namespace="##any" processContents="skip" minOccurs="0" maxOccurs="unbounded"/>
-                                       </sequence>
-                                       <attribute name="StorageService" type="IDREF"/>
-                                       <attribute name="cacheTimeout" type="unsignedInt"/>
-                                       <anyAttribute namespace="##any" processContents="skip"/>
-                               </restriction>
-                       </complexContent>
-               </complexType>
-       </element>
-       
-       <element name="ReplayCache">
-               <annotation>
-                       <documentation>Ties ReplayCache to a custom StorageService</documentation>
-               </annotation>
-               <complexType>
-                       <sequence/>
-                       <attribute name="StorageService" type="IDREF" use="required"/>
-               </complexType>
-       </element>
-       
-       <element name="ArtifactMap">
-               <annotation>
-                       <documentation>Customizes an ArtifactMap</documentation>
-               </annotation>
-               <complexType>
-                       <sequence/>
-                       <attribute name="StorageService" type="IDREF"/>
-                       <attribute name="context" type="conf:string"/>
-                       <attribute name="artifactTTL" type="unsignedInt"/>
-               </complexType>
-       </element>
-       
-       <element name="OutOfProcess">
-               <annotation>
-                       <documentation>Container for out-of-process (shibd) configuration</documentation>
-               </annotation>
-               <complexType>
-                       <sequence>
-                               <element ref="conf:Extensions" minOccurs="0"/>
-                               <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
-                       </sequence>
-                       <attribute name="logger" type="anyURI"/>
-                   <attribute name="catchAll" type="boolean"/>
-                       <anyAttribute namespace="##other" processContents="lax"/>
-               </complexType>
-       </element>
-
-       <element name="InProcess">
-               <annotation>
-                       <documentation>
-                       Container for configuration of locally integrated or platform-specific
-                       features (e.g. web server filters)
-                       </documentation>
-               </annotation>
-               <complexType>
-                       <sequence>
-                               <element ref="conf:Extensions" minOccurs="0"/>
-                               <element ref="conf:ISAPI" minOccurs="0"/>
-                               <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
-                       </sequence>
-                       <attribute name="logger" type="anyURI"/>
-                       <attribute name="unsetHeaderValue" type="conf:string"/>
-                       <attribute name="checkSpoofing" type="boolean"/>
-                       <attribute name="spoofKey" type="conf:string"/>
-                       <attribute name="catchAll" type="boolean"/>
-                       <anyAttribute namespace="##other" processContents="lax"/>
-               </complexType>
-       </element>
-       
-       <element name="ISAPI">
-               <complexType>
-                       <sequence>
-                               <element name="Site" maxOccurs="unbounded">
-                                       <complexType>
-                                               <sequence>
-                                                       <element name="Alias" type="string" minOccurs="0" maxOccurs="unbounded"/>
-                                               </sequence>
-                                               <attribute name="id" type="unsignedInt" use="required"/>
-                                               <attribute name="name" type="conf:string" use="required"/>
-                                               <attribute name="port" type="unsignedInt"/>
-                                               <attribute name="sslport" type="unsignedInt"/>
-                                               <attribute name="scheme" type="conf:string"/>
-                                       </complexType>
-                               </element>
-                               <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
-                       </sequence>
-                       <attribute name="normalizeRequest" type="boolean"/>
-                       <attribute name="safeHeaderNames" type="boolean"/>
-                       <anyAttribute namespace="##other" processContents="lax"/>
-               </complexType>
-       </element>
-
-       <element name="AccessControl" type="conf:UniOperatorType">
-               <annotation>
-                       <documentation>
-                       A simple example access policy language extension that supersedes Apache .htaccess
-                       </documentation>
-               </annotation>
-       </element>
-       <element name="OR" type="conf:MultiOperatorType"/>
-       <element name="AND" type="conf:MultiOperatorType"/>
-       <element name="NOT" type="conf:UniOperatorType"/>
-       <complexType name="UniOperatorType">
-               <choice>
-                       <element ref="conf:AND"/>
-                       <element ref="conf:OR"/>
-                       <element ref="conf:NOT"/>
-                       <element ref="conf:Rule"/>
-                   <element ref="conf:RuleRegex"/>
-               </choice>
-       </complexType>
-       <complexType name="MultiOperatorType">
-               <choice minOccurs="2" maxOccurs="unbounded">
-                       <element ref="conf:AND"/>
-                       <element ref="conf:OR"/>
-                       <element ref="conf:NOT"/>
-                       <element ref="conf:Rule"/>
-                   <element ref="conf:RuleRegex"/>
-               </choice>
-       </complexType>
-       <element name="Rule">
-               <complexType>
-                       <simpleContent>
-                               <extension base="conf:listOfStrings">
-                                       <attribute name="require" type="conf:string" use="required"/>
-                                   <attribute name="list" type="boolean"/>
-                               </extension>
-                       </simpleContent>
-               </complexType>
-       </element>
-    <element name="RuleRegex">
-        <complexType>
-            <simpleContent>
-                <extension base="conf:string">
-                    <attribute name="require" type="conf:string" use="required"/>
-                    <attribute name="ignoreCase" type="boolean"/>
-                </extension>
-            </simpleContent>
-        </complexType>
-    </element>
-       
-       <attributeGroup name="ContentSettings">
-               <attribute name="authType" type="conf:string"/>
-               <attribute name="requireSession" type="boolean"/>
-               <attribute name="requireSessionWith" type="conf:string"/>
-               <attribute name="exportAssertion" type="boolean"/>
-               <attribute name="redirectToSSL" type="unsignedInt"/>
-               <attribute name="entityID" type="anyURI"/>
-        <attribute name="discoveryURL" type="anyURI"/>
-               <attribute name="isPassive" type="boolean"/>
-        <attribute name="returnOnError" type="boolean"/>
-               <attribute name="forceAuthn" type="boolean"/>
-               <attribute name="authnContextClassRef" type="anyURI"/>
-               <attribute name="authnContextComparison" type="samlp:AuthnContextComparisonType"/>
-        <attribute name="NameIDFormat" type="anyURI"/>
-        <attribute name="SPNameQualifier" type="conf:string"/>
-        <attribute name="redirectErrors" type="anyURI"/>
-               <attribute name="sessionError" type="anyURI"/>
-               <attribute name="metadataError" type="anyURI"/>
-               <attribute name="accessError" type="anyURI"/>
-               <attribute name="sslError" type="anyURI"/>
-        <attribute name="REMOTE_ADDR" type="conf:string"/>
-               <anyAttribute namespace="##other" processContents="lax"/>
-       </attributeGroup>
-       <element name="AccessControlProvider" type="conf:PluggableType"/>
-       <element name="htaccess" type="conf:PluggableType"/>
-
-    <element name="RequestMap">
-               <annotation>
-                       <documentation>
-                       Built-in request mapping syntax, decomposes URLs into Host/Path/Path/...
-                       </documentation>
-               </annotation>
-        <complexType>
+  <import namespace="urn:oasis:names:tc:SAML:2.0:assertion" schemaLocation="saml-schema-assertion-2.0.xsd"/>
+  <import namespace="urn:oasis:names:tc:SAML:2.0:protocol" schemaLocation="saml-schema-protocol-2.0.xsd"/>
+  <import namespace="urn:oasis:names:tc:SAML:2.0:metadata" schemaLocation="saml-schema-metadata-2.0.xsd"/>
+
+  <annotation>
+    <documentation>
+      2.0 schema for XML-based configuration of Shibboleth Native SP instances.
+      First appearing in Shibboleth 2.0 release.
+    </documentation>
+  </annotation>
+
+  <simpleType name="string">
+    <restriction base="string">
+      <minLength value="1"/>
+    </restriction>
+  </simpleType>
+
+  <simpleType name="listOfStrings">
+    <list itemType="conf:string"/>
+  </simpleType>
+
+  <simpleType name="listOfURIs">
+    <list itemType="anyURI"/>
+  </simpleType>
+
+  <simpleType name="bindingBoolean">
+    <restriction base="string">
+      <enumeration value="true"/>
+      <enumeration value="false"/>
+      <enumeration value="front"/>
+      <enumeration value="back"/>
+    </restriction>
+  </simpleType>
+
+  <complexType name="PluggableType">
+    <sequence>
+      <any namespace="##any" processContents="skip" minOccurs="0" maxOccurs="unbounded"/>
+    </sequence>
+    <attribute name="type" type="conf:string" use="required"/>
+    <anyAttribute namespace="##any" processContents="skip"/>
+  </complexType>
+
+  <element name="SPConfig">
+    <complexType>
+      <annotation>
+        <documentation>Root of configuration</documentation>
+      </annotation>
+      <sequence>
+        <element ref="conf:Extensions" minOccurs="0"/>
+        <element ref="conf:OutOfProcess"/>
+        <element ref="conf:InProcess"/>
+        <choice minOccurs="0">
+          <element name="UnixListener">
+            <complexType>
+              <attribute name="address" type="conf:string" use="required"/>
+              <attribute name="stackSize" type="unsignedInt"/>
+            </complexType>
+          </element>
+          <element name="TCPListener">
+            <complexType>
+              <attribute name="address" type="conf:string" use="required"/>
+              <attribute name="port" type="unsignedInt" use="required"/>
+              <attribute name="acl" type="conf:listOfStrings"/>
+              <attribute name="stackSize" type="unsignedInt"/>
+            </complexType>
+          </element>
+          <element name="Listener" type="conf:PluggableType"/>
+        </choice>
+        <element ref="conf:StorageService" minOccurs="0" maxOccurs="unbounded"/>
+        <element ref="conf:SessionCache" minOccurs="0"/>
+        <element ref="conf:ReplayCache" minOccurs="0"/>
+        <element ref="conf:ArtifactMap" minOccurs="0"/>
+        <element name="RequestMapper" type="conf:PluggableType" minOccurs="0"/>
+        <element ref="conf:ApplicationDefaults"/>
+        <element ref="conf:SecurityPolicies"/>
+        <element ref="conf:TransportOption" minOccurs="0" maxOccurs="unbounded"/>
+      </sequence>
+      <attribute name="logger" type="anyURI"/>
+      <attribute name="clockSkew" type="unsignedInt"/>
+      <attribute name="unsafeChars" type="conf:string"/>
+      <attribute name="allowedSchemes" type="conf:listOfStrings"/>
+      <anyAttribute namespace="##other" processContents="lax"/>
+    </complexType>
+  </element>
+
+  <element name="Extensions">
+    <annotation>
+      <documentation>Container for extension libraries and custom configuration</documentation>
+    </annotation>
+    <complexType>
+      <sequence>
+        <element name="Library" minOccurs="0" maxOccurs="unbounded">
+          <complexType>
+            <sequence>
+              <any namespace="##any" processContents="skip" minOccurs="0" maxOccurs="unbounded"/>
+            </sequence>
+            <attribute name="path" type="anyURI" use="required"/>
+            <attribute name="fatal" type="boolean"/>
+            <anyAttribute namespace="##any" processContents="skip"/>
+          </complexType>
+        </element>
+        <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+      </sequence>
+    </complexType>
+  </element>
+
+  <element name="StorageService">
+    <annotation>
+      <documentation>References StorageService plugins</documentation>
+    </annotation>
+    <complexType>
+      <complexContent>
+        <restriction base="conf:PluggableType">
+          <sequence>
+            <any namespace="##any" processContents="skip" minOccurs="0" maxOccurs="unbounded"/>
+          </sequence>
+          <attribute name="id" type="ID" use="required"/>
+          <attribute name="cleanupInterval" type="unsignedInt"/>
+          <anyAttribute namespace="##any" processContents="skip"/>
+        </restriction>
+      </complexContent>
+    </complexType>
+  </element>
+
+  <element name="SessionCache">
+    <annotation>
+      <documentation>References SessionCache plugins</documentation>
+    </annotation>
+    <complexType>
+      <complexContent>
+        <restriction base="conf:PluggableType">
+          <sequence>
+            <any namespace="##any" processContents="skip" minOccurs="0" maxOccurs="unbounded"/>
+          </sequence>
+          <attribute name="StorageService" type="IDREF"/>
+          <attribute name="cacheTimeout" type="unsignedInt"/>
+          <anyAttribute namespace="##any" processContents="skip"/>
+        </restriction>
+      </complexContent>
+    </complexType>
+  </element>
+
+  <element name="ReplayCache">
+    <annotation>
+      <documentation>Ties ReplayCache to a custom StorageService</documentation>
+    </annotation>
+    <complexType>
+      <sequence/>
+      <attribute name="StorageService" type="IDREF" use="required"/>
+    </complexType>
+  </element>
+
+  <element name="ArtifactMap">
+    <annotation>
+      <documentation>Customizes an ArtifactMap</documentation>
+    </annotation>
+    <complexType>
+      <sequence/>
+      <attribute name="StorageService" type="IDREF"/>
+      <attribute name="context" type="conf:string"/>
+      <attribute name="artifactTTL" type="unsignedInt"/>
+    </complexType>
+  </element>
+
+  <element name="OutOfProcess">
+    <annotation>
+      <documentation>Container for out-of-process (shibd) configuration</documentation>
+    </annotation>
+    <complexType>
+      <sequence>
+        <element ref="conf:Extensions" minOccurs="0"/>
+        <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+      </sequence>
+      <attribute name="logger" type="anyURI"/>
+      <attribute name="catchAll" type="boolean"/>
+      <anyAttribute namespace="##other" processContents="lax"/>
+    </complexType>
+  </element>
+
+  <element name="InProcess">
+    <annotation>
+      <documentation>
+        Container for configuration of locally integrated or platform-specific
+        features (e.g. web server filters)
+      </documentation>
+    </annotation>
+    <complexType>
+      <sequence>
+        <element ref="conf:Extensions" minOccurs="0"/>
+        <element ref="conf:ISAPI" minOccurs="0"/>
+        <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+      </sequence>
+      <attribute name="logger" type="anyURI"/>
+      <attribute name="unsetHeaderValue" type="conf:string"/>
+      <attribute name="checkSpoofing" type="boolean"/>
+      <attribute name="spoofKey" type="conf:string"/>
+      <attribute name="catchAll" type="boolean"/>
+      <anyAttribute namespace="##other" processContents="lax"/>
+    </complexType>
+  </element>
+
+  <element name="ISAPI">
+    <complexType>
+      <sequence>
+        <element name="Site" maxOccurs="unbounded">
+          <complexType>
             <sequence>
-               <choice minOccurs="0">
-                       <element ref="conf:htaccess"/>
-                                       <element ref="conf:AccessControl"/>
-                       <element ref="conf:AccessControlProvider"/>
-                   </choice>
-               <choice minOccurs="0" maxOccurs="unbounded">
-                                       <element ref="conf:Host"/>
-                       <element ref="conf:HostRegex"/>
-               </choice>
+              <element name="Alias" type="string" minOccurs="0" maxOccurs="unbounded"/>
             </sequence>
-            <attribute name="applicationId" type="conf:string" fixed="default"/>
-               <attributeGroup ref="conf:ContentSettings"/>
-        </complexType>
-    </element>
-
-    <element name="Host">
-       <complexType>
-               <sequence>
-               <choice minOccurs="0">
-                       <element ref="conf:htaccess"/>
-                                       <element ref="conf:AccessControl"/>
-                       <element ref="conf:AccessControlProvider"/>
-                   </choice>
-                       <choice minOccurs="0" maxOccurs="unbounded">
-                               <element ref="conf:Path"/>
-                               <element ref="conf:PathRegex"/>
-                               <element ref="conf:Query"/>
-                       </choice>
-               </sequence>
-               <attribute name="scheme">
-                           <simpleType>
-                               <restriction base="conf:string">
-                                   <enumeration value="http"/>
-                                   <enumeration value="https"/>
-                                   <enumeration value="ftp"/>
-                                   <enumeration value="ldap"/>
-                                   <enumeration value="ldaps"/>
-                               </restriction>
-                           </simpleType>
-               </attribute>
-               <attribute name="name" type="conf:string" use="required"/>
-               <attribute name="port" type="unsignedInt"/>
-                       <attribute name="applicationId" type="conf:string"/>
-               <attributeGroup ref="conf:ContentSettings"/>
-       </complexType>
-    </element>
-       
-       <element name="HostRegex">
-               <complexType>
-                       <sequence>
-                               <choice minOccurs="0">
-                                       <element ref="conf:htaccess"/>
-                                       <element ref="conf:AccessControl"/>
-                                       <element ref="conf:AccessControlProvider"/>
-                               </choice>
-                               <choice minOccurs="0" maxOccurs="unbounded">
-                                       <element ref="conf:Path"/>
-                                       <element ref="conf:PathRegex"/>
-                                       <element ref="conf:Query"/>
-                               </choice>
-                       </sequence>
-                       <attribute name="regex" type="conf:string" use="required"/>
-                       <attribute name="ignoreCase" type="boolean"/>
-                       <attribute name="applicationId" type="conf:string"/>
-                       <attributeGroup ref="conf:ContentSettings"/>
-               </complexType>
-       </element>
-
-    <element name="Path">
-        <complexType>
-               <sequence>
-               <choice minOccurs="0">
-                       <element ref="conf:htaccess"/>
-                                       <element ref="conf:AccessControl"/>
-                       <element ref="conf:AccessControlProvider"/>
-                   </choice>
-                       <choice minOccurs="0" maxOccurs="unbounded">
-                               <element ref="conf:Path"/>
-                               <element ref="conf:PathRegex"/>
-                               <element ref="conf:Query"/>
-                       </choice>
-               </sequence>
-                       <attribute name="name" type="conf:string" use="required"/>
-                       <attribute name="applicationId" type="conf:string"/>
-                       <attributeGroup ref="conf:ContentSettings"/>
-        </complexType>
-    </element>
-
-       <element name="PathRegex">
-               <complexType>
-                       <sequence>
-                               <choice minOccurs="0">
-                                       <element ref="conf:htaccess"/>
-                                       <element ref="conf:AccessControl"/>
-                                       <element ref="conf:AccessControlProvider"/>
-                               </choice>
-                               <element ref="conf:Query" minOccurs="0" maxOccurs="unbounded"/>
-                       </sequence>
-                       <attribute name="regex" type="conf:string" use="required"/>
-                       <attribute name="ignoreCase" type="boolean"/>
-                       <attribute name="applicationId" type="conf:string"/>
-                       <attributeGroup ref="conf:ContentSettings"/>
-               </complexType>
-       </element>
-       
-       <element name="Query">
-               <complexType>
-                       <sequence>
-                               <choice minOccurs="0">
-                                       <element ref="conf:htaccess"/>
-                                       <element ref="conf:AccessControl"/>
-                                       <element ref="conf:AccessControlProvider"/>
-                               </choice>
-                               <element ref="conf:Query" minOccurs="0" maxOccurs="unbounded"/>
-                       </sequence>
-                       <attribute name="name" type="conf:string" use="required"/>
-                       <attribute name="regex" type="conf:string"/>
-                       <attributeGroup ref="conf:ContentSettings"/>
-               </complexType>
-       </element>
-       
-       <element name="ApplicationDefaults">
-               <annotation>
-                       <documentation>Container for default settings and application-specific overrides</documentation>
-               </annotation>
-               <complexType>
-                       <sequence>
-                               <element ref="conf:Sessions"/>
-                               <element ref="conf:Errors" minOccurs="0"/>
-                               <element ref="conf:RelyingParty" minOccurs="0" maxOccurs="unbounded"/>
-                               <element ref="conf:Notify" minOccurs="0" maxOccurs="unbounded"/>
-                               <element ref="saml:Audience" minOccurs="0" maxOccurs="unbounded"/>
-                <element name="MetadataProvider" type="conf:PluggableType"/>
-                               <element name="TrustEngine" type="conf:PluggableType"/>
-                               <element name="AttributeExtractor" type="conf:PluggableType" minOccurs="0"/>
-                               <element name="AttributeResolver" type="conf:PluggableType" minOccurs="0"/>
-                               <element name="AttributeFilter" type="conf:PluggableType" minOccurs="0"/>
-                               <element name="CredentialResolver" type="conf:PluggableType" minOccurs="0"/>
-                               <element ref="conf:ApplicationOverride" minOccurs="0" maxOccurs="unbounded"/>
-                       </sequence>
-                       <attribute name="id" type="conf:string" fixed="default"/>
-                       <attribute name="entityID" type="anyURI" use="required"/>
-                       <attribute name="policyId" type="conf:string" use="required"/>
-                       <attributeGroup ref="conf:ApplicationGroup"/>
-                   <attributeGroup ref="conf:RelyingPartyGroup"/>
-                       <anyAttribute namespace="##other" processContents="lax"/>
-               </complexType>
-       </element>
-       
-       <element name="ApplicationOverride">
-               <annotation>
-                       <documentation>Container for application-specific overrides</documentation>
-               </annotation>
-               <complexType>
-                       <sequence>
-                               <element ref="conf:Sessions" minOccurs="0"/>
-                               <element ref="conf:Errors" minOccurs="0"/>
-                               <element ref="conf:RelyingParty" minOccurs="0" maxOccurs="unbounded"/>
-                               <element ref="conf:Notify" minOccurs="0" maxOccurs="unbounded"/>
-                               <element ref="saml:Audience" minOccurs="0" maxOccurs="unbounded"/>
-                               <element name="MetadataProvider" type="conf:PluggableType" minOccurs="0"/>
-                               <element name="TrustEngine" type="conf:PluggableType" minOccurs="0"/>
-                               <element name="AttributeExtractor" type="conf:PluggableType" minOccurs="0"/>
-                               <element name="AttributeResolver" type="conf:PluggableType" minOccurs="0"/>
-                               <element name="AttributeFilter" type="conf:PluggableType" minOccurs="0"/>
-                               <element name="CredentialResolver" type="conf:PluggableType" minOccurs="0"/>
-                       </sequence>
-                       <attribute name="id" type="conf:string" use="required"/>
-                       <attribute name="entityID" type="anyURI"/>
-                       <attribute name="policyId" type="conf:string"/>
-                       <attributeGroup ref="conf:ApplicationGroup"/>
-                   <attributeGroup ref="conf:RelyingPartyGroup"/>
-                       <anyAttribute namespace="##other" processContents="lax"/>
-               </complexType>
-       </element>
-
-       <attributeGroup name="ApplicationGroup">
-               <attribute name="homeURL" type="anyURI"/>
-               <attribute name="REMOTE_USER" type="conf:listOfStrings"/>
-               <attribute name="unsetHeaders" type="conf:listOfStrings"/>
-               <attribute name="metadataAttributePrefix" type="conf:string"/>
-           <attribute name="attributePrefix" type="conf:string"/>
-       </attributeGroup>
-
-    <attributeGroup name="RelyingPartyGroup">
-        <attribute name="authType" type="conf:string"/>
-        <attribute name="authUsername" type="conf:string"/>
-        <attribute name="authPassword" type="conf:string"/>
-        <attribute name="signing" type="conf:bindingBoolean"/>
-        <attribute name="signingAlg" type="anyURI"/>
-        <attribute name="digestAlg" type="anyURI"/>
-        <attribute name="encryption" type="conf:bindingBoolean"/>
-        <attribute name="encryptionAlg" type="anyURI"/>
-        <attribute name="keyName" type="conf:string"/>
-        <attribute name="artifactEndpointIndex" type="unsignedShort"/>
-        <attribute name="chunkedEncoding" type="boolean"/>
-        <attribute name="connectTimeout" type="unsignedShort"/>
-        <attribute name="timeout" type="unsignedShort"/>
-        <attribute name="requireConfidentiality" type="boolean"/>
-        <attribute name="requireTransportAuth" type="boolean"/>
-        <attribute name="requireSignedAssertions" type="boolean"/>
-    </attributeGroup>
-    
-       <element name="Sessions">
-               <annotation>
-                       <documentation>Container for specifying protocol handlers and session policy</documentation>
-               </annotation>
-               <complexType>
-                       <choice minOccurs="0" maxOccurs="unbounded">
-                               <element ref="conf:SessionInitiator"/>
-                               <element ref="conf:LogoutInitiator"/>
-                               <element ref="md:AssertionConsumerService"/>
-                               <element ref="md:ArtifactResolutionService"/>
-                               <element ref="md:SingleLogoutService"/>
-                               <element ref="md:ManageNameIDService"/>
-                               <element name="Handler">
-                                       <complexType>
-                                               <complexContent>
-                                                       <restriction base="conf:PluggableType">
-                                                               <sequence>
-                                                                       <any namespace="##any" processContents="skip" minOccurs="0" maxOccurs="unbounded"/>
-                                                               </sequence>
-                                                               <attribute name="Location" type="anyURI" use="required"/>
-                                                           <attribute name="acl" type="conf:listOfStrings"/>
-                                                               <anyAttribute namespace="##any" processContents="skip"/>
-                                                       </restriction>
-                                               </complexContent>
-                                       </complexType>
-                               </element>
-                       </choice>
-                       <attribute name="handlerURL" type="anyURI" use="required"/>
-                       <attribute name="handlerSSL" type="boolean"/>
-                       <attribute name="exportLocation" type="conf:string"/>
-                       <attribute name="exportACL" type="conf:listOfStrings"/>
-                       <attribute name="cookieName" type="conf:string"/>
-                       <attribute name="cookieProps" type="conf:string"/>
-            <attribute name="cookieLifetime" type="unsignedInt"/>
-                       <attribute name="idpHistory" type="boolean"/>
-                       <attribute name="idpHistoryDays" type="unsignedInt"/>
-                       <attribute name="lifetime" type="unsignedInt"/>
-                       <attribute name="timeout" type="unsignedInt"/>
-                   <attribute name="maxTimeSinceAuthn" type="unsignedInt"/>
-                       <attribute name="checkAddress" type="boolean"/>
-                       <attribute name="consistentAddress" type="boolean"/>
-                       <attribute name="postData" type="conf:string"/>
-            <attribute name="postLimit" type="positiveInteger"/>
-                       <attribute name="postTemplate" type="conf:string"/>
-            <attribute name="postExpire" type="boolean"/>
-                       <anyAttribute namespace="##other" processContents="lax"/>
-               </complexType>
-       </element>
-
-       <attribute name="policyId" type="conf:string">
-               <annotation>
-                       <documentation>Used to reference Policy elements from profile endpoints.</documentation>
-               </annotation>
-       </attribute>
-
-       <element name="SessionInitiator">
-               <annotation>
-                       <documentation>Used to specify handlers that can issue AuthnRequests or perform discovery</documentation>
-               </annotation>
-               <complexType>
-                       <complexContent>
-                               <restriction base="conf:PluggableType">
-                                       <sequence>
-                                               <any namespace="##any" processContents="skip" minOccurs="0" maxOccurs="unbounded"/>
-                                       </sequence>
-                                       <attribute name="Location" type="anyURI"/>
-                                       <attribute name="id" type="conf:string"/>
-                                       <attribute name="isDefault" type="boolean"/>
-                                       <attribute name="relayState" type="conf:string"/>
-                                       <attribute name="entityIDParam" type="conf:string"/>
-                                       <attribute name="entityID" type="anyURI"/>
-                                       <attribute name="URL" type="anyURI"/>
-                                       <attribute name="outgoingBindings" type="conf:listOfURIs"/>
-                                       <attribute name="template" type="anyURI"/>
-                                       <attribute name="postArtifact" type="boolean"/>
-                                       <attribute name="acsByIndex" type="boolean"/>
-                    <attribute name="acsIndex" type="unsignedShort"/>
-                                       <attribute name="defaultACSIndex" type="unsignedShort"/>   <!-- deprecated -->
-                    <attribute name="isPassive" type="boolean"/>
-                    <attribute name="returnOnError" type="boolean"/>
-                    <attribute name="forceAuthn" type="boolean"/>
-                    <attribute name="authnContextClassRef" type="anyURI"/>
-                    <attribute name="authnContextComparison" type="samlp:AuthnContextComparisonType"/>
-                    <attribute name="NameIDFormat" type="anyURI"/>
-                    <attribute name="SPNameQualifier" type="conf:string"/>
-                    <attribute name="requestDelegation" type="boolean"/>
-                                       <anyAttribute namespace="##any" processContents="skip"/>
-                               </restriction>
-                       </complexContent>
-               </complexType>
-       </element>
-
-       <element name="LogoutInitiator">
-               <annotation>
-                       <documentation>Used to specify handlers that can issue LogoutRequests</documentation>
-               </annotation>
-               <complexType>
-                       <complexContent>
-                               <restriction base="conf:PluggableType">
-                                       <sequence>
-                                               <any namespace="##any" processContents="skip" minOccurs="0" maxOccurs="unbounded"/>
-                                       </sequence>
-                                       <attribute name="Location" type="anyURI"/>
-                                   <attribute name="relayState" type="conf:string"/>
-                                       <attribute name="outgoingBindings" type="conf:listOfURIs"/>
-                                       <attribute name="template" type="anyURI"/>
-                                       <attribute name="postArtifact" type="boolean"/>
-                                       <anyAttribute namespace="##any" processContents="skip"/>
-                               </restriction>
-                       </complexContent>
-               </complexType>
-       </element>
-       
-       <element name="Errors">
-               <annotation>
-                       <documentation>Container for error templates and associated details</documentation>
-               </annotation>
-               <complexType>
-                       <sequence>
-                               <any namespace="##any" processContents="skip" minOccurs="0" maxOccurs="unbounded"/>
-                       </sequence>
-            <attribute name="redirectErrors" type="anyURI"/>
-                       <attribute name="session" type="anyURI"/>
-                       <attribute name="metadata" type="anyURI"/>
-                       <attribute name="access" type="anyURI"/>
-                       <attribute name="ssl" type="anyURI"/>
-            <attribute name="localLogout" type="anyURI"/>
-            <attribute name="globalLogout" type="anyURI"/>
-            <attribute name="partialLogout" type="anyURI"/>
-                       <attribute name="supportContact" type="conf:string"/>
-                       <attribute name="logoLocation" type="anyURI"/>
-                       <attribute name="styleSheet" type="anyURI"/>
-                       <anyAttribute namespace="##any" processContents="skip"/>
-               </complexType>
-       </element>
-
-    <element name="RelyingParty">
-        <annotation>
-            <documentation>Container for specifying settings to use with particular peers</documentation>
-        </annotation>
-        <complexType>
-            <sequence/>
-            <attribute name="Name" type="conf:string" use="required"/>
-            <attributeGroup ref="conf:RelyingPartyGroup"/>
-            <attribute name="entityID" type="anyURI"/>
-            <anyAttribute namespace="##other" processContents="lax"/>
-        </complexType>
-    </element>
-    
-       <element name="Notify">
-               <annotation>
-                       <documentation>Used to specify locations to receive application notifications</documentation>
-               </annotation>
-               <complexType>
-                       <sequence/>
-                       <attribute name="Channel" use="required">
-                               <simpleType>
-                                       <restriction base="string">
-                                               <enumeration value="front"/>
-                                               <enumeration value="back"/>
-                                       </restriction>
-                               </simpleType>
-                       </attribute>
-                       <attribute name="Location" type="anyURI" use="required"/>
-                       <anyAttribute namespace="##any" processContents="skip"/>
-               </complexType>
-       </element>
-       
-       <element name="SecurityPolicies">
-               <annotation>
-                       <documentation>Container for specifying sets of policy rules to apply to incoming messages</documentation>
-               </annotation>
-               <complexType>
-                       <sequence>
-                               <element name="Policy" minOccurs="1" maxOccurs="unbounded">
-                                       <annotation>
-                                               <documentation>Specifies a set of SecurityPolicyRule plugins</documentation>
-                                       </annotation>
-                                       <complexType>
-                                               <choice>
-                                                       <element name="Rule" type="conf:PluggableType" minOccurs="1" maxOccurs="unbounded"/>
-                            <element name="PolicyRule" type="conf:PluggableType" minOccurs="1" maxOccurs="unbounded"/>
-                                               </choice>
-                                               <attribute name="id" type="conf:string" use="required"/>
-                                               <attribute name="validate" type="boolean"/>
-                                               <anyAttribute namespace="##any" processContents="skip"/>
-                                       </complexType>
-                               </element>
-                <choice minOccurs="0">
-                    <element name="AlgorithmWhitelist" type="conf:listOfURIs"/>
-                    <element name="AlgorithmBlacklist" type="conf:listOfURIs"/>
-                </choice>
-                       </sequence>
-               </complexType>
-       </element>
-
-       <element name="TransportOption">
-               <annotation>
-                       <documentation>Implementation-specific option to pass to SOAPTransport provider.</documentation>
-               </annotation>
-               <complexType>
-                       <simpleContent>
-                               <extension base="anySimpleType">
-                                       <attribute name="provider" type="conf:string" use="required"/>
-                                       <attribute name="option" type="conf:string" use="required"/>
-                               </extension>
-                       </simpleContent>
-               </complexType>
-       </element>
-       
+            <attribute name="id" type="unsignedInt" use="required"/>
+            <attribute name="name" type="conf:string" use="required"/>
+            <attribute name="port" type="unsignedInt"/>
+            <attribute name="sslport" type="unsignedInt"/>
+            <attribute name="scheme" type="conf:string"/>
+          </complexType>
+        </element>
+        <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+      </sequence>
+      <attribute name="normalizeRequest" type="boolean"/>
+      <attribute name="safeHeaderNames" type="boolean"/>
+      <anyAttribute namespace="##other" processContents="lax"/>
+    </complexType>
+  </element>
+
+  <element name="AccessControl" type="conf:UniOperatorType">
+    <annotation>
+      <documentation>
+        A simple example access policy language extension that supersedes Apache .htaccess
+      </documentation>
+    </annotation>
+  </element>
+  <element name="OR" type="conf:MultiOperatorType"/>
+  <element name="AND" type="conf:MultiOperatorType"/>
+  <element name="NOT" type="conf:UniOperatorType"/>
+  <complexType name="UniOperatorType">
+    <choice>
+      <element ref="conf:AND"/>
+      <element ref="conf:OR"/>
+      <element ref="conf:NOT"/>
+      <element ref="conf:Rule"/>
+      <element ref="conf:RuleRegex"/>
+    </choice>
+  </complexType>
+  <complexType name="MultiOperatorType">
+    <choice minOccurs="2" maxOccurs="unbounded">
+      <element ref="conf:AND"/>
+      <element ref="conf:OR"/>
+      <element ref="conf:NOT"/>
+      <element ref="conf:Rule"/>
+      <element ref="conf:RuleRegex"/>
+    </choice>
+  </complexType>
+  <element name="Rule">
+    <complexType>
+      <simpleContent>
+        <extension base="conf:listOfStrings">
+          <attribute name="require" type="conf:string" use="required"/>
+          <attribute name="list" type="boolean"/>
+        </extension>
+      </simpleContent>
+    </complexType>
+  </element>
+  <element name="RuleRegex">
+    <complexType>
+      <simpleContent>
+        <extension base="conf:string">
+          <attribute name="require" type="conf:string" use="required"/>
+          <attribute name="ignoreCase" type="boolean"/>
+        </extension>
+      </simpleContent>
+    </complexType>
+  </element>
+
+  <attributeGroup name="ContentSettings">
+    <attribute name="authType" type="conf:string"/>
+    <attribute name="requireSession" type="boolean"/>
+    <attribute name="requireSessionWith" type="conf:string"/>
+    <attribute name="exportAssertion" type="boolean"/>
+    <attribute name="redirectToSSL" type="unsignedInt"/>
+    <attribute name="entityID" type="anyURI"/>
+    <attribute name="discoveryURL" type="anyURI"/>
+    <attribute name="isPassive" type="boolean"/>
+    <attribute name="returnOnError" type="boolean"/>
+    <attribute name="forceAuthn" type="boolean"/>
+    <attribute name="authnContextClassRef" type="anyURI"/>
+    <attribute name="authnContextComparison" type="samlp:AuthnContextComparisonType"/>
+    <attribute name="NameIDFormat" type="anyURI"/>
+    <attribute name="SPNameQualifier" type="conf:string"/>
+    <attribute name="redirectErrors" type="anyURI"/>
+    <attribute name="sessionError" type="anyURI"/>
+    <attribute name="metadataError" type="anyURI"/>
+    <attribute name="accessError" type="anyURI"/>
+    <attribute name="sslError" type="anyURI"/>
+    <attribute name="target" type="anyURI"/>
+    <attribute name="acsIndex" type="unsignedShort"/>
+    <attribute name="REMOTE_ADDR" type="conf:string"/>
+    <anyAttribute namespace="##other" processContents="lax"/>
+  </attributeGroup>
+  <element name="AccessControlProvider" type="conf:PluggableType"/>
+  <element name="htaccess" type="conf:PluggableType"/>
+
+  <element name="RequestMap">
+    <annotation>
+      <documentation>
+        Built-in request mapping syntax, decomposes URLs into Host/Path/Path/...
+      </documentation>
+    </annotation>
+    <complexType>
+      <sequence>
+        <choice minOccurs="0">
+          <element ref="conf:htaccess"/>
+          <element ref="conf:AccessControl"/>
+          <element ref="conf:AccessControlProvider"/>
+        </choice>
+        <choice minOccurs="0" maxOccurs="unbounded">
+          <element ref="conf:Host"/>
+          <element ref="conf:HostRegex"/>
+        </choice>
+      </sequence>
+      <attribute name="applicationId" type="conf:string" fixed="default"/>
+      <attributeGroup ref="conf:ContentSettings"/>
+    </complexType>
+  </element>
+
+  <element name="Host">
+    <complexType>
+      <sequence>
+        <choice minOccurs="0">
+          <element ref="conf:htaccess"/>
+          <element ref="conf:AccessControl"/>
+          <element ref="conf:AccessControlProvider"/>
+        </choice>
+        <choice minOccurs="0" maxOccurs="unbounded">
+          <element ref="conf:Path"/>
+          <element ref="conf:PathRegex"/>
+          <element ref="conf:Query"/>
+        </choice>
+      </sequence>
+      <attribute name="scheme">
+        <simpleType>
+          <restriction base="conf:string">
+            <enumeration value="http"/>
+            <enumeration value="https"/>
+            <enumeration value="ftp"/>
+            <enumeration value="ldap"/>
+            <enumeration value="ldaps"/>
+          </restriction>
+        </simpleType>
+      </attribute>
+      <attribute name="name" type="conf:string" use="required"/>
+      <attribute name="port" type="unsignedInt"/>
+      <attribute name="applicationId" type="conf:string"/>
+      <attributeGroup ref="conf:ContentSettings"/>
+    </complexType>
+  </element>
+
+  <element name="HostRegex">
+    <complexType>
+      <sequence>
+        <choice minOccurs="0">
+          <element ref="conf:htaccess"/>
+          <element ref="conf:AccessControl"/>
+          <element ref="conf:AccessControlProvider"/>
+        </choice>
+        <choice minOccurs="0" maxOccurs="unbounded">
+          <element ref="conf:Path"/>
+          <element ref="conf:PathRegex"/>
+          <element ref="conf:Query"/>
+        </choice>
+      </sequence>
+      <attribute name="regex" type="conf:string" use="required"/>
+      <attribute name="ignoreCase" type="boolean"/>
+      <attribute name="applicationId" type="conf:string"/>
+      <attributeGroup ref="conf:ContentSettings"/>
+    </complexType>
+  </element>
+
+  <element name="Path">
+    <complexType>
+      <sequence>
+        <choice minOccurs="0">
+          <element ref="conf:htaccess"/>
+          <element ref="conf:AccessControl"/>
+          <element ref="conf:AccessControlProvider"/>
+        </choice>
+        <choice minOccurs="0" maxOccurs="unbounded">
+          <element ref="conf:Path"/>
+          <element ref="conf:PathRegex"/>
+          <element ref="conf:Query"/>
+        </choice>
+      </sequence>
+      <attribute name="name" type="conf:string" use="required"/>
+      <attribute name="applicationId" type="conf:string"/>
+      <attributeGroup ref="conf:ContentSettings"/>
+    </complexType>
+  </element>
+
+  <element name="PathRegex">
+    <complexType>
+      <sequence>
+        <choice minOccurs="0">
+          <element ref="conf:htaccess"/>
+          <element ref="conf:AccessControl"/>
+          <element ref="conf:AccessControlProvider"/>
+        </choice>
+        <element ref="conf:Query" minOccurs="0" maxOccurs="unbounded"/>
+      </sequence>
+      <attribute name="regex" type="conf:string" use="required"/>
+      <attribute name="ignoreCase" type="boolean"/>
+      <attribute name="applicationId" type="conf:string"/>
+      <attributeGroup ref="conf:ContentSettings"/>
+    </complexType>
+  </element>
+
+  <element name="Query">
+    <complexType>
+      <sequence>
+        <choice minOccurs="0">
+          <element ref="conf:htaccess"/>
+          <element ref="conf:AccessControl"/>
+          <element ref="conf:AccessControlProvider"/>
+        </choice>
+        <element ref="conf:Query" minOccurs="0" maxOccurs="unbounded"/>
+      </sequence>
+      <attribute name="name" type="conf:string" use="required"/>
+      <attribute name="regex" type="conf:string"/>
+      <attributeGroup ref="conf:ContentSettings"/>
+    </complexType>
+  </element>
+
+  <element name="ApplicationDefaults">
+    <annotation>
+      <documentation>Container for default settings and application-specific overrides</documentation>
+    </annotation>
+    <complexType>
+      <sequence>
+        <element ref="conf:Sessions"/>
+        <element ref="conf:Errors" minOccurs="0"/>
+        <element ref="conf:RelyingParty" minOccurs="0" maxOccurs="unbounded"/>
+        <element ref="conf:Notify" minOccurs="0" maxOccurs="unbounded"/>
+        <element ref="saml:Audience" minOccurs="0" maxOccurs="unbounded"/>
+        <element name="MetadataProvider" type="conf:PluggableType"/>
+        <element name="TrustEngine" type="conf:PluggableType"/>
+        <element name="AttributeExtractor" type="conf:PluggableType" minOccurs="0"/>
+        <element name="AttributeResolver" type="conf:PluggableType" minOccurs="0"/>
+        <element name="AttributeFilter" type="conf:PluggableType" minOccurs="0"/>
+        <element name="CredentialResolver" type="conf:PluggableType" minOccurs="0"/>
+        <element ref="conf:ApplicationOverride" minOccurs="0" maxOccurs="unbounded"/>
+      </sequence>
+      <attribute name="id" type="conf:string" fixed="default"/>
+      <attribute name="entityID" type="anyURI" use="required"/>
+      <attribute name="policyId" type="conf:string" use="required"/>
+      <attributeGroup ref="conf:ApplicationGroup"/>
+      <attributeGroup ref="conf:RelyingPartyGroup"/>
+      <anyAttribute namespace="##other" processContents="lax"/>
+    </complexType>
+  </element>
+
+  <element name="ApplicationOverride">
+    <annotation>
+      <documentation>Container for application-specific overrides</documentation>
+    </annotation>
+    <complexType>
+      <sequence>
+        <element ref="conf:Sessions" minOccurs="0"/>
+        <element ref="conf:Errors" minOccurs="0"/>
+        <element ref="conf:RelyingParty" minOccurs="0" maxOccurs="unbounded"/>
+        <element ref="conf:Notify" minOccurs="0" maxOccurs="unbounded"/>
+        <element ref="saml:Audience" minOccurs="0" maxOccurs="unbounded"/>
+        <element name="MetadataProvider" type="conf:PluggableType" minOccurs="0"/>
+        <element name="TrustEngine" type="conf:PluggableType" minOccurs="0"/>
+        <element name="AttributeExtractor" type="conf:PluggableType" minOccurs="0"/>
+        <element name="AttributeResolver" type="conf:PluggableType" minOccurs="0"/>
+        <element name="AttributeFilter" type="conf:PluggableType" minOccurs="0"/>
+        <element name="CredentialResolver" type="conf:PluggableType" minOccurs="0"/>
+      </sequence>
+      <attribute name="id" type="conf:string" use="required"/>
+      <attribute name="entityID" type="anyURI"/>
+      <attribute name="policyId" type="conf:string"/>
+      <attributeGroup ref="conf:ApplicationGroup"/>
+      <attributeGroup ref="conf:RelyingPartyGroup"/>
+      <anyAttribute namespace="##other" processContents="lax"/>
+    </complexType>
+  </element>
+
+  <attributeGroup name="ApplicationGroup">
+    <attribute name="homeURL" type="anyURI"/>
+    <attribute name="REMOTE_USER" type="conf:listOfStrings"/>
+    <attribute name="unsetHeaders" type="conf:listOfStrings"/>
+    <attribute name="metadataAttributePrefix" type="conf:string"/>
+    <attribute name="attributePrefix" type="conf:string"/>
+  </attributeGroup>
+
+  <attributeGroup name="RelyingPartyGroup">
+    <attribute name="authType" type="conf:string"/>
+    <attribute name="authUsername" type="conf:string"/>
+    <attribute name="authPassword" type="conf:string"/>
+    <attribute name="signing" type="conf:bindingBoolean"/>
+    <attribute name="signingAlg" type="anyURI"/>
+    <attribute name="digestAlg" type="anyURI"/>
+    <attribute name="encryption" type="conf:bindingBoolean"/>
+    <attribute name="encryptionAlg" type="anyURI"/>
+    <attribute name="keyName" type="conf:string"/>
+    <attribute name="artifactEndpointIndex" type="unsignedShort"/>
+    <attribute name="chunkedEncoding" type="boolean"/>
+    <attribute name="connectTimeout" type="unsignedShort"/>
+    <attribute name="timeout" type="unsignedShort"/>
+    <attribute name="requireConfidentiality" type="boolean"/>
+    <attribute name="requireTransportAuth" type="boolean"/>
+    <attribute name="requireSignedAssertions" type="boolean"/>
+  </attributeGroup>
+
+  <element name="Sessions">
+    <annotation>
+      <documentation>Container for specifying protocol handlers and session policy</documentation>
+    </annotation>
+    <complexType>
+      <choice minOccurs="0" maxOccurs="unbounded">
+        <element ref="conf:SessionInitiator"/>
+        <element ref="conf:LogoutInitiator"/>
+        <element ref="md:AssertionConsumerService"/>
+        <element ref="md:ArtifactResolutionService"/>
+        <element ref="md:SingleLogoutService"/>
+        <element ref="md:ManageNameIDService"/>
+        <element name="Handler">
+          <complexType>
+            <complexContent>
+              <restriction base="conf:PluggableType">
+                <sequence>
+                  <any namespace="##any" processContents="skip" minOccurs="0" maxOccurs="unbounded"/>
+                </sequence>
+                <attribute name="Location" type="anyURI" use="required"/>
+                <attribute name="acl" type="conf:listOfStrings"/>
+                <anyAttribute namespace="##any" processContents="skip"/>
+              </restriction>
+            </complexContent>
+          </complexType>
+        </element>
+      </choice>
+      <attribute name="handlerURL" type="anyURI" use="required"/>
+      <attribute name="handlerSSL" type="boolean"/>
+      <attribute name="exportLocation" type="conf:string"/>
+      <attribute name="exportACL" type="conf:listOfStrings"/>
+      <attribute name="cookieName" type="conf:string"/>
+      <attribute name="cookieProps" type="conf:string"/>
+      <attribute name="cookieLifetime" type="unsignedInt"/>
+      <attribute name="idpHistory" type="boolean"/>
+      <attribute name="idpHistoryDays" type="unsignedInt"/>
+      <attribute name="lifetime" type="unsignedInt"/>
+      <attribute name="timeout" type="unsignedInt"/>
+      <attribute name="maxTimeSinceAuthn" type="unsignedInt"/>
+      <attribute name="checkAddress" type="boolean"/>
+      <attribute name="consistentAddress" type="boolean"/>
+      <attribute name="postData" type="conf:string"/>
+      <attribute name="postLimit" type="positiveInteger"/>
+      <attribute name="postTemplate" type="conf:string"/>
+      <attribute name="postExpire" type="boolean"/>
+      <anyAttribute namespace="##other" processContents="lax"/>
+    </complexType>
+  </element>
+
+  <attribute name="policyId" type="conf:string">
+    <annotation>
+      <documentation>Used to reference Policy elements from profile endpoints.</documentation>
+    </annotation>
+  </attribute>
+
+  <element name="SessionInitiator">
+    <annotation>
+      <documentation>Used to specify handlers that can issue AuthnRequests or perform discovery</documentation>
+    </annotation>
+    <complexType>
+      <complexContent>
+        <restriction base="conf:PluggableType">
+          <sequence>
+            <any namespace="##any" processContents="skip" minOccurs="0" maxOccurs="unbounded"/>
+          </sequence>
+          <attribute name="Location" type="anyURI"/>
+          <attribute name="id" type="conf:string"/>
+          <attribute name="isDefault" type="boolean"/>
+          <attribute name="relayState" type="conf:string"/>
+          <attribute name="entityIDParam" type="conf:string"/>
+          <attribute name="entityID" type="anyURI"/>
+          <attribute name="URL" type="anyURI"/>
+          <attribute name="outgoingBindings" type="conf:listOfURIs"/>
+          <attribute name="template" type="anyURI"/>
+          <attribute name="postArtifact" type="boolean"/>
+          <attribute name="acsByIndex" type="boolean"/>
+          <attribute name="acsIndex" type="unsignedShort"/>
+          <attribute name="defaultACSIndex" type="unsignedShort"/>  <!-- deprecated -->
+          <attribute name="isPassive" type="boolean"/>
+          <attribute name="returnOnError" type="boolean"/>
+          <attribute name="forceAuthn" type="boolean"/>
+          <attribute name="authnContextClassRef" type="anyURI"/>
+          <attribute name="authnContextComparison" type="samlp:AuthnContextComparisonType"/>
+          <attribute name="NameIDFormat" type="anyURI"/>
+          <attribute name="SPNameQualifier" type="conf:string"/>
+          <attribute name="requestDelegation" type="boolean"/>
+          <attribute name="target" type="anyURI"/>
+          <anyAttribute namespace="##any" processContents="skip"/>
+        </restriction>
+      </complexContent>
+    </complexType>
+  </element>
+
+  <element name="LogoutInitiator">
+    <annotation>
+      <documentation>Used to specify handlers that can issue LogoutRequests</documentation>
+    </annotation>
+    <complexType>
+      <complexContent>
+        <restriction base="conf:PluggableType">
+          <sequence>
+            <any namespace="##any" processContents="skip" minOccurs="0" maxOccurs="unbounded"/>
+          </sequence>
+          <attribute name="Location" type="anyURI"/>
+          <attribute name="relayState" type="conf:string"/>
+          <attribute name="outgoingBindings" type="conf:listOfURIs"/>
+          <attribute name="template" type="anyURI"/>
+          <attribute name="postArtifact" type="boolean"/>
+          <anyAttribute namespace="##any" processContents="skip"/>
+        </restriction>
+      </complexContent>
+    </complexType>
+  </element>
+
+  <element name="Errors">
+    <annotation>
+      <documentation>Container for error templates and associated details</documentation>
+    </annotation>
+    <complexType>
+      <sequence>
+        <any namespace="##any" processContents="skip" minOccurs="0" maxOccurs="unbounded"/>
+      </sequence>
+      <attribute name="redirectErrors" type="anyURI"/>
+      <attribute name="session" type="anyURI"/>
+      <attribute name="metadata" type="anyURI"/>
+      <attribute name="access" type="anyURI"/>
+      <attribute name="ssl" type="anyURI"/>
+      <attribute name="localLogout" type="anyURI"/>
+      <attribute name="globalLogout" type="anyURI"/>
+      <attribute name="partialLogout" type="anyURI"/>
+      <attribute name="supportContact" type="conf:string"/>
+      <attribute name="logoLocation" type="anyURI"/>
+      <attribute name="styleSheet" type="anyURI"/>
+      <anyAttribute namespace="##any" processContents="skip"/>
+    </complexType>
+  </element>
+
+  <element name="RelyingParty">
+    <annotation>
+      <documentation>Container for specifying settings to use with particular peers</documentation>
+    </annotation>
+    <complexType>
+      <sequence/>
+      <attribute name="Name" type="conf:string" use="required"/>
+      <attributeGroup ref="conf:RelyingPartyGroup"/>
+      <attribute name="entityID" type="anyURI"/>
+      <anyAttribute namespace="##other" processContents="lax"/>
+    </complexType>
+  </element>
+
+  <element name="Notify">
+    <annotation>
+      <documentation>Used to specify locations to receive application notifications</documentation>
+    </annotation>
+    <complexType>
+      <sequence/>
+      <attribute name="Channel" use="required">
+        <simpleType>
+          <restriction base="string">
+            <enumeration value="front"/>
+            <enumeration value="back"/>
+          </restriction>
+        </simpleType>
+      </attribute>
+      <attribute name="Location" type="anyURI" use="required"/>
+      <anyAttribute namespace="##any" processContents="skip"/>
+    </complexType>
+  </element>
+
+  <element name="SecurityPolicies">
+    <annotation>
+      <documentation>Container for specifying sets of policy rules to apply to incoming messages</documentation>
+    </annotation>
+    <complexType>
+      <sequence>
+        <element name="Policy" minOccurs="1" maxOccurs="unbounded">
+          <annotation>
+            <documentation>Specifies a set of SecurityPolicyRule plugins</documentation>
+          </annotation>
+          <complexType>
+            <choice>
+              <element name="Rule" type="conf:PluggableType" minOccurs="1" maxOccurs="unbounded"/>
+              <element name="PolicyRule" type="conf:PluggableType" minOccurs="1" maxOccurs="unbounded"/>
+            </choice>
+            <attribute name="id" type="conf:string" use="required"/>
+            <attribute name="validate" type="boolean"/>
+            <anyAttribute namespace="##any" processContents="skip"/>
+          </complexType>
+        </element>
+        <choice minOccurs="0">
+          <element name="AlgorithmWhitelist" type="conf:listOfURIs"/>
+          <element name="AlgorithmBlacklist" type="conf:listOfURIs"/>
+        </choice>
+      </sequence>
+    </complexType>
+  </element>
+
+  <element name="TransportOption">
+    <annotation>
+      <documentation>Implementation-specific option to pass to SOAPTransport provider.</documentation>
+    </annotation>
+    <complexType>
+      <simpleContent>
+        <extension base="anySimpleType">
+          <attribute name="provider" type="conf:string" use="required"/>
+          <attribute name="option" type="conf:string" use="required"/>
+        </extension>
+      </simpleContent>
+    </complexType>
+  </element>
+
 </schema>

diff --git a/shibsp/AbstractSPRequest.cpp b/shibsp/AbstractSPRequest.cpp
index 249db33..eb0c320 100644 (file)
--- a/shibsp/AbstractSPRequest.cpp
+++ b/shibsp/AbstractSPRequest.cpp
@@ -1,5 +1,5 @@
 /*
- *  Copyright 2001-2009 Internet2
+ *  Copyright 2001-2010 Internet2
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -229,6 +229,21 @@ const char* AbstractSPRequest::getHandlerURL(const char* resource) const
     if (!m_handlerURL.empty() && resource && !strcmp(getRequestURL(),resource))
         return m_handlerURL.c_str();
 
+    string stackresource;
+    if (resource && *resource == '/') {
+        // Compute a URL to the root of the site and point resource at constructed string.
+        int port = getPort();
+        const char* scheme = getScheme();
+        stackresource = string(scheme) + "://" + getHostname();
+        if ((!strcmp(scheme,"http") && port!=80) || (!strcmp(scheme,"https") && port!=443)) {
+            ostringstream portstr;
+            portstr << port;
+            stackresource += ":" + portstr.str();
+        }
+        stackresource += resource;
+        resource = stackresource.c_str();
+    }
+
 #ifdef HAVE_STRCASECMP
     if (!resource || (strncasecmp(resource,"http://",7) && strncasecmp(resource,"https://",8)))
 #else

diff --git a/shibsp/handler/impl/AbstractHandler.cpp b/shibsp/handler/impl/AbstractHandler.cpp
index aa86b54..6e1a0ba 100644 (file)
--- a/shibsp/handler/impl/AbstractHandler.cpp
+++ b/shibsp/handler/impl/AbstractHandler.cpp
@@ -80,6 +80,23 @@ namespace shibsp {
     SHIBSP_DLLLOCAL PluginManager< Handler,string,pair<const DOMElement*,const char*> >::Factory StatusHandlerFactory;
     SHIBSP_DLLLOCAL PluginManager< Handler,string,pair<const DOMElement*,const char*> >::Factory SessionHandlerFactory;
 
+    void SHIBSP_DLLLOCAL absolutize(const HTTPRequest& request, string& url) {
+        if (url.empty())
+            url = '/';
+        if (url[0] == '/') {
+            // Compute a URL to the root of the site.
+            int port = request.getPort();
+            const char* scheme = request.getScheme();
+            string root = string(scheme) + "://" + request.getHostname();
+            if ((!strcmp(scheme,"http") && port!=80) || (!strcmp(scheme,"https") && port!=443)) {
+                ostringstream portstr;
+                portstr << port;
+                root += ":" + portstr.str();
+            }
+            url = root + url;
+        }
+    }
+
     void SHIBSP_DLLLOCAL generateRandomHex(std::string& buf, unsigned int len) {
         static char DIGITS[] = {'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'};
         int r;
@@ -95,6 +112,8 @@ namespace shibsp {
             buf += (DIGITS[0x0F & b2]);
         }
     }
+
+
 };
 
 void SHIBSP_API shibsp::registerHandlers()
@@ -234,9 +253,10 @@ void Handler::recoverRelayState(
                     StorageService* storage = conf.getServiceProvider()->getStorageService(ssid.c_str());
                     if (storage) {
                         ssid = key;
-                        if (storage->readString("RelayState",ssid.c_str(),&relayState)>0) {
+                        if (storage->readString("RelayState",ssid.c_str(),&relayState) > 0) {
                             if (clear)
                                 storage->deleteString("RelayState",ssid.c_str());
+                            absolutize(request, relayState);
                             return;
                         }
                         else
@@ -263,6 +283,7 @@ void Handler::recoverRelayState(
                     }
                     else {
                         relayState = out.string();
+                        absolutize(request, relayState);
                         return;
                     }
                 }
@@ -290,6 +311,7 @@ void Handler::recoverRelayState(
                     exp += "; expires=Mon, 01 Jan 2001 00:00:00 GMT";
                     response.setCookie(relay_cookie.first.c_str(), exp.c_str());
                 }
+                absolutize(request, relayState);
                 return;
             }
         }
@@ -301,20 +323,12 @@ void Handler::recoverRelayState(
     if (relayState.empty() || relayState == "default" || relayState == "cookie") {
         pair<bool,const char*> homeURL=application.getString("homeURL");
         if (homeURL.first)
-            relayState=homeURL.second;
-        else {
-            // Compute a URL to the root of the site.
-            int port = request.getPort();
-            const char* scheme = request.getScheme();
-            relayState = string(scheme) + "://" + request.getHostname();
-            if ((!strcmp(scheme,"http") && port!=80) || (!strcmp(scheme,"https") && port!=443)) {
-                ostringstream portstr;
-                portstr << port;
-                relayState += ":" + portstr.str();
-            }
-            relayState += '/';
-        }
+            relayState = homeURL.second;
+        else
+            relayState = '/';
     }
+
+    absolutize(request, relayState);
 }
 
 AbstractHandler::AbstractHandler(

diff --git a/shibsp/handler/impl/FormSessionInitiator.cpp b/shibsp/handler/impl/FormSessionInitiator.cpp
index f419280..4dea39e 100644 (file)
--- a/shibsp/handler/impl/FormSessionInitiator.cpp
+++ b/shibsp/handler/impl/FormSessionInitiator.cpp
@@ -77,33 +77,39 @@ pair<bool,long> FormSessionInitiator::run(SPRequest& request, string& entityID,
         return make_pair(false,0L);
 
     string target;
-    const char* option;
+    pair<bool,const char*> prop;
     const Application& app=request.getApplication();
 
     if (isHandler) {
-        option = request.getParameter("target");
-        if (option)
-            target = option;
+        prop = getString("target", request);
+        if (prop.first)
+            target = prop.second;
         recoverRelayState(app, request, request, target, false);
     }
     else {
-        // We're running as a "virtual handler" from within the filter.
-        // The target resource is the current one.
-        target=request.getRequestURL();
+        // Check for a hardwired target value in the map or handler.
+        prop = getString("target", request, HANDLER_PROPERTY_MAP|HANDLER_PROPERTY_FIXED);
+        if (prop.first)
+            target = prop.second;
+        else
+            target = request.getRequestURL();
     }
 
     // Compute the return URL. We start with a self-referential link.
     string returnURL=request.getHandlerURL(target.c_str());
     pair<bool,const char*> thisloc = getString("Location");
-    if (thisloc.first) returnURL += thisloc.second;
+    if (thisloc.first)
+        returnURL += thisloc.second;
 
     if (isHandler) {
         // We may already have RelayState set if we looped back here,
-        // but just in case target is a resource, we reset it back.
-        option = request.getParameter("target");
-        if (option)
-            target = option;
+        // but we've turned it back into a resource by this point, so if there's
+        // a target on the URL, reset to that value.
+        prop.second = request.getParameter("target");
+        if (prop.second && *prop.second)
+            target = prop.second;
     }
+
     preserveRelayState(app, request, target);
 
     request.setContentType("text/html");

diff --git a/shibsp/handler/impl/SAML2SessionInitiator.cpp b/shibsp/handler/impl/SAML2SessionInitiator.cpp
index 02e2550..30e303c 100644 (file)
--- a/shibsp/handler/impl/SAML2SessionInitiator.cpp
+++ b/shibsp/handler/impl/SAML2SessionInitiator.cpp
@@ -235,9 +235,8 @@ pair<bool,long> SAML2SessionInitiator::run(SPRequest& request, string& entityID,
         return make_pair(false,0L);
 
     string target;
-    string postData;
+    pair<bool,const char*> prop;
     const Handler* ACS=NULL;
-    const char* option;
     pair<bool,const char*> acClass, acComp, nidFormat, spQual;
     bool isPassive=false,forceAuthn=false;
     const Application& app=request.getApplication();
@@ -246,9 +245,9 @@ pair<bool,long> SAML2SessionInitiator::run(SPRequest& request, string& entityID,
     pair<bool,bool> acsByIndex = ECP ? make_pair(true,false) : getBool("acsByIndex");
 
     if (isHandler) {
-        option=request.getParameter("acsIndex");
-        if (option) {
-            ACS = app.getAssertionConsumerServiceByIndex(atoi(option));
+        prop.second = request.getParameter("acsIndex");
+        if (prop.second && *prop.second) {
+            ACS = app.getAssertionConsumerServiceByIndex(atoi(prop.second));
             if (!ACS)
                 request.log(SPRequest::SPWarn, "invalid acsIndex specified in request, using acsIndex property");
             else if (ECP && !XMLString::equals(ACS->getString("Binding").second, samlconstants::SAML20_BINDING_PAOS)) {
@@ -257,82 +256,47 @@ pair<bool,long> SAML2SessionInitiator::run(SPRequest& request, string& entityID,
             }
         }
 
-        option = request.getParameter("target");
-        if (option)
-            target = option;
+        prop = getString("target", request);
+        if (prop.first)
+            target = prop.second;
 
         // Always need to recover target URL to compute handler below.
-        recoverRelayState(request.getApplication(), request, request, target, false);
+        recoverRelayState(app, request, request, target, false);
+
+        pair<bool,bool> flag = getBool("isPassive", request);
+        isPassive = (flag.first && flag.second);
 
-        pair<bool,bool> flag;
-        option = request.getParameter("isPassive");
-        if (option) {
-            isPassive = (*option=='1' || *option=='t');
-        }
-        else {
-            flag = getBool("isPassive");
-            isPassive = (flag.first && flag.second);
-        }
         if (!isPassive) {
-            option = request.getParameter("forceAuthn");
-            if (option) {
-                forceAuthn = (*option=='1' || *option=='t');
-            }
-            else {
-                flag = getBool("forceAuthn");
-                forceAuthn = (flag.first && flag.second);
-            }
+            flag = getBool("forceAuthn", request);
+            forceAuthn = (flag.first && flag.second);
         }
 
-        if (acClass.second = request.getParameter("authnContextClassRef"))
-            acClass.first = true;
-        else
-            acClass = getString("authnContextClassRef");
-
-        if (acComp.second = request.getParameter("authnContextComparison"))
-            acComp.first = true;
-        else
-            acComp = getString("authnContextComparison");
-
-        if (nidFormat.second = request.getParameter("NameIDFormat"))
-            nidFormat.first = true;
-        else
-            nidFormat = getString("NameIDFormat");
-
-        if (spQual.second = request.getParameter("SPNameQualifier"))
-            spQual.first = true;
-        else
-            spQual = getString("SPNameQualifier");
+        // Populate via parameter, map, or property.
+        acClass = getString("authnContextClassRef", request);
+        acComp = getString("authnContextComparison", request);
+        nidFormat = getString("NameIDFormat", request);
+        spQual = getString("SPNameQualifier", request);
     }
     else {
-        // We're running as a "virtual handler" from within the filter.
-        // The target resource is the current one and everything else is defaulted.
-        target=request.getRequestURL();
-        const PropertySet* settings = request.getRequestSettings().first;
-
-        pair<bool,bool> flag = settings->getBool("isPassive");
-        if (!flag.first)
-            flag = getBool("isPassive");
+        // Check for a hardwired target value in the map or handler.
+        prop = getString("target", request, HANDLER_PROPERTY_MAP|HANDLER_PROPERTY_FIXED);
+        if (prop.first)
+            target = prop.second;
+        else
+            target = request.getRequestURL();
+
+        pair<bool,bool> flag = getBool("isPassive", request, HANDLER_PROPERTY_MAP|HANDLER_PROPERTY_FIXED);
         isPassive = flag.first && flag.second;
         if (!isPassive) {
-            flag = settings->getBool("forceAuthn");
-            if (!flag.first)
-                flag = getBool("forceAuthn");
+            flag = getBool("forceAuthn", request, HANDLER_PROPERTY_MAP|HANDLER_PROPERTY_FIXED);
             forceAuthn = flag.first && flag.second;
         }
 
-        acClass = settings->getString("authnContextClassRef");
-        if (!acClass.first)
-            acClass = getString("authnContextClassRef");
-        acComp = settings->getString("authnContextComparison");
-        if (!acComp.first)
-            acComp = getString("authnContextComparison");
-        nidFormat = settings->getString("NameIDFormat");
-        if (!nidFormat.first)
-            nidFormat = getString("NameIDFormat");
-        spQual = settings->getString("SPNameQualifier");
-        if (!spQual.first)
-            spQual = getString("SPNameQualifier");
+        // Populate via map or property.
+        acClass = getString("authnContextClassRef", request, HANDLER_PROPERTY_MAP|HANDLER_PROPERTY_FIXED);
+        acComp = getString("authnContextComparison", request, HANDLER_PROPERTY_MAP|HANDLER_PROPERTY_FIXED);
+        nidFormat = getString("NameIDFormat", request, HANDLER_PROPERTY_MAP|HANDLER_PROPERTY_FIXED);
+        spQual = getString("SPNameQualifier", request, HANDLER_PROPERTY_MAP|HANDLER_PROPERTY_FIXED);
     }
 
     if (ECP)
@@ -348,7 +312,7 @@ pair<bool,long> SAML2SessionInitiator::run(SPRequest& request, string& entityID,
             ACS = handlers.front();
         }
         else {
-            pair<bool,unsigned int> index = getUnsignedInt("acsIndex");
+            pair<bool,unsigned int> index = getUnsignedInt("acsIndex", request, HANDLER_PROPERTY_MAP|HANDLER_PROPERTY_FIXED);
             if (index.first) {
                 ACS = app.getAssertionConsumerServiceByIndex(index.second);
                 if (!ACS)
@@ -381,7 +345,7 @@ pair<bool,long> SAML2SessionInitiator::run(SPRequest& request, string& entityID,
     // to express the ACS, by index or value, and if by value, where.
     // We have to compute the handlerURL no matter what, because we may need to
     // flip the index to an SSL-version.
-    string ACSloc=request.getHandlerURL(target.c_str());
+    string ACSloc = request.getHandlerURL(target.c_str());
 
     SPConfig& conf = SPConfig::getConfig();
     if (conf.isEnabled(SPConfig::OutOfProcess)) {
@@ -389,11 +353,11 @@ pair<bool,long> SAML2SessionInitiator::run(SPRequest& request, string& entityID,
             // Pass by Index.
             if (isHandler) {
                 // We may already have RelayState set if we looped back here,
-                // but just in case target is a resource, we reset it back.
-                target.erase();
-                option = request.getParameter("target");
-                if (option)
-                    target = option;
+                // but we've turned it back into a resource by this point, so if there's
+                // a target on the URL, reset to that value.
+                prop.second = request.getParameter("target");
+                if (prop.second && *prop.second)
+                    target = prop.second;
             }
 
             // Determine index to use.
@@ -425,16 +389,17 @@ pair<bool,long> SAML2SessionInitiator::run(SPRequest& request, string& entityID,
 
         // Since we're not passing by index, we need to fully compute the return URL and binding.
         // Compute the ACS URL. We add the ACS location to the base handlerURL.
-        pair<bool,const char*> loc=ACS ? ACS->getString("Location") : pair<bool,const char*>(false,NULL);
-        if (loc.first) ACSloc+=loc.second;
+        prop = ACS ? ACS->getString("Location") : pair<bool,const char*>(false,NULL);
+        if (prop.first)
+            ACSloc += prop.second;
 
         if (isHandler) {
             // We may already have RelayState set if we looped back here,
-            // but just in case target is a resource, we reset it back.
-            target.erase();
-            option = request.getParameter("target");
-            if (option)
-                target = option;
+            // but we've turned it back into a resource by this point, so if there's
+            // a target on the URL, reset to that value.
+            prop.second = request.getParameter("target");
+            if (prop.second && *prop.second)
+                target = prop.second;
         }
 
         return doRequest(
@@ -489,24 +454,25 @@ pair<bool,long> SAML2SessionInitiator::run(SPRequest& request, string& entityID,
     else {
         // Since we're not passing by index, we need to fully compute the return URL and binding.
         // Compute the ACS URL. We add the ACS location to the base handlerURL.
-        pair<bool,const char*> loc=ACS ? ACS->getString("Location") : pair<bool,const char*>(false,NULL);
-        if (loc.first) ACSloc+=loc.second;
+        prop = ACS ? ACS->getString("Location") : pair<bool,const char*>(false,NULL);
+        if (prop.first)
+            ACSloc += prop.second;
         in.addmember("acsLocation").string(ACSloc.c_str());
         if (ACS) {
-            loc = ACS->getString("Binding");
-            in.addmember("acsBinding").string(loc.second);
-            if (XMLString::equals(loc.second, samlconstants::SAML20_BINDING_HTTP_ARTIFACT))
+            prop = ACS->getString("Binding");
+            in.addmember("acsBinding").string(prop.second);
+            if (XMLString::equals(prop.second, samlconstants::SAML20_BINDING_HTTP_ARTIFACT))
                 in.addmember("artifact").integer(1);
         }
     }
 
     if (isHandler) {
         // We may already have RelayState set if we looped back here,
-        // but just in case target is a resource, we reset it back.
-        target.erase();
-        option = request.getParameter("target");
-        if (option)
-            target = option;
+        // but we've turned it back into a resource by this point, so if there's
+        // a target on the URL, reset to that value.
+        prop.second = request.getParameter("target");
+        if (prop.second && *prop.second)
+            target = prop.second;
     }
     if (!target.empty())
         in.addmember("RelayState").unsafe_string(target.c_str());

diff --git a/shibsp/handler/impl/SAMLDSSessionInitiator.cpp b/shibsp/handler/impl/SAMLDSSessionInitiator.cpp
index d95c05e..10de535 100644 (file)
--- a/shibsp/handler/impl/SAMLDSSessionInitiator.cpp
+++ b/shibsp/handler/impl/SAMLDSSessionInitiator.cpp
@@ -150,45 +150,42 @@ pair<bool,long> SAMLDSSessionInitiator::run(SPRequest& request, string& entityID
         return make_pair(false,0L);
 
     string target;
-    const char* option;
+    pair<bool,const char*> prop;
     bool isPassive=false;
     const Application& app=request.getApplication();
     pair<bool,const char*> discoveryURL = pair<bool,const char*>(true, m_url);
 
     if (isHandler) {
-        option = request.getParameter("SAMLDS");
-        if (option && !strcmp(option,"1")) {
+        prop.second = request.getParameter("SAMLDS");
+        if (prop.second && !strcmp(prop.second,"1")) {
             saml2md::MetadataException ex("No identity provider was selected by user.");
             ex.addProperty("statusCode", "urn:oasis:names:tc:SAML:2.0:status:Requester");
             ex.addProperty("statusCode2", "urn:oasis:names:tc:SAML:2.0:status:NoAvailableIDP");
             ex.raise();
         }
 
-        option = request.getParameter("target");
-        if (option)
-            target = option;
-        recoverRelayState(request.getApplication(), request, request, target, false);
-
-        option = request.getParameter("isPassive");
-        if (option)
-            isPassive = (*option=='t' || *option=='1');
-        else {
-            pair<bool,bool> passopt = getBool("isPassive");
-            isPassive = passopt.first && passopt.second;
-        }
+        prop = getString("target", request);
+        if (prop.first)
+            target = prop.second;
+
+        recoverRelayState(app, request, request, target, false);
+
+        pair<bool,bool> passopt = getBool("isPassive", request);
+        isPassive = passopt.first && passopt.second;
 
-        option = request.getParameter("discoveryURL");
-        if (option)
-            discoveryURL.second = option;
+        prop.second = request.getParameter("discoveryURL");
+        if (prop.second && *prop.second)
+            discoveryURL.second = prop.second;
     }
     else {
-        // We're running as a "virtual handler" from within the filter.
-        // The target resource is the current one and everything else is
-        // defaulted or set by content policy.
-        target=request.getRequestURL();
-        pair<bool,bool> passopt = request.getRequestSettings().first->getBool("isPassive");
-        if (!passopt.first)
-            passopt = getBool("isPassive");
+        // Check for a hardwired target value in the map or handler.
+        prop = getString("target", request, HANDLER_PROPERTY_MAP|HANDLER_PROPERTY_FIXED);
+        if (prop.first)
+            target = prop.second;
+        else
+            target = request.getRequestURL();
+
+        pair<bool,bool> passopt = getBool("isPassive", request, HANDLER_PROPERTY_MAP|HANDLER_PROPERTY_FIXED);
         isPassive = passopt.first && passopt.second;
         discoveryURL = request.getRequestSettings().first->getString("discoveryURL");
     }
@@ -198,21 +195,23 @@ pair<bool,long> SAMLDSSessionInitiator::run(SPRequest& request, string& entityID
     m_log.debug("sending request to SAMLDS (%s)", discoveryURL.second);
 
     // Compute the return URL. We start with a self-referential link.
-    string returnURL=request.getHandlerURL(target.c_str());
-    pair<bool,const char*> thisloc = getString("Location");
-    if (thisloc.first) returnURL += thisloc.second;
+    string returnURL = request.getHandlerURL(target.c_str());
+    prop = getString("Location");
+    if (prop.first)
+        returnURL += prop.second;
     returnURL += "?SAMLDS=1"; // signals us not to loop if we get no answer back
 
     if (isHandler) {
         // We may already have RelayState set if we looped back here,
-        // but just in case target is a resource, we reset it back.
-        option = request.getParameter("target");
-        if (option)
-            target = option;
+        // but we've turned it back into a resource by this point, so if there's
+        // a target on the URL, reset to that value.
+        prop.second = request.getParameter("target");
+        if (prop.second && *prop.second)
+            target = prop.second;
     }
-    preserveRelayState(request.getApplication(), request, target);
+    preserveRelayState(app, request, target);
     if (!isHandler)
-        preservePostData(request.getApplication(), request, request, target.c_str());
+        preservePostData(app, request, request, target.c_str());
 
     const URLEncoder* urlenc = XMLToolingConfig::getConfig().getURLEncoder();
     if (isHandler) {
@@ -231,15 +230,15 @@ pair<bool,long> SAMLDSSessionInitiator::run(SPRequest& request, string& entityID
             }
             else {
                 // There's something in the query before target appears, so we have to find it.
-                thisloc.second = strstr(query,"&target=");
-                if (thisloc.second) {
+                prop.second = strstr(query, "&target=");
+                if (prop.second) {
                     // We found it, so first append everything up to it.
                     returnURL += '&';
-                    returnURL.append(query, thisloc.second - query);
-                    query = thisloc.second + 8; // move up just past the equals sign.
-                    thisloc.second = strchr(query, '&');
-                    if (thisloc.second)
-                        returnURL += thisloc.second;
+                    returnURL.append(query, prop.second - query);
+                    query = prop.second + 8; // move up just past the equals sign.
+                    prop.second = strchr(query, '&');
+                    if (prop.second)
+                        returnURL += prop.second;
                 }
                 else {
                     // No target in the existing query, so just append it as is.

diff --git a/shibsp/handler/impl/Shib1SessionInitiator.cpp b/shibsp/handler/impl/Shib1SessionInitiator.cpp
index 72f431b..cc2cd11 100644 (file)
--- a/shibsp/handler/impl/Shib1SessionInitiator.cpp
+++ b/shibsp/handler/impl/Shib1SessionInitiator.cpp
@@ -116,36 +116,38 @@ pair<bool,long> Shib1SessionInitiator::run(SPRequest& request, string& entityID,
         return make_pair(false,0L);
 
     string target;
-    string postData;
+    pair<bool,const char*> prop;
     const Handler* ACS=NULL;
-    const char* option;
-    const Application& app=request.getApplication();
+    const Application& app = request.getApplication();
 
     if (isHandler) {
-        option=request.getParameter("acsIndex");
-        if (option) {
-            ACS = app.getAssertionConsumerServiceByIndex(atoi(option));
+        prop.second = request.getParameter("acsIndex");
+        if (prop.second && *prop.second) {
+            ACS = app.getAssertionConsumerServiceByIndex(atoi(prop.second));
             if (!ACS)
                 request.log(SPRequest::SPWarn, "invalid acsIndex specified in request, using acsIndex property");
         }
 
-        option = request.getParameter("target");
-        if (option)
-            target = option;
+        prop = getString("target", request);
+        if (prop.first)
+            target = prop.second;
 
         // Since we're passing the ACS by value, we need to compute the return URL,
         // so we'll need the target resource for real.
-        recoverRelayState(request.getApplication(), request, request, target, false);
+        recoverRelayState(app, request, request, target, false);
     }
     else {
-        // We're running as a "virtual handler" from within the filter.
-        // The target resource is the current one and everything else is defaulted.
-        target=request.getRequestURL();
+        // Check for a hardwired target value in the map or handler.
+        prop = getString("target", request, HANDLER_PROPERTY_MAP|HANDLER_PROPERTY_FIXED);
+        if (prop.first)
+            target = prop.second;
+        else
+            target = request.getRequestURL();
     }
 
     // Since we're not passing by index, we need to fully compute the return URL.
     if (!ACS) {
-        pair<bool,unsigned int> index = getUnsignedInt("acsIndex");
+        pair<bool,unsigned int> index = getUnsignedInt("acsIndex", request, HANDLER_PROPERTY_MAP|HANDLER_PROPERTY_FIXED);
         if (index.first) {
             ACS = app.getAssertionConsumerServiceByIndex(index.second);
             if (!ACS)
@@ -171,17 +173,18 @@ pair<bool,long> Shib1SessionInitiator::run(SPRequest& request, string& entityID,
     }
 
     // Compute the ACS URL. We add the ACS location to the base handlerURL.
-    string ACSloc=request.getHandlerURL(target.c_str());
-    pair<bool,const char*> loc=ACS ? ACS->getString("Location") : pair<bool,const char*>(false,NULL);
-    if (loc.first) ACSloc+=loc.second;
+    string ACSloc = request.getHandlerURL(target.c_str());
+    prop = ACS ? ACS->getString("Location") : pair<bool,const char*>(false,NULL);
+    if (prop.first)
+        ACSloc += prop.second;
 
     if (isHandler) {
         // We may already have RelayState set if we looped back here,
-        // but just in case target is a resource, we reset it back.
-        target.erase();
-        option = request.getParameter("target");
-        if (option)
-            target = option;
+        // but we've turned it back into a resource by this point, so if there's
+        // a target on the URL, reset to that value.
+        prop.second = request.getParameter("target");
+        if (prop.second && *prop.second)
+            target = prop.second;
     }
 
     // Is the in-bound binding artifact?

diff --git a/shibsp/handler/impl/TransformSessionInitiator.cpp b/shibsp/handler/impl/TransformSessionInitiator.cpp
index 590dbad..3aa012c 100644 (file)
--- a/shibsp/handler/impl/TransformSessionInitiator.cpp
+++ b/shibsp/handler/impl/TransformSessionInitiator.cpp
@@ -163,7 +163,6 @@ pair<bool,long> TransformSessionInitiator::run(SPRequest& request, string& entit
     if (entityID.empty() || !checkCompatibility(request, isHandler))
         return make_pair(false,0L);
 
-    string target;
     const Application& app=request.getApplication();
 
     m_log.debug("attempting to transform input (%s) into a valid entityID", entityID.c_str());

diff --git a/shibsp/handler/impl/WAYFSessionInitiator.cpp b/shibsp/handler/impl/WAYFSessionInitiator.cpp
index e56f75e..86f9f45 100644 (file)
--- a/shibsp/handler/impl/WAYFSessionInitiator.cpp
+++ b/shibsp/handler/impl/WAYFSessionInitiator.cpp
@@ -86,39 +86,45 @@ pair<bool,long> WAYFSessionInitiator::run(SPRequest& request, string& entityID,
         return make_pair(false,0L);
 
     string target;
-    string postData;
-    const char* option;
+    pair<bool,const char*> prop;
     const Handler* ACS=NULL;
     const Application& app=request.getApplication();
     pair<bool,const char*> discoveryURL = pair<bool,const char*>(true, m_url);
 
     if (isHandler) {
-        option=request.getParameter("acsIndex");
-        if (option) {
-            ACS=app.getAssertionConsumerServiceByIndex(atoi(option));
+        prop.second = request.getParameter("acsIndex");
+        if (prop.second && *prop.second) {
+            ACS = app.getAssertionConsumerServiceByIndex(atoi(prop.second));
             if (!ACS)
                 request.log(SPRequest::SPWarn, "invalid acsIndex specified in request, using acsIndex property");
         }
 
-        option = request.getParameter("target");
-        if (option)
-            target = option;
+        prop = getString("target", request);
+        if (prop.first)
+            target = prop.second;
+
+        // Since we're passing the ACS by value, we need to compute the return URL,
+        // so we'll need the target resource for real.
         recoverRelayState(request.getApplication(), request, request, target, false);
 
-        option = request.getParameter("discoveryURL");
-        if (option)
-            discoveryURL.second = option;
+        prop.second = request.getParameter("discoveryURL");
+        if (prop.second && *prop.second)
+            discoveryURL.second = prop.second;
     }
     else {
-        // We're running as a "virtual handler" from within the filter.
-        // The target resource is the current one and everything else is defaulted.
-        target=request.getRequestURL();
+        // Check for a hardwired target value in the map or handler.
+        prop = getString("target", request, HANDLER_PROPERTY_MAP|HANDLER_PROPERTY_FIXED);
+        if (prop.first)
+            target = prop.second;
+        else
+            target = request.getRequestURL();
+
         discoveryURL = request.getRequestSettings().first->getString("discoveryURL");
     }
     
     // Since we're not passing by index, we need to fully compute the return URL.
     if (!ACS) {
-        pair<bool,unsigned int> index = getUnsignedInt("acsIndex");
+        pair<bool,unsigned int> index = getUnsignedInt("acsIndex", request, HANDLER_PROPERTY_MAP|HANDLER_PROPERTY_FIXED);
         if (index.first) {
             ACS = app.getAssertionConsumerServiceByIndex(index.second);
             if (!ACS)
@@ -148,20 +154,23 @@ pair<bool,long> WAYFSessionInitiator::run(SPRequest& request, string& entityID,
     m_log.debug("sending request to WAYF (%s)", discoveryURL.second);
 
     // Compute the ACS URL. We add the ACS location to the base handlerURL.
-    string ACSloc=request.getHandlerURL(target.c_str());
-    pair<bool,const char*> loc=ACS ? ACS->getString("Location") : pair<bool,const char*>(false,NULL);
-    if (loc.first) ACSloc+=loc.second;
+    string ACSloc = request.getHandlerURL(target.c_str());
+    prop = ACS ? ACS->getString("Location") : pair<bool,const char*>(false,NULL);
+    if (prop.first)
+        ACSloc += prop.second;
 
     if (isHandler) {
         // We may already have RelayState set if we looped back here,
-        // but just in case target is a resource, we reset it back.
-        option = request.getParameter("target");
-        if (option)
-            target = option;
+        // but we've turned it back into a resource by this point, so if there's
+        // a target on the URL, reset to that value.
+        prop.second = request.getParameter("target");
+        if (prop.second && *prop.second)
+            target = prop.second;
     }
-    preserveRelayState(request.getApplication(), request, target);
+
+    preserveRelayState(app, request, target);
     if (!isHandler)
-        preservePostData(request.getApplication(), request, request, target.c_str());
+        preservePostData(app, request, request, target.c_str());
 
     // WAYF requires a target value.
     if (target.empty())