More config cleanup, use default TrustEngine chain if absent.
authorcantor <cantor@cb58f699-b61c-0410-a6fe-9272a202ed29>
Tue, 27 Jul 2010 20:02:58 +0000 (20:02 +0000)
committercantor <cantor@cb58f699-b61c-0410-a6fe-9272a202ed29>
Tue, 27 Jul 2010 20:02:58 +0000 (20:02 +0000)
git-svn-id: https://svn.middleware.georgetown.edu/cpp-sp/branches/REL_2@3278 cb58f699-b61c-0410-a6fe-9272a202ed29

configs/shibboleth2.xml
configs/win-shibboleth2.xml
schemas/shibboleth-2.0-native-sp-config.xsd
shibsp/impl/XMLServiceProvider.cpp

index bd98709..8e753e8 100644 (file)
@@ -21,8 +21,7 @@
     <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
     <ApplicationDefaults policyId="default"
         entityID="https://sp.example.org/shibboleth"
-        REMOTE_USER="eppn persistent-id targeted-id"
-        signing="false" encryption="false">
+        REMOTE_USER="eppn persistent-id targeted-id">
 
         <!--
         Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
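Review bot: Removing `signing="false" encryption="false"` from the sample makes the outbound signing and encryption settings depend on built-in defaults that this diff does not show; presumably they remain off, but a deployer reading the sample can no longer see that or where to turn them on. I would keep a one-line comment on the `ApplicationDefaults` element, e.g. `<!-- Signing/encryption of outbound messages follow the built-in defaults (off); set signing="true" and/or encryption="true" here to enable them. -->`, with the stated default confirmed against the code before it ships. The same applies to the matching hunk in the Windows sample.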
@@ -34,8 +33,7 @@
         impact on the security of the SP. Stealing cookies/sessions is much easier with this disabled.
         -->
         <Sessions lifetime="28800" timeout="3600" checkAddress="false"
-            handlerURL="/Shibboleth.sso" handlerSSL="false"
-            idpHistory="false" idpHistoryDays="7">
+            handlerURL="/Shibboleth.sso" handlerSSL="false">
             
             <!--
             SessionInitiators handle session requests and relay them to a Discovery page,
             -->
         </MetadataProvider>
 
-        <!-- Chain the two built-in trust engines together. -->
-        <TrustEngine type="Chaining">
-            <TrustEngine type="ExplicitKey"/>
-            <TrustEngine type="PKIX"/>
-        </TrustEngine>
-
         <!-- Map to extract attributes from SAML assertions. -->
         <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
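Review bot: With the explicit chain deleted, nothing in the sample tells a deployer that an ExplicitKey + PKIX chain is still applied when no `<TrustEngine>` is present, nor that adding a `<TrustEngine>` here replaces that default rather than extending it, which is how the code side of this commit behaves. Since trust-engine configuration decides which IdP signatures and TLS endpoints the SP accepts, that is worth a line in the sample rather than only in the changelog. Suggest leaving a comment in place of the removed block: `<!-- A TrustEngine chaining ExplicitKey and PKIX is used by default; add a <TrustEngine> element here only to override that chain. -->`.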
         
index 0560824..5b40f3f 100644 (file)
@@ -61,8 +61,7 @@
     -->\r
     <ApplicationDefaults policyId="default"\r
         entityID="https://sp.example.org/shibboleth"\r
-        REMOTE_USER="eppn persistent-id targeted-id"\r
-        signing="false" encryption="false">\r
+        REMOTE_USER="eppn persistent-id targeted-id">\r
 \r
         <!--\r
         Controls session lifetimes, address checks, cookie handling, and the protocol handlers.\r
@@ -74,8 +73,7 @@
         impact on the security of the SP. Stealing cookies/sessions is much easier with this disabled.\r
         -->\r
         <Sessions lifetime="28800" timeout="3600" checkAddress="false"\r
-            handlerURL="/Shibboleth.sso" handlerSSL="false"\r
-            idpHistory="false" idpHistoryDays="7">\r
+            handlerURL="/Shibboleth.sso" handlerSSL="false">\r
             \r
             <!--\r
             SessionInitiators handle session requests and relay them to a Discovery page,\r
             -->\r
         </MetadataProvider>\r
 \r
-        <!-- Chain the two built-in trust engines together. -->\r
-        <TrustEngine type="Chaining">\r
-            <TrustEngine type="ExplicitKey"/>\r
-            <TrustEngine type="PKIX"/>\r
-        </TrustEngine>\r
-\r
         <!-- Map to extract attributes from SAML assertions. -->\r
         <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>\r
         \r
index 10f4024..14068cd 100644 (file)
       <element name="Notify" type="conf:NotifyType" minOccurs="0" maxOccurs="unbounded"/>
       <element ref="saml:Audience" minOccurs="0" maxOccurs="unbounded"/>
       <element name="MetadataProvider" type="conf:PluggableType"/>
-      <element name="TrustEngine" type="conf:PluggableType"/>
+      <element name="TrustEngine" type="conf:PluggableType" minOccurs="0"/>
       <element name="AttributeExtractor" type="conf:PluggableType" minOccurs="0"/>
       <element name="AttributeResolver" type="conf:PluggableType" minOccurs="0"/>
       <element name="AttributeFilter" type="conf:PluggableType" minOccurs="0"/>
index db279c2..885a29f 100644 (file)
@@ -69,9 +69,9 @@
 # include <saml/saml2/metadata/Metadata.h>
 # include <saml/saml2/metadata/MetadataProvider.h>
 # include <saml/util/SAMLConstants.h>
+# include <xmltooling/security/ChainingTrustEngine.h>
 # include <xmltooling/security/CredentialResolver.h>
 # include <xmltooling/security/SecurityHelper.h>
-# include <xmltooling/security/TrustEngine.h>
 # include <xmltooling/util/ReplayCache.h>
 # include <xmltooling/util/StorageService.h>
 # include <xsec/utils/XSECPlatformUtils.hpp>
@@ -642,7 +642,7 @@ XMLApplication::XMLApplication(
                 if (XMLString::equals(child->getLocalName(),_AssertionConsumerService)) {
                     auto_ptr_char bindprop(child->getAttributeNS(nullptr,Binding));
                     if (!bindprop.get() || !*(bindprop.get())) {
-                        log.warn("md:AssertionConsumerService element has no Binding attribute, skipping it...");
+                        log.error("md:AssertionConsumerService element has no Binding attribute, skipping it...");
                         child = XMLHelper::getNextSiblingElement(child);
                         continue;
                     }
@@ -666,7 +666,7 @@ XMLApplication::XMLApplication(
                 else if (XMLString::equals(child->getLocalName(),_SessionInitiator)) {
                     auto_ptr_char type(child->getAttributeNS(nullptr,_type));
                     if (!type.get() || !*(type.get())) {
-                        log.warn("SessionInitiator element has no type attribute, skipping it...");
+                        log.error("SessionInitiator element has no type attribute, skipping it...");
                         child = XMLHelper::getNextSiblingElement(child);
                         continue;
                     }
@@ -690,7 +690,7 @@ XMLApplication::XMLApplication(
                 else if (XMLString::equals(child->getLocalName(),_LogoutInitiator)) {
                     auto_ptr_char type(child->getAttributeNS(nullptr,_type));
                     if (!type.get() || !*(type.get())) {
-                        log.warn("LogoutInitiator element has no type attribute, skipping it...");
+                        log.error("LogoutInitiator element has no type attribute, skipping it...");
                         child = XMLHelper::getNextSiblingElement(child);
                         continue;
                     }
@@ -699,7 +699,7 @@ XMLApplication::XMLApplication(
                 else if (XMLString::equals(child->getLocalName(),_ArtifactResolutionService)) {
                     auto_ptr_char bindprop(child->getAttributeNS(nullptr,Binding));
                     if (!bindprop.get() || !*(bindprop.get())) {
-                        log.warn("md:ArtifactResolutionService element has no Binding attribute, skipping it...");
+                        log.error("md:ArtifactResolutionService element has no Binding attribute, skipping it...");
                         child = XMLHelper::getNextSiblingElement(child);
                         continue;
                     }
@@ -720,7 +720,7 @@ XMLApplication::XMLApplication(
                 else if (XMLString::equals(child->getLocalName(),_SingleLogoutService)) {
                     auto_ptr_char bindprop(child->getAttributeNS(nullptr,Binding));
                     if (!bindprop.get() || !*(bindprop.get())) {
-                        log.warn("md:SingleLogoutService element has no Binding attribute, skipping it...");
+                        log.error("md:SingleLogoutService element has no Binding attribute, skipping it...");
                         child = XMLHelper::getNextSiblingElement(child);
                         continue;
                     }
@@ -729,20 +729,20 @@ XMLApplication::XMLApplication(
                 else if (XMLString::equals(child->getLocalName(),_ManageNameIDService)) {
                     auto_ptr_char bindprop(child->getAttributeNS(nullptr,Binding));
                     if (!bindprop.get() || !*(bindprop.get())) {
-                        log.warn("md:ManageNameIDService element has no Binding attribute, skipping it...");
+                        log.error("md:ManageNameIDService element has no Binding attribute, skipping it...");
                         child = XMLHelper::getNextSiblingElement(child);
                         continue;
                     }
                     handler=conf.ManageNameIDServiceManager.newPlugin(bindprop.get(),make_pair(child, getId()));
                 }
                 else {
-                    auto_ptr_char type(child->getAttributeNS(nullptr,_type));
-                    if (!type.get() || !*(type.get())) {
-                        log.warn("Handler element has no type attribute, skipping it...");
+                    string t(XMLHelper::getAttrString(child, nullptr, _type));
+                    if (t.empty()) {
+                        log.error("Handler element has no type attribute, skipping it...");
                         child = XMLHelper::getNextSiblingElement(child);
                         continue;
                     }
-                    handler=conf.HandlerManager.newPlugin(type.get(),make_pair(child, getId()));
+                    handler = conf.HandlerManager.newPlugin(t.c_str(), make_pair(child, getId()));
                 }
 
                 m_handlers.push_back(handler);
@@ -767,12 +767,12 @@ XMLApplication::XMLApplication(
         for (XMLSize_t i=0; nlist && i<nlist->getLength(); i++) {
             if (nlist->item(i)->getParentNode()->isSameNode(e)) {
                 const XMLCh* channel = static_cast<DOMElement*>(nlist->item(i))->getAttributeNS(nullptr,Channel);
-                auto_ptr_char loc(static_cast<DOMElement*>(nlist->item(i))->getAttributeNS(nullptr,Location));
-                if (loc.get() && *loc.get()) {
+                string loc(XMLHelper::getAttrString(static_cast<DOMElement*>(nlist->item(i)), nullptr, Location));
+                if (!loc.empty()) {
                     if (channel && *channel == chLatin_f)
-                        m_frontLogout.push_back(loc.get());
+                        m_frontLogout.push_back(loc);
                     else
-                        m_backLogout.push_back(loc.get());
+                        m_backLogout.push_back(loc);
                 }
             }
         }
@@ -787,14 +787,19 @@ XMLApplication::XMLApplication(
         }
 
         if (conf.isEnabled(SPConfig::Metadata)) {
-            child = XMLHelper::getFirstChildElement(e,_MetadataProvider);
+            child = XMLHelper::getFirstChildElement(e, _MetadataProvider);
             if (child) {
-                auto_ptr_char type(child->getAttributeNS(nullptr,_type));
-                log.info("building MetadataProvider of type %s...",type.get());
+                string t(XMLHelper::getAttrString(child, nullptr, _type));
                 try {
-                    auto_ptr<MetadataProvider> mp(samlConf.MetadataProviderManager.newPlugin(type.get(),child));
-                    mp->init();
-                    m_metadata = mp.release();
+                    if (!t.empty()) {
+                        log.info("building MetadataProvider of type %s...", t.c_str());
+                        auto_ptr<MetadataProvider> mp(samlConf.MetadataProviderManager.newPlugin(t.c_str(), child));
+                        mp->init();
+                        m_metadata = mp.release();
+                    }
+                    else {
+                        throw ConfigurationException("MetadataProvider element had no type attribute.");
+                    }
                 }
                 catch (exception& ex) {
                     log.crit("error building/initializing MetadataProvider: %s", ex.what());
@@ -803,50 +808,82 @@ XMLApplication::XMLApplication(
         }
 
         if (conf.isEnabled(SPConfig::Trust)) {
-            child = XMLHelper::getFirstChildElement(e,_TrustEngine);
+            child = XMLHelper::getFirstChildElement(e, _TrustEngine);
             if (child) {
-                auto_ptr_char type(child->getAttributeNS(nullptr,_type));
-                log.info("building TrustEngine of type %s...",type.get());
+                string t(XMLHelper::getAttrString(child, nullptr, _type));
                 try {
-                    m_trust = xmlConf.TrustEngineManager.newPlugin(type.get(),child);
+                    if (!t.empty()) {
+                        log.info("building TrustEngine of type %s...", t.c_str());
+                        m_trust = xmlConf.TrustEngineManager.newPlugin(t.c_str(), child);
+                    }
+                    else {
+                        throw ConfigurationException("TrustEngine element had no type attribute.");
+                    }
                 }
                 catch (exception& ex) {
                     log.crit("error building TrustEngine: %s", ex.what());
                 }
             }
+            else if (!m_base) {
+                log.info(
+                    "no TrustEngine specified, using default chain {%s, %s}",
+                    EXPLICIT_KEY_TRUSTENGINE, SHIBBOLETH_PKIX_TRUSTENGINE
+                    );
+                m_trust = xmlConf.TrustEngineManager.newPlugin(CHAINING_TRUSTENGINE, nullptr);
+                ChainingTrustEngine* trustchain = dynamic_cast<ChainingTrustEngine*>(m_trust);
+                if (trustchain) {
+                    trustchain->addTrustEngine(xmlConf.TrustEngineManager.newPlugin(EXPLICIT_KEY_TRUSTENGINE, nullptr));
+                    trustchain->addTrustEngine(xmlConf.TrustEngineManager.newPlugin(SHIBBOLETH_PKIX_TRUSTENGINE, nullptr));
+                }
+            }
         }
 
         if (conf.isEnabled(SPConfig::AttributeResolution)) {
-            child = XMLHelper::getFirstChildElement(e,_AttributeExtractor);
+            child = XMLHelper::getFirstChildElement(e, _AttributeExtractor);
             if (child) {
-                auto_ptr_char type(child->getAttributeNS(nullptr,_type));
-                log.info("building AttributeExtractor of type %s...",type.get());
+                string t(XMLHelper::getAttrString(child, nullptr, _type));
                 try {
-                    m_attrExtractor = conf.AttributeExtractorManager.newPlugin(type.get(),child);
+                    if (!t.empty()) {
+                        log.info("building AttributeExtractor of type %s...", t.c_str());
+                        m_attrExtractor = conf.AttributeExtractorManager.newPlugin(t.c_str(), child);
+                    }
+                    else {
+                        throw ConfigurationException("AttributeExtractor element had no type attribute.");
+                    }
                 }
                 catch (exception& ex) {
                     log.crit("error building AttributeExtractor: %s", ex.what());
                 }
             }
 
-            child = XMLHelper::getFirstChildElement(e,_AttributeFilter);
+            child = XMLHelper::getFirstChildElement(e, _AttributeFilter);
             if (child) {
-                auto_ptr_char type(child->getAttributeNS(nullptr,_type));
-                log.info("building AttributeFilter of type %s...",type.get());
+                string t(XMLHelper::getAttrString(child, nullptr, _type));
                 try {
-                    m_attrFilter = conf.AttributeFilterManager.newPlugin(type.get(),child);
+                    if (!t.empty()) {
+                        log.info("building AttributeFilter of type %s...", t.c_str());
+                        m_attrFilter = conf.AttributeFilterManager.newPlugin(t.c_str(), child);
+                    }
+                    else {
+                        throw ConfigurationException("AttributeFilter element had no type attribute.");
+                    }
                 }
                 catch (exception& ex) {
                     log.crit("error building AttributeFilter: %s", ex.what());
                 }
             }
 
-            child = XMLHelper::getFirstChildElement(e,_AttributeResolver);
+            child = XMLHelper::getFirstChildElement(e, _AttributeResolver);
             if (child) {
-                auto_ptr_char type(child->getAttributeNS(nullptr,_type));
-                log.info("building AttributeResolver of type %s...",type.get());
+                string t(XMLHelper::getAttrString(child, nullptr, _type));
                 try {
-                    m_attrResolver = conf.AttributeResolverManager.newPlugin(type.get(),child);
+                    if (!t.empty()) {
+                        log.info("building AttributeResolver of type %s...", t.c_str());
+                        m_attrResolver = conf.AttributeResolverManager.newPlugin(t.c_str(), child);
+                    }
+                    else {
+                        throw ConfigurationException("AttributeResolver element had no type attribute.");
+                    }
                 }
                 catch (exception& ex) {
                     log.crit("error building AttributeResolver: %s", ex.what());
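Review bot: In the new `else if (!m_base)` fallback, a `dynamic_cast` that yields null leaves `m_trust` pointing at a chaining engine with no members and nothing is logged, whereas the explicit-`<TrustEngine>` path just above reports its failures with `log.crit`. I would add an else arm, e.g. `else { log.crit("default Chaining TrustEngine plugin is not a ChainingTrustEngine; no engines added"); }`, or throw a `ConfigurationException` there, so startup does not quietly proceed with a chain that presumably can verify nothing. The three `newPlugin` calls in that branch are also outside any try/catch; if the PKIX plugin throws after the ExplicitKey engine has already been added, the exception leaves the constructor with `m_trust` assigned, and whether that storage is reclaimed depends on constructor cleanup outside this hunk. Letting those exceptions propagate is arguably the right fail-closed behaviour for a missing built-in plugin, but the asymmetry with the explicit path deserves a short comment saying so. `XMLApplication::XMLApplication` begins before this hunk and continues past it.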