bool authorized(const SPRequest& request, const Session* session) const;
};
-AccessControl* htAccessFactory(const DOMElement* const & e)
+AccessControl* htAccessFactory(const xercesc::DOMElement* const & e)
{
return new htAccessControl();
}
class ApacheRequestMapper : public virtual RequestMapper, public virtual PropertySet
{
public:
- ApacheRequestMapper(const DOMElement* e);
+ ApacheRequestMapper(const xercesc::DOMElement* e);
~ApacheRequestMapper() { delete m_mapper; delete m_htaccess; delete m_staKey; delete m_propsKey; }
Lockable* lock() { return m_mapper->lock(); }
void unlock() { m_staKey->setData(NULL); m_propsKey->setData(NULL); m_mapper->unlock(); }
pair<bool,unsigned int> getUnsignedInt(const char* name, const char* ns=NULL) const;
pair<bool,int> getInt(const char* name, const char* ns=NULL) const;
const PropertySet* getPropertySet(const char* name, const char* ns="urn:mace:shibboleth:target:config:1.0") const;
- const DOMElement* getElement() const;
+ const xercesc::DOMElement* getElement() const;
private:
RequestMapper* m_mapper;
AccessControl* m_htaccess;
};
-RequestMapper* ApacheRequestMapFactory(const DOMElement* const & e)
+RequestMapper* ApacheRequestMapFactory(const xercesc::DOMElement* const & e)
{
return new ApacheRequestMapper(e);
}
-ApacheRequestMapper::ApacheRequestMapper(const DOMElement* e) : m_mapper(NULL), m_staKey(NULL), m_propsKey(NULL), m_htaccess(NULL)
+ApacheRequestMapper::ApacheRequestMapper(const xercesc::DOMElement* e) : m_mapper(NULL), m_staKey(NULL), m_propsKey(NULL), m_htaccess(NULL)
{
m_mapper=SPConfig::getConfig().RequestMapperManager.newPlugin(XML_REQUEST_MAPPER,e);
m_htaccess=new htAccessControl();
return s ? s->getPropertySet(name,ns) : NULL;
}
-const DOMElement* ApacheRequestMapper::getElement() const
+const xercesc::DOMElement* ApacheRequestMapper::getElement() const
{
const PropertySet* s=reinterpret_cast<const PropertySet*>(m_propsKey->getData());
return s ? s->getElement() : NULL;
try {
// To do regex matching, we have to convert from UTF-8.
auto_ptr<XMLCh> trans(fromUTF8(w));
- RegularExpression re(trans.get());
+ xercesc::RegularExpression re(trans.get());
auto_ptr<XMLCh> trans2(fromUTF8(remote_user.c_str()));
if (re.matches(trans2.get())) {
request.log(SPRequest::SPDebug, string("htAccessControl plugin accepting user (") + w + ")");
SHIB_AP_CHECK_IS_OK;
}
}
- catch (XMLException& ex) {
+ catch (xercesc::XMLException& ex) {
auto_ptr_char tmp(ex.getMessage());
request.log(SPRequest::SPError,
string("htAccessControl plugin caught exception while parsing regular expression (") + w + "): " + tmp.get());
}
try {
- auto_ptr<RegularExpression> re;
+ auto_ptr<xercesc::RegularExpression> re;
if (regexp) {
delete re.release();
auto_ptr<XMLCh> trans(fromUTF8(w));
- auto_ptr<RegularExpression> temp(new RegularExpression(trans.get()));
+ auto_ptr<xercesc::RegularExpression> temp(new xercesc::RegularExpression(trans.get()));
re=temp;
}
}
}
}
- catch (XMLException& ex) {
+ catch (xercesc::XMLException& ex) {
auto_ptr_char tmp(ex.getMessage());
request.log(SPRequest::SPError,
string("htAccessControl plugin caught exception while parsing regular expression (") + w + "): " + tmp.get()
g_Config->RequestMapperManager.registerFactory(NATIVE_REQUEST_MAPPER,&ApacheRequestMapFactory);
try {
- DOMDocument* dummydoc=XMLToolingConfig::getConfig().getParser().newDocument();
- XercesJanitor<DOMDocument> docjanitor(dummydoc);
- DOMElement* dummy = dummydoc->createElementNS(NULL,path);
+ xercesc::DOMDocument* dummydoc=XMLToolingConfig::getConfig().getParser().newDocument();
+ XercesJanitor<xercesc::DOMDocument> docjanitor(dummydoc);
+ xercesc::DOMElement* dummy = dummydoc->createElementNS(NULL,path);
auto_ptr_XMLCh src(g_szSHIBConfig);
dummy->setAttributeNS(NULL,path,src.get());
dummy->setAttributeNS(NULL,validate,xmlconstants::XML_ONE);
* forceAuthn insist on user reauthentication at IdP
* isPassive preclude interaction at IdP or discovery service
* authnContextClassRef URI reference of an AuthnContextClass to request
- * authnContextDeclRef URI reference of an AuthnContextDecl to request
* authnContextComparison comparison operator to apply to AuthnContext reference
-->
static const XMLCh validate[] = UNICODE_LITERAL_8(v,a,l,i,d,a,t,e);
}
-PluginManager<RequestMapper,const DOMElement*>::Factory SunRequestMapFactory;
+PluginManager<RequestMapper,const xercesc::DOMElement*>::Factory SunRequestMapFactory;
extern "C" NSAPI_PUBLIC void nsapi_shib_exit(void*)
{
g_Config->RequestMapperManager.registerFactory(XML_REQUEST_MAPPER,&SunRequestMapFactory);
try {
- DOMDocument* dummydoc=XMLToolingConfig::getConfig().getParser().newDocument();
- XercesJanitor<DOMDocument> docjanitor(dummydoc);
- DOMElement* dummy = dummydoc->createElementNS(NULL,path);
+ xercesc::DOMDocument* dummydoc=XMLToolingConfig::getConfig().getParser().newDocument();
+ XercesJanitor<xercesc::DOMDocument> docjanitor(dummydoc);
+ xercesc::DOMElement* dummy = dummydoc->createElementNS(NULL,path);
auto_ptr_XMLCh src(config);
dummy->setAttributeNS(NULL,path,src.get());
dummy->setAttributeNS(NULL,validate,xmlconstants::XML_ONE);
class SunRequestMapper : public virtual RequestMapper, public virtual PropertySet
{
public:
- SunRequestMapper(const DOMElement* e);
+ SunRequestMapper(const xercesc::DOMElement* e);
~SunRequestMapper() { delete m_mapper; delete m_stKey; delete m_propsKey; }
Lockable* lock() { return m_mapper->lock(); }
void unlock() { m_stKey->setData(NULL); m_propsKey->setData(NULL); m_mapper->unlock(); }
pair<bool,unsigned int> getUnsignedInt(const char* name, const char* ns=NULL) const;
pair<bool,int> getInt(const char* name, const char* ns=NULL) const;
const PropertySet* getPropertySet(const char* name, const char* ns="urn:mace:shibboleth:target:config:1.0") const;
- const DOMElement* getElement() const;
+ const xercesc::DOMElement* getElement() const;
private:
RequestMapper* m_mapper;
ThreadKey* m_propsKey;
};
-RequestMapper* SunRequestMapFactory(const DOMElement* const & e)
+RequestMapper* SunRequestMapFactory(const xercesc::DOMElement* const & e)
{
return new SunRequestMapper(e);
}
-SunRequestMapper::SunRequestMapper(const DOMElement* e) : m_mapper(NULL), m_stKey(NULL), m_propsKey(NULL)
+SunRequestMapper::SunRequestMapper(const xercesc::DOMElement* e) : m_mapper(NULL), m_stKey(NULL), m_propsKey(NULL)
{
m_mapper = SPConfig::getConfig().RequestMapperManager.newPlugin(XML_REQUEST_MAPPER,e);
m_stKey=ThreadKey::create(NULL);
return s ? s->getPropertySet(name,ns) : NULL;
}
-const DOMElement* SunRequestMapper::getElement() const
+const xercesc::DOMElement* SunRequestMapper::getElement() const
{
const PropertySet* s=reinterpret_cast<const PropertySet*>(m_propsKey->getData());
return s ? s->getElement() : NULL;
<attribute name="isPassive" type="boolean"/>\r
<attribute name="forceAuthn" type="boolean"/>\r
<attribute name="authnContextClassRef" type="anyURI"/>\r
- <attribute name="authnContextDeclRef" type="anyURI"/>\r
<attribute name="authnContextComparison" type="conf:string"/>\r
<anyAttribute namespace="##other" processContents="lax"/>\r
</attributeGroup>\r
fprintf(stderr, "loading configuration file: %s\n", shar_config);\r
static const XMLCh path[] = UNICODE_LITERAL_4(p,a,t,h);\r
static const XMLCh validate[] = UNICODE_LITERAL_8(v,a,l,i,d,a,t,e);\r
- DOMDocument* dummydoc=XMLToolingConfig::getConfig().getParser().newDocument();\r
- XercesJanitor<DOMDocument> docjanitor(dummydoc);\r
- DOMElement* dummy = dummydoc->createElementNS(NULL,path);\r
+ xercesc::DOMDocument* dummydoc=XMLToolingConfig::getConfig().getParser().newDocument();\r
+ XercesJanitor<xercesc::DOMDocument> docjanitor(dummydoc);\r
+ xercesc::DOMElement* dummy = dummydoc->createElementNS(NULL,path);\r
auto_ptr_XMLCh src(shar_config);\r
dummy->setAttributeNS(NULL,path,src.get());\r
dummy->setAttributeNS(NULL,validate,xmlconstants::XML_ONE);\r
*
* @param e root of DOM tree to configure the cache
*/
- SessionCache(const DOMElement* e);
+ SessionCache(const xercesc::DOMElement* e);
/** maximum lifetime in seconds for unused sessions to be cached */
unsigned long m_cacheTimeout;
* @param remapper optional map of property rename rules for legacy property support
*/
AbstractHandler(
- const DOMElement* e,
+ const xercesc::DOMElement* e,
log4cpp::Category& log,
- DOMNodeFilter* filter=NULL,
+ xercesc::DOMNodeFilter* filter=NULL,
const std::map<std::string,std::string>* remapper=NULL
);
* @param appId ID of application that "owns" the handler
* @param log a logging object to use
*/
- AssertionConsumerService(const DOMElement* e, const char* appId, log4cpp::Category& log);
+ AssertionConsumerService(const xercesc::DOMElement* e, const char* appId, log4cpp::Category& log);
/**
* Implement protocol-specific handling of the incoming decoded message.
HTTPResponse& httpResponse,
const char* entityID,
const XMLCh* acsIndex,
- const XMLCh* acsLocation,
+ const char* acsLocation,
const XMLCh* acsBinding,
+ bool isPassive,
+ bool forceAuthn,
string& relayState
) const;
string target;
const Handler* ACS=NULL;
const char* option;
+ pair<bool,const char*> acClass;
+ pair<bool,const char*> acComp;
+ bool isPassive=false,forceAuthn=false;
const Application& app=request.getApplication();
pair<bool,bool> acsByIndex = getBool("acsByIndex");
// so we'll need the target resource for real.
recoverRelayState(request.getApplication(), request, target, false);
}
+
+ option = request.getParameter("isPassive");
+ isPassive = (option && (*option=='1' || *option=='t'));
+ if (!isPassive) {
+ option = request.getParameter("forceAuthn");
+ forceAuthn = (option && (*option=='1' || *option=='t'));
+ }
+
+ acClass.second = request.getParameter("authnContextClassRef");
+ acClass.first = (acClass.second!=NULL);
+ acComp.second = request.getParameter("authnContextComparison");
+ acComp.first = (acComp.second!=NULL);
}
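Review bot: The `authnContextClassRef` and `authnContextComparison` query parameters read at L217–L220 are stored verbatim from the client with no validation before they are handed to the remoting call further down — nothing checks that the class reference is a URI or that the comparison is one of the SAML-defined values (exact/minimum/maximum/better), so a caller can inject arbitrary text into what becomes the AuthnRequest. Because these values are client-controlled, whatever the SP does to verify the returned assertion's AuthnContext must not depend on them; that check is not visible in this diff, so a comment such as `// client-supplied; the assertion's AuthnContext is validated separately, not trusted from here` above L217 would make the trust boundary explicit. Separately, the flag parsing at L211/L214 (`*option=='1' || *option=='t'`) accepts any value beginning with 't', so `isPassive=tomato` counts as true; `!strcmp(option,"1") || !strcmp(option,"true")` (or a shared helper) would be less surprising. The enclosing run() method starts and ends outside this hunk.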
else {
// We're running as a "virtual handler" from within the filter.
// The target resource is the current one and everything else is defaulted.
target=request.getRequestURL();
+ const PropertySet* settings = request.getRequestSettings().first;
+
+ pair<bool,bool> flag = settings->getBool("isPassive");
+ isPassive = flag.first && flag.second;
+ if (!isPassive) {
+ flag = settings->getBool("forceAuthn");
+ forceAuthn = flag.first && flag.second;
+ }
+
+ acClass = settings->getString("authnContextClassRef");
+ acComp = settings->getString("authnContextComparison");
}
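Review bot: `settings` obtained from `request.getRequestSettings().first` at L226 is dereferenced at L228 and L235 without a null check; I cannot tell from this hunk whether the pair's first member can be null for an unmapped request, but if it can, the virtual-handler path crashes instead of falling back to defaults. If the getter guarantees a non-null PropertySet, a one-line comment stating that would stop the next reader from asking; otherwise guard with `if (settings) { ... }` and leave isPassive/forceAuthn false and acClass/acComp unset. The surrounding run() method begins above the hunk.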
m_log.debug("attempting to initiate session using SAML 2.0 with provider (%s)", entityID);
if (option)
target = option;
}
- return doRequest(app, request, entityID, ACS ? ACS->getXMLString("index").second : NULL, NULL, NULL, target);
+ return doRequest(
+ app, request, entityID, ACS ? ACS->getXMLString("index").second : NULL, NULL, NULL, isPassive, forceAuthn, target
+ );
}
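Review bot: `acClass` and `acComp` are filled in by both branches above but are never passed to `doRequest` at L244 (nor in the by-location call below), and the `doRequest` signature in this commit has no parameters for them, so on the in-process path the requested authentication context is silently dropped while isPassive/forceAuthn are honored. Either extend `doRequest` with `const char* authnContextClassRef, const char* authnContextComparison` and pass `acClass.first ? acClass.second : NULL` and `acComp.first ? acComp.second : NULL` here, or add a comment stating that the context options are deliberately not yet wired into the AuthnRequest. run() continues outside this hunk.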
// Since we're not passing by index, we need to fully compute the return URL and binding.
target = option;
}
- auto_ptr_XMLCh wideloc(ACSloc.c_str());
- return doRequest(app, request, entityID, NULL, wideloc.get(), ACS ? ACS->getXMLString("Binding").second : NULL, target);
+ return doRequest(
+ app, request, entityID, NULL, ACSloc.c_str(), ACS ? ACS->getXMLString("Binding").second : NULL, isPassive, forceAuthn, target
+ );
}
// Remote the call.
DDFJanitor jin(in), jout(out);
in.addmember("application_id").string(app.getId());
in.addmember("entity_id").string(entityID);
+ if (isPassive)
+ in.addmember("isPassive").integer(1);
+ else if (forceAuthn)
+ in.addmember("forceAuthn").integer(1);
+ if (acClass.first)
+ in.addmember("authnContextClassRef").string(acClass.second);
+ if (acComp.first)
+ in.addmember("authnContextComparison").string(acComp.second);
if (acsByIndex.first && acsByIndex.second) {
if (ACS)
in.addmember("acsIndex").string(ACS->getString("index").second);
auto_ptr<HTTPResponse> http(getResponse(ret));
auto_ptr_XMLCh index(in["acsIndex"].string());
- auto_ptr_XMLCh loc(in["acsLocation"].string());
auto_ptr_XMLCh bind(in["acsBinding"].string());
string relayState(in["RelayState"].string() ? in["RelayState"].string() : "");
// Since we're remoted, the result should either be a throw, which we pass on,
// a false/0 return, which we just return as an empty structure, or a response/redirect,
// which we capture in the facade and send back.
- doRequest(*app, *http.get(), entityID, index.get(), loc.get(), bind.get(), relayState);
+ doRequest(
+ *app, *http.get(), entityID,
+ index.get(), in["acsLocation"].string(), bind.get(),
+ in["isPassive"].integer()==1, in["forceAuthn"].integer()==1,
+ relayState
+ );
out << ret;
}
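Review bot: The remoted receiver at L280–L285 reads isPassive, forceAuthn, acsIndex, acsLocation and acsBinding out of `in`, but not the `authnContextClassRef` / `authnContextComparison` members the caller adds at L264–L267, so those options are dropped on this side as well and the extra remoting payload is dead data until `doRequest` accepts them. The `in["isPassive"].integer()==1` tests also rely on an absent DDF member reading as something other than 1 — presumably 0, but a comment like `// absent members read as 0, i.e. false` would make that assumption explicit. The enclosing function starts above the hunk.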
HTTPResponse& httpResponse,
const char* entityID,
const XMLCh* acsIndex,
- const XMLCh* acsLocation,
+ const char* acsLocation,
const XMLCh* acsBinding,
+ bool isPassive,
+ bool forceAuthn,
string& relayState
) const
{
req->setDestination(ep->getLocation());
if (acsIndex)
req->setAssertionConsumerServiceIndex(acsIndex);
- if (acsLocation)
- req->setAssertionConsumerServiceURL(acsLocation);
+ if (acsLocation) {
+ auto_ptr_XMLCh wideloc(acsLocation);
+ req->setAssertionConsumerServiceURL(wideloc.get());
+ }
if (acsBinding)
req->setProtocolBinding(acsBinding);
+ if (isPassive)
+ req->IsPassive(isPassive);
+ else if (forceAuthn)
+ req->ForceAuthn(forceAuthn);
Issuer* issuer = IssuerBuilder::buildIssuer();
req->setIssuer(issuer);
issuer->setName(app.getXMLString("providerId").second);
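Review bot: The `if (isPassive) ... else if (forceAuthn)` at L310–L313 makes a passive request win over forceAuthn, mirroring the caller, but nothing in doRequest records that the two flags are treated as mutually exclusive or that the precedence is already resolved upstream; a comment such as `// IsPassive and ForceAuthn are contradictory; a passive request never forces reauthentication` above L310 would document it. Note the same precedence is now encoded three times (parameter parsing, remoting, and here), so anyone changing one must change all three. The doRequest signature begins above this hunk.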
#include "base.h"
#include "SPConfig.h"
+using namespace xercesc;
+
namespace shibsp {
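Review bot: The new `using namespace xercesc;` at L319 sits at file scope directly after the includes, and if this file is a header (the bare `namespace shibsp {` that follows with no definitions visible suggests it may be) it pulls the whole Xerces namespace into every translation unit that includes it — the opposite of what the rest of this commit does by qualifying `xercesc::DOMElement` explicitly in the class declarations. If it is a header, drop the directive and qualify the few Xerces names used instead; if it is a .cpp, it is harmless but would read more consistently placed inside `namespace shibsp` alongside the other using-directives, as the sibling file does at L326.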
/// @cond OFF
using namespace samlconstants;
using namespace opensaml::saml2md;
using namespace opensaml;
+using namespace xercesc;
using namespace log4cpp;
using namespace std;
try {\r
static const XMLCh path[] = UNICODE_LITERAL_4(p,a,t,h);\r
static const XMLCh validate[] = UNICODE_LITERAL_8(v,a,l,i,d,a,t,e);\r
- DOMDocument* dummydoc=XMLToolingConfig::getConfig().getParser().newDocument();\r
- XercesJanitor<DOMDocument> docjanitor(dummydoc);\r
- DOMElement* dummy = dummydoc->createElementNS(NULL,path);\r
+ xercesc::DOMDocument* dummydoc=XMLToolingConfig::getConfig().getParser().newDocument();\r
+ XercesJanitor<xercesc::DOMDocument> docjanitor(dummydoc);\r
+ xercesc::DOMElement* dummy = dummydoc->createElementNS(NULL,path);\r
auto_ptr_XMLCh src(config);\r
dummy->setAttributeNS(NULL,path,src.get());\r
dummy->setAttributeNS(NULL,validate,xmlconstants::XML_ONE);\r