From 75458f3458ecf6f36c3c46a70154701c0d68a8e5 Mon Sep 17 00:00:00 2001
From: cantor
Date: Wed, 12 Mar 2008 20:34:51 +0000
Subject: [PATCH] Add sslIndex option to override ACS index in metadata generation. Favor sslIndex when passing ACS by index in a 2.0 request.
git-svn-id: https://svn.middleware.georgetown.edu/cpp-sp/trunk@2771 cb58f699-b61c-0410-a6fe-9272a202ed29
---
 apache/mod_apache.cpp | 2 +-
 nsapi_shib/nsapi_shib.cpp | 2 +-
 shibsp/handler/impl/AssertionConsumerService.cpp | 11 ++++++-
 shibsp/handler/impl/SAML2SessionInitiator.cpp | 40 +++++++++++++++++++-----
 shibsp/util/DOMPropertySet.h | 2 +-
 shibsp/util/PropertySet.h | 4 +--
 shibsp/util/SPConstants.cpp | 2 ++
 shibsp/util/SPConstants.h | 3 ++
 8 files changed, 53 insertions(+), 13 deletions(-)
diff --git a/apache/mod_apache.cpp b/apache/mod_apache.cpp
index c67b06d..cbc0dbf 100644
--- a/apache/mod_apache.cpp
+++ b/apache/mod_apache.cpp
@@ -696,7 +696,7 @@ public:
 pair getUnsignedInt(const char* name, const char* ns=NULL) const;
 pair getInt(const char* name, const char* ns=NULL) const;
 void getAll(map& properties) const;
- const PropertySet* getPropertySet(const char* name, const char* ns="urn:mace:shibboleth:2.0:native:sp:config") const;
+ const PropertySet* getPropertySet(const char* name, const char* ns=shibspconstants::ASCII_SHIB2SPCONFIG_NS) const;
 const xercesc::DOMElement* getElement() const;
 private:
diff --git a/nsapi_shib/nsapi_shib.cpp b/nsapi_shib/nsapi_shib.cpp
index 7719018..d1efdc4 100644
--- a/nsapi_shib/nsapi_shib.cpp
+++ b/nsapi_shib/nsapi_shib.cpp
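Review bot: The new default argument `ns=shibspconstants::ASCII_SHIB2SPCONFIG_NS` names a symbol declared in SPConstants.h, but this hunk adds no include for it; it presumably arrives through PropertySet.h, whose own include line this commit also changes (the header name is lost in this rendering), so that should be confirmed for both mod_apache.cpp and the nsapi_shib.cpp hunk, which carries the same declaration list. The same default is now spelled out independently in four places (this hunk, the nsapi_shib.cpp hunk, DOMPropertySet.h and the pure virtual in PropertySet.h); default arguments are bound by the static type at the call site, so an override silently diverges from the base if one copy is edited alone. A one-line comment on each override, `// default must match PropertySet::getPropertySet`, would make that coupling visible. The enclosing class declarations start and end outside the hunk.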
@@ -477,7 +477,7 @@ public:
 pair getUnsignedInt(const char* name, const char* ns=NULL) const;
 pair getInt(const char* name, const char* ns=NULL) const;
 void getAll(map& properties) const;
- const PropertySet* getPropertySet(const char* name, const char* ns="urn:mace:shibboleth:2.0:native:sp:config") const;
+ const PropertySet* getPropertySet(const char* name, const char* ns=shibspconstants::ASCII_SHIB2SPCONFIG_NS) const;
 const xercesc::DOMElement* getElement() const;
 private:
diff --git a/shibsp/handler/impl/AssertionConsumerService.cpp b/shibsp/handler/impl/AssertionConsumerService.cpp
index 02c7f97..f4863cd 100644
--- a/shibsp/handler/impl/AssertionConsumerService.cpp
+++ b/shibsp/handler/impl/AssertionConsumerService.cpp
@@ -212,7 +212,16 @@ void AssertionConsumerService::generateMetadata(SPSSODescriptor& role, const cha
 saml2md::AssertionConsumerService* ep = saml2md::AssertionConsumerServiceBuilder::buildAssertionConsumerService();
 ep->setLocation(widen.get());
 ep->setBinding(getXMLString("Binding").second);
- ep->setIndex(getXMLString("index").second);
+ if (!strncmp(handlerURL, "https", 5)) {
+ pair index = getXMLString("sslIndex", shibspconstants::ASCII_SHIB2SPCONFIG_NS);
+ if (index.first)
+ ep->setIndex(index.second);
+ else
+ ep->setIndex(getXMLString("index").second);
+ }
+ else {
+ ep->setIndex(getXMLString("index").second);
+ }
 role.getAssertionConsumerServices().push_back(ep);
 }
diff --git a/shibsp/handler/impl/SAML2SessionInitiator.cpp b/shibsp/handler/impl/SAML2SessionInitiator.cpp
index 644772c..9906907 100644
--- a/shibsp/handler/impl/SAML2SessionInitiator.cpp
+++ b/shibsp/handler/impl/SAML2SessionInitiator.cpp
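Review bot: The two `ep->setIndex(getXMLString("index").second)` branches added to generateMetadata repeat the fallback; starting from `index` and overriding it only when the handler URL is https and `sslIndex` is present removes the repetition and gives one place to record why `sslIndex` is fetched with the SP config namespace while `index` is not (presumably `sslIndex` is an SP-local attribute rather than a standard metadata one — worth confirming in the comment). The scheme test `strncmp(handlerURL, "https", 5)` is case-sensitive and matches any string starting with those five characters, which is fine for a URL the SP composes itself but deserves a comment stating that assumption. The index published here is the one the SAML2SessionInitiator hunks send by index in the AuthnRequest, so the two resolutions must stay identical. generateMetadata's body begins outside the hunk.
```cpp
    ep->setBinding(getXMLString("Binding").second);
    // sslIndex is looked up in the SP config namespace (unlike index) and wins only when the
    // handler is reached over https. Keep this rule identical to the one SAML2SessionInitiator
    // applies when it passes the ACS by index, or the IdP will route to a different endpoint.
    pair<bool,const XMLCh*> index = getXMLString("index");
    if (!strncmp(handlerURL, "https", 5)) {
        pair<bool,const XMLCh*> sslIndex = getXMLString("sslIndex", shibspconstants::ASCII_SHIB2SPCONFIG_NS);
        if (sslIndex.first)
            index = sslIndex;
    }
    ep->setIndex(index.second);
    // … unchanged: push_back onto role.getAssertionConsumerServices() …
```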
@@ -331,10 +331,13 @@ pair SAML2SessionInitiator::run(SPRequest& request, string& entityID,
 // To invoke the request builder, the key requirement is to figure out how
 // to express the ACS, by index or value, and if by value, where.
-
+ // We have to compute the handlerURL no matter what, because we may need to
+ // flip the index to an SSL-version.
+ string ACSloc=request.getHandlerURL(target.c_str());
+
 SPConfig& conf = SPConfig::getConfig();
 if (conf.isEnabled(SPConfig::OutOfProcess)) {
- if (!acsByIndex.first || acsByIndex.second) {
+ if (!acsByIndex.first || acsByIndex.second) {
 // Pass by Index.
 if (isHandler) {
 // We may already have RelayState set if we looped back here,
@@ -344,9 +347,23 @@ pair SAML2SessionInitiator::run(SPRequest& request, string& entityID,
 if (option) target = option;
 }
+
+ // Determine index to use.
+ pair ix = pair(false,NULL);
+ if (ACS) {
+ if (!strncmp(ACSloc.c_str(), "https", 5)) {
+ ix = ACS->getXMLString("sslIndex", shibspconstants::ASCII_SHIB2SPCONFIG_NS);
+ if (!ix.first)
+ ix = ACS->getXMLString("index");
+ }
+ else {
+ ix = ACS->getXMLString("index");
+ }
+ }
+
 return doRequest( app, request, entityID.c_str(),
- ACS ? ACS->getXMLString("index").second : NULL, NULL, NULL,
+ ix.second, NULL, NULL,
 isPassive, forceAuthn, acClass.first ? acClass.second : NULL, acComp.first ? acComp.second : NULL,
@@ -356,7 +373,6 @@ pair SAML2SessionInitiator::run(SPRequest& request, string& entityID,
 // Since we're not passing by index, we need to fully compute the return URL and binding.
 // Compute the ACS URL. We add the ACS location to the base handlerURL.
- string ACSloc=request.getHandlerURL(target.c_str());
 pair loc=ACS ? ACS->getString("Location") : pair(false,NULL);
 if (loc.first) ACSloc+=loc.second;
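Review bot: The sslIndex/index resolution rule is now written out three times — here in the in-process by-index path with `getXMLString`, again in the out-of-process hunk at -394 with `getString`, and in AssertionConsumerService::generateMetadata — and all three must agree, because for a by-index request the index is the only thing that tells the IdP which ACS to deliver the response to; if metadata and request ever resolve to different indices, responses arrive at an endpoint the SP did not intend. A helper on the ACS handler that takes the handler URL and returns the effective index (one overload per string type, or the XMLCh form plus a narrow conversion at the out-of-process call) would keep the rule in one place and collapse each duplicated `pair ix = pair(false,NULL); if (!strncmp(ACSloc.c_str(), "https", 5)) { … }` block to a single call. Failing that, a comment at each copy naming the other two, `// keep in sync with generateMetadata and the out-of-process branch below`, makes the coupling visible. The hoisted `string ACSloc` computation now runs for every request, which the added comment already explains; `run` starts and ends outside these hunks.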
@@ -394,13 +410,23 @@ pair SAML2SessionInitiator::run(SPRequest& request, string& entityID,
 if (acComp.first) in.addmember("authnContextComparison").string(acComp.second);
 if (!acsByIndex.first || acsByIndex.second) {
- if (ACS)
- in.addmember("acsIndex").string(ACS->getString("index").second);
+ if (ACS) {
+ // Determine index to use.
+ pair ix = pair(false,NULL);
+ if (!strncmp(ACSloc.c_str(), "https", 5)) {
+ ix = ACS->getString("sslIndex", shibspconstants::ASCII_SHIB2SPCONFIG_NS);
+ if (!ix.first)
+ ix = ACS->getString("index");
+ }
+ else {
+ ix = ACS->getString("index");
+ }
+ in.addmember("acsIndex").string(ix.second);
+ }
 } else {
 // Since we're not passing by index, we need to fully compute the return URL and binding.
 // Compute the ACS URL. We add the ACS location to the base handlerURL.
- string ACSloc=request.getHandlerURL(target.c_str());
 pair loc=ACS ? ACS->getString("Location") : pair(false,NULL);
 if (loc.first) ACSloc+=loc.second;
 in.addmember("acsLocation").string(ACSloc.c_str());
diff --git a/shibsp/util/DOMPropertySet.h b/shibsp/util/DOMPropertySet.h
index 45d67ac..d642615 100644
--- a/shibsp/util/DOMPropertySet.h
+++ b/shibsp/util/DOMPropertySet.h
@@ -52,7 +52,7 @@ namespace shibsp {
 std::pair getUnsignedInt(const char* name, const char* ns=NULL) const;
 std::pair getInt(const char* name, const char* ns=NULL) const;
 void getAll(std::map& properties) const;
- const PropertySet* getPropertySet(const char* name, const char* ns="urn:mace:shibboleth:2.0:native:sp:config") const;
+ const PropertySet* getPropertySet(const char* name, const char* ns=shibspconstants::ASCII_SHIB2SPCONFIG_NS) const;
 const xercesc::DOMElement* getElement() const {
 return m_root;
diff --git a/shibsp/util/PropertySet.h b/shibsp/util/PropertySet.h
index 7313c4a..bfc7988 100644
--- a/shibsp/util/PropertySet.h
+++ b/shibsp/util/PropertySet.h
@@ -23,7 +23,7 @@
 #ifndef __shibsp_propset_h__
 #define __shibsp_propset_h__
-#include
+#include
 #include
 #include
@@ -113,7 +113,7 @@ namespace shibsp {
 * @param ns nested property set namespace, or NULL
 * @return the nested property set, or NULL
 */
- virtual const PropertySet* getPropertySet(const char* name, const char* ns="urn:mace:shibboleth:2.0:native:sp:config") const=0;
+ virtual const PropertySet* getPropertySet(const char* name, const char* ns=shibspconstants::ASCII_SHIB2SPCONFIG_NS) const=0;
 /**
 * Returns a DOM element representing the property container, if any.
diff --git a/shibsp/util/SPConstants.cpp b/shibsp/util/SPConstants.cpp
index 78c140a..38f0a0a 100644
--- a/shibsp/util/SPConstants.cpp
+++ b/shibsp/util/SPConstants.cpp
@@ -112,3 +112,5 @@ const XMLCh shibspconstants::SHIB1_AUTHNREQUEST_PROFILE_URI[] = // urn:mace:shib
 const char shibspconstants::SHIB1_SESSIONINIT_PROFILE_URI[] = "urn:mace:shibboleth:sp:1.3:SessionInit";
 const char shibspconstants::SHIB1_LOGOUT_PROFILE_URI[] = "urn:mace:shibboleth:sp:1.3:Logout";
+
+ const char shibspconstants::ASCII_SHIB2SPCONFIG_NS[] = "urn:mace:shibboleth:2.0:native:sp:config";
diff --git a/shibsp/util/SPConstants.h b/shibsp/util/SPConstants.h
index 92689a0..dd730f9 100644
--- a/shibsp/util/SPConstants.h
+++ b/shibsp/util/SPConstants.h
@@ -76,6 +76,9 @@ namespace shibspconstants {
 /** Shibboleth 1.3 Local Logout binding/profile ("urn:mace:shibboleth:sp:1.3:Logout") */
 extern SHIBSP_API const char SHIB1_LOGOUT_PROFILE_URI[];
+
+ /** Shibboleth 2.0 SP configuration namespace ("urn:mace:shibboleth:2.0:native:sp:config") */
+ extern SHIBSP_API const char ASCII_SHIB2SPCONFIG_NS[];
 };
 #endif /* __shibsp_constants_h__ */
-- 
2.1.4