From b1005d43b7435fe5615d666a4b9895af6178ec73 Mon Sep 17 00:00:00 2001
From: cantor
Date: Wed, 28 Oct 2009 19:04:25 +0000
Subject: [PATCH] https://bugs.internet2.edu/jira/browse/SSPCPP-244

git-svn-id: https://svn.middleware.georgetown.edu/cpp-sp/branches/REL_2@3149 cb58f699-b61c-0410-a6fe-9272a202ed29
---
 adfs/adfs.cpp                                 | 20 +++++++++++++-------
 shibsp/handler/impl/SAML2SessionInitiator.cpp |  8 ++++----
 shibsp/handler/impl/Shib1SessionInitiator.cpp |  8 ++++----
 shibsp/handler/impl/WAYFSessionInitiator.cpp  |  8 ++++----
 4 files changed, 25 insertions(+), 19 deletions(-)

diff --git a/adfs/adfs.cpp b/adfs/adfs.cpp
index bc2aa8d..858227e 100644
--- a/adfs/adfs.cpp
+++ b/adfs/adfs.cpp
@@ -363,7 +363,6 @@ pair ADFSSessionInitiator::run(SPRequest& request, string& entityID,
             acClass = getString("authnContextClassRef");
         }
 
-        // Since we're not passing by index, we need to fully compute the return URL.
         if (!ACS) {
             pair index = getUnsignedInt("acsIndex");
             if (index.first) {
@@ -371,22 +370,29 @@ pair ADFSSessionInitiator::run(SPRequest& request, string& entityID,
                 if (!ACS)
                     request.log(SPRequest::SPWarn, "invalid acsIndex property, using default ACS location");
             }
-            if (!ACS)
-                ACS = app.getDefaultAssertionConsumerService();
+            if (!ACS) {
+                const vector& endpoints = app.getAssertionConsumerServicesByBinding(m_binding.get());
+                if (endpoints.empty()) {
+                    m_log.error("unable to locate a compatible ACS");
+                    throw ConfigurationException("Unable to locate an ADFS-compatible ACS in the configuration.");
+                }
+                ACS = endpoints.front();
+            }
         }
 
         // Validate the ACS for use with this protocol.
-        pair ACSbinding = ACS ? ACS->getXMLString("Binding") : pair(false,NULL);
+        pair ACSbinding = ACS->getXMLString("Binding");
         if (ACSbinding.first) {
             if (!XMLString::equals(ACSbinding.second, m_binding.get())) {
-                m_log.info("configured or requested ACS has non-ADFS binding");
-                return make_pair(false,0L);
+                m_log.error("configured or requested ACS has non-ADFS binding");
+                throw ConfigurationException("Configured or requested ACS has non-ADFS binding ($1).", params(1, ACSbinding.second));
             }
         }
 
+        // Since we're not passing by index, we need to fully compute the return URL.
         // Compute the ACS URL. We add the ACS location to the base handlerURL.
         string ACSloc=request.getHandlerURL(target.c_str());
-        pair loc=ACS ? ACS->getString("Location") : pair(false,NULL);
+        pair loc=ACS->getString("Location");
         if (loc.first) ACSloc+=loc.second;
 
         if (isHandler) {
diff --git a/shibsp/handler/impl/SAML2SessionInitiator.cpp b/shibsp/handler/impl/SAML2SessionInitiator.cpp
index 1a7f63c..87a3750 100644
--- a/shibsp/handler/impl/SAML2SessionInitiator.cpp
+++ b/shibsp/handler/impl/SAML2SessionInitiator.cpp
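Review bot: The fallback in the new `if (!ACS) {` block takes `endpoints.front()`, so whichever binding-compatible endpoint is listed first wins, whereas the removed `app.getDefaultAssertionConsumerService()` call honored the endpoint configured as the default; if `getAssertionConsumerServicesByBinding` returns endpoints in configuration order, a deployment that marks a later ADFS endpoint as its default will now be sent to the first one instead. Either prefer the default ACS when its `Binding` equals `m_binding` and only then fall back to `front()`, or document the choice on that line: `// first binding-compatible endpoint wins; the configured default ACS is not consulted here`. Separately, the mismatch branch now throws `ConfigurationException` where it used to `return make_pair(false,0L)`, which changes the outcome for any caller that tries several initiators in turn and relied on a decline — the same switch is made in the SAML2SessionInitiator, Shib1SessionInitiator and WAYFSessionInitiator hunks, so if declining is no longer a supported result of `run` that deserves one note in its shared documentation. `run` begins and ends outside this hunk, so whether `ACS` can still be null at `ACS->getXMLString("Binding")` (e.g. a null entry in `endpoints`) cannot be confirmed from here.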
@@ -364,14 +364,14 @@ pair SAML2SessionInitiator::run(SPRequest& request, string& entityID,
         if (ACSbinding.first) {
             pair compatibleBindings = getString("compatibleBindings");
             if (compatibleBindings.first && strstr(compatibleBindings.second, ACSbinding.second) == NULL) {
-                m_log.info("configured or requested ACS has non-SAML 2.0 binding");
-                return make_pair(false,0L);
+                m_log.error("configured or requested ACS has non-SAML 2.0 binding");
+                throw ConfigurationException("Configured or requested ACS has non-SAML 2.0 binding ($1).", params(1, ACSbinding.second));
             }
             else if (strcmp(ACSbinding.second, samlconstants::SAML20_BINDING_HTTP_POST) &&
                      strcmp(ACSbinding.second, samlconstants::SAML20_BINDING_HTTP_ARTIFACT) &&
                      strcmp(ACSbinding.second, samlconstants::SAML20_BINDING_HTTP_POST_SIMPLESIGN)) {
-                m_log.info("configured or requested ACS has non-SAML 2.0 binding");
-                return make_pair(false,0L);
+                m_log.error("configured or requested ACS has non-SAML 2.0 binding");
+                throw ConfigurationException("Configured or requested ACS has non-SAML 2.0 binding ($1).", params(1, ACSbinding.second));
             }
         }
     }
diff --git a/shibsp/handler/impl/Shib1SessionInitiator.cpp b/shibsp/handler/impl/Shib1SessionInitiator.cpp
index 105b5bd..7bdc6cd 100644
--- a/shibsp/handler/impl/Shib1SessionInitiator.cpp
+++ b/shibsp/handler/impl/Shib1SessionInitiator.cpp
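Review bot: The new `throw` in the `compatibleBindings` branch is driven by `strstr(compatibleBindings.second, ACSbinding.second) == NULL`, a substring test rather than a whole-token comparison: a binding URI that is a prefix of a listed one passes even when it is not itself listed, and the SAML 2.0 HTTP-POST binding URI is a prefix of the HTTP-POST-SimpleSign one, so an HTTP-POST ACS is accepted by a `compatibleBindings` value naming only SimpleSign. Now that this check ends in a hard configuration failure rather than a quiet decline, it is worth making it exact — tokenize the property on whitespace and compare each token with `strcmp` — or at least mark the limitation on that line: `// substring match: a binding URI that prefixes a listed one is accepted too`. The enclosing `run` begins and ends outside the hunk.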
@@ -161,13 +161,13 @@ pair Shib1SessionInitiator::run(SPRequest& request, string& entityID,
         if (ACSbinding.first) {
             pair compatibleBindings = getString("compatibleBindings");
             if (compatibleBindings.first && strstr(compatibleBindings.second, ACSbinding.second) == NULL) {
-                m_log.info("configured or requested ACS has non-SAML 1.x binding");
-                return make_pair(false,0L);
+                m_log.error("configured or requested ACS has non-SAML 1.x binding");
+                throw ConfigurationException("Configured or requested ACS has non-SAML 1.x binding ($1).", params(1, ACSbinding.second));
             }
             else if (strcmp(ACSbinding.second, samlconstants::SAML1_PROFILE_BROWSER_POST) &&
                      strcmp(ACSbinding.second, samlconstants::SAML1_PROFILE_BROWSER_ARTIFACT)) {
-                m_log.info("configured or requested ACS has non-SAML 1.x binding");
-                return make_pair(false,0L);
+                m_log.error("configured or requested ACS has non-SAML 1.x binding");
+                throw ConfigurationException("Configured or requested ACS has non-SAML 1.x binding ($1).", params(1, ACSbinding.second));
             }
         }
diff --git a/shibsp/handler/impl/WAYFSessionInitiator.cpp b/shibsp/handler/impl/WAYFSessionInitiator.cpp
index 90e565a..aeeedf1 100644
--- a/shibsp/handler/impl/WAYFSessionInitiator.cpp
+++ b/shibsp/handler/impl/WAYFSessionInitiator.cpp
@@ -133,13 +133,13 @@ pair WAYFSessionInitiator::run(SPRequest& request, string& entityID,
         if (ACSbinding.first) {
             pair compatibleBindings = getString("compatibleBindings");
             if (compatibleBindings.first && strstr(compatibleBindings.second, ACSbinding.second) == NULL) {
-                m_log.info("configured or requested ACS has non-SAML 1.x binding");
-                return make_pair(false,0L);
+                m_log.error("configured or requested ACS has non-SAML 1.x binding");
+                throw ConfigurationException("Configured or requested ACS has non-SAML 1.x binding ($1).", params(1, ACSbinding.second));
             }
             else if (strcmp(ACSbinding.second, samlconstants::SAML1_PROFILE_BROWSER_POST) &&
                      strcmp(ACSbinding.second, samlconstants::SAML1_PROFILE_BROWSER_ARTIFACT)) {
-                m_log.info("configured or requested ACS has non-SAML 1.x binding");
-                return make_pair(false,0L);
+                m_log.error("configured or requested ACS has non-SAML 1.x binding");
+                throw ConfigurationException("Configured or requested ACS has non-SAML 1.x binding ($1).", params(1, ACSbinding.second));
             }
         }
-- 
2.1.4