opensaml::SecurityPolicy Class Reference

A policy used to verify the security of an incoming message. More...

#include <saml/binding/SecurityPolicy.h>

Inheritance diagram for opensaml::SecurityPolicy:
opensaml::saml2::SAML2AssertionPolicy


Classes

class  IssuerMatchingPolicy
 Allows override of rules for comparing saml2:Issuer information. More...

Public Member Functions

 SecurityPolicy (const saml2md::MetadataProvider *metadataProvider=nullptr, const xmltooling::QName *role=nullptr, const xmltooling::TrustEngine *trustEngine=nullptr, bool validate=true)
 Constructor for policy.
const saml2md::MetadataProvider * getMetadataProvider () const
 Returns the locked MetadataProvider supplied to the policy.
virtual saml2md::MetadataProvider::Criteria & getMetadataProviderCriteria () const
 Returns a reference to a MetadataProvider::Criteria instance suitable for use with the installed MetadataProvider.
const xmltooling::QName * getRole () const
 Returns the peer role element/type supplied to the policy.
const xmltooling::TrustEngine * getTrustEngine () const
 Returns the TrustEngine supplied to the policy.
bool getValidating () const
 Returns XML message validation setting.
bool requireEntityIssuer () const
 Returns flag controlling non-entity issuer support.
const std::vector< xmltooling::xstring > & getAudiences () const
 Returns the SAML audiences that represent the receiving peer.
std::vector< xmltooling::xstring > & getAudiences ()
 Returns the SAML audiences that represent the receiving peer.
time_t getTime () const
 Gets the effective time of message processing.
const XMLCh * getCorrelationID () const
 Returns the message identifier to which the message being evaluated is a response.
std::vector< const SecurityPolicyRule * > & getRules ()
 Gets a mutable array of installed policy rules.
void setMetadataProvider (const saml2md::MetadataProvider *metadata)
 Sets a locked MetadataProvider for the policy.
void setMetadataProviderCriteria (saml2md::MetadataProvider::Criteria *criteria)
 Sets a MetadataProvider::Criteria instance suitable for use with the installed MetadataProvider.
void setRole (const xmltooling::QName *role)
 Sets a peer role element/type for the policy.
void setTrustEngine (const xmltooling::TrustEngine *trust)
 Sets a TrustEngine for the policy.
void setValidating (bool validate=true)
 Controls schema validation of incoming XML messages.
void requireEntityIssuer (bool entityOnly=true)
 Sets flag controlling non-entity issuer support.
void setTime (time_t ts)
 Sets effective time of message processing.
void setCorrelationID (const XMLCh *correlationID)
 Sets the message identifier to which the message being evaluated is a response.
void evaluate (const xmltooling::XMLObject &message, const xmltooling::GenericRequest *request=nullptr)
 Evaluates the policy against the given request and message, possibly populating message information in the policy object.
virtual void reset (bool messageOnly=false)
 Resets the policy object and/or clears any per-message state.
void _reset (bool messageOnly=false)
 Resets the policy object and/or clears any per-message state for only this specific class.
const XMLCh * getMessageID () const
 Returns the message identifier as determined by the registered policies.
time_t getIssueInstant () const
 Returns the message timestamp as determined by the registered policies.
const saml2::Issuer * getIssuer () const
 Gets the issuer of the message as determined by the registered policies.
const saml2md::RoleDescriptor * getIssuerMetadata () const
 Gets the metadata for the role the issuer is operating in.
bool isAuthenticated () const
 Returns the authentication status of the message as determined by the registered policies.
void setMessageID (const XMLCh *id)
 Sets the message identifier as determined by the registered policies.
void setIssueInstant (time_t issueInstant)
 Sets the message timestamp as determined by the registered policies.
void setIssuer (const saml2::Issuer *issuer)
 Sets the issuer of the message as determined by the registered policies.
void setIssuer (const XMLCh *issuer)
 Sets the issuer of the message as determined by the registered policies.
void setIssuerMetadata (const saml2md::RoleDescriptor *issuerRole)
 Sets the metadata for the role the issuer is operating in.
void setAuthenticated (bool auth)
 Sets the authentication status of the message as determined by the registered policies.
const IssuerMatchingPolicy & getIssuerMatchingPolicy () const
 Returns the IssuerMatchingPolicy in effect.
void setIssuerMatchingPolicy (IssuerMatchingPolicy *matchingPolicy)
 Sets the IssuerMatchingPolicy in effect.

Protected Attributes

saml2md::MetadataProvider::Criteria * m_metadataCriteria
 Manufactured MetadataProvider::Criteria instance.

Static Protected Attributes

static IssuerMatchingPolicy m_defaultMatching
 A shared matching object that just supports the default matching rules.

Detailed Description

A policy used to verify the security of an incoming message.

Its security mechanisms may be used to examine the transport layer (e.g. client certificates and HTTP basic auth passwords) or to check the payload of a request to ensure it meets certain criteria (e.g. valid digital signature, freshness, replay).

Policy objects can be reused, but are not thread-safe.
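The following is an added, self-contained model of the contract described in this reference; it is not opensaml code. The classes Message, Rule, Policy, Outcome and the three rule types are hypothetical stand-ins for xmltooling::XMLObject, SecurityPolicyRule and SecurityPolicy, and the freshness window is a constructed parameter. What it shows is the documented flow: installed rules run in order during evaluate(), a violation aborts evaluation with an exception, rules (not the caller) populate message ID, issue instant, issuer and authentication state, and reset(messageOnly=true) clears only the message ID and timestamp so that security and issuer state carry over when a nested layer of the same message is evaluated.

```cpp
// Added example (not opensaml code): a minimal model of the SecurityPolicy
// contract. All names here are hypothetical stand-ins; only the behaviour
// follows the reference documentation.
#include <ctime>
#include <stdexcept>
#include <string>
#include <vector>

struct Message {                  // stand-in for the incoming XMLObject
    std::string id;               // message identifier
    std::string issuer;           // entityID of the issuer
    std::time_t issueInstant;     // seconds since epoch
    bool signatureValid;          // constructed: result of a signature check
};

class Policy;

struct Rule {                     // stand-in for SecurityPolicyRule
    virtual ~Rule() = default;
    // Throws on a violation; otherwise may populate state in the policy.
    virtual void evaluate(const Message& m, Policy& p) const = 0;
};

class Policy {                    // stand-in for SecurityPolicy
public:
    explicit Policy(std::time_t now) : m_time(now) {}
    std::vector<const Rule*>& getRules() { return m_rules; }  // rules must outlive the policy
    std::time_t getTime() const { return m_time; }

    void setMessageID(const std::string& id) { m_messageID = id; }
    void setIssueInstant(std::time_t t) { m_issueInstant = t; }
    void setIssuer(const std::string& i) { m_issuer = i; }
    void setAuthenticated(bool a) { m_authenticated = a; }
    const std::string& getMessageID() const { return m_messageID; }
    const std::string& getIssuer() const { return m_issuer; }
    bool isAuthenticated() const { return m_authenticated; }

    // Runs every installed rule in order; the first violation aborts evaluation.
    void evaluate(const Message& m) {
        for (const Rule* r : m_rules) r->evaluate(m, *this);
    }
    // messageOnly=true clears only message ID and timestamp, so issuer and
    // authentication state carry over when a nested layer is evaluated.
    void reset(bool messageOnly = false) {
        m_messageID.clear();
        m_issueInstant = 0;
        if (!messageOnly) { m_issuer.clear(); m_authenticated = false; }
    }
private:
    std::time_t m_time;
    std::vector<const Rule*> m_rules;
    std::string m_messageID, m_issuer;
    std::time_t m_issueInstant = 0;
    bool m_authenticated = false;
};

// Records identifier, timestamp and issuer for later rules and the caller.
struct MessageRule : Rule {
    void evaluate(const Message& m, Policy& p) const override {
        p.setMessageID(m.id); p.setIssueInstant(m.issueInstant); p.setIssuer(m.issuer);
    }
};
// Rejects messages outside +/- skew of the policy's effective time (getTime()).
struct FreshnessRule : Rule {
    std::time_t skew;
    explicit FreshnessRule(std::time_t s) : skew(s) {}
    void evaluate(const Message& m, Policy& p) const override {
        if (m.issueInstant + skew < p.getTime() || m.issueInstant > p.getTime() + skew)
            throw std::runtime_error("BindingException: message is not fresh");
    }
};
// Marks the message authenticated only when its signature verified.
struct SignatureRule : Rule {
    void evaluate(const Message& m, Policy& p) const override {
        if (!m.signatureValid) throw std::runtime_error("BindingException: bad signature");
        p.setAuthenticated(true);
    }
};

struct Outcome { bool accepted; bool authenticated; std::string issuer; std::string messageID; };

// Evaluates one message with the three rules and reports what a caller would
// inspect afterwards; a rule failure surfaces as accepted=false.
Outcome runPolicy(const Message& m, std::time_t now, std::time_t skew) {
    MessageRule idRule; FreshnessRule fresh(skew); SignatureRule sig;
    Policy p(now);
    p.getRules().push_back(&idRule);
    p.getRules().push_back(&fresh);
    p.getRules().push_back(&sig);
    try { p.evaluate(m); }
    catch (const std::runtime_error&) { return Outcome{false, false, "", ""}; }
    return Outcome{true, p.isAuthenticated(), p.getIssuer(), p.getMessageID()};
}

// Returns true iff, after reset(messageOnly), the message ID is cleared while
// issuer and authentication state are still present.
bool resetKeepsSecurityState(bool messageOnly) {
    MessageRule idRule; SignatureRule sig;
    Policy p(1000);
    p.getRules().push_back(&idRule);
    p.getRules().push_back(&sig);
    p.evaluate(Message{"_outer", "https://idp.example.org", 1000, true});  // constructed input
    p.reset(messageOnly);
    return p.getMessageID().empty() && p.isAuthenticated() && !p.getIssuer().empty();
}
```

Two points the model makes explicit: a caller must still check isAuthenticated() after evaluate() returns, because evaluation without an exception only means no rule objected, and the authenticated flag is set solely by a rule that actually verified something; and the rules are held by pointer and never freed by the policy, which is why the reference requires their lifetime to be at least as long as the policy object.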


Constructor & Destructor Documentation

opensaml::SecurityPolicy::SecurityPolicy ( const saml2md::MetadataProvider *  metadataProvider = nullptr,
const xmltooling::QName *  role = nullptr,
const xmltooling::TrustEngine *  trustEngine = nullptr,
bool  validate = true 
)

Constructor for policy.

Parameters:
metadataProvider locked MetadataProvider instance
role identifies the role (generally IdP or SP) of the policy peer
trustEngine TrustEngine to authenticate policy peer
validate true iff XML parsing should be done with validation

Member Function Documentation

void opensaml::SecurityPolicy::_reset ( bool  messageOnly = false  ) 

Resets the policy object and/or clears any per-message state for only this specific class.

Resets can be complete (the default) or merely clear the previous message ID and timestamp when evaluating multiple layers of a message.

Parameters:
messageOnly true iff security and issuer state should be left in place

Reimplemented in opensaml::saml2::SAML2AssertionPolicy.

void opensaml::SecurityPolicy::evaluate ( const xmltooling::XMLObject &  message,
const xmltooling::GenericRequest *  request = nullptr 
)

Evaluates the policy against the given request and message, possibly populating message information in the policy object.

Parameters:
message the incoming message
request the protocol request
Exceptions:
BindingException raised if the message/request is invalid according to the supplied rules
std::vector<xmltooling::xstring>& opensaml::SecurityPolicy::getAudiences (  ) 

Returns the SAML audiences that represent the receiving peer.

Returns:
audience values of the peer processing the message
const std::vector<xmltooling::xstring>& opensaml::SecurityPolicy::getAudiences (  )  const

Returns the SAML audiences that represent the receiving peer.

Returns:
audience values of the peer processing the message
const XMLCh* opensaml::SecurityPolicy::getCorrelationID (  )  const

Returns the message identifier to which the message being evaluated is a response.

Returns:
correlated message identifier
time_t opensaml::SecurityPolicy::getIssueInstant (  )  const

Returns the message timestamp as determined by the registered policies.

Returns:
message timestamp as determined by the registered policies
const saml2::Issuer* opensaml::SecurityPolicy::getIssuer (  )  const

Gets the issuer of the message as determined by the registered policies.

Returns:
issuer of the message as determined by the registered policies
const IssuerMatchingPolicy& opensaml::SecurityPolicy::getIssuerMatchingPolicy (  )  const

Returns the IssuerMatchingPolicy in effect.

Returns:
the effective IssuerMatchingPolicy
const saml2md::RoleDescriptor* opensaml::SecurityPolicy::getIssuerMetadata (  )  const

Gets the metadata for the role the issuer is operating in.

Returns:
metadata for the role the issuer is operating in
const XMLCh* opensaml::SecurityPolicy::getMessageID (  )  const

Returns the message identifier as determined by the registered policies.

Returns:
message identifier as determined by the registered policies
const saml2md::MetadataProvider* opensaml::SecurityPolicy::getMetadataProvider (  )  const

Returns the locked MetadataProvider supplied to the policy.

Returns:
the supplied MetadataProvider or nullptr
virtual saml2md::MetadataProvider::Criteria& opensaml::SecurityPolicy::getMetadataProviderCriteria (  )  const [virtual]

Returns a reference to a MetadataProvider::Criteria instance suitable for use with the installed MetadataProvider.

The object will be cleared/reset when returned, so do not mutate it and then call the method again before using it.

Returns:
reference to a MetadataProvider::Criteria instance
const xmltooling::QName* opensaml::SecurityPolicy::getRole (  )  const

Returns the peer role element/type supplied to the policy.

Returns:
the peer role element/type, or an empty QName
std::vector<const SecurityPolicyRule*>& opensaml::SecurityPolicy::getRules (  ) 

Gets a mutable array of installed policy rules.

If adding rules, their lifetime must be at least as long as the policy object.

Returns:
mutable array of rules
time_t opensaml::SecurityPolicy::getTime (  )  const

Gets the effective time of message processing.

Returns:
the time at which the message is being processed
const xmltooling::TrustEngine* opensaml::SecurityPolicy::getTrustEngine (  )  const

Returns the TrustEngine supplied to the policy.

Returns:
the supplied TrustEngine or nullptr
bool opensaml::SecurityPolicy::getValidating (  )  const

Returns XML message validation setting.

Returns:
validation flag
bool opensaml::SecurityPolicy::isAuthenticated (  )  const

Returns the authentication status of the message as determined by the registered policies.

Returns:
true iff a SecurityPolicyRule has indicated the issuer/message has been authenticated
void opensaml::SecurityPolicy::requireEntityIssuer ( bool  entityOnly = true  ) 

Sets flag controlling non-entity issuer support.

Parameters:
entityOnly require that Issuer be in entity format
bool opensaml::SecurityPolicy::requireEntityIssuer (  )  const

Returns flag controlling non-entity issuer support.

Returns:
flag controlling non-entity issuer support
virtual void opensaml::SecurityPolicy::reset ( bool  messageOnly = false  )  [virtual]

Resets the policy object and/or clears any per-message state.

Resets can be complete (the default) or merely clear the previous message ID and timestamp when evaluating multiple layers of a message.

Parameters:
messageOnly true iff security and issuer state should be left in place

Reimplemented in opensaml::saml2::SAML2AssertionPolicy.

void opensaml::SecurityPolicy::setAuthenticated ( bool  auth  ) 

Sets the authentication status of the message as determined by the registered policies.

Parameters:
auth indicates whether the issuer/message has been authenticated
void opensaml::SecurityPolicy::setCorrelationID ( const XMLCh *  correlationID  ) 

Sets the message identifier to which the message being evaluated is a response.

Parameters:
correlationID correlated message identifier
void opensaml::SecurityPolicy::setIssueInstant ( time_t  issueInstant  ) 

Sets the message timestamp as determined by the registered policies.

Parameters:
issueInstant message timestamp
void opensaml::SecurityPolicy::setIssuer ( const XMLCh *  issuer  ) 

Sets the issuer of the message as determined by the registered policies.

Parameters:
issuer issuer of the message
void opensaml::SecurityPolicy::setIssuer ( const saml2::Issuer *  issuer  ) 

Sets the issuer of the message as determined by the registered policies.

Parameters:
issuer issuer of the message
void opensaml::SecurityPolicy::setIssuerMatchingPolicy ( IssuerMatchingPolicy *  matchingPolicy  ) 

Sets the IssuerMatchingPolicy in effect.

Setting no policy will cause the simple, default approach to be used.

The matching object will be freed by the SecurityPolicy.

Parameters:
matchingPolicy the IssuerMatchingPolicy to use
void opensaml::SecurityPolicy::setIssuerMetadata ( const saml2md::RoleDescriptor *  issuerRole  ) 

Sets the metadata for the role the issuer is operating in.

Parameters:
issuerRole metadata for the role the issuer is operating in
void opensaml::SecurityPolicy::setMessageID ( const XMLCh *  id  ) 

Sets the message identifier as determined by the registered policies.

Parameters:
id message identifier
void opensaml::SecurityPolicy::setMetadataProvider ( const saml2md::MetadataProvider *  metadata  ) 

Sets a locked MetadataProvider for the policy.

Parameters:
metadata a locked MetadataProvider or nullptr
void opensaml::SecurityPolicy::setMetadataProviderCriteria ( saml2md::MetadataProvider::Criteria *  criteria  ) 

Sets a MetadataProvider::Criteria instance suitable for use with the installed MetadataProvider.

The policy will take ownership of the criteria object when this method completes.

Parameters:
criteria a MetadataProvider::Criteria instance, or nullptr
void opensaml::SecurityPolicy::setRole ( const xmltooling::QName *  role  ) 

Sets a peer role element/type for the policy.

Parameters:
role the peer role element/type or nullptr
void opensaml::SecurityPolicy::setTime ( time_t  ts  ) 

Sets effective time of message processing.

Defaults to the time of policy instantiation; it can be adjusted to pre- or post-date message processing.

Parameters:
ts the time at which the message is being processed
void opensaml::SecurityPolicy::setTrustEngine ( const xmltooling::TrustEngine *  trust  ) 

Sets a TrustEngine for the policy.

Parameters:
trust a TrustEngine or nullptr
void opensaml::SecurityPolicy::setValidating ( bool  validate = true  ) 

Controls schema validation of incoming XML messages.

This is separate from other forms of programmatic validation of objects, but can detect a much wider range of syntax errors.

Parameters:
validate validation setting

Member Data Documentation

IssuerMatchingPolicy opensaml::SecurityPolicy::m_defaultMatching [static, protected]

A shared matching object that just supports the default matching rules.

saml2md::MetadataProvider::Criteria* opensaml::SecurityPolicy::m_metadataCriteria [protected]

Manufactured MetadataProvider::Criteria instance.


The documentation for this class was generated from the following file: saml/binding/SecurityPolicy.h

Generated on 9 Jan 2013 for opensaml-2.5.2 by  doxygen 1.6.1