opensaml::SecurityPolicy Class Reference

A policy used to verify the security of an incoming message. More...

#include <saml/binding/SecurityPolicy.h>

Inheritance diagram for opensaml::SecurityPolicy:

List of all members.

Public Member Functions
	SecurityPolicy (const saml2md::MetadataProvider *metadataProvider=nullptr, const xmltooling::QName *role=nullptr, const xmltooling::TrustEngine *trustEngine=nullptr, bool validate=true)
	Constructor for policy.
const saml2md::MetadataProvider *	getMetadataProvider () const
	Returns the locked MetadataProvider supplied to the policy.
virtual saml2md::MetadataProvider::Criteria &	getMetadataProviderCriteria () const
	Returns a reference to a MetadataProvider::Criteria instance suitable for use with the installed MetadataProvider.
const xmltooling::QName *	getRole () const
	Returns the peer role element/type supplied to the policy.
const xmltooling::TrustEngine *	getTrustEngine () const
	Returns the TrustEngine supplied to the policy.
bool	getValidating () const
	Returns XML message validation setting.
bool	requireEntityIssuer () const
	Returns flag controlling non-entity issuer support.
const std::vector< xmltooling::xstring > &	getAudiences () const
	Returns the SAML audiences that represent the receiving peer.
std::vector< xmltooling::xstring > &	getAudiences ()
	Returns the SAML audiences that represent the receiving peer.
time_t	getTime () const
	Gets the effective time of message processing.
const XMLCh *	getCorrelationID () const
	Returns the message identifier to which the message being evaluated is a response.
std::vector< const SecurityPolicyRule * > &	getRules ()
	Gets a mutable array of installed policy rules.
void	setMetadataProvider (const saml2md::MetadataProvider *metadata)
	Sets a locked MetadataProvider for the policy.
void	setMetadataProviderCriteria (saml2md::MetadataProvider::Criteria *criteria)
	Sets a MetadataProvider::Criteria instance suitable for use with the installed MetadataProvider.
void	setRole (const xmltooling::QName *role)
	Sets a peer role element/type for to the policy.
void	setTrustEngine (const xmltooling::TrustEngine *trust)
	Sets a TrustEngine for the policy.
void	setValidating (bool validate=true)
	Controls schema validation of incoming XML messages.
void	requireEntityIssuer (bool entityOnly=true)
	Sets flag controlling non-entity issuer support.
void	setTime (time_t ts)
	Sets effective time of message processing.
void	setCorrelationID (const XMLCh *correlationID)
	Sets the message identifier to which the message being evaluated is a response.
void	evaluate (const xmltooling::XMLObject &message, const xmltooling::GenericRequest *request=nullptr)
	Evaluates the policy against the given request and message, possibly populating message information in the policy object.
virtual void	reset (bool messageOnly=false)
	Resets the policy object and/or clears any per-message state.
void	_reset (bool messageOnly=false)
	Resets the policy object and/or clears any per-message state for only this specific class.
const XMLCh *	getMessageID () const
	Returns the message identifier as determined by the registered policies.
time_t	getIssueInstant () const
	Returns the message timestamp as determined by the registered policies.
const saml2::Issuer *	getIssuer () const
	Gets the issuer of the message as determined by the registered policies.
const saml2md::RoleDescriptor *	getIssuerMetadata () const
	Gets the metadata for the role the issuer is operating in.
bool	isAuthenticated () const
	Returns the authentication status of the message as determined by the registered policies.
void	setMessageID (const XMLCh *id)
	Sets the message identifier as determined by the registered policies.
void	setIssueInstant (time_t issueInstant)
	Sets the message timestamp as determined by the registered policies.
void	setIssuer (const saml2::Issuer *issuer)
	Sets the issuer of the message as determined by the registered policies.
void	setIssuer (const XMLCh *issuer)
	Sets the issuer of the message as determined by the registered policies.
void	setIssuerMetadata (const saml2md::RoleDescriptor *issuerRole)
	Sets the metadata for the role the issuer is operating in.
void	setAuthenticated (bool auth)
	Sets the authentication status of the message as determined by the registered policies.
const IssuerMatchingPolicy &	getIssuerMatchingPolicy () const
	Returns the IssuerMatchingPolicy in effect.
void	setIssuerMatchingPolicy (IssuerMatchingPolicy *matchingPolicy)
	Sets the IssuerMatchingPolicy in effect.
Protected Attributes
saml2md::MetadataProvider::Criteria *	m_metadataCriteria
	Manufactured MetadataProvider::Criteria instance.
Static Protected Attributes
static IssuerMatchingPolicy	m_defaultMatching
	A shared matching object that just supports the default matching rules.
Classes
class	IssuerMatchingPolicy
	Allows override of rules for comparing saml2:Issuer information. More...

---

Detailed Description

A policy used to verify the security of an incoming message.

Its security mechanisms may be used to examine the transport layer (e.g client certificates and HTTP basic auth passwords) or to check the payload of a request to ensure it meets certain criteria (e.g. valid digital signature, freshness, replay).

Policy objects can be reused, but are not thread-safe.

---

Constructor & Destructor Documentation

opensaml::SecurityPolicy::SecurityPolicy (  const saml2md::MetadataProvider *  metadataProvider = nullptr, const xmltooling::QName *  role = nullptr, const xmltooling::TrustEngine *  trustEngine = nullptr, bool  validate = true )

Constructor for policy. Parameters: metadataProvider  locked MetadataProvider instance role  identifies the role (generally IdP or SP) of the policy peer trustEngine  TrustEngine to authenticate policy peer validate  true iff XML parsing should be done with validation

---

Member Function Documentation

void opensaml::SecurityPolicy::_reset (  bool  messageOnly = false  )

Resets the policy object and/or clears any per-message state for only this specific class. Resets can be complete (the default) or merely clear the previous message ID and timestamp when evaluating multiple layers of a message. Parameters: messageOnly  true iff security and issuer state should be left in place Reimplemented in opensaml::saml2::SAML2AssertionPolicy.

void opensaml::SecurityPolicy::evaluate (  const xmltooling::XMLObject &  message, const xmltooling::GenericRequest *  request = nullptr )

Evaluates the policy against the given request and message, possibly populating message information in the policy object. Parameters: message  the incoming message request  the protocol request Exceptions: BindingException  raised if the message/request is invalid according to the supplied rules

std::vector<xmltooling::xstring>& opensaml::SecurityPolicy::getAudiences (   )

Returns the SAML audiences that represent the receiving peer. Returns: audience values of the peer processing the message

const std::vector<xmltooling::xstring>& opensaml::SecurityPolicy::getAudiences (   )  const

Returns the SAML audiences that represent the receiving peer. Returns: audience values of the peer processing the message

const XMLCh* opensaml::SecurityPolicy::getCorrelationID (   )  const

Returns the message identifier to which the message being evaluated is a response. Returns: correlated message identifier

time_t opensaml::SecurityPolicy::getIssueInstant (   )  const

Returns the message timestamp as determined by the registered policies. Returns: message timestamp as determined by the registered policies

const saml2::Issuer* opensaml::SecurityPolicy::getIssuer (   )  const

Gets the issuer of the message as determined by the registered policies. Returns: issuer of the message as determined by the registered policies

const IssuerMatchingPolicy& opensaml::SecurityPolicy::getIssuerMatchingPolicy (   )  const

Returns the IssuerMatchingPolicy in effect. Returns: the effective IssuerMatchingPolicy

const saml2md::RoleDescriptor* opensaml::SecurityPolicy::getIssuerMetadata (   )  const

Gets the metadata for the role the issuer is operating in. Returns: metadata for the role the issuer is operating in

const XMLCh* opensaml::SecurityPolicy::getMessageID (   )  const

Returns the message identifier as determined by the registered policies. Returns: message identifier as determined by the registered policies

const saml2md::MetadataProvider* opensaml::SecurityPolicy::getMetadataProvider (   )  const

Returns the locked MetadataProvider supplied to the policy. Returns: the supplied MetadataProvider or nullptr

virtual saml2md::MetadataProvider::Criteria& opensaml::SecurityPolicy::getMetadataProviderCriteria (   )  const [virtual]

Returns a reference to a MetadataProvider::Criteria instance suitable for use with the installed MetadataProvider. The object will be cleared/reset when returned, so do not mutate it and then call the method again before using it. Returns: reference to a MetadataProvider::Criteria instance

const xmltooling::QName* opensaml::SecurityPolicy::getRole (   )  const

Returns the peer role element/type supplied to the policy. Returns: the peer role element/type, or an empty QName

std::vector<const SecurityPolicyRule*>& opensaml::SecurityPolicy::getRules (   )

Gets a mutable array of installed policy rules. If adding rules, their lifetime must be at least as long as the policy object. Returns: mutable array of rules

time_t opensaml::SecurityPolicy::getTime (   )  const

Gets the effective time of message processing. Returns: the time at which the message is being processed

const xmltooling::TrustEngine* opensaml::SecurityPolicy::getTrustEngine (   )  const

Returns the TrustEngine supplied to the policy. Returns: the supplied TrustEngine or nullptr

bool opensaml::SecurityPolicy::getValidating (   )  const

Returns XML message validation setting. Returns: validation flag

bool opensaml::SecurityPolicy::isAuthenticated (   )  const

Returns the authentication status of the message as determined by the registered policies. Returns: true iff a SecurityPolicyRule has indicated the issuer/message has been authenticated

void opensaml::SecurityPolicy::requireEntityIssuer (  bool  entityOnly = true  )

Sets flag controlling non-entity issuer support. Parameters: entityOnly  require that Issuer be in entity format

bool opensaml::SecurityPolicy::requireEntityIssuer (   )  const

Returns flag controlling non-entity issuer support. Returns: flag controlling non-entity issuer support

virtual void opensaml::SecurityPolicy::reset (  bool  messageOnly = false  )  [virtual]

Resets the policy object and/or clears any per-message state. Resets can be complete (the default) or merely clear the previous message ID and timestamp when evaluating multiple layers of a message. Parameters: messageOnly  true iff security and issuer state should be left in place Reimplemented in opensaml::saml2::SAML2AssertionPolicy.

void opensaml::SecurityPolicy::setAuthenticated (  bool  auth  )

Sets the authentication status of the message as determined by the registered policies. Parameters: auth  indicates whether the issuer/message has been authenticated

void opensaml::SecurityPolicy::setCorrelationID (  const XMLCh *  correlationID  )

Sets the message identifier to which the message being evaluated is a response. Parameters: correlationID  correlated message identifier

void opensaml::SecurityPolicy::setIssueInstant (  time_t  issueInstant  )

Sets the message timestamp as determined by the registered policies. Parameters: issueInstant  message timestamp

void opensaml::SecurityPolicy::setIssuer (  const XMLCh *  issuer  )

Sets the issuer of the message as determined by the registered policies. Parameters: issuer  issuer of the message

void opensaml::SecurityPolicy::setIssuer (  const saml2::Issuer *  issuer  )

Sets the issuer of the message as determined by the registered policies. Parameters: issuer  issuer of the message

void opensaml::SecurityPolicy::setIssuerMatchingPolicy (  IssuerMatchingPolicy *  matchingPolicy  )

Sets the IssuerMatchingPolicy in effect. Setting no policy will cause the simple, default approach to be used. The matching object will be freed by the SecurityPolicy. Parameters: matchingPolicy  the IssuerMatchingPolicy to use

void opensaml::SecurityPolicy::setIssuerMetadata (  const saml2md::RoleDescriptor *  issuerRole  )

Sets the metadata for the role the issuer is operating in. Parameters: issuerRole  metadata for the role the issuer is operating in

void opensaml::SecurityPolicy::setMessageID (  const XMLCh *  id  )

Sets the message identifier as determined by the registered policies. Parameters: id  message identifier

void opensaml::SecurityPolicy::setMetadataProvider (  const saml2md::MetadataProvider *  metadata  )

Sets a locked MetadataProvider for the policy. Parameters: metadata  a locked MetadataProvider or nullptr

void opensaml::SecurityPolicy::setMetadataProviderCriteria (  saml2md::MetadataProvider::Criteria *  criteria  )

Sets a MetadataProvider::Criteria instance suitable for use with the installed MetadataProvider. The policy will take ownership of the criteria object when this method completes. Parameters: criteria  a MetadataProvider::Criteria instance, or nullptr

void opensaml::SecurityPolicy::setRole (  const xmltooling::QName *  role  )

Sets a peer role element/type for to the policy. Parameters: role  the peer role element/type or nullptr

void opensaml::SecurityPolicy::setTime (  time_t  ts  )

Sets effective time of message processing. Assumed to be the time of policy instantiation, can be adjusted to pre- or post-date message processing. Parameters: ts  the time at which the message is being processed

void opensaml::SecurityPolicy::setTrustEngine (  const xmltooling::TrustEngine *  trust  )

Sets a TrustEngine for the policy. Parameters: trust  a TrustEngine or nullptr

void opensaml::SecurityPolicy::setValidating (  bool  validate = true  )

Controls schema validation of incoming XML messages. This is separate from other forms of programmatic validation of objects, but can detect a much wider range of syntax errors. Parameters: validate  validation setting

---

The documentation for this class was generated from the following file:

• saml/binding/SecurityPolicy.h

---