authorbenjamin.dauvergne <benjamin.dauvergne@a716ebb1-153a-0410-b759-cfb97c6a1b53>2012-02-17 14:01:24 +0000
committerbenjamin.dauvergne <benjamin.dauvergne@a716ebb1-153a-0410-b759-cfb97c6a1b53>2012-02-17 14:01:24 +0000
commitce1a5d08aa3aa1e78b3bcf3a76915c875f37f8cb (patch)
tree65d0881f51ee87cfe38738c260e8bf32ae43f26f /auth_mellon_config.c
parent10e252281585a8a84b6be49ebca1e293aea78000 (diff)
Add directive MellonSubjectConfirmationDataAddressCheck
MellonSubjectConfirmationDataAddressCheck allows disabling the check of the client address given by the IdP assertion in the SubjectConfirmationData node. Disabling it can be necessary when the client and the IdP or SP are in a NAT-ed network, or when the SP is behind a reverse proxy. git-svn-id: https://modmellon.googlecode.com/svn/trunk@152 a716ebb1-153a-0410-b759-cfb97c6a1b53
Diffstat (limited to 'auth_mellon_config.c')
-rw-r--r--auth_mellon_config.c10
1 files changed, 10 insertions, 0 deletions
diff --git a/auth_mellon_config.c b/auth_mellon_config.c
index 66a4032..7607668 100644
--- a/auth_mellon_config.c
+++ b/auth_mellon_config.c
@@ -1102,6 +1102,13 @@ const command_rec auth_mellon_commands[] = {
"A list of AuthnContextClassRef to request in the AuthnRequest and "
"to validate upon reception of an Assertion"
),
+ AP_INIT_FLAG(
+ "MellonSubjectConfirmationDataAddressCheck",
+ ap_set_flag_slot,
+ (void *)APR_OFFSETOF(am_dir_cfg_rec, subject_confirmation_data_address_check),
+ OR_AUTHCFG,
+ "Check address given in SubjectConfirmationData Address attribute. Default is on."
+ ),
{NULL}
};
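Review bot: The help string on the new `MellonSubjectConfirmationDataAddressCheck` entry says only that the default is on, not what is given up when the flag is set to off. Since off skips the comparison of the client address with the SubjectConfirmationData Address attribute, I would extend the text to something like `"Check address given in SubjectConfirmationData Address attribute. Default is on; turning it off removes the binding of the assertion to the client address."`. The entry is registered with `OR_AUTHCFG`, so where AllowOverride AuthConfig is granted the check can also be switched off from a .htaccess file, and the merge added in auth_mellon_dir_merge appears to let the more specific setting win; if that is not intended for a check like this, `RSRC_CONF | ACCESS_CONF` would keep it in the main configuration. The array definition starts outside the hunk.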
@@ -1185,6 +1192,7 @@ void *auth_mellon_dir_config(apr_pool_t *p, char *d)
dir->inherit_server_from = dir;
dir->server = NULL;
dir->authn_context_class_ref = apr_array_make(p, 0, sizeof(char *));;
+ dir->subject_confirmation_data_address_check = inherit_subject_confirmation_data_address_check;
return dir;
}
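Review bot: The new field is initialised to the sentinel `inherit_subject_confirmation_data_address_check` rather than to an explicit on value, so the documented "Default is on" depends on how the code that reads this field treats the sentinel, which is not visible in this diff. A plain truth test and a comparison with 1 would give different results for a sentinel value, and for a security check the unset case should resolve to enabled. I would add a comment on the assignment, for example `/* inherit sentinel: must resolve to "on" where the check is performed */`, and confirm the consuming code reads the value through the same default-resolving path as the other inherited options. The function body starts outside the hunk.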
@@ -1391,6 +1399,8 @@ void *auth_mellon_dir_merge(apr_pool_t *p, void *base, void *add)
add_cfg->authn_context_class_ref :
base_cfg->authn_context_class_ref);
+ new_cfg->subject_confirmation_data_address_check =
+ CFG_MERGE(add_cfg, base_cfg, subject_confirmation_data_address_check);
return new_cfg;
}