-rw-r--r-- | README | 10 | ||||
-rw-r--r-- | auth_mellon.h | 4 | ||||
-rw-r--r-- | auth_mellon_config.c | 41 |
3 files changed, 55 insertions, 0 deletions
@@ -445,6 +445,16 @@ MellonPostCount 100
 # This option will make the Lasso session available in
 # the MELLON_SESSION environement variable. Default is Off.
 MellonSessionDump Off
+
+ # This option will request specific authentication security-level
+ # through the AuthnContextClassRef element of the AuthnRequest It will
+ # also request enforcement of this level when receiving an
+ # authenticating Assertion.
+ # If the assertion does not have the required security level, an HTTP
+ # Forbidden status code is returned to the browser.
+ # MellonAuthnContextClassRef "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos"
+ # MellonAuthnContextClassRef "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
+ # MellonAuthnContextClassRef "urn:oasis:names:tc:SAML:2.0:ac:classes:SoftwarePKI"
 </Location>
diff --git a/auth_mellon.h b/auth_mellon.h
index 274fe12..8846808 100644
--- a/auth_mellon.h
+++ b/auth_mellon.h
@@ -216,6 +216,10 @@ typedef struct am_dir_cfg_rec {
     struct am_dir_cfg_rec *inherit_server_from;
     /* Mutex to prevent us from creating several lasso server objects. */
     apr_thread_mutex_t *server_mutex;
+
+    /* AuthnContextClassRef list */
+    apr_array_header_t *authn_context_class_ref;
+
     /* Cached lasso server object. */
     LassoServer *server;
 } am_dir_cfg_rec;
diff --git a/auth_mellon_config.c b/auth_mellon_config.c
index 79953e8..a97b911 100644
--- a/auth_mellon_config.c
+++ b/auth_mellon_config.c
@@ -755,6 +755,32 @@ static const char *am_set_langstring_slot(cmd_parms *cmd,
     return NULL;
 }
 
+/* This function handles the MellonAuthnContextClassRef directive.
+ *
+ * Parameters:
+ *  cmd_parms *cmd       The command structure for the MellonAuthnContextClassRef
+ *                       configuration directive.
+ *  void *struct_ptr     Pointer to the current directory configuration.
+ *                       NULL if we are not in a directory configuration.
+ *  const char *arg      An URI for an SAMLv2 AuthnContextClassRef
+ *
+ * Returns:
+ *  This function will always return NULL.
+ */
+static const char *am_set_authn_context_class_ref(cmd_parms *cmd,
+                                                  void *struct_ptr,
+                                                  const char *arg)
+{
+    am_dir_cfg_rec *d = (am_dir_cfg_rec *)struct_ptr;
+    apr_pool_t *p= cmd->pool;
+
+    if(strlen(arg) == 0) {
+        return NULL;
+    }
+    APR_ARRAY_PUSH(d->authn_context_class_ref, char*) = apr_pstrdup(p, arg);
+    return NULL;
+}
+
 /* This array contains all the configuration directive which are handled
  * by auth_mellon.
  */
@@ -1066,6 +1092,14 @@ const command_rec auth_mellon_commands[] = {
     " \"http://<servername>/mellon/*\". The path you specify must"
     " be contained within the current Location directive."
     ),
+    AP_INIT_TAKE1(
+        "MellonAuthnContextClassRef",
+        am_set_authn_context_class_ref,
+        NULL,
+        OR_AUTHCFG,
+        "A list of AuthnContextClassRef to request in the AuthnRequest and "
+        "to validate upon reception of an Assertion"
+        ),
     {NULL}
 };
 
@@ -1148,6 +1182,7 @@ void *auth_mellon_dir_config(apr_pool_t *p, char *d)
     apr_thread_mutex_create(&dir->server_mutex, APR_THREAD_MUTEX_DEFAULT, p);
     dir->inherit_server_from = dir;
     dir->server = NULL;
+    dir->authn_context_class_ref = apr_array_make(p, 0, sizeof(char *));;
 
     return dir;
 }
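Review bot: am_set_authn_context_class_ref silently ignores an empty argument (`if(strlen(arg) == 0) { return NULL; }`), so a typo or an empty variable expansion in the configuration leaves the location with no AuthnContextClassRef requirement and nothing in the error log; for a directive whose purpose is to enforce an authentication level, rejecting the value is safer, e.g. `if (*arg == '\0') { return "MellonAuthnContextClassRef requires a non-empty URI"; }`, with the `Returns:` paragraph of the header comment updated to say an error string is returned for an empty value. The header comment also states that struct_ptr may be NULL outside a directory configuration, yet `d->authn_context_class_ref` is dereferenced unconditionally; either the comment or the code is wrong and the two should agree. Note that the diffstat lists only README, auth_mellon.h and auth_mellon_config.c, so nothing in this change appears to put the stored values into the AuthnRequest or check them against the Assertion as the README text promises; if enforcement lands in a separate commit, the README should say so until it does.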
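Review bot: The help string registered with AP_INIT_TAKE1 describes `A list of AuthnContextClassRef`, but TAKE1 accepts exactly one argument per occurrence, so a list can only be built by repeating the directive; either register it with `AP_INIT_ITERATE` so `MellonAuthnContextClassRef uri1 uri2` works with the same handler, or reword the help text to `An AuthnContextClassRef URI to request in the AuthnRequest and to validate upon reception of an Assertion (may be repeated)`. The auth_mellon_commands array starts above the hunk.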
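Review bot: The new initialisation line ends with a doubled semicolon, `dir->authn_context_class_ref = apr_array_make(p, 0, sizeof(char *));;` — harmless to the compiler but it reads as a typo; drop the extra one. The element size matches the `char*` that the directive handler pushes with APR_ARRAY_PUSH, which is what keeps the array consistent. auth_mellon_dir_config's body starts above the hunk.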
@@ -1347,8 +1382,14 @@ void *auth_mellon_dir_merge(apr_pool_t *p, void *base, void *add) APR_THREAD_MUTEX_DEFAULT, p); new_cfg->inherit_server_from = new_cfg; } + new_cfg->server = NULL; + new_cfg->authn_context_class_ref = (add_cfg->idp_metadata->nelts ? + add_cfg->authn_context_class_ref : + base_cfg->authn_context_class_ref); + + return new_cfg; } |
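Review bot: The inheritance of authn_context_class_ref is keyed on `add_cfg->idp_metadata->nelts` rather than on the list being merged, so a child <Location> that sets MellonAuthnContextClassRef without its own MellonIdPMetadataFile silently loses its requirement and falls back to the parent's (possibly empty) list, while a child that only sets IdP metadata drops the parent's requirement; in both cases the authentication-level check disappears without any error. Unless tying the list to the IdP is intentional (class-ref values are IdP-specific), the condition should test the new list itself: `new_cfg->authn_context_class_ref = (add_cfg->authn_context_class_ref->nelts ? add_cfg->authn_context_class_ref : base_cfg->authn_context_class_ref);`. If the coupling is intended, a comment saying so would stop the next reader from "fixing" it. auth_mellon_dir_merge starts above the hunk.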