path: root/auth_mellon_handler.c
Commit log (commit message, author, date, files changed, lines removed/added):

* Add directive MellonSubjectConfirmationDataAddressCheck (benjamin.dauvergne, 2012-02-17, 1 file, -1/+2)
  MellonSubjectConfirmationDataAddressCheck allows blocking the client address check against the address given in the IdP assertion's SubjectConfirmationData node. It can be necessary when the client and the IdP or SP are in a NAT-ed network, or when the SP is behind a reverse proxy.
  git-svn-id: https://modmellon.googlecode.com/svn/trunk@152 a716ebb1-153a-0410-b759-cfb97c6a1b53

* Support for HTTP-POST SingleSignOnService endpoint. (olavmrk, 2012-01-12, 1 file, -31/+146)
  This patch extends mod_mellon with support for sending authentication requests with the HTTP-POST binding.
  git-svn-id: https://modmellon.googlecode.com/svn/trunk@151 a716ebb1-153a-0410-b759-cfb97c6a1b53

* Always redirect to the login URL when starting authentication. (olavmrk, 2012-01-12, 1 file, -1/+13)
  We cannot display any pages from the am_start_auth() function since it runs from the access checker. We therefore need to redirect to the login handler, which can then display web pages.
  git-svn-id: https://modmellon.googlecode.com/svn/trunk@150 a716ebb1-153a-0410-b759-cfb97c6a1b53

* Split am_auth_new_ticket() into am_handle_auth() and am_start_auth(). (olavmrk, 2012-01-12, 1 file, -9/+42)
  The code in am_auth_new_ticket() was shared between the "auth" endpoint and the code to start authentication from other requests. This results in the possibility of unpredictable interactions between those functions. For example, it was possible to select the IdP from a random page by adding the "IdP" parameter. The "ReturnTo" parameter could also affect where the user was sent after authentication. The result of this change is two new functions, one for starting authentication from other requests, and one for handling the "auth" endpoint. The "auth" endpoint is no longer used by the code, but may be used elsewhere. It is therefore included for backwards compatibility.
  git-svn-id: https://modmellon.googlecode.com/svn/trunk@149 a716ebb1-153a-0410-b759-cfb97c6a1b53

* Extract am_start_disco() from am_auth_new_ticket(). (olavmrk, 2012-01-12, 1 file, -32/+49)
  In preparation for splitting am_auth_new_ticket() into two functions, extract the code to redirect to the discovery service into its own function.
  git-svn-id: https://modmellon.googlecode.com/svn/trunk@148 a716ebb1-153a-0410-b759-cfb97c6a1b53

* Move discovery response endpoint to "login" instead of "auth". (olavmrk, 2012-01-12, 1 file, -1/+1)
  We now have a "login" endpoint that can be used for triggering authentication. Make the discovery service send its response to that page.
  git-svn-id: https://modmellon.googlecode.com/svn/trunk@147 a716ebb1-153a-0410-b759-cfb97c6a1b53

* Fix entityID sent to discovery service. (olavmrk, 2012-01-12, 1 file, -2/+11)
  We assumed that the SP entityID was always the endpoint path followed by "metadata". This does not need to be the case. This patch changes it to fetch the SP entityID from the SP metadata.
  git-svn-id: https://modmellon.googlecode.com/svn/trunk@146 a716ebb1-153a-0410-b759-cfb97c6a1b53

* Merge am_endpoint_handler() and am_handler(). (olavmrk, 2012-01-12, 1 file, -68/+33)
  We currently handle requests to many endpoints from the access control hooks. This change bypasses access control in those cases, and handles the requests from the "handler" hook instead. This change is necessary to be able to do anything other than redirects from the handlers. As a side effect, it also simplifies the code.
  git-svn-id: https://modmellon.googlecode.com/svn/trunk@144 a716ebb1-153a-0410-b759-cfb97c6a1b53

* Initialize AuthnRequest with asked AuthnContextClassRef if needed (olavmrk, 2011-12-07, 1 file, -0/+24)
  Thanks to Benjamin Dauvergne for implementing this.
  git-svn-id: https://modmellon.googlecode.com/svn/trunk@142 a716ebb1-153a-0410-b759-cfb97c6a1b53

* Add checking for AuthContextClassRef (olavmrk, 2011-12-07, 1 file, -0/+60)
  - If the request is missing the needed elements AuthnStatement or AuthnContext, HTTP status BadRequest is returned.
  - If the request does not match one of the required AuthnContextClassRef values, HTTP status Forbidden is returned.
  Thanks to Benjamin Dauvergne for implementing this.
  git-svn-id: https://modmellon.googlecode.com/svn/trunk@141 a716ebb1-153a-0410-b759-cfb97c6a1b53

* Honour MellonProbeDiscoveryIdP order when sending probes (manu@netbsd.org, 2011-12-05, 1 file, -51/+75)
  git-svn-id: https://modmellon.googlecode.com/svn/trunk@139 a716ebb1-153a-0410-b759-cfb97c6a1b53

* Avoid dependency on GLib 2.16. (olavmrk, 2011-09-23, 1 file, -7/+14)
  We used GHashTableIter, which wasn't introduced before version 2.16 of GLib. This patch changes the code to simply use g_hash_table_get_keys instead. (This means that we depend on GLib 2.14.)
  git-svn-id: https://modmellon.googlecode.com/svn/trunk@137 a716ebb1-153a-0410-b759-cfb97c6a1b53

* Avoid using APR_ARRAY_IDX. (olavmrk, 2011-05-18, 1 file, -1/+1)
  APR_ARRAY_IDX is a relatively new macro in the APR package, so we should avoid using it.
  git-svn-id: https://modmellon.googlecode.com/svn/trunk@134 a716ebb1-153a-0410-b759-cfb97c6a1b53

* Add support for inheriting lasso_server objects. (olavmrk, 2011-05-18, 1 file, -3/+7)
  Change configuration to inherit the lasso_server objects when nothing affecting the lasso_server object changes from the parent configuration object. This should speed up processing of requests where you have request-specific configuration changes, such as access control rules.
  git-svn-id: https://modmellon.googlecode.com/svn/trunk@130 a716ebb1-153a-0410-b759-cfb97c6a1b53

* Add support for loading federation metadata files. (olavmrk, 2011-05-18, 1 file, -14/+44)
  Patch originally created by Emmanuel Dreyfus, some changes by me.
  git-svn-id: https://modmellon.googlecode.com/svn/trunk@129 a716ebb1-153a-0410-b759-cfb97c6a1b53

* Change am_server_add_providers to return number of providers from LassoServer object. (olavmrk, 2011-05-18, 1 file, -5/+2)
  git-svn-id: https://modmellon.googlecode.com/svn/trunk@127 a716ebb1-153a-0410-b759-cfb97c6a1b53

* Change cfg->idp_metadata_files to an array instead of a hash. (olavmrk, 2011-05-18, 1 file, -13/+7)
  git-svn-id: https://modmellon.googlecode.com/svn/trunk@126 a716ebb1-153a-0410-b759-cfb97c6a1b53

* Change am_handle_probe_discovery() to use providers from LassoServer. (olavmrk, 2011-05-18, 1 file, -8/+10)
  git-svn-id: https://modmellon.googlecode.com/svn/trunk@125 a716ebb1-153a-0410-b759-cfb97c6a1b53

* Change am_get_idp() to use providers from LassoServer. (olavmrk, 2011-05-18, 1 file, -8/+7)
  git-svn-id: https://modmellon.googlecode.com/svn/trunk@124 a716ebb1-153a-0410-b759-cfb97c6a1b53

* Change am_first_idp() to retrieve the entityID from the LassoServer object. (olavmrk, 2011-05-18, 1 file, -10/+10)
  git-svn-id: https://modmellon.googlecode.com/svn/trunk@123 a716ebb1-153a-0410-b759-cfb97c6a1b53

* Move am_get_idp() and am_first_idp() to after am_get_lasso_server(). (olavmrk, 2011-05-18, 1 file, -84/+86)
  This is in preparation for using am_get_lasso_server from those functions.
  git-svn-id: https://modmellon.googlecode.com/svn/trunk@122 a716ebb1-153a-0410-b759-cfb97c6a1b53

* Unbreak logout for lasso version >= 2.3.0 (benjamin.dauvergne, 2011-05-04, 1 file, -28/+31)
  Lasso initializes the SessionIndex attribute of the LogoutRequest message itself since release 2.3.4, and directly removes the related assertions since 2.3.0, so the old way to initialize the SessionIndex cannot work anymore. Between versions 2.3.0 and 2.3.4 it just cannot work at all, but it is better to send a broken logout request missing the SessionIndex attribute than to raise a segmentation fault.
  git-svn-id: https://modmellon.googlecode.com/svn/trunk@121 a716ebb1-153a-0410-b759-cfb97c6a1b53

* A /mellon/probeDisco endpoint replaces the builtin:get-metadata IdP discovery URL scheme. (manu@netbsd.org, 2011-03-09, 1 file, -73/+147)
  It is configured using the MellonProbeDiscoveryTimeout and MellonProbeDiscoveryIdP directives.
  git-svn-id: https://modmellon.googlecode.com/svn/trunk@113 a716ebb1-153a-0410-b759-cfb97c6a1b53

* Report the received Recipient for error on SubjectConfirmationData (benjamin.dauvergne, 2010-09-28, 1 file, -2/+2)
  git-svn-id: https://modmellon.googlecode.com/svn/trunk@109 a716ebb1-153a-0410-b759-cfb97c6a1b53

* Fix error for query string starting character (benjamin.dauvergne, 2010-09-28, 1 file, -1/+5)
  git-svn-id: https://modmellon.googlecode.com/svn/trunk@108 a716ebb1-153a-0410-b759-cfb97c6a1b53

* Fix segfault when no assertion is found (benjamin.dauvergne, 2010-09-28, 1 file, -3/+5)
  git-svn-id: https://modmellon.googlecode.com/svn/trunk@107 a716ebb1-153a-0410-b759-cfb97c6a1b53

* Improve formatting of metadata, fix endpoints (benjamin.dauvergne, 2010-09-28, 1 file, -29/+28)
  - The NameIdManagement endpoint is incorrectly listed (and useless if only transient federations are expected).
  - An HTTP-Artifact endpoint for the AssertionConsumerService was added, leaving HTTP-POST as the default binding.
  git-svn-id: https://modmellon.googlecode.com/svn/trunk@105 a716ebb1-153a-0410-b759-cfb97c6a1b53

* Verify Address in SubjectConfirmationData. (olavmrk, 2010-07-02, 1 file, -0/+10)
  git-svn-id: https://modmellon.googlecode.com/svn/trunk@102 a716ebb1-153a-0410-b759-cfb97c6a1b53

* Type checking of all referenced XML elements. (olavmrk, 2010-07-02, 1 file, -12/+57)
  git-svn-id: https://modmellon.googlecode.com/svn/trunk@101 a716ebb1-153a-0410-b759-cfb97c6a1b53

* Support subsecond precision timestamps. (olavmrk, 2010-07-01, 1 file, -6/+35)
  git-svn-id: https://modmellon.googlecode.com/svn/trunk@100 a716ebb1-153a-0410-b759-cfb97c6a1b53

* Validate received response. (olavmrk, 2010-06-30, 1 file, -0/+196)
  git-svn-id: https://modmellon.googlecode.com/svn/trunk@99 a716ebb1-153a-0410-b759-cfb97c6a1b53

* Reject messages with more than one assertion. (olavmrk, 2010-06-30, 1 file, -79/+77)
  git-svn-id: https://modmellon.googlecode.com/svn/trunk@98 a716ebb1-153a-0410-b759-cfb97c6a1b53

* login endpoint (olavmrk, 2010-06-18, 1 file, -0/+70)
  git-svn-id: https://modmellon.googlecode.com/svn/trunk@94 a716ebb1-153a-0410-b759-cfb97c6a1b53

* Refactor out am_send_authn_request from am_auth_new_ticket. (olavmrk, 2010-06-18, 1 file, -62/+80)
  git-svn-id: https://modmellon.googlecode.com/svn/trunk@93 a716ebb1-153a-0410-b759-cfb97c6a1b53

* Fix memory leak on no-cookie error during response processing. (olavmrk, 2010-06-17, 1 file, -0/+2)
  git-svn-id: https://modmellon.googlecode.com/svn/trunk@90 a716ebb1-153a-0410-b759-cfb97c6a1b53

* Set the MellonIDP variable to the IdP that we got a response from. (olavmrk, 2010-06-17, 1 file, -11/+16)
  git-svn-id: https://modmellon.googlecode.com/svn/trunk@89 a716ebb1-153a-0410-b759-cfb97c6a1b53

* Add missing session unlock in am_check_uid. (olavmrk, 2010-06-17, 1 file, -0/+1)
  git-svn-id: https://modmellon.googlecode.com/svn/trunk@88 a716ebb1-153a-0410-b759-cfb97c6a1b53

* Display proper error when missing MellonSPMetadataFile. (olavmrk, 2010-06-17, 1 file, -6/+11)
  git-svn-id: https://modmellon.googlecode.com/svn/trunk@87 a716ebb1-153a-0410-b759-cfb97c6a1b53

* Shibboleth 2 interoperability. (manu@netbsd.org, 2010-05-31, 1 file, -0/+13)
  This is achieved by increasing the storage for attributes, as OID-named attributes sent by the Shibboleth IdP consume quite some space. There is also a required Destination attribute in AuthnRequest elements. It is done by the trunk version of lasso, but not by any currently released version, hence we do it if it is not done.
  git-svn-id: https://modmellon.googlecode.com/svn/trunk@85 a716ebb1-153a-0410-b759-cfb97c6a1b53

* Optionally save the remote IdP entityId in the environment (manu@netbsd.org, 2010-05-31, 1 file, -0/+10)
  git-svn-id: https://modmellon.googlecode.com/svn/trunk@84 a716ebb1-153a-0410-b759-cfb97c6a1b53

* Fix warning about unused variable in am_handle_metadata. (olavmrk, 2009-12-21, 1 file, -1/+1)
  git-svn-id: https://modmellon.googlecode.com/svn/trunk@77 a716ebb1-153a-0410-b759-cfb97c6a1b53

* Fix uninitialized variable in repost handler. (olavmrk, 2009-12-21, 1 file, -1/+1)
  This bug could lead to XSS or remote DoS, depending on the compiler. Thanks to Benjamin Dauvergne for reporting this bug.
  git-svn-id: https://modmellon.googlecode.com/svn/trunk@75 a716ebb1-153a-0410-b759-cfb97c6a1b53

* Require a session for accessing the repost endpoint (manu@netbsd.org, 2009-11-13, 1 file, -0/+6)
  git-svn-id: https://modmellon.googlecode.com/svn/trunk@72 a716ebb1-153a-0410-b759-cfb97c6a1b53

* Make sure that redirect URLs don't contain control characters. (olavmrk, 2009-11-11, 1 file, -0/+18)
  git-svn-id: https://modmellon.googlecode.com/svn/trunk@69 a716ebb1-153a-0410-b759-cfb97c6a1b53

* Support replay of multipart/form-data POST requests (manu@netbsd.org, 2009-11-11, 1 file, -41/+185)
  git-svn-id: https://modmellon.googlecode.com/svn/trunk@68 a716ebb1-153a-0410-b759-cfb97c6a1b53

* Replay POST requests after being sent to the IdP (manu@netbsd.org, 2009-11-09, 1 file, -62/+173)
  git-svn-id: https://modmellon.googlecode.com/svn/trunk@67 a716ebb1-153a-0410-b759-cfb97c6a1b53

* Disable local session when logout starts. (olavmrk, 2009-08-10, 1 file, -0/+8)
  Mark the local session as logged out as soon as logout starts, in case the IdP doesn't respond for some reason.
  git-svn-id: https://modmellon.googlecode.com/svn/trunk@64 a716ebb1-153a-0410-b759-cfb97c6a1b53

* Properly calculate session expiration. (olavmrk, 2009-08-07, 1 file, -23/+22)
  git-svn-id: https://modmellon.googlecode.com/svn/trunk@61 a716ebb1-153a-0410-b759-cfb97c6a1b53

* Add MellonOrganization(Name|DisplayName|URL) for filling the <Organization> element of autogenerated metadata (manu@netbsd.org, 2009-06-15, 1 file, -1/+74)
  git-svn-id: https://modmellon.googlecode.com/svn/trunk@57 a716ebb1-153a-0410-b759-cfb97c6a1b53

* Strip "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----", and any non-graphic character (space, CR) from the certificate presented in autogenerated metadata. (manu@netbsd.org, 2009-06-14, 1 file, -2/+12)
  git-svn-id: https://modmellon.googlecode.com/svn/trunk@55 a716ebb1-153a-0410-b759-cfb97c6a1b53