MellonSubjectConfirmationDataAddressCheck allows blocking the client address
checking as given in the IdP assertion in the SubjectConfirmationData node;
it can be necessary when the client and IdP or SP are in a NAT-ed network or
when the SP is behind a reverse proxy.
git-svn-id: https://modmellon.googlecode.com/svn/trunk@152 a716ebb1-153a-0410-b759-cfb97c6a1b53
This patch extends mod_mellon with support for sending authentication
requests with the HTTP-POST binding.
git-svn-id: https://modmellon.googlecode.com/svn/trunk@151 a716ebb1-153a-0410-b759-cfb97c6a1b53
We cannot display any pages from the am_start_auth()-function since
it runs from the access checker. We therefore need to redirect to the
login handler, which can then display web pages.
git-svn-id: https://modmellon.googlecode.com/svn/trunk@150 a716ebb1-153a-0410-b759-cfb97c6a1b53
The code in am_auth_new_ticket() was shared between the "auth"
endpoint and the code to start authentication from other requests. This
results in the possibility of unpredictable interactions between those
functions.
For example, it was possible to select the IdP from a random page by
adding the "IdP" parameter. The "ReturnTo" parameter could also affect
where the user was sent after authentication.
The result of this change is two new functions, one for starting
authentication from other requests, and one for handling the "auth"
endpoint. The "auth"-endpoint is no longer used by code, but may
be used elsewhere. It is therefore included for backwards
compatibility.
git-svn-id: https://modmellon.googlecode.com/svn/trunk@149 a716ebb1-153a-0410-b759-cfb97c6a1b53
In preparation for splitting am_auth_new_ticket() into two functions,
extract the code to redirect to the discovery service into its own
function.
git-svn-id: https://modmellon.googlecode.com/svn/trunk@148 a716ebb1-153a-0410-b759-cfb97c6a1b53
We now have a "login" endpoint that can be used for triggering
authentication. Make the discovery service send its response to that
page.
git-svn-id: https://modmellon.googlecode.com/svn/trunk@147 a716ebb1-153a-0410-b759-cfb97c6a1b53
We assumed that the SP entityID was always the endpoint path
followed by "metadata". This does not need to be the case. This patch
changes it to fetch the SP entityID from the SP metadata.
git-svn-id: https://modmellon.googlecode.com/svn/trunk@146 a716ebb1-153a-0410-b759-cfb97c6a1b53
We currently handle requests to many endpoints from the access control
hooks. This change bypasses access control in those cases, and handles
the requests from the "handler" hook instead.
This change is necessary to be able to do anything other than redirects
from the handlers. As a side effect, it also simplifies the code.
git-svn-id: https://modmellon.googlecode.com/svn/trunk@144 a716ebb1-153a-0410-b759-cfb97c6a1b53
Thanks to Benjamin Dauvergne for implementing this.
git-svn-id: https://modmellon.googlecode.com/svn/trunk@142 a716ebb1-153a-0410-b759-cfb97c6a1b53
- If the request is missing the needed elements AuthnStatement or AuthnContext,
HTTP status BadRequest is returned.
- If the request does not match one of the required AuthnContextClassRef,
HTTP status Forbidden is returned.
Thanks to Benjamin Dauvergne for implementing this.
git-svn-id: https://modmellon.googlecode.com/svn/trunk@141 a716ebb1-153a-0410-b759-cfb97c6a1b53
git-svn-id: https://modmellon.googlecode.com/svn/trunk@139 a716ebb1-153a-0410-b759-cfb97c6a1b53
We used GHashTableIter, which wasn't introduced before version 2.16 of
GLib. This patch changes the code to simply use g_hash_table_get_keys
instead.
(This means that we depend on GLib 2.14.)
git-svn-id: https://modmellon.googlecode.com/svn/trunk@137 a716ebb1-153a-0410-b759-cfb97c6a1b53
APR_ARRAY_IDX is a relatively new macro in the APR package, so we
should avoid using it.
git-svn-id: https://modmellon.googlecode.com/svn/trunk@134 a716ebb1-153a-0410-b759-cfb97c6a1b53
Change configuration to inherit the lasso_server objects when nothing
affecting the lasso_server object changes from the parent configuration
object.
This should speed up processing of requests where you have
request-specific configuration changes, such as access control rules.
git-svn-id: https://modmellon.googlecode.com/svn/trunk@130 a716ebb1-153a-0410-b759-cfb97c6a1b53
Patch originally created by Emmanuel Dreyfus, some changes by me.
git-svn-id: https://modmellon.googlecode.com/svn/trunk@129 a716ebb1-153a-0410-b759-cfb97c6a1b53
LassoServer object.
git-svn-id: https://modmellon.googlecode.com/svn/trunk@127 a716ebb1-153a-0410-b759-cfb97c6a1b53
git-svn-id: https://modmellon.googlecode.com/svn/trunk@126 a716ebb1-153a-0410-b759-cfb97c6a1b53
git-svn-id: https://modmellon.googlecode.com/svn/trunk@125 a716ebb1-153a-0410-b759-cfb97c6a1b53
git-svn-id: https://modmellon.googlecode.com/svn/trunk@124 a716ebb1-153a-0410-b759-cfb97c6a1b53
git-svn-id: https://modmellon.googlecode.com/svn/trunk@123 a716ebb1-153a-0410-b759-cfb97c6a1b53
This is in preparation for using am_get_lasso_server from those functions.
git-svn-id: https://modmellon.googlecode.com/svn/trunk@122 a716ebb1-153a-0410-b759-cfb97c6a1b53
Lasso initializes the SessionIndex attribute of the LogoutRequest message
itself since release 2.3.4 and directly removes the related assertions
since 2.3.0, so the old way to initialize the SessionIndex cannot work
anymore. Between version 2.3.0 and 2.3.4 it just cannot work at all, but
it is better to send a broken logout request missing the SessionIndex
attribute than to raise a segmentation fault.
git-svn-id: https://modmellon.googlecode.com/svn/trunk@121 a716ebb1-153a-0410-b759-cfb97c6a1b53
discovery URL scheme. It is configured using the MellonProbeDiscoveryTimeout
and MellonProbeDiscoveryIdP directives.
git-svn-id: https://modmellon.googlecode.com/svn/trunk@113 a716ebb1-153a-0410-b759-cfb97c6a1b53
git-svn-id: https://modmellon.googlecode.com/svn/trunk@109 a716ebb1-153a-0410-b759-cfb97c6a1b53
git-svn-id: https://modmellon.googlecode.com/svn/trunk@108 a716ebb1-153a-0410-b759-cfb97c6a1b53
git-svn-id: https://modmellon.googlecode.com/svn/trunk@107 a716ebb1-153a-0410-b759-cfb97c6a1b53
- NameIdManagement endpoint is incorrectly listed (and useless if only
transient federations are expected).
- an HTTP-Artifact endpoint for the AssertionConsumerService was added,
leaving HTTP-Post as the default binding.
git-svn-id: https://modmellon.googlecode.com/svn/trunk@105 a716ebb1-153a-0410-b759-cfb97c6a1b53
git-svn-id: https://modmellon.googlecode.com/svn/trunk@102 a716ebb1-153a-0410-b759-cfb97c6a1b53
git-svn-id: https://modmellon.googlecode.com/svn/trunk@101 a716ebb1-153a-0410-b759-cfb97c6a1b53
git-svn-id: https://modmellon.googlecode.com/svn/trunk@100 a716ebb1-153a-0410-b759-cfb97c6a1b53
git-svn-id: https://modmellon.googlecode.com/svn/trunk@99 a716ebb1-153a-0410-b759-cfb97c6a1b53
git-svn-id: https://modmellon.googlecode.com/svn/trunk@98 a716ebb1-153a-0410-b759-cfb97c6a1b53
git-svn-id: https://modmellon.googlecode.com/svn/trunk@94 a716ebb1-153a-0410-b759-cfb97c6a1b53
git-svn-id: https://modmellon.googlecode.com/svn/trunk@93 a716ebb1-153a-0410-b759-cfb97c6a1b53
git-svn-id: https://modmellon.googlecode.com/svn/trunk@90 a716ebb1-153a-0410-b759-cfb97c6a1b53
git-svn-id: https://modmellon.googlecode.com/svn/trunk@89 a716ebb1-153a-0410-b759-cfb97c6a1b53
git-svn-id: https://modmellon.googlecode.com/svn/trunk@88 a716ebb1-153a-0410-b759-cfb97c6a1b53
git-svn-id: https://modmellon.googlecode.com/svn/trunk@87 a716ebb1-153a-0410-b759-cfb97c6a1b53
storage for attributes, as OID-named attributes sent by the Shibboleth
IdP consume quite some space.
There is also a required Destination attribute in AuthnRequest elements.
It is done by trunk version of lasso, but not by any currently released
version, hence we do if it is not done.
git-svn-id: https://modmellon.googlecode.com/svn/trunk@85 a716ebb1-153a-0410-b759-cfb97c6a1b53
git-svn-id: https://modmellon.googlecode.com/svn/trunk@84 a716ebb1-153a-0410-b759-cfb97c6a1b53
git-svn-id: https://modmellon.googlecode.com/svn/trunk@77 a716ebb1-153a-0410-b759-cfb97c6a1b53
This bug could lead to XSS or remote DOS, depending on the compiler.
Thanks to Benjamin Dauvergne for reporting this bug.
git-svn-id: https://modmellon.googlecode.com/svn/trunk@75 a716ebb1-153a-0410-b759-cfb97c6a1b53
git-svn-id: https://modmellon.googlecode.com/svn/trunk@72 a716ebb1-153a-0410-b759-cfb97c6a1b53
git-svn-id: https://modmellon.googlecode.com/svn/trunk@69 a716ebb1-153a-0410-b759-cfb97c6a1b53
git-svn-id: https://modmellon.googlecode.com/svn/trunk@68 a716ebb1-153a-0410-b759-cfb97c6a1b53
git-svn-id: https://modmellon.googlecode.com/svn/trunk@67 a716ebb1-153a-0410-b759-cfb97c6a1b53
Mark the local session as logged out as soon as logout starts, in case
the IdP doesn't respond for some reason.
git-svn-id: https://modmellon.googlecode.com/svn/trunk@64 a716ebb1-153a-0410-b759-cfb97c6a1b53
git-svn-id: https://modmellon.googlecode.com/svn/trunk@61 a716ebb1-153a-0410-b759-cfb97c6a1b53
<Organization> element of autogenerated metadata
git-svn-id: https://modmellon.googlecode.com/svn/trunk@57 a716ebb1-153a-0410-b759-cfb97c6a1b53
non graphic character (space, CR) from the certificate presented in
autogenerated metadata.
git-svn-id: https://modmellon.googlecode.com/svn/trunk@55 a716ebb1-153a-0410-b759-cfb97c6a1b53