[shibboleth-sp2] 79/119: Reduce catch all handlers, and make them optional.
Ferenc Wágner
wferi-guest at moszumanska.debian.org
Tue Jan 26 21:29:52 UTC 2016
This is an automated email from the git hooks/post-receive script.
wferi-guest pushed a commit to annotated tag 1.3.1
in repository shibboleth-sp2.
commit 8dc391f3f8045c47841f5a1deb8a1c67591105f2
Author: Scott Cantor <cantor.2 at osu.edu>
Date: Fri Sep 21 01:54:19 2007 +0000
Reduce catch all handlers, and make them optional.
---
apache/mod_apache.cpp | 228 ++++++++++++++++----------------
fastcgi/shibauthorizer.cpp | 13 +-
fastcgi/shibresponder.cpp | 21 ++-
isapi_shib/isapi_shib.cpp | 47 +++----
nsapi_shib/nsapi_shib.cpp | 126 +++++++++---------
schemas/shibboleth-targetconfig-1.0.xsd | 1 +
shib-target/shib-target.cpp | 32 ++---
7 files changed, 230 insertions(+), 238 deletions(-)
diff --git a/apache/mod_apache.cpp b/apache/mod_apache.cpp
index 213bf43..72546ff 100644
--- a/apache/mod_apache.cpp
+++ b/apache/mod_apache.cpp
@@ -57,10 +57,10 @@
#include <unistd.h> // for getpid()
#endif
-using namespace std;
-using namespace saml;
-using namespace shibboleth;
using namespace shibtarget;
+using namespace shibboleth;
+using namespace saml;
+using namespace std;
extern "C" module MODULE_VAR_EXPORT mod_shib;
@@ -70,6 +70,7 @@ namespace {
ShibTargetConfig* g_Config = NULL;
string g_unsetHeaderValue;
bool g_checkSpoofing = true;
+ bool g_catchAll = true;
static const char* g_UserDataKey = "_shib_check_user_";
}
@@ -470,86 +471,88 @@ public:
extern "C" int shib_check_user(request_rec* r)
{
- // Short-circuit entirely?
- if (((shib_dir_config*)ap_get_module_config(r->per_dir_config, &mod_shib))->bOff==1)
- return DECLINED;
+ // Short-circuit entirely?
+ if (((shib_dir_config*)ap_get_module_config(r->per_dir_config, &mod_shib))->bOff==1)
+ return DECLINED;
+
+ ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,SH_AP_R(r), "shib_check_user(%d): ENTER", (int)getpid());
- ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,SH_AP_R(r), "shib_check_user(%d): ENTER", (int)getpid());
-
- ostringstream threadid;
- threadid << "[" << getpid() << "] shib_check_user" << '\0';
- saml::NDC ndc(threadid.str().c_str());
-
- try {
- ShibTargetApache sta(r, false);
-
- // Check user authentication and export information, then set the handler bypass
- pair<bool,void*> res = sta.doCheckAuthN(true);
- apr_pool_userdata_setn((const void*)42,g_UserDataKey,NULL,r->pool);
- if (res.first) return (int)(long)res.second;
-
- // user auth was okay -- export the assertions now
- res = sta.doExportAssertions();
- if (res.first) return (int)(long)res.second;
-
- // export happened successfully.. this user is ok.
- return OK;
- }
- catch (SAMLException& e) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, SH_AP_R(r), "shib_check_user threw an exception: %s", e.what());
- return SERVER_ERROR;
- }
-#ifndef _DEBUG
- catch (...) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, SH_AP_R(r), "shib_check_user threw an uncaught exception!");
- return SERVER_ERROR;
- }
-#endif
+ ostringstream threadid;
+ threadid << "[" << getpid() << "] shib_check_user" << '\0';
+ saml::NDC ndc(threadid.str().c_str());
+
+ try {
+ ShibTargetApache sta(r, false);
+
+ // Check user authentication and export information, then set the handler bypass
+ pair<bool,void*> res = sta.doCheckAuthN(true);
+ apr_pool_userdata_setn((const void*)42,g_UserDataKey,NULL,r->pool);
+ if (res.first) return (int)(long)res.second;
+
+ // user auth was okay -- export the assertions now
+ res = sta.doExportAssertions();
+ if (res.first) return (int)(long)res.second;
+
+ // export happened successfully.. this user is ok.
+ return OK;
+ }
+ catch (exception& e) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, SH_AP_R(r), "shib_check_user threw an exception: %s", e.what());
+ return SERVER_ERROR;
+ }
+ catch (...) {
+ if (g_catchAll) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, SH_AP_R(r), "shib_check_user threw an uncaught exception!");
+ return SERVER_ERROR;
+ }
+ throw;
+ }
}
extern "C" int shib_handler(request_rec* r)
{
- // Short-circuit entirely?
- if (((shib_dir_config*)ap_get_module_config(r->per_dir_config, &mod_shib))->bOff==1)
- return DECLINED;
-
- ostringstream threadid;
- threadid << "[" << getpid() << "] shib_handler" << '\0';
- saml::NDC ndc(threadid.str().c_str());
+ // Short-circuit entirely?
+ if (((shib_dir_config*)ap_get_module_config(r->per_dir_config, &mod_shib))->bOff==1)
+ return DECLINED;
+
+ ostringstream threadid;
+ threadid << "[" << getpid() << "] shib_handler" << '\0';
+ saml::NDC ndc(threadid.str().c_str());
#ifndef SHIB_APACHE_13
- // With 2.x, this handler always runs, though last.
- // We check if shib_check_user ran, because it will detect a handler request
- // and dispatch it directly.
- void* data;
- apr_pool_userdata_get(&data,g_UserDataKey,r->pool);
- if (data==(const void*)42) {
- ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,SH_AP_R(r),"shib_handler skipped since check_user ran");
- return DECLINED;
- }
+ // With 2.x, this handler always runs, though last.
+ // We check if shib_check_user ran, because it will detect a handler request
+ // and dispatch it directly.
+ void* data;
+ apr_pool_userdata_get(&data,g_UserDataKey,r->pool);
+ if (data==(const void*)42) {
+ ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,SH_AP_R(r),"shib_handler skipped since check_user ran");
+ return DECLINED;
+ }
#endif
- ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,SH_AP_R(r),"shib_handler(%d): ENTER: %s", (int)getpid(), r->handler);
-
- try {
- ShibTargetApache sta(r, true);
+ ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,SH_AP_R(r),"shib_handler(%d): ENTER: %s", (int)getpid(), r->handler);
- pair<bool,void*> res = sta.doHandler();
- if (res.first) return (int)(long)res.second;
-
- ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, SH_AP_R(r), "doHandler() did not do anything.");
- return SERVER_ERROR;
- }
- catch (SAMLException& e) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, SH_AP_R(r), "shib_handler threw an exception: %s", e.what());
- return SERVER_ERROR;
- }
-#ifndef _DEBUG
- catch (...) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, SH_AP_R(r), "shib_handler threw an uncaught exception!");
- return SERVER_ERROR;
- }
-#endif
+ try {
+ ShibTargetApache sta(r, true);
+
+ pair<bool,void*> res = sta.doHandler();
+ if (res.first) return (int)(long)res.second;
+
+ ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, SH_AP_R(r), "doHandler() did not do anything.");
+ return SERVER_ERROR;
+ }
+ catch (exception& e) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, SH_AP_R(r), "shib_handler threw an exception: %s", e.what());
+ return SERVER_ERROR;
+ }
+ catch (...) {
+ if (g_catchAll) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, SH_AP_R(r), "shib_handler threw an uncaught exception!");
+ return SERVER_ERROR;
+ }
+ throw;
+ }
}
/*
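Review bot: In the `catch (...)` blocks of shib_check_user and shib_handler, the `throw;` path taken when g_catchAll is false writes nothing to the log and re-raises out of an `extern "C"` hook, so the exception unwinds into the server's own frames and most likely ends the worker with no trace in the error log. Logging before the branch keeps a record either way: `ap_log_rerror(...); if (g_catchAll) return SERVER_ERROR; throw;`. The same shape repeats in shib_auth_checker in the next hunk and in the ISAPI and NSAPI entry points, where the catch-all path logs nothing even when it does return an error page. Because turning the option off trades an error response for a process-level failure, a comment at the g_catchAll declaration saying it is meant for debugging would help. `catch (exception& e)` could also take the exception by const reference.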
@@ -558,35 +561,36 @@ extern "C" int shib_handler(request_rec* r)
*/
extern "C" int shib_auth_checker(request_rec* r)
{
- // Short-circuit entirely?
- if (((shib_dir_config*)ap_get_module_config(r->per_dir_config, &mod_shib))->bOff==1)
- return DECLINED;
-
- ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,SH_AP_R(r), "shib_auth_checker(%d): ENTER", (int)getpid());
-
- ostringstream threadid;
- threadid << "[" << getpid() << "] shib_auth_checker" << '\0';
- saml::NDC ndc(threadid.str().c_str());
-
- try {
- ShibTargetApache sta(r, false);
-
- pair<bool,void*> res = sta.doCheckAuthZ();
- if (res.first) return (int)(long)res.second;
-
- // We're all okay.
- return OK;
- }
- catch (SAMLException& e) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, SH_AP_R(r), "shib_auth_checker threw an exception: %s", e.what());
- return SERVER_ERROR;
- }
-#ifndef _DEBUG
- catch (...) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, SH_AP_R(r), "shib_auth_checker threw an uncaught exception!");
- return SERVER_ERROR;
- }
-#endif
+ // Short-circuit entirely?
+ if (((shib_dir_config*)ap_get_module_config(r->per_dir_config, &mod_shib))->bOff==1)
+ return DECLINED;
+
+ ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,SH_AP_R(r), "shib_auth_checker(%d): ENTER", (int)getpid());
+
+ ostringstream threadid;
+ threadid << "[" << getpid() << "] shib_auth_checker" << '\0';
+ saml::NDC ndc(threadid.str().c_str());
+
+ try {
+ ShibTargetApache sta(r, false);
+
+ pair<bool,void*> res = sta.doCheckAuthZ();
+ if (res.first) return (int)(long)res.second;
+
+ // We're all okay.
+ return OK;
+ }
+ catch (exception& e) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, SH_AP_R(r), "shib_auth_checker threw an exception: %s", e.what());
+ return SERVER_ERROR;
+ }
+ catch (...) {
+ if (g_catchAll) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, SH_AP_R(r), "shib_auth_checker threw an uncaught exception!");
+ return SERVER_ERROR;
+ }
+ throw;
+ }
}
// Access control plugin that enforces htaccess rules
@@ -639,7 +643,7 @@ IPlugIn* ApacheRequestMapFactory(const DOMElement* e)
ApacheRequestMapper::ApacheRequestMapper(const DOMElement* e) : m_mapper(NULL), m_staKey(NULL), m_propsKey(NULL), m_htaccess(NULL)
{
- IPlugIn* p=SAMLConfig::getConfig().getPlugMgr().newPlugin(shibtarget::XML::XMLRequestMapType,e);
+ IPlugIn* p=saml::SAMLConfig::getConfig().getPlugMgr().newPlugin(shibtarget::XML::XMLRequestMapType,e);
m_mapper=dynamic_cast<IRequestMapper*>(p);
if (!m_mapper) {
delete p;
@@ -1103,10 +1107,11 @@ extern "C" void shib_child_init(apr_pool_t* p, server_rec* s)
ap_log_error(APLOG_MARK,APLOG_CRIT|APLOG_NOERRNO,SH_AP_R(s),"shib_child_init() failed to initialize libraries");
exit(1);
}
- SAMLConfig::getConfig().getPlugMgr().regFactory(shibtarget::XML::htAccessControlType,&htAccessFactory);
- SAMLConfig::getConfig().getPlugMgr().regFactory(shibtarget::XML::NativeRequestMapType,&ApacheRequestMapFactory);
+ PlugManager& mgr = SAMLConfig::getConfig().getPlugMgr();
+ mgr.regFactory(shibtarget::XML::htAccessControlType,&htAccessFactory);
+ mgr.regFactory(shibtarget::XML::NativeRequestMapType,&ApacheRequestMapFactory);
// We hijack the legacy type so that 1.2 config files will load this plugin
- SAMLConfig::getConfig().getPlugMgr().regFactory(shibtarget::XML::LegacyRequestMapType,&ApacheRequestMapFactory);
+ mgr.regFactory(shibtarget::XML::LegacyRequestMapType,&ApacheRequestMapFactory);
if (!g_Config->load(g_szSHIBConfig)) {
ap_log_error(APLOG_MARK,APLOG_CRIT|APLOG_NOERRNO,SH_AP_R(s),"shib_child_init() failed to load configuration");
@@ -1114,18 +1119,19 @@ extern "C" void shib_child_init(apr_pool_t* p, server_rec* s)
}
IConfig* conf=g_Config->getINI();
- Locker locker(conf);
+ saml::Locker locker(conf);
const IPropertySet* props=conf->getPropertySet("Local");
if (props) {
pair<bool,const char*> unsetValue=props->getString("unsetHeaderValue");
if (unsetValue.first)
g_unsetHeaderValue = unsetValue.second;
- pair<bool,bool> checkSpoofing=props->getBool("checkSpoofing");
- if (checkSpoofing.first && !checkSpoofing.second)
- g_checkSpoofing = false;
+ pair<bool,bool> flag=props->getBool("checkSpoofing");
+ g_checkSpoofing = !flag.first || flag.second;
+ flag=props->getBool("catchAll");
+ g_catchAll = !flag.first || flag.second;
}
}
- catch (...) {
+ catch (exception&) {
ap_log_error(APLOG_MARK,APLOG_CRIT|APLOG_NOERRNO,SH_AP_R(s),"shib_child_init() failed to initialize system");
exit(1);
}
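Review bot: Narrowing the handler at the end of shib_child_init to `catch (exception&)` means anything not derived from std::exception now leaves this `extern "C"` hook uncaught, so the child would terminate without the APLOG_CRIT line. Xerces' XMLException, for one, does not derive from std::exception, though whether it can reach this point is not visible here. The typed handler also discards the exception text it now has access to. Keeping a final catch-all that logs and exits, and adding `e.what()` to the typed handler, preserves the old diagnostics; the startup handlers in GetFilterVersion (isapi_shib.cpp) and nsapi_shib_init have the same gap. The try block opens outside this hunk.

```cpp
// … unchanged: property loading inside the try block …
catch (exception& e) {
    ap_log_error(APLOG_MARK,APLOG_CRIT|APLOG_NOERRNO,SH_AP_R(s),"shib_child_init() failed to initialize system: %s",e.what());
    exit(1);
}
catch (...) {
    ap_log_error(APLOG_MARK,APLOG_CRIT|APLOG_NOERRNO,SH_AP_R(s),"shib_child_init() failed to initialize system");
    exit(1);
}
```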
diff --git a/fastcgi/shibauthorizer.cpp b/fastcgi/shibauthorizer.cpp
index c6a8cec..3d385c2 100644
--- a/fastcgi/shibauthorizer.cpp
+++ b/fastcgi/shibauthorizer.cpp
@@ -31,7 +31,6 @@
#include <fcgio.h>
using namespace shibtarget;
-using namespace saml;
using namespace std;
typedef enum {
@@ -58,7 +57,7 @@ public:
server_port = strtol(server_port_str, &server_port_str, 10);
if (*server_port_str) {
cerr << "can't parse SERVER_PORT (" << FCGX_GetParam("SERVER_PORT", req->envp) << ")" << endl;
- throw SAMLException("Unable to determine server port.");
+ throw exception("Unable to determine server port.");
}
}
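Review bot: `throw exception("Unable to determine server port.")` relies on a constructor that std::exception does not have in the standard; taking a `const char*` is a Microsoft extension, so this line will most likely not compile on the Unix toolchains a FastCGI program is normally built with. With `using namespace saml` removed and `using namespace std` kept, `exception` should resolve to std::exception, unless shibtarget declares its own type of that name, which is not visible here. `throw runtime_error("Unable to determine server port.");` with `#include <stdexcept>` carries the message portably and is still caught by the `catch (exception& e)` handlers. The same applies to the getPostData throw in the next hunk and to the six rewritten throws in shibresponder.cpp.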
@@ -104,7 +103,7 @@ public:
}
virtual string getPostData(void) {
- throw SAMLException("getPostData not implemented by FastCGI authorizer.");
+ throw exception("getPostData not implemented by FastCGI authorizer.");
}
virtual void clearHeader(const string& name) {
@@ -141,7 +140,7 @@ public:
const string& msg,
int code=200,
const string& content_type="text/html",
- const Iterator<header_t>& headers=EMPTY(header_t)) {
+ const saml::Iterator<header_t>& headers=EMPTY(header_t)) {
string hdr = m_cookie + "Connection: close\r\nContent-type: " + content_type + "\r\n";
while (headers.hasNext()) {
@@ -228,8 +227,8 @@ int main(void)
exit(1);
}
}
- catch (...) {
- cerr << "exception while initializing Shibboleth configuration" << endl;
+ catch (exception& e) {
+ cerr << "exception while initializing Shibboleth configuration: " << e.what() << endl;
exit(1);
}
@@ -343,7 +342,7 @@ int main(void)
print_ok(sta.m_headers);
}
- catch (SAMLException& e) {
+ catch (exception& e) {
cerr << "shib: FastCGI authorizer caught an exception: " << e.what() << endl;
print_error("<html><body>FastCGI Shibboleth authorizer caught an exception, check log for details.</body></html>");
}
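Review bot: This request-level handler has no `catch (...)` fallback, unlike the Apache, ISAPI and NSAPI modules, while the same commit removes the catch-all from the ShibTarget::do* methods in shib-target.cpp. An exception that is not a std::exception would therefore end the FastCGI process instead of producing the error response. If that is intended, a comment at the handler should say so; otherwise a `catch (...)` that writes a fixed line to cerr and calls print_error would keep the authorizer answering. shibresponder.cpp's request handler has the same shape, and the try block starts outside the hunk.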
diff --git a/fastcgi/shibresponder.cpp b/fastcgi/shibresponder.cpp
index f861807..f4d09b6 100644
--- a/fastcgi/shibresponder.cpp
+++ b/fastcgi/shibresponder.cpp
@@ -31,7 +31,6 @@
#include <fcgio.h>
using namespace shibtarget;
-using namespace saml;
using namespace std;
typedef enum {
@@ -61,7 +60,7 @@ public:
server_port = strtol(server_port_str, &server_port_str, 10);
if (*server_port_str) {
cerr << "can't parse SERVER_PORT (" << FCGX_GetParam("SERVER_PORT", req->envp) << ")" << endl;
- throw SAMLException("Unable to determine server port.");
+ throw exception("Unable to determine server port.");
}
}
@@ -121,30 +120,30 @@ public:
}
virtual void clearHeader(const string &name) {
- throw SAMLException("clearHeader not implemented by FastCGI responder.");
+ throw exception("clearHeader not implemented by FastCGI responder.");
}
virtual void setHeader(const string &name, const string &value) {
- throw SAMLException("setHeader not implemented by FastCGI responder.");
+ throw exception("setHeader not implemented by FastCGI responder.");
}
virtual string getHeader(const string &name) {
- throw SAMLException("getHeader not implemented by FastCGI responder.");
+ throw exception("getHeader not implemented by FastCGI responder.");
}
virtual void setRemoteUser(const string &user) {
- throw SAMLException("setRemoteUser not implemented by FastCGI responder.");
+ throw exception("setRemoteUser not implemented by FastCGI responder.");
}
virtual string getRemoteUser(void) {
- throw SAMLException("getRemoteUser not implemented by FastCGI responder.");
+ throw exception("getRemoteUser not implemented by FastCGI responder.");
}
virtual void* sendPage(
const string& msg,
int code=200,
const string& content_type="text/html",
- const Iterator<header_t>& headers=EMPTY(header_t)) {
+ const saml::Iterator<header_t>& headers=EMPTY(header_t)) {
string hdr = string ("Connection: close\r\nContent-type: ") + content_type + "\r\n" + m_cookie;
while (headers.hasNext()) {
@@ -261,8 +260,8 @@ int main(void)
exit(1);
}
}
- catch (...) {
- cerr << "exception while initializing Shibboleth configuration" << endl;
+ catch (exception& e) {
+ cerr << "exception while initializing Shibboleth configuration:" << e.what() << endl;
exit(1);
}
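Review bot: The message in this handler lacks the space after the colon, so the exception text runs straight into the prefix; shibauthorizer.cpp writes the same message with `": "`. Use `cerr << "exception while initializing Shibboleth configuration: " << e.what() << endl;` so both programs log in one format.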
@@ -340,7 +339,7 @@ int main(void)
}
}
- catch (SAMLException& e) {
+ catch (exception& e) {
cerr << "shib: FastCGI responder caught an exception: " << e.what() << endl;
print_error("<html><body>FastCGI Shibboleth responder caught an exception, check log for details.</body></html>");
}
diff --git a/isapi_shib/isapi_shib.cpp b/isapi_shib/isapi_shib.cpp
index f0968c5..7a63c70 100644
--- a/isapi_shib/isapi_shib.cpp
+++ b/isapi_shib/isapi_shib.cpp
@@ -44,6 +44,8 @@ using namespace shibtarget;
// globals
namespace {
+ static const XMLCh catchAll[] =
+ { chLatin_c, chLatin_a, chLatin_t, chLatin_c, chLatin_h, chLatin_A, chLatin_l, chLatin_l, chNull };
static const XMLCh name[] = { chLatin_n, chLatin_a, chLatin_m, chLatin_e, chNull };
static const XMLCh port[] = { chLatin_p, chLatin_o, chLatin_r, chLatin_t, chNull };
static const XMLCh sslport[] = { chLatin_s, chLatin_s, chLatin_l, chLatin_p, chLatin_o, chLatin_r, chLatin_t, chNull };
@@ -88,6 +90,7 @@ namespace {
bool g_bNormalizeRequest = true;
string g_unsetHeaderValue;
bool g_checkSpoofing = true;
+ bool g_catchAll = true;
}
BOOL LogEvent(
@@ -143,10 +146,7 @@ extern "C" BOOL WINAPI GetFilterVersion(PHTTP_FILTER_VERSION pVer)
return TRUE;
}
-#ifndef _DEBUG
- try
- {
-#endif
+ try {
LPCSTR schemadir=getenv("SHIBSCHEMAS");
if (!schemadir)
schemadir=SHIB_SCHEMAS;
@@ -183,15 +183,17 @@ extern "C" BOOL WINAPI GetFilterVersion(PHTTP_FILTER_VERSION pVer)
pair<bool,const char*> unsetValue=props->getString("unsetHeaderValue");
if (unsetValue.first)
g_unsetHeaderValue = unsetValue.second;
- pair<bool,bool> checkSpoofing=props->getBool("checkSpoofing");
- if (checkSpoofing.first && !checkSpoofing.second)
- g_checkSpoofing = false;
+ pair<bool,bool> flag=props->getBool("checkSpoofing");
+ g_checkSpoofing = !flag.first || flag.second;
+ flag=props->getBool("checkAll");
+ g_catchAll = !flag.first || flag.second;
+
const DOMElement* impl=saml::XML::getFirstChildElement(
props->getElement(),shibtarget::XML::SHIBTARGET_NS,Implementation
);
if (impl && (impl=saml::XML::getFirstChildElement(impl,shibtarget::XML::SHIBTARGET_NS,ISAPI))) {
- const XMLCh* flag=impl->getAttributeNS(NULL,normalizeRequest);
- g_bNormalizeRequest=(!flag || !*flag || *flag==chDigit_1 || *flag==chLatin_t);
+ const XMLCh* ch=impl->getAttributeNS(NULL,normalizeRequest);
+ g_bNormalizeRequest=(!ch || !*ch || *ch==chDigit_1 || *ch==chLatin_t);
impl=saml::XML::getFirstChildElement(impl,shibtarget::XML::SHIBTARGET_NS,Site);
while (impl) {
auto_ptr_char id(impl->getAttributeNS(NULL,id));
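Review bot: The second lookup reads `props->getBool("checkAll")`, but the attribute this commit adds to the schema, and the one the Apache and NSAPI modules read, is `catchAll`. As written, the ISAPI filter never sees the configured value and g_catchAll stays true whatever the operator sets. The line should be `flag=props->getBool("catchAll");`. The `XMLCh catchAll[]` constant added at the top of this file is not used in any hunk shown, so it may be left over from an earlier approach.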
@@ -201,14 +203,11 @@ extern "C" BOOL WINAPI GetFilterVersion(PHTTP_FILTER_VERSION pVer)
}
}
}
-#ifndef _DEBUG
}
- catch (...)
- {
+ catch (exception&) {
LogEvent(NULL, EVENTLOG_ERROR_TYPE, 2100, NULL, "Filter startup failed with an exception.");
return FALSE;
}
-#endif
pVer->dwFilterVersion=HTTP_FILTER_REVISION;
strncpy(pVer->lpszFilterDesc,"Shibboleth ISAPI Filter",SF_MAX_FILTER_DESC_LEN);
@@ -508,16 +507,14 @@ DWORD WriteClientError(PHTTP_FILTER_CONTEXT pfc, const char* msg)
extern "C" DWORD WINAPI HttpFilterProc(PHTTP_FILTER_CONTEXT pfc, DWORD notificationType, LPVOID pvNotification)
{
// Is this a log notification?
- if (notificationType==SF_NOTIFY_LOG)
- {
+ if (notificationType==SF_NOTIFY_LOG) {
if (pfc->pFilterContext)
((PHTTP_FILTER_LOG)pvNotification)->pszClientUserName=static_cast<LPCSTR>(pfc->pFilterContext);
return SF_STATUS_REQ_NEXT_NOTIFICATION;
}
PHTTP_FILTER_PREPROC_HEADERS pn=(PHTTP_FILTER_PREPROC_HEADERS)pvNotification;
- try
- {
+ try {
// Determine web site number. This can't really fail, I don't think.
dynabuf buf(128);
GetServerVariable(pfc,"INSTANCE_ID",buf,10);
@@ -555,15 +552,15 @@ extern "C" DWORD WINAPI HttpFilterProc(PHTTP_FILTER_CONTEXT pfc, DWORD notificat
else
return WriteClientError(pfc,"Shibboleth Filter detected unexpected IIS error.");
}
- catch (SAMLException& e) {
+ catch (exception& e) {
LogEvent(NULL, EVENTLOG_ERROR_TYPE, 2100, NULL, e.what());
return WriteClientError(pfc,"Shibboleth Filter caught an exception, ask administrator to check Event Log for details.");
}
-#ifndef _DEBUG
catch(...) {
- return WriteClientError(pfc,"Shibboleth Filter caught an unknown exception.");
+ if (g_catchAll)
+ return WriteClientError(pfc,"Shibboleth Filter caught an unknown exception.");
+ throw;
}
-#endif
return WriteClientError(pfc,"Shibboleth Filter reached unreachable code, save my walrus!");
}
@@ -798,15 +795,15 @@ extern "C" DWORD WINAPI HttpExtensionProc(LPEXTENSION_CONTROL_BLOCK lpECB)
else
return WriteClientError(lpECB,"Server detected unexpected IIS error.");
}
- catch (SAMLException& e) {
+ catch (exception& e) {
LogEvent(NULL, EVENTLOG_ERROR_TYPE, 2100, NULL, e.what());
return WriteClientError(lpECB,"Shibboleth Extension caught an exception, check Event Log for details.");
}
-#ifndef _DEBUG
catch(...) {
- return WriteClientError(lpECB,"Shibboleth Extension caught an unknown exception.");
+ if (g_catchAll)
+ return WriteClientError(lpECB,"Shibboleth Extension caught an unknown exception.");
+ throw;
}
-#endif
// If we get here we've got an error.
return HSE_STATUS_ERROR;
diff --git a/nsapi_shib/nsapi_shib.cpp b/nsapi_shib/nsapi_shib.cpp
index 013df1f..2fd66d9 100644
--- a/nsapi_shib/nsapi_shib.cpp
+++ b/nsapi_shib/nsapi_shib.cpp
@@ -68,6 +68,7 @@ namespace {
string g_ServerScheme;
string g_unsetHeaderValue;
bool g_checkSpoofing = true;
+ bool g_catchAll = true;
}
PlugManager::Factory SunRequestMapFactory;
@@ -107,9 +108,7 @@ extern "C" NSAPI_PUBLIC int nsapi_shib_init(pblock* pb, Session* sn, Request* rq
log_error(LOG_INFORM,"nsapi_shib_init",sn,rq,"nsapi_shib loaded for host (%s)",g_ServerName.c_str());
-#ifndef _DEBUG
try {
-#endif
const char* schemadir=pblock_findval("shib-schemas",pb);
if (!schemadir)
schemadir=getenv("SHIBSCHEMAS");
@@ -154,18 +153,17 @@ extern "C" NSAPI_PUBLIC int nsapi_shib_init(pblock* pb, Session* sn, Request* rq
pair<bool,const char*> unsetValue=props->getString("unsetHeaderValue");
if (unsetValue.first)
g_unsetHeaderValue = unsetValue.second;
- pair<bool,bool> checkSpoofing=props->getBool("checkSpoofing");
- if (checkSpoofing.first && !checkSpoofing.second)
- g_checkSpoofing = false;
+ pair<bool,bool> flag=props->getBool("checkSpoofing");
+ g_checkSpoofing = !flag.first || flag.second;
+ flag=props->getBool("catchAll");
+ g_catchAll = !flag.first || flag.second;
}
-#ifndef _DEBUG
}
- catch (...) {
+ catch (exception&) {
g_Config=NULL;
pblock_nvinsert("error","caught exception, unable to initialize Shibboleth libraries",pb);
return REQ_ABORTED;
}
-#endif
return REQ_PROCEED;
}
@@ -374,41 +372,41 @@ int WriteClientError(Session* sn, Request* rq, char* func, char* msg)
#define FUNC "shibboleth"
extern "C" NSAPI_PUBLIC int nsapi_shib(pblock* pb, Session* sn, Request* rq)
{
- ostringstream threadid;
- threadid << "[" << getpid() << "] nsapi_shib" << '\0';
- saml::NDC ndc(threadid.str().c_str());
-
- try {
- ShibTargetNSAPI stn(pb, sn, rq);
-
- // Check user authentication
- pair<bool,void*> res = stn.doCheckAuthN();
- if (res.first) return (int)res.second;
-
- // user authN was okay -- export the assertions now
- param_free(pblock_remove("auth-user",rq->vars));
- // This seems to be required in order to eventually set
- // the auth-user var.
- pblock_nvinsert("auth-type","shibboleth",rq->vars);
- res = stn.doExportAssertions();
- if (res.first) return (int)res.second;
-
- // Check the Authorization
- res = stn.doCheckAuthZ();
- if (res.first) return (int)res.second;
-
- // this user is ok.
- return REQ_PROCEED;
- }
- catch (SAMLException& e) {
- log_error(LOG_FAILURE,FUNC,sn,rq,const_cast<char*>(e.what()));
- return WriteClientError(sn, rq, FUNC, "Shibboleth filter threw an exception, see web server log for error.");
- }
-#ifndef _DEBUG
- catch (...) {
- return WriteClientError(sn, rq, FUNC, "Shibboleth filter threw an uncaught exception.");
- }
-#endif
+ ostringstream threadid;
+ threadid << "[" << getpid() << "] nsapi_shib" << '\0';
+ saml::NDC ndc(threadid.str().c_str());
+
+ try {
+ ShibTargetNSAPI stn(pb, sn, rq);
+
+ // Check user authentication
+ pair<bool,void*> res = stn.doCheckAuthN();
+ if (res.first) return (int)res.second;
+
+ // user authN was okay -- export the assertions now
+ param_free(pblock_remove("auth-user",rq->vars));
+ // This seems to be required in order to eventually set
+ // the auth-user var.
+ pblock_nvinsert("auth-type","shibboleth",rq->vars);
+ res = stn.doExportAssertions();
+ if (res.first) return (int)res.second;
+
+ // Check the Authorization
+ res = stn.doCheckAuthZ();
+ if (res.first) return (int)res.second;
+
+ // this user is ok.
+ return REQ_PROCEED;
+ }
+ catch (exception& e) {
+ log_error(LOG_FAILURE,FUNC,sn,rq,const_cast<char*>(e.what()));
+ return WriteClientError(sn, rq, FUNC, "Shibboleth filter threw an exception, see web server log for error.");
+ }
+ catch (...) {
+ if (g_catchAll)
+ return WriteClientError(sn, rq, FUNC, "Shibboleth filter threw an uncaught exception.");
+ throw;
+ }
}
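Review bot: `log_error(LOG_FAILURE,FUNC,sn,rq,const_cast<char*>(e.what()))` passes the exception text in the format-string position; the call in nsapi_shib_init shows log_error being used printf-style with `%s`. Now that the handler covers every std::exception, any `%` in the message would be read as a conversion with no matching argument. Pass the text as data instead: `log_error(LOG_FAILURE,FUNC,sn,rq,"%s",e.what());`. The same call appears in shib_handler in the next hunk.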
@@ -416,27 +414,27 @@ extern "C" NSAPI_PUBLIC int nsapi_shib(pblock* pb, Session* sn, Request* rq)
#define FUNC "shib_handler"
extern "C" NSAPI_PUBLIC int shib_handler(pblock* pb, Session* sn, Request* rq)
{
- ostringstream threadid;
- threadid << "[" << getpid() << "] shib_handler" << '\0';
- saml::NDC ndc(threadid.str().c_str());
-
- try {
- ShibTargetNSAPI stn(pb, sn, rq);
-
- pair<bool,void*> res = stn.doHandler();
- if (res.first) return (int)res.second;
-
- return WriteClientError(sn, rq, FUNC, "Shibboleth handler did not do anything.");
- }
- catch (SAMLException& e) {
- log_error(LOG_FAILURE,FUNC,sn,rq,const_cast<char*>(e.what()));
- return WriteClientError(sn, rq, FUNC, "Shibboleth handler threw an exception, see web server log for error.");
- }
-#ifndef _DEBUG
- catch (...) {
- return WriteClientError(sn, rq, FUNC, "Shibboleth handler threw an unknown exception.");
- }
-#endif
+ ostringstream threadid;
+ threadid << "[" << getpid() << "] shib_handler" << '\0';
+ saml::NDC ndc(threadid.str().c_str());
+
+ try {
+ ShibTargetNSAPI stn(pb, sn, rq);
+
+ pair<bool,void*> res = stn.doHandler();
+ if (res.first) return (int)res.second;
+
+ return WriteClientError(sn, rq, FUNC, "Shibboleth handler did not do anything.");
+ }
+ catch (exception& e) {
+ log_error(LOG_FAILURE,FUNC,sn,rq,const_cast<char*>(e.what()));
+ return WriteClientError(sn, rq, FUNC, "Shibboleth handler threw an exception, see web server log for error.");
+ }
+ catch (...) {
+ if (g_catchAll)
+ return WriteClientError(sn, rq, FUNC, "Shibboleth handler threw an unknown exception.");
+ throw;
+ }
}
diff --git a/schemas/shibboleth-targetconfig-1.0.xsd b/schemas/shibboleth-targetconfig-1.0.xsd
index 7c7efb8..d716b57 100644
--- a/schemas/shibboleth-targetconfig-1.0.xsd
+++ b/schemas/shibboleth-targetconfig-1.0.xsd
@@ -180,6 +180,7 @@
<attribute name="localRelayState" type="boolean" use="optional" default="false"/>
<attribute name="unsetHeaderValue" type="string" use="optional"/>
<attribute name="checkSpoofing" type="boolean" use="optional"/>
+ <attribute name="catchAll" type="boolean" use="optional"/>
<anyAttribute namespace="##other" processContents="lax"/>
</complexType>
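Review bot: The new `catchAll` attribute has no annotation, so the schema does not tell an operator what omitting it means or what setting it to false does. The code initialises g_catchAll to true and keeps that value when the attribute is absent. An `<annotation><documentation>` child should state that the default is to catch unknown exceptions, and that false lets them propagate into the host web server and is meant for debugging. The enclosing complexType starts outside the hunk.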
diff --git a/shib-target/shib-target.cpp b/shib-target/shib-target.cpp
index 304f4a9..e8f4384 100644
--- a/shib-target/shib-target.cpp
+++ b/shib-target/shib-target.cpp
@@ -40,11 +40,11 @@
# define strcasecmp stricmp
#endif
-using namespace std;
-using namespace saml;
-using namespace shibboleth;
-using namespace shibtarget;
using namespace shibtarget::logging;
+using namespace shibtarget;
+using namespace shibboleth;
+using namespace saml;
+using namespace std;
namespace shibtarget {
class ShibTargetPriv
@@ -313,11 +313,9 @@ pair<bool,void*> ShibTarget::doCheckAuthN(bool handler)
catch (SAMLException& e) {
mlp.insert(e);
}
-#ifndef _DEBUG
- catch (...) {
- mlp.insert("errorText", "Caught an unknown exception.");
+ catch (exception& e) {
+ mlp.insert("errorText", e.what());
}
-#endif
// If we get here then we've got an error.
mlp.insert("errorType", procState);
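Review bot: The new handler puts `e.what()` into the `errorText` field, where the removed one inserted a fixed string. `mlp` looks like the template for the error page returned to the browser, and whether the value is escaped on output is not visible here. If so, text from any std::exception, including library internals or data derived from the request, would reach the client. Keeping a fixed message for the page, e.g. `mlp.insert("errorText", "Caught an unexpected exception.");`, and writing `e.what()` to the server log separates the two audiences. The same change is made in doHandler, doCheckAuthZ and doExportAssertions in the following hunks; each function body starts outside its hunk.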
@@ -420,11 +418,9 @@ pair<bool,void*> ShibTarget::doHandler(void)
catch (SAMLException& e) {
mlp.insert(e);
}
-#ifndef _DEBUG
- catch (...) {
- mlp.insert("errorText", "Caught an unknown exception.");
+ catch (exception& e) {
+ mlp.insert("errorText", e.what());
}
-#endif
// If we get here then we've got an error.
mlp.insert("errorType", procState);
@@ -506,11 +502,9 @@ pair<bool,void*> ShibTarget::doCheckAuthZ(void)
catch (SAMLException& e) {
mlp.insert(e);
}
-#ifndef _DEBUG
- catch (...) {
- mlp.insert("errorText", "Caught an unknown exception.");
+ catch (exception& e) {
+ mlp.insert("errorText", e.what());
}
-#endif
// If we get here then we've got an error.
mlp.insert("errorType", procState);
@@ -676,11 +670,9 @@ pair<bool,void*> ShibTarget::doExportAssertions(bool requireSession)
catch (SAMLException& e) {
mlp.insert(e);
}
-#ifndef _DEBUG
- catch (...) {
- mlp.insert("errorText", "Caught an unknown exception.");
+ catch (exception& e) {
+ mlp.insert("errorText", e.what());
}
-#endif
// If we get here then we've got an error.
mlp.insert("errorType", procState);
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-shibboleth/shibboleth-sp2.git