[shibboleth-sp2] 15/25: https://issues.shibboleth.net/jira/browse/SSPCPP-179

Tue Jan 26 21:30:03 UTC 2016

This is an automated email from the git hooks/post-receive script.

wferi-guest pushed a commit to annotated tag 1.3.2
in repository shibboleth-sp2.

commit 4e41ef0280b2cd945de6fd22dbd9fd7a32203fd6
Author: Scott Cantor <cantor.2 at osu.edu>
Date:   Sat Jan 10 21:53:37 2009 +0000

    https://issues.shibboleth.net/jira/browse/SSPCPP-179
---
 nsapi_shib/nsapi_shib.cpp | 33 ++++++++++++++++++++++++++-------
 1 file changed, 26 insertions(+), 7 deletions(-)

diff --git a/nsapi_shib/nsapi_shib.cpp b/nsapi_shib/nsapi_shib.cpp
index d9f4900..1925021 100644
--- a/nsapi_shib/nsapi_shib.cpp
+++ b/nsapi_shib/nsapi_shib.cpp
@@ -65,7 +65,6 @@ using namespace shibtarget;
 namespace {
     ShibTargetConfig* g_Config=NULL;
     string g_ServerName;
-    string g_ServerScheme;
     string g_unsetHeaderValue;
     bool g_checkSpoofing = false;
     bool g_catchAll = true;
@@ -102,9 +101,6 @@ extern "C" NSAPI_PUBLIC int nsapi_shib_init(pblock* pb, Session* sn, Request* rq
             }
         }
     }
-    name=pblock_findval("server-scheme",pb);
-    if (name)
-        g_ServerScheme=name;
 
     log_error(LOG_INFORM,"nsapi_shib_init",sn,rq,"nsapi_shib loaded for host (%s)",g_ServerName.c_str());
 
@@ -174,11 +170,34 @@ class ShibTargetNSAPI : public ShibTarget
 {
 public:
   ShibTargetNSAPI(pblock* pb, Session* sn, Request* rq) : m_pb(pb), m_sn(sn), m_rq(rq), m_firsttime(true) {
-    // Get everything but hostname...
+
+      // To determine whether SSL is active or not, we're supposed to rely
+      // on the security_active macro. For iPlanet 4.x, this works.
+      // For Sun 7.x, it's useless and appears to be on or off based
+      // on whether ANY SSL support is enabled for a vhost. Sun 6.x is unknown.
+      // As a fix, there's a conf variable called $security that can be mapped
+      // into a function parameter: security_active="$security"
+      // We check for this parameter, and rely on the macro if it isn't set.
+      // This doubles as a scheme virtualizer for load balanced scenarios
+      // since you can set the parameter to 1 or 0 as needed.
+      const char* scheme;
+      const char* sa = pblock_findval("security_active", pb);
+      if (sa)
+          scheme = (*sa == '1') ? "https" : "http";
+      else if (security_active)
+          scheme = "https";
+      else
+          scheme = "http";
+
+      // A similar issue exists for the port. server_portnum is no longer
+      // working on at least Sun 7.x, and returns the first listener's port
+      // rather than whatever port is actually used for the request. Nice job, Sun.
+      sa = pblock_findval("server_portnum", pb);
+      int port = (sa && *sa) ? atoi(sa) : server_portnum;
+
+    // Get everything else but hostname...
     const char* uri=pblock_findval("uri", rq->reqpb);
     const char* qstr=pblock_findval("query", rq->reqpb);
-    int port=server_portnum;
-    const char* scheme=security_active ? "https" : "http";
     const char* host=NULL;
 
     string url;

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-shibboleth/shibboleth-sp2.git

