shibboleth-dev - [Patch] SP Config schema bug for <Path>

Subject: Shibboleth Developers

  • From: Daniel F Crisman <>
  • To:
  • Subject: [Patch] SP Config schema bug for <Path>
  • Date: Fri, 23 Oct 2009 05:08:41 -0400

With current cpp-sp at least two locations are legal to have a Path
element in shibboleth2.xml:

<SPConfig>
<RequestMapper> <RequestMap> <Host> <Path>
<ApplicationDefaults> <CredentialResolver> <Certificate> <Path>

The SP reads both those locations correctly and without complaint as far
as I know, but the second one (under <Certificate>) causes a schema
validation failure on the shibboleth-2.0-native-sp-config.xsd schema
file.

The problem as I see it is that there are 33 global elements in the
urn:mace:shibboleth:2.0:native:sp:config namespace while the
documentation [1] reads like <SPConfig> should be the only root.

[1] https://spaces.internet2.edu/display/SHIB2/NativeSPShibbolethXML

So the <element name="Path"> declaration in
shibboleth-2.0-native-sp-config.xsd is the only valid "Path" anywhere
including under PluggableType elements like CredentialResolver which
leads to two problems:

Obviously wrong, but schema valid SP Configurations like:
<Path name="n" xmlns="urn:mace:shibboleth:2.0:native:sp:config"></Path>

SP Configuration files with a <Certificate> <Path> being schema invalid.

This seems to be the exact same problem (with the "Rule" element) that
was worked around with the deprecation of <Rule> [2] in favor of
<PolicyRule> in SVN r2962. I can't find any reasoning on why the
element name was changed instead of just fixing the schema, but if there is a
good reason feel free to go with that.

[2] https://spaces.internet2.edu/display/SHIB2/NativeSPSecurityPolicies

The attached patch removes the global declaration for the element Path
and replaces it with complexType HostPathType, so <Path> under <Host> is
still defined correctly, but will no longer conflict with elements
under other parent elements. It also fixes the line ending on two lines
to match the other 700+ lines.

If this seems reasonable to all let me know and I will take the time to
fix the other 31 global elements that should not be global in that
schema file and submit a new patch.

dc
--- shibboleth-2.0-native-sp-config.xsd_r3140 2009-09-30 16:35:10.000000000
-0400
+++ shibboleth-2.0-native-sp-config.xsd 2009-10-23 05:03:13.000000000 -0400
@@ -83,11 +83,11 @@
<element name="RequestMapper" type="conf:PluggableType"
minOccurs="0"/>
<element ref="conf:ApplicationDefaults"/>
<element ref="conf:SecurityPolicies"/>
- <element ref="conf:TransportOption" minOccurs="0"
maxOccurs="unbounded"/>
+ <element ref="conf:TransportOption" minOccurs="0"
maxOccurs="unbounded"/>
</sequence>
<attribute name="logger" type="anyURI"/>
<attribute name="clockSkew" type="unsignedInt"/>
- <attribute name="unsafeChars" type="conf:string"/>
+ <attribute name="unsafeChars" type="conf:string"/>
<anyAttribute namespace="##other"
processContents="lax"/>
</complexType>
</element>
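Review bot: The two changed lines in this hunk (the TransportOption element and the unsafeChars attribute) differ only in their line endings, which has nothing to do with the Path fix. Please split the line-ending normalization into its own patch so the schema change can be reviewed and reverted independently.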
@@ -337,7 +337,7 @@
<element ref="conf:AccessControlProvider"/>
</choice>
<choice minOccurs="0" maxOccurs="unbounded">
- <element ref="conf:Path"/>
+ <element name="Path"
type="conf:HostPathType"/>
<element ref="conf:PathRegex"/>
<element ref="conf:Query"/>
</choice>
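Review bot: Switching from ref="conf:Path" to a local declaration (name="Path" type="conf:HostPathType") makes the namespace of Path depend on the schema's elementFormDefault, which is not visible in this diff. If the schema does not set elementFormDefault="qualified", the local Path is in no namespace and existing shibboleth2.xml files with Host/Path would stop validating. Please confirm the setting, or put form="qualified" on the local declaration.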
@@ -369,7 +369,7 @@
<element
ref="conf:AccessControlProvider"/>
</choice>
<choice minOccurs="0" maxOccurs="unbounded">
- <element ref="conf:Path"/>
+ <element name="Path"
type="conf:HostPathType"/>
<element ref="conf:PathRegex"/>
<element ref="conf:Query"/>
</choice>
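Review bot: This is the second of three identical local declarations of Path (the same replacement appears in the hunks at -337, -369 and -390). Consider moving the Path/PathRegex/Query choice into one named group and referencing that group from each location, so the three content models cannot drift apart in later edits.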
@@ -381,8 +381,7 @@
</complexType>
</element>

- <element name="Path">
- <complexType>
+ <complexType name="HostPathType">
<sequence>
<choice minOccurs="0">
<element ref="conf:htaccess"/>
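Review bot: Removing the global element named Path leaves any remaining ref="conf:Path" unresolvable, and this patch shows only three references being replaced. Please confirm no other reference exists in this file or in any schema that imports it. The new HostPathType also has no annotation; a short documentation element saying it models Path under Host and nested Path only would help, since the message points out that a different Path exists under Certificate.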
@@ -390,7 +389,7 @@
<element ref="conf:AccessControlProvider"/>
</choice>
<choice minOccurs="0" maxOccurs="unbounded">
- <element ref="conf:Path"/>
+ <element name="Path"
type="conf:HostPathType"/>
<element ref="conf:PathRegex"/>
<element ref="conf:Query"/>
</choice>
@@ -399,7 +398,6 @@
<attribute name="applicationId" type="conf:string"/>
<attributeGroup ref="conf:ContentSettings"/>
</complexType>
- </element>

<element name="PathRegex">
<complexType>
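The message's point that every global element declaration is a legal document root can be checked mechanically. The following is an added example, not part of the original post or of the Shibboleth project; the miniature schema, the urn:example:conf namespace and the function name audit_global_elements are constructed for illustration, and refs are resolved by local name only, which assumes a single target namespace.

```python
import xml.etree.ElementTree as ET

XS = "{http://www.w3.org/2001/XMLSchema}"

# Constructed miniature schema in the shape the message describes (NOT the real
# shibboleth-2.0-native-sp-config.xsd): SPConfig is the intended root, while
# Path is also declared globally and pulled in by ref.
SAMPLE_XSD = """\
<schema xmlns="http://www.w3.org/2001/XMLSchema"
        xmlns:conf="urn:example:conf" targetNamespace="urn:example:conf"
        elementFormDefault="qualified">
  <element name="SPConfig">
    <complexType><sequence>
      <element name="Host" type="conf:HostType" maxOccurs="unbounded"/>
    </sequence></complexType>
  </element>
  <complexType name="HostType"><sequence>
    <element ref="conf:Path" minOccurs="0" maxOccurs="unbounded"/>
  </sequence></complexType>
  <element name="Path">
    <complexType><sequence>
      <element ref="conf:Path" minOccurs="0" maxOccurs="unbounded"/>
    </sequence><attribute name="name" type="string"/></complexType>
  </element>
</schema>
"""

def audit_global_elements(xsd_text, intended_roots):
    """Return {name: ref_count} for global elements that are not intended roots."""
    schema = ET.fromstring(xsd_text)
    # Global declarations are direct children of <schema>; a validator accepts
    # each of them as the root of an instance document.
    global_names = [e.get("name") for e in schema.findall(XS + "element")]
    # Count ref="prefix:Name" uses anywhere in the schema (local name only:
    # assumes one target namespace, as in the constructed sample).
    refs = {}
    for el in schema.iter(XS + "element"):
        ref = el.get("ref")
        if ref:
            local = ref.split(":")[-1]
            refs[local] = refs.get(local, 0) + 1
    return {n: refs.get(n, 0) for n in global_names if n not in intended_roots}

if __name__ == "__main__":
    for name, count in audit_global_elements(SAMPLE_XSD, {"SPConfig"}).items():
        print(f"{name}: global (valid as document root), referenced {count}x")
```

Each name reported is a candidate for the treatment the patch gives Path: a named complexType plus local declarations at the places that currently use ref.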


