From 5369a9960375c3899feb9cc9c1209c99eb4b0419 Mon Sep 17 00:00:00 2001
From: srasmusson
Date: Mon, 9 May 2016 00:01:21 +0200
Subject: [PATCH] adding validation for destination and instant
---
 .../opensamlbook/sp/ConsumerServlet.java | 37 ++++++++++++++++++-
 1 file changed, 36 insertions(+), 1 deletion(-)
diff --git a/src/main/java/no/steras/opensamlbook/sp/ConsumerServlet.java b/src/main/java/no/steras/opensamlbook/sp/ConsumerServlet.java
index 0973058..0907b9c 100644
--- a/src/main/java/no/steras/opensamlbook/sp/ConsumerServlet.java
+++ b/src/main/java/no/steras/opensamlbook/sp/ConsumerServlet.java
@@ -95,7 +95,9 @@ public class ConsumerServlet extends HttpServlet {
 ArtifactResponse artifactResponse = sendAndReceiveArtifactResolve(artifactResolve, resp);
 logger.info("ArtifactResponse received");
 logger.info("ArtifactResponse: ");
- // OpenSAMLUtils.logSAMLObject(artifactResponse);
+ OpenSAMLUtils.logSAMLObject(artifactResponse);
+
+ validateDestinationAndLifetime(artifactResponse, req);
 
 EncryptedAssertion encryptedAssertion = getEncryptedAssertion(artifactResponse);
 Assertion assertion = decryptAssertion(encryptedAssertion);
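Review bot: The new `validateDestinationAndLifetime(artifactResponse, req)` call checks IssueInstant and Destination of the ArtifactResponse envelope only, while the decrypted `Assertion` on the hunk's last line — the object that actually carries the authentication statement — is accepted without its own Conditions being checked, so an assertion whose NotOnOrAfter has passed, or one issued for a different SP, still goes through as long as the back-channel envelope is fresh. Whether the enclosing method (which continues past this hunk) verifies the assertion's signature, Conditions or SubjectConfirmation further down is not visible here; if it does not, a check along the lines below belongs right after the decryption, with the same clock-skew tolerance the handler in the second hunk configures and an AudienceRestriction comparison against this SP's entityId. Re-enabling `OpenSAMLUtils.logSAMLObject(artifactResponse)` also writes the complete artifact response to the log on every login; acceptable for the book example, but a `// debug only: logs the full SAML message` comment would make that explicit.
```java
// … unchanged: artifact resolution, logging and the validateDestinationAndLifetime call …
Assertion assertion = decryptAssertion(encryptedAssertion);
// The envelope's IssueInstant says nothing about the assertion's own validity window.
Conditions conditions = assertion.getConditions();
if (conditions == null) {
    throw new RuntimeException("Assertion has no Conditions element");
}
DateTime now = DateTime.now();
if (conditions.getNotBefore() != null && now.isBefore(conditions.getNotBefore())) {
    throw new RuntimeException("Assertion is not yet valid");
}
if (conditions.getNotOnOrAfter() != null && !now.isBefore(conditions.getNotOnOrAfter())) {
    throw new RuntimeException("Assertion has expired");
}
```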
@@ -111,6 +113,39 @@ public class ConsumerServlet extends HttpServlet {
 redirectToGotoURL(req, resp);
 }
 
+ private void validateDestinationAndLifetime(ArtifactResponse artifactResponse, HttpServletRequest request) {
+ MessageContext context = new MessageContext();
+ context.setMessage(artifactResponse);
+
+ SAMLMessageInfoContext messageInfoContext = context.getSubcontext(SAMLMessageInfoContext.class, true);
+ messageInfoContext.setMessageIssueInstant(artifactResponse.getIssueInstant());
+
+ MessageLifetimeSecurityHandler lifetimeSecurityHandler = new MessageLifetimeSecurityHandler();
+ lifetimeSecurityHandler.setClockSkew(1000);
+ lifetimeSecurityHandler.setMessageLifetime(2000);
+ lifetimeSecurityHandler.setRequiredRule(true);
+
+ ReceivedEndpointSecurityHandler receivedEndpointSecurityHandler = new ReceivedEndpointSecurityHandler();
+ receivedEndpointSecurityHandler.setHttpServletRequest(request);
+ List handlers = new ArrayList();
+ handlers.add(lifetimeSecurityHandler);
+ handlers.add(receivedEndpointSecurityHandler);
+
+ BasicMessageHandlerChain handlerChain = new BasicMessageHandlerChain();
+ handlerChain.setHandlers(handlers);
+
+ try {
+ handlerChain.initialize();
+ handlerChain.doInvoke(context);
+ } catch (ComponentInitializationException e) {
+ throw new RuntimeException(e);
+ } catch (MessageHandlerException e) {
+ throw new RuntimeException(e);
+ }
+
+
+ }
+
 private Assertion decryptAssertion(EncryptedAssertion encryptedAssertion) {
 StaticKeyInfoCredentialResolver keyInfoCredentialResolver = new StaticKeyInfoCredentialResolver(SPCredentials.getCredential());