public-collect/webprofile-ref-project-v3
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

adding validation for destination and instant

Browse Source
This commit is contained in:
srasmusson
2016-05-09 00:01:21 +02:00
parent 47b8a860f6
commit 5369a99603
1 changed files with 36 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
src/main/java/no/steras/opensamlbook/sp/ConsumerServlet.java
View File

@@ -95,7 +95,9 @@ public class ConsumerServlet extends HttpServlet {
ArtifactResponse artifactResponse = sendAndReceiveArtifactResolve(artifactResolve, resp);
logger.info("ArtifactResponse received");
logger.info("ArtifactResponse: ");
// OpenSAMLUtils.logSAMLObject(artifactResponse);
OpenSAMLUtils.logSAMLObject(artifactResponse);
validateDestinationAndLifetime(artifactResponse, req);
EncryptedAssertion encryptedAssertion = getEncryptedAssertion(artifactResponse);
Assertion assertion = decryptAssertion(encryptedAssertion);
@@ -111,6 +113,39 @@ public class ConsumerServlet extends HttpServlet {
redirectToGotoURL(req, resp);
}
private void validateDestinationAndLifetime(ArtifactResponse artifactResponse, HttpServletRequest request) {
MessageContext context = new MessageContext<ArtifactResponse>();
context.setMessage(artifactResponse);
SAMLMessageInfoContext messageInfoContext = context.getSubcontext(SAMLMessageInfoContext.class, true);
messageInfoContext.setMessageIssueInstant(artifactResponse.getIssueInstant());
MessageLifetimeSecurityHandler lifetimeSecurityHandler = new MessageLifetimeSecurityHandler();
lifetimeSecurityHandler.setClockSkew(1000);
lifetimeSecurityHandler.setMessageLifetime(2000);
lifetimeSecurityHandler.setRequiredRule(true);
ReceivedEndpointSecurityHandler receivedEndpointSecurityHandler = new ReceivedEndpointSecurityHandler();
receivedEndpointSecurityHandler.setHttpServletRequest(request);
List handlers = new ArrayList<MessageHandler>();
handlers.add(lifetimeSecurityHandler);
handlers.add(receivedEndpointSecurityHandler);
BasicMessageHandlerChain<ArtifactResponse> handlerChain = new BasicMessageHandlerChain<ArtifactResponse>();
handlerChain.setHandlers(handlers);
try {
handlerChain.initialize();
handlerChain.doInvoke(context);
} catch (ComponentInitializationException e) {
throw new RuntimeException(e);
} catch (MessageHandlerException e) {
throw new RuntimeException(e);
}
}
private Assertion decryptAssertion(EncryptedAssertion encryptedAssertion) {
StaticKeyInfoCredentialResolver keyInfoCredentialResolver = new StaticKeyInfoCredentialResolver(SPCredentials.getCredential());