facilitate replay detection of Shibboleth SSO messages by: - SIDP-452
authorlajoie <lajoie@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Tue, 11 Jan 2011 10:31:32 +0000 (10:31 +0000)
committerlajoie <lajoie@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Tue, 11 Jan 2011 10:31:32 +0000 (10:31 +0000)
  - add pseudo-message ID for Shibboleth SSO requests
  - add replay check to Shibboleth SSO protocol security checks

git-svn-id: https://subversion.switch.ch/svn/shibboleth/java-idp/branches/REL_2@2979 ab3bd59b-922f-494d-bb5f-6f0a3c29deca

doc/RELEASE-NOTES.txt
src/installer/resources/conf-tmpl/relying-party.xml
src/main/java/edu/internet2/middleware/shibboleth/idp/profile/saml1/ShibbolethSSODecoder.java

index cf013c1..a3a77dd 100644 (file)
@@ -15,6 +15,7 @@ Changes in Release 2.2.1
 [SIDP-443] - Profile handlers override encoder nameQualifier setting
 [SIDP-447] - Fix for SIDP-417 missed RemoteUserLoginHandler
 [SIDP-450] - NPE with AttributeQueryProfile when there are errors resolving attributes
+[SIDP-452] - Facilitate replay detection to Shibboleth SSO
 [SIDP-453] - Session inactivity timeout being treated as a hard expiration time
 [SIDP-457] - would be nice to include displayName in default attribute resolver
 
index 9477860..0076964 100644 (file)
     </security:TrustEngine>
      
     <security:SecurityPolicy id="shibboleth.ShibbolethSSOSecurityPolicy" xsi:type="security:SecurityPolicyType">
+        <security:Rule xsi:type="samlsec:Replay" required="false" />
         <security:Rule xsi:type="samlsec:IssueInstant" required="false"/>
         <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
     </security:SecurityPolicy>
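Review bot: The new `samlsec:Replay` rule is marked `required="false"` without explaining why, and an operator hardening this policy may flip it to `true` and break Shibboleth SSO for every request that arrives without a Java session ID, since the decoder change in this commit only sets a message ID when `getRequestedSessionId()` is non-null. A comment above the rule would prevent that, e.g. `<!-- Shibboleth SSO requests carry no message ID of their own; the IdP synthesizes one only when the client presents a session ID, so this rule must stay non-required. Replay detection here is best-effort. -->`. Whether the other rules in this policy are also `required="false"` for the same reason cannot be told from this hunk.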
index 5f79a4a..94b1c65 100644 (file)
@@ -24,6 +24,7 @@ import org.opensaml.saml1.binding.decoding.BaseSAML1MessageDecoder;
 import org.opensaml.ws.message.MessageContext;
 import org.opensaml.ws.message.decoder.MessageDecodingException;
 import org.opensaml.ws.transport.http.HTTPInTransport;
+import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
 import org.opensaml.xml.util.DatatypeHelper;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -91,6 +92,13 @@ public class ShibbolethSSODecoder extends BaseSAML1MessageDecoder implements SAM
         if (timeStr != null) {
             long time = Long.parseLong(timeStr) * 1000;
             requestContext.setInboundSAMLMessageIssueInstant(new DateTime(time, ISOChronology.getInstanceUTC()));
+            
+            // If a timestamp is provided, construct a pseudo message ID by combining the timestamp
+            // and a client-specific ID (the Java session ID).
+            String sessionID = ((HttpServletRequestAdapter) transport).getWrappedRequest().getRequestedSessionId();
+            if (sessionID != null) {
+                requestContext.setInboundSAMLMessageId(sessionID + '!' + timeStr);
+            }
         }
         
         populateRelyingPartyMetadata(requestContext);
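Review bot: The cast on the `String sessionID = ...` line assumes `transport` is always an `HttpServletRequestAdapter`; any other `HTTPInTransport` implementation would throw a `ClassCastException` out of the decoder, so guard it with `if (transport instanceof HttpServletRequestAdapter) {` and skip setting the ID otherwise. Both inputs to the pseudo ID are client-supplied: the `time` parameter and the value returned by `getRequestedSessionId()` (whatever cookie or URL session ID the client presented, not a validated session), so an attacker replaying a captured request can present a different or no session cookie and obtain a fresh ID or none at all, and the policy rule added in this commit is `required="false"`, so the latter is not rejected. The comment should state this limitation, e.g. `// NOTE: best-effort only; both inputs are client-controlled, so this catches accidental resubmission, not a deliberate replay.`. The raw session ID also becomes part of a value that the replay cache and any log line printing the message ID may record, so consider using a digest of the session ID (e.g. SHA-256 via `MessageDigest`) rather than the identifier itself. The enclosing decode method begins before this hunk.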