private static boolean isOneTimeUse(SecurityToken issuedToken) { Element token = issuedToken.getToken(); if (token != null && "Assertion".equals(token.getLocalName()) && WSS4JConstants.SAML2_NS.equals(token.getNamespaceURI())) { try { SamlAssertionWrapper assertion = new SamlAssertionWrapper(token); if (assertion.getSaml2().getConditions() != null && assertion.getSaml2().getConditions().getOneTimeUse() != null) { return true; } } catch (WSSecurityException ex) { throw new Fault(ex); } } return false; }
private static boolean isOneTimeUse(SecurityToken issuedToken) { Element token = issuedToken.getToken(); if (token != null && "Assertion".equals(token.getLocalName()) && WSS4JConstants.SAML2_NS.equals(token.getNamespaceURI())) { try { SamlAssertionWrapper assertion = new SamlAssertionWrapper(token); if (assertion.getSaml2().getConditions() != null && assertion.getSaml2().getConditions().getOneTimeUse() != null) { return true; } } catch (WSSecurityException ex) { throw new Fault(ex); } } return false; }
/** {@inheritDoc} */ @Override protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext) { final SAMLObjectBuilder<OneTimeUse> conditionBuilder = (SAMLObjectBuilder<OneTimeUse>) XMLObjectProviderRegistrySupport.getBuilderFactory().<OneTimeUse>getBuilderOrThrow( OneTimeUse.DEFAULT_ELEMENT_NAME); for (final Assertion assertion : response.getAssertions()) { final Conditions conditions = SAML2ActionSupport.addConditionsToAssertion(this, assertion); if (conditions.getOneTimeUse() == null) { conditions.getConditions().add(conditionBuilder.buildObject()); log.debug("{} Added OneTimeUse condition to Assertion {}", getLogPrefix(), assertion.getID()); } else { log.debug("{} Assertion {} already contained OneTimeUse condition, another was not added", getLogPrefix(), assertion.getID()); } } }
/** * Check the "OneTimeUse" Condition of the Assertion. If this is set then the Assertion * is cached (if a cache is defined), and must not have been previously cached */ protected void checkOneTimeUse( SamlAssertionWrapper samlAssertion, ReplayCache replayCache ) throws WSSecurityException { if (replayCache != null && samlAssertion.getSamlVersion().equals(SAMLVersion.VERSION_20) && samlAssertion.getSaml2().getConditions() != null && samlAssertion.getSaml2().getConditions().getOneTimeUse() != null) { String identifier = samlAssertion.getId(); if (replayCache.contains(identifier)) { throw new WSSecurityException( WSSecurityException.ErrorCode.INVALID_SECURITY, "badSamlToken", new Object[] {"A replay attack has been detected"}); } DateTime expires = samlAssertion.getSaml2().getConditions().getNotOnOrAfter(); if (expires != null) { Instant currentTime = Instant.now(); replayCache.add(identifier, 1L + Duration.between(currentTime, expires.toDate().toInstant()).getSeconds()); } else { replayCache.add(identifier); } } }
/** * Check the "OneTimeUse" Condition of the Assertion. If this is set then the Assertion * is cached (if a cache is defined), and must not have been previously cached */ protected void checkOneTimeUse( SamlAssertionWrapper samlAssertion, RequestData data ) throws WSSecurityException { if (samlAssertion.getSamlVersion().equals(SAMLVersion.VERSION_20) && samlAssertion.getSaml2().getConditions() != null && samlAssertion.getSaml2().getConditions().getOneTimeUse() != null && data.getSamlOneTimeUseReplayCache() != null) { String identifier = samlAssertion.getId(); ReplayCache replayCache = data.getSamlOneTimeUseReplayCache(); if (replayCache.contains(identifier)) { throw new WSSecurityException( WSSecurityException.ErrorCode.INVALID_SECURITY, "badSamlToken", new Object[] {"A replay attack has been detected"}); } DateTime expires = samlAssertion.getSaml2().getConditions().getNotOnOrAfter(); if (expires != null) { Instant currentTime = Instant.now(); Instant zonedExpires = Instant.ofEpochMilli(expires.getMillis()); replayCache.add(identifier, 1L + Duration.between(currentTime, zonedExpires).getSeconds()); } else { replayCache.add(identifier); } replayCache.add(identifier); } }