17 package org.opensaml.common.binding.security;
18
19 import org.joda.time.DateTime;
20 import org.opensaml.common.binding.SAMLMessageContext;
21 import org.opensaml.ws.message.MessageContext;
22 import org.opensaml.ws.security.SecurityPolicyException;
23 import org.opensaml.ws.security.SecurityPolicyRule;
24 import org.slf4j.Logger;
25 import org.slf4j.LoggerFactory;
26
27
28
29
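/**
 * Security policy rule that validates the issue instant of an inbound SAML message against the local clock.
 *
 * <p>A message is rejected when its issue instant is more than {@code clockSkew} seconds ahead of local time
 * (issued "in the future"), or when more than {@code clockSkew + expires} seconds have elapsed since it was
 * issued. Message contexts that are not a {@link SAMLMessageContext} are ignored. When the inbound message
 * carries no issue instant the rule either fails (if {@link #isRequiredRule()} is {@code true}, the default)
 * or passes silently.
 */
public class IssueInstantRule implements SecurityPolicyRule {

    /** Class logger. */
    private static final Logger log = LoggerFactory.getLogger(IssueInstantRule.class);

    /** Clock skew, in seconds, tolerated between this host and the message issuer. */
    private final int clockSkew;

    /** Number of seconds after its issue instant (plus clock skew) for which a message is still accepted. */
    private final int expires;

    /** Whether the rule fails, rather than passes, when the inbound message carries no issue instant. */
    private boolean requiredRule;

    /**
     * Constructor.
     *
     * <p>Negative values are not rejected, to stay compatible with existing callers, but they shrink (clock
     * skew) or invert (expiry) the acceptance window, so they are logged at construction time.
     *
     * @param newClockSkew allowed clock skew, in seconds
     * @param newExpires number of seconds after issuance within which the message is accepted
     */
    public IssueInstantRule(int newClockSkew, int newExpires) {
        clockSkew = newClockSkew;
        expires = newExpires;
        requiredRule = true;
        if (newClockSkew < 0 || newExpires < 0) {
            log.warn("IssueInstantRule configured with negative clock skew ({}) or expiry ({}) seconds",
                    newClockSkew, newExpires);
        }
    }

    /**
     * Gets whether this rule is required to be met.
     *
     * @return {@code true} if a message without an issue instant is rejected, {@code false} if it is ignored
     */
    public boolean isRequiredRule() {
        return requiredRule;
    }

    /**
     * Sets whether this rule is required to be met.
     *
     * @param required {@code true} to reject a message without an issue instant, {@code false} to ignore it
     */
    public void setRequiredRule(boolean required) {
        requiredRule = required;
    }

    /**
     * Evaluates the issue instant of the inbound SAML message.
     *
     * @param messageContext the message context being evaluated; non-SAML contexts are skipped
     * @throws SecurityPolicyException if the issue instant is missing (and the rule is required), lies too
     *             far in the future, or has expired
     */
    public void evaluate(MessageContext messageContext) throws SecurityPolicyException {
        if (!(messageContext instanceof SAMLMessageContext)) {
            log.debug("Invalid message context type, this policy rule only supports SAMLMessageContext");
            return;
        }
        SAMLMessageContext samlMsgCtx = (SAMLMessageContext) messageContext;

        DateTime issueInstant = samlMsgCtx.getInboundSAMLMessageIssueInstant();
        if (issueInstant == null) {
            if (requiredRule) {
                log.warn("Inbound SAML message issue instant not present in message context");
                throw new SecurityPolicyException("Inbound SAML message issue instant not present in message context");
            }
            return;
        }

        DateTime now = new DateTime();
        // Messages stamped up to clockSkew seconds ahead of local time are still accepted.
        DateTime latestValid = now.plusSeconds(clockSkew);
        // Two separate additions instead of plusSeconds(clockSkew + expires): the int sum can overflow and
        // silently invert the window, whereas each Joda addition is performed in long millisecond arithmetic.
        DateTime expiration = issueInstant.plusSeconds(clockSkew).plusSeconds(expires);

        if (issueInstant.isAfter(latestValid)) {
            log.warn("Message was not yet valid: message time was {}, latest valid is: {}", issueInstant, latestValid);
            throw new SecurityPolicyException("Message was rejected because was issued in the future");
        }

        if (expiration.isBefore(now)) {
            log.warn("Message was expired: message issue time was '{}', message expired at: '{}', current time: '{}'",
                    issueInstant, expiration, now);
            throw new SecurityPolicyException("Message was rejected due to issue instant expiration");
        }
    }
}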