Be able to get at the auth object the last processed ID

pitbulk · pitbulk · commit a183afd76b4d · 2017-02-10T17:37:51.000+01:00
diff --git a/README.md b/README.md
@@ -515,6 +515,21 @@ auth.getLastRequestId()
 and later excuting the redirection manually.
 
 
+### Working behind load balancer
+
+Is possible that asserting request URL and Destination attribute of SAML response fails when working behind load balancer with SSL offload.
+
+You should be able to workaround this by configuring your server so that it is aware of the proxy and returns the original url when requested.
+
+For Apache Tomcat this is done by setting the proxyName, proxyPort, scheme and secure attributes for the Connector. See [here](http://serverfault.com/questions/774300/ssl-offloading-from-apache-to-tomcat-get-overwritten-somewhere) for an example.
+
+
+### Reply attacks
+
+In order to avoid reply attacks, you can store the ID of the SAML messages already processed, to avoid processing them twice. Since the Messages expires and will be invalidated due that fact, you don't need to store those IDs longer than the time frame that you currently accepting.
+
+Get the ID of the last processed message with the getLastMessageId method of the Auth object.
+
 ## Demo included in the toolkit
 The Onelogin's Java Toolkit allows you to provide the settings in a unique file as described at the [Settings  section](https://github.com/onelogin/java-saml/#Settings).
 
diff --git a/core/src/main/java/com/onelogin/saml2/authn/SamlResponse.java b/core/src/main/java/com/onelogin/saml2/authn/SamlResponse.java
@@ -705,6 +705,13 @@ public String getSessionIndex() throws XPathExpressionException {
         return sessionIndex;
     }
 
+	/**
+	 * @return the ID of the Response
+	 */
+	public String getId() {
+		return samlResponseDocument.getDocumentElement().getAttributes().getNamedItem("ID").getNodeValue();
+	}
+
 	/**
 	 * @return the ID of the assertion in the Response
 	 * @throws XPathExpressionException
diff --git a/core/src/main/java/com/onelogin/saml2/logout/LogoutRequest.java b/core/src/main/java/com/onelogin/saml2/logout/LogoutRequest.java
@@ -619,7 +619,7 @@ public String getError() {
 	}
 
 	/**
-	 * @return the generated id of the LogoutRequest message
+	 * @return the ID of the Logout Request
 	 */
 	public String getId()
 	{
diff --git a/core/src/main/java/com/onelogin/saml2/logout/LogoutResponse.java b/core/src/main/java/com/onelogin/saml2/logout/LogoutResponse.java
@@ -143,6 +143,19 @@ public String getLogoutResponseXml() {
 		return logoutResponseString;
 	}
 
+	/**
+	 * @return the ID of the Response
+	 */
+	public String getId() {
+		String idvalue = null;
+		if (id != null) {
+			idvalue = id;
+		} else if (logoutResponseDocument != null) {
+			idvalue = logoutResponseDocument.getDocumentElement().getAttributes().getNamedItem("ID").getNodeValue();
+		}
+		return idvalue;
+	}
+
 	 /**
      * Determines if the SAML LogoutResponse is valid
      *
diff --git a/core/src/test/java/com/onelogin/saml2/test/authn/AuthnResponseTest.java b/core/src/test/java/com/onelogin/saml2/test/authn/AuthnResponseTest.java
@@ -1667,7 +1667,6 @@ public void testIsInValidSessionIndex() throws IOException, Error, XPathExpressi
 	public void testIsValidSubjectConfirmation_noSubjectConfirmationMethod() throws Exception {
 		final Saml2Settings settings = new SettingsBuilder().fromFile("config/config.min.properties").build();
 		final String samlResponseEncoded = Util.getFileAsString("data/responses/invalids/no_subjectconfirmation_method.xml.base64");
-		SamlResponse samlResponse = new SamlResponse(settings, newHttpRequest(samlResponseEncoded));
 
 		assertResponseValid(settings, samlResponseEncoded, false, false, "No Signature found. SAML Response rejected");
 		assertResponseValid(settings, samlResponseEncoded, true, false, "A valid SubjectConfirmation was not found on this Response");
diff --git a/core/src/test/java/com/onelogin/saml2/test/logout/LogoutRequestTest.java b/core/src/test/java/com/onelogin/saml2/test/logout/LogoutRequestTest.java
@@ -192,7 +192,7 @@ public void testConstructorWithEncryptedNameID() throws Exception {
 	 *
 	 * @throws Exception
 	 * 
-	 * @see com.onelogin.saml2.logout.getLogoutRequestXml
+	 * @see com.onelogin.saml2.logout.LogoutRequest#getLogoutRequestXml
 	 */
 	@Test
 	public void testGetLogoutRequestXml() throws Exception {
diff --git a/core/src/test/java/com/onelogin/saml2/test/logout/LogoutResponseTest.java b/core/src/test/java/com/onelogin/saml2/test/logout/LogoutResponseTest.java
@@ -161,7 +161,7 @@ public void testBuild() throws IOException, XMLEntityException, URISyntaxExcepti
 	 *
 	 * @throws Exception
 	 * 
-	 * @see com.onelogin.saml2.logout.getLogoutResponseXml
+	 * @see com.onelogin.saml2.logout.LogoutResponse#getLogoutResponseXml
 	 */
 	@Test
 	public void testGetLogoutRequestXml() throws Exception {
diff --git a/toolkit/src/main/java/com/onelogin/saml2/Auth.java b/toolkit/src/main/java/com/onelogin/saml2/Auth.java
@@ -81,6 +81,11 @@ public class Auth {
 	 */
 	private DateTime sessionExpiration;
 
+	/**
+	 * The ID of the last message processed
+	 */
+	private String lastMessageId;
+
 	/**
 	 * The ID of the last assertion processed
 	 */
@@ -474,6 +479,7 @@ public void processResponse(String requestId) throws Exception {
 				attributes = samlResponse.getAttributes();
 				sessionIndex = samlResponse.getSessionIndex();
 				sessionExpiration = samlResponse.getSessionNotOnOrAfter();
+				lastMessageId = samlResponse.getId();
 				lastAssertionId = samlResponse.getAssertionId();
 				lastAssertionNotOnOrAfter = samlResponse.getAssertionNotOnOrAfter();
 				LOGGER.debug("processResponse success --> " + samlResponseParameter);
@@ -531,6 +537,7 @@ public void processSLO(Boolean keepLocalSession, String requestId) throws Except
 					LOGGER.error("processSLO error. logout_not_success");
 					LOGGER.debug(" --> " + samlResponseParameter);
 				} else {
+					lastMessageId = logoutResponse.getId();
 					LOGGER.debug("processSLO success --> " + samlResponseParameter);
 					if (!keepLocalSession) {
 						request.getSession().invalidate();
@@ -546,6 +553,7 @@ public void processSLO(Boolean keepLocalSession, String requestId) throws Except
 				LOGGER.debug(" --> " + samlRequestParameter);
 				errorReason = logoutRequest.getError();
 			} else {
+				lastMessageId = logoutRequest.getId();
 				LOGGER.debug("processSLO success --> " + samlRequestParameter);
 				if (!keepLocalSession) {
 					request.getSession().invalidate();
@@ -651,6 +659,13 @@ public final DateTime getSessionExpiration()
 	    return sessionExpiration;
 	}
 
+	/**
+	 * @return The ID of the last message processed
+	 */
+	public String getLastMessageId() {
+		return lastMessageId;
+	}
+
 	/**
 	 * @return The ID of the last assertion processed
 	 */

Original file line number	Diff line number	Diff line change
`@@ -619,7 +619,7 @@ public String getError() {`
`619`	`619`	`}`
`620`	`620`
`621`	`621`	`/**`
`622`		`- * @return the generated id of the LogoutRequest message`
	`622`	`+ * @return the ID of the Logout Request`
`623`	`623`	`*/`
`624`	`624`	`public String getId()`
`625`	`625`	`{`
Original file line number	Diff line number	Diff line change
`@@ -192,7 +192,7 @@ public void testConstructorWithEncryptedNameID() throws Exception {`
`192`	`192`	`*`
`193`	`193`	`* @throws Exception`
`194`	`194`	`*`
`195`		`- * @see com.onelogin.saml2.logout.getLogoutRequestXml`
	`195`	`+ * @see com.onelogin.saml2.logout.LogoutRequest#getLogoutRequestXml`
`196`	`196`	`*/`
`197`	`197`	`@Test`
`198`	`198`	`public void testGetLogoutRequestXml() throws Exception {`
Original file line number	Diff line number	Diff line change
`@@ -161,7 +161,7 @@ public void testBuild() throws IOException, XMLEntityException, URISyntaxExcepti`
`161`	`161`	`*`
`162`	`162`	`* @throws Exception`
`163`	`163`	`*`
`164`		`- * @see com.onelogin.saml2.logout.getLogoutResponseXml`
	`164`	`+ * @see com.onelogin.saml2.logout.LogoutResponse#getLogoutResponseXml`
`165`	`165`	`*/`
`166`	`166`	`@Test`
`167`	`167`	`public void testGetLogoutRequestXml() throws Exception {`