Read DEBUG setting from environment

.classpath

@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<classpath>
+	<classpathentry kind="src" output="target/classes" path="src/main/java">
+		<attributes>
+			<attribute name="optional" value="true"/>
+			<attribute name="maven.pomderived" value="true"/>
+		</attributes>
+	</classpathentry>
+	<classpathentry kind="src" output="target/test-classes" path="src/test/java">
+		<attributes>
+			<attribute name="optional" value="true"/>
+			<attribute name="maven.pomderived" value="true"/>
+			<attribute name="test" value="true"/>
+		</attributes>
+	</classpathentry>
+	<classpathentry kind="con" path="org.eclipse.jdt.launching.JRE_CONTAINER/org.eclipse.jdt.internal.debug.ui.launcher.StandardVMType/J2SE-1.5">
+		<attributes>
+			<attribute name="maven.pomderived" value="true"/>
+		</attributes>
+	</classpathentry>
+	<classpathentry kind="con" path="org.eclipse.m2e.MAVEN2_CLASSPATH_CONTAINER">
+		<attributes>
+			<attribute name="maven.pomderived" value="true"/>
+		</attributes>
+	</classpathentry>
+	<classpathentry kind="src" path="target/generated-sources/annotations">
+		<attributes>
+			<attribute name="optional" value="true"/>
+			<attribute name="maven.pomderived" value="true"/>
+			<attribute name="ignore_optional_problems" value="true"/>
+			<attribute name="m2e-apt" value="true"/>
+		</attributes>
+	</classpathentry>
+	<classpathentry kind="src" output="target/test-classes" path="target/generated-test-sources/test-annotations">
+		<attributes>
+			<attribute name="optional" value="true"/>
+			<attribute name="maven.pomderived" value="true"/>
+			<attribute name="ignore_optional_problems" value="true"/>
+			<attribute name="m2e-apt" value="true"/>
+			<attribute name="test" value="true"/>
+		</attributes>
+	</classpathentry>
+	<classpathentry kind="output" path="target/classes"/>
+</classpath>

.project

@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<projectDescription>
+	<name>herokusamlsp</name>
+	<comment></comment>
+	<projects>
+	</projects>
+	<buildSpec>
+		<buildCommand>
+			<name>org.eclipse.jdt.core.javabuilder</name>
+			<arguments>
+			</arguments>
+		</buildCommand>
+		<buildCommand>
+			<name>org.eclipse.m2e.core.maven2Builder</name>
+			<arguments>
+			</arguments>
+		</buildCommand>
+	</buildSpec>
+	<natures>
+		<nature>org.eclipse.jdt.core.javanature</nature>
+		<nature>org.eclipse.m2e.core.maven2Nature</nature>
+	</natures>
+</projectDescription>

.settings/org.eclipse.core.resources.prefs

@@ -0,0 +1,3 @@
+eclipse.preferences.version=1
+encoding//src/main/java=UTF-8
+encoding/<project>=UTF-8

.settings/org.eclipse.jdt.apt.core.prefs

@@ -0,0 +1,2 @@
+eclipse.preferences.version=1
+org.eclipse.jdt.apt.aptEnabled=false

.settings/org.eclipse.jdt.core.prefs

@@ -0,0 +1,9 @@
+eclipse.preferences.version=1
+org.eclipse.jdt.core.compiler.codegen.targetPlatform=1.8
+org.eclipse.jdt.core.compiler.compliance=1.8
+org.eclipse.jdt.core.compiler.problem.enablePreviewFeatures=disabled
+org.eclipse.jdt.core.compiler.problem.forbiddenReference=warning
+org.eclipse.jdt.core.compiler.problem.reportPreviewFeatures=ignore
+org.eclipse.jdt.core.compiler.processAnnotations=disabled
+org.eclipse.jdt.core.compiler.release=disabled
+org.eclipse.jdt.core.compiler.source=1.8

.settings/org.eclipse.m2e.core.prefs

@@ -0,0 +1,4 @@
+activeProfiles=
+eclipse.preferences.version=1
+resolveWorkspaceProjects=true
+version=1

README.md

@@ -5,4 +5,4 @@ A sample java app that integrates with Salesforce Identity.   Run it!
 
 [![Deploy](https://www.herokucdn.com/deploy/button.png)](https://heroku.com/deploy?template=https://github.com/salesforceidentity/heroku-identity-java)
 
-
+Set the `DEBUG` environment variable to `true` to enable SAML assertion validation debug logs and more info on SAML assertion validation. 

pom.xml

@@ -11,6 +11,8 @@
         <java.version>1.8</java.version>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <tomcat.version>8.0.28</tomcat.version>
+        <maven.compiler.source>1.8</maven.compiler.source>
+        <maven.compiler.target>1.8</maven.compiler.target>
     </properties>
 
     <dependencies>

src/main/java/com/salesforce/saml/CSPFilter.java

@@ -0,0 +1,30 @@
+
+package com.salesforce.saml;
+
+import java.io.IOException;
+import java.text.MessageFormat;
+
+import javax.servlet.*;
+import javax.servlet.http.HttpServletResponse;
+
+
+public class CSPFilter implements Filter {
+
+    public void init(FilterConfig filterConfig) throws ServletException {
+
+    }
+
+    public void doFilter(ServletRequest request, ServletResponse response,  FilterChain chain) throws IOException, ServletException {
+        HttpServletResponse httpResponse = (HttpServletResponse) response;
+        final String csp = System.getenv("CSPHeader");
+        if (null != csp && csp.length() > 0) {
+            httpResponse.addHeader("Content-Security-Policy", MessageFormat.format("frame-src {0};", csp));
+        }
+        if (chain != null) chain.doFilter(request, response);
+    }
+
+    public void destroy() {
+
+    }
+}
+

src/main/java/com/salesforce/saml/SAMLServlet.java

@@ -5,7 +5,6 @@
 import org.apache.commons.codec.binary.Base64;
 import org.apache.commons.httpclient.DefaultHttpMethodRetryHandler;
 import org.apache.commons.httpclient.HttpClient;
-import org.apache.commons.httpclient.HttpException;
 import org.apache.commons.httpclient.HttpStatus;
 import org.apache.commons.httpclient.methods.GetMethod;
 import org.apache.commons.httpclient.params.HttpMethodParams;
@@ -44,7 +43,8 @@
 import java.util.zip.Deflater;
 import java.util.zip.DeflaterOutputStream;
 
-public class SAMLServlet extends HttpServlet{
+@SuppressWarnings("serial")
+public class SAMLServlet extends HttpServlet {
 
     private static final String SAML_REQUEST = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" AssertionConsumerServiceURL=\"{0}\" Destination=\"{1}\" ID=\"_{2}\" IssueInstant=\"{3}\" ProtocolBinding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Version=\"2.0\"><saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">{4}</saml:Issuer></samlp:AuthnRequest>";
     private Boolean INITIALIZED = false;

src/main/java/com/salesforce/saml/SAMLValidator.java

@@ -61,11 +61,12 @@
 import java.util.Calendar;
 import java.util.Iterator;
 import java.util.List;
+import java.text.MessageFormat;
 
 
 public class SAMLValidator {
 
-    private static Boolean DEBUG = false;
+    private static Boolean DEBUG = System.getenv("DEBUG") != null && System.getenv("DEBUG").equals("true");
 
     public Identity validate(String encodedResponse,  PublicKey publicKey, PublicKey secondaryPublicKey, String issuer, String recipient, String audience) throws SAMLException {
 
@@ -211,18 +212,21 @@ public Identity validate(String encodedResponse,  PublicKey publicKey, PublicKey
                 Node issuerNode = (Node) issuerXPath.evaluate(assertionNode, XPathConstants.NODE);
                 String assertedIssuer = issuerNode.getTextContent();
                 if (!issuer.equals(assertedIssuer)) throw new SAMLException("Invalid Issuer");
+                if (DEBUG) System.err.println(MessageFormat.format("Verified issuer ({0}) matches assertedIssuer ({1})", issuer, assertedIssuer));
 
                 //check the recipient
                 XPathExpression subjectConfirmationDataXPath = xpath.compile("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData");
                 Node subjectConfirmationDataNode = (Node) subjectConfirmationDataXPath.evaluate(assertionNode, XPathConstants.NODE);
                 String assertedRecipient = subjectConfirmationDataNode.getAttributes().getNamedItem("Recipient").getTextContent();
                 if (!recipient.equals(assertedRecipient)) throw new SAMLException("Invalid Recipient. Expected "+recipient+", received "+assertedRecipient);
+                if (DEBUG) System.err.println(MessageFormat.format("Verified recipient ({0}) matches asserted recipient ({1})", recipient, assertedRecipient));
 
                 //check the audience
                 XPathExpression audienceXPath = xpath.compile("saml:Conditions/saml:AudienceRestriction/saml:Audience");
                 Node audienceNode = (Node) audienceXPath.evaluate(assertionNode, XPathConstants.NODE);
                 String assertedAudience = audienceNode.getTextContent();
                 if (!audience.equals(assertedAudience)) throw new SAMLException("Invalid Audience");
+                if (DEBUG) System.err.println(MessageFormat.format("Verified audience ({0}) matches asserted audience ({1})", audience, assertedAudience));
 
                 //Check the validity
                 XPathExpression conditionsXPath = xpath.compile("saml:Conditions");
@@ -233,6 +237,7 @@ public Identity validate(String encodedResponse,  PublicKey publicKey, PublicKey
                 Calendar end = DatatypeConverter.parseDateTime(notOnOrAfter);
                 if ( System.currentTimeMillis() <= start.getTimeInMillis() ) throw new SAMLException("Assertion appears to have arrived early");
                 if ( System.currentTimeMillis() > end.getTimeInMillis() ) throw new SAMLException("Assertion Expired");
+                if (DEBUG) System.err.println(MessageFormat.format("Verified NotOnOrAfter ({0}) and NotBefore ({1})", notOnOrAfter, notBefore));
 
                 //get the subject
                 XPathExpression nameIDXPath = xpath.compile("saml:Subject/saml:NameID");
@@ -301,4 +306,4 @@ private boolean validateSignature(Node env, Node signature, String id, PublicKey
         }
 
     }
-}
+}

src/main/java/com/salesforce/saml/TLSFilter.java

@@ -8,8 +8,6 @@
 
 public class TLSFilter implements Filter {
 
-
-    @Override
     public void init(FilterConfig filterConfig) throws ServletException {
 
     }
@@ -35,8 +33,7 @@ public void doFilter(ServletRequest request, ServletResponse response,  FilterCh
             if (chain != null) chain.doFilter(request, response);
         }
     }
-
-    @Override
+
     public void destroy() {
 
     }

src/main/webapp/WEB-INF/web.xml

@@ -12,10 +12,18 @@
         <filter-name>TLSFilter</filter-name>
         <filter-class>com.salesforce.saml.TLSFilter</filter-class>
     </filter>
+    <filter>
+        <filter-name>CSPFilter</filter-name>
+        <filter-class>com.salesforce.saml.CSPFilter</filter-class>
+    </filter>
     <filter-mapping>
         <filter-name>TLSFilter</filter-name>
         <url-pattern>/*</url-pattern>
     </filter-mapping>
+    <filter-mapping>
+        <filter-name>CSPFilter</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
     <servlet>
         <servlet-name>SAMLServlet</servlet-name>
         <servlet-class>com.salesforce.saml.SAMLServlet</servlet-class>