Class AbstractSignableObjectValidator<T extends org.opensaml.xmlsec.signature.SignableXMLObject>

java.lang.Object
se.swedenconnect.opensaml.common.validation.AbstractObjectValidator<T>
se.swedenconnect.opensaml.common.validation.AbstractSignableObjectValidator<T>
Type Parameters:
T - the type of the object that is to be validated
All Implemented Interfaces:
ObjectValidator<T>
Direct Known Subclasses:
AssertionValidator, ResponseValidator

public abstract class AbstractSignableObjectValidator<T extends org.opensaml.xmlsec.signature.SignableXMLObject> extends AbstractObjectValidator<T>
Abstract object validator that supports validating signatures.

Supports the following ValidationContext static parameters:

  • The static parameters defined in AbstractObjectValidator.
  • SAML2AssertionValidationParameters.SIGNATURE_REQUIRED: Optional. If not supplied, defaults to 'true'. If an object is signed, the signature is always evaluated and the result factored into the overall validation result, regardless of the value of this setting.
  • SAML2AssertionValidationParameters.SIGNATURE_VALIDATION_CRITERIA_SET: Optional. If not supplied, a minimal criteria set will be constructed which contains an EntityIdCriterion containing the Issuer entityID, and a UsageCriterion of UsageType.SIGNING. If it is supplied, but either of those criteria are absent from the criteria set, they will be added with the above values.
Author:
Martin Lindström (martin@idsec.se)
  • Field Details

    • trustEngine

      protected org.opensaml.xmlsec.signature.support.SignatureTrustEngine trustEngine
      Trust engine for signature evaluation.
    • signaturePrevalidator

      protected org.opensaml.xmlsec.signature.support.SignaturePrevalidator signaturePrevalidator
      SAML signature profile validator.
  • Constructor Details

    • AbstractSignableObjectValidator

      public AbstractSignableObjectValidator(org.opensaml.xmlsec.signature.support.SignatureTrustEngine trustEngine, org.opensaml.xmlsec.signature.support.SignaturePrevalidator signaturePrevalidator)
      Constructor.
      Parameters:
      trustEngine - the trust engine used to validate the object's signature
      signaturePrevalidator - the signature pre-validator used to pre-validate the object's signature
  • Method Details

    • validateSignature

      protected org.opensaml.saml.common.assertion.ValidationResult validateSignature(T token, org.opensaml.saml.common.assertion.ValidationContext context)
      Validates the signature of the object (for example, an Assertion), if it is signed.
      Parameters:
      token - object whose signature will be validated
      context - current validation context
      Returns:
      the result of the signature validation
    • performSignatureValidation

      protected org.opensaml.saml.common.assertion.ValidationResult performSignatureValidation(T token, org.opensaml.saml.common.assertion.ValidationContext context)
      Handles the actual signature validation.
      Parameters:
      token - object whose signature will be validated
      context - current validation context
      Returns:
      the validation result
    • getSignatureValidationCriteriaSet

      protected net.shibboleth.shared.resolver.CriteriaSet getSignatureValidationCriteriaSet(T token, org.opensaml.saml.common.assertion.ValidationContext context)
      Get the criteria set that will be used in evaluating the Assertion signature via the supplied trust engine.
      Parameters:
      token - object whose signature will be validated
      context - current validation context
      Returns:
      the criteria set to use
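      As an added example (not code from this library), the following Java shows how a caller assembles the inputs this validator reads: the SignatureTrustEngine passed to the constructor and a ValidationContext carrying the SIGNATURE_REQUIRED and SIGNATURE_VALIDATION_CRITERIA_SET static parameters described above. It also spells out the documented criteria-set completion rule (add an EntityIdCriterion for the Issuer and a UsageCriterion of SIGNING when either is missing) so the defaulting behaviour is visible. The class name SignatureValidationSetup and its method names are assumptions; the OpenSAML types it uses are the real ones.

```java
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
import net.shibboleth.shared.resolver.CriteriaSet;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.saml.common.assertion.ValidationContext;
import org.opensaml.saml.saml2.assertion.SAML2AssertionValidationParameters;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.credential.impl.StaticCredentialResolver;
import org.opensaml.security.criteria.UsageCriterion;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.xmlsec.config.impl.DefaultSecurityConfigurationBootstrap;
import org.opensaml.xmlsec.signature.support.SignatureTrustEngine;
import org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine;

/** Hypothetical helper (not part of the library) that prepares what the validator consumes. */
public final class SignatureValidationSetup {

  /** Trust engine that accepts only signatures verifiable with the given IdP certificate. */
  public static SignatureTrustEngine trustEngineFor(X509Certificate idpCertificate) {
    return new ExplicitKeySignatureTrustEngine(
        new StaticCredentialResolver(new BasicX509Credential(idpCertificate)),
        DefaultSecurityConfigurationBootstrap.buildBasicInlineKeyInfoCredentialResolver());
  }

  /** Mirrors the documented rule: a null set becomes the minimal set; a supplied set gets missing criteria added. */
  public static CriteriaSet completeCriteriaSet(CriteriaSet supplied, String issuerEntityId) {
    CriteriaSet criteria = supplied != null ? supplied : new CriteriaSet();
    if (!criteria.contains(EntityIdCriterion.class)) {
      criteria.add(new EntityIdCriterion(issuerEntityId));   // pin key lookup to the Issuer entityID
    }
    if (!criteria.contains(UsageCriterion.class)) {
      criteria.add(new UsageCriterion(UsageType.SIGNING));   // only signing keys may verify
    }
    return criteria;
  }

  /** Context that rejects unsigned objects (the default) and resolves keys for exactly one issuer. */
  public static ValidationContext requireSignatureContext(String issuerEntityId) {
    Map<String, Object> staticParams = new HashMap<>();
    staticParams.put(SAML2AssertionValidationParameters.SIGNATURE_REQUIRED, Boolean.TRUE);
    staticParams.put(SAML2AssertionValidationParameters.SIGNATURE_VALIDATION_CRITERIA_SET,
        completeCriteriaSet(null, issuerEntityId));
    return new ValidationContext(staticParams);
  }
}
```

      Pass the trust engine to a concrete subclass such as AssertionValidator together with a SignaturePrevalidator, then hand the context to its validation call; a ValidationResult other than VALID means the object must not be trusted.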
    • getIssuer

      protected abstract String getIssuer(T signableObject)
      Returns the issuer of the signable object.
      Parameters:
      signableObject - the object being verified
      Returns:
      the issuer
    • getID

      protected abstract String getID(T signableObject)
      Returns the ID of the signable object.
      Parameters:
      signableObject - the object being verified
      Returns:
      the ID
    • getObjectName

      protected abstract String getObjectName()
      Returns the name of the object being validated, e.g. "Assertion". Used for logging.
      Returns:
      the object name