Class AssertionValidator

java.lang.Object
  se.swedenconnect.opensaml.common.validation.AbstractObjectValidator<org.opensaml.saml.saml2.core.Assertion>
    se.swedenconnect.opensaml.common.validation.AbstractSignableObjectValidator<org.opensaml.saml.saml2.core.Assertion>
      se.swedenconnect.opensaml.saml2.assertion.validation.AssertionValidator

- All Implemented Interfaces:
  ObjectValidator<org.opensaml.saml.saml2.core.Assertion>

public class AssertionValidator
extends AbstractSignableObjectValidator<org.opensaml.saml.saml2.core.Assertion>

A validator for Assertion objects.
Supports the following ValidationContext static parameters:

- The static parameters defined for AbstractSignableObjectValidator.
- CoreValidatorParameters.SP_METADATA: Required. The SP metadata.
- CoreValidatorParameters.IDP_METADATA: Required. The IdP metadata.
- CoreValidatorParameters.STRICT_VALIDATION: Optional. If not supplied, defaults to 'false'. Tells whether strict validation should be performed.
- SAML2AssertionValidationParameters.CLOCK_SKEW: Optional. Gives the number of milliseconds that is the maximum allowed clock skew. If not given, SAML20AssertionValidator.DEFAULT_CLOCK_SKEW is used.
- CoreValidatorParameters.MAX_AGE_MESSAGE: Optional. Gives the maximum age (difference between issuance time and the validation time). If not given, AbstractObjectValidator.DEFAULT_MAX_AGE_RECEIVED_MESSAGE is used.
- CoreValidatorParameters.RECEIVE_INSTANT: Optional. Gives the timestamp (Instant) for when the response message was received. If not given, the current time is used.
- CoreValidatorParameters.AUTHN_REQUEST: Required. Will be used in a number of validations when information from the corresponding AuthnRequest is needed.
- CoreValidatorParameters.AUTHN_REQUEST_ID: Required if CoreValidatorParameters.AUTHN_REQUEST is not assigned. Is used when validating the InResponseTo attribute of the response.
- CoreValidatorParameters.RECEIVE_URL: Required. A String holding the URL on which we received the response message. Is used when the Destination attribute is validated.
- CoreValidatorParameters.EXPECTED_ISSUER: Optional. If set, is used when the issuer of the response is validated. If not set, the issuer from the CoreValidatorParameters.AUTHN_REQUEST is used (if available).
- RESPONSE_ISSUE_INSTANT: Optional. If set, the IssueInstant of the Assertion being validated is compared with the corresponding response issue instant.
Supports the following ValidationContext dynamic parameters:

- SAML2AssertionValidationParameters.CONFIRMED_SUBJECT_CONFIRMATION: Optional. Will be present after validation if subject confirmation was successfully performed.
- HOK_PROFILE_ACTIVE: Is set to indicate whether the holder-of-key WebSSO profile is active.

Note: Also check the validation context parameters defined by the SubjectConfirmationValidator and ConditionValidator instances that are installed.
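Added example (not code from the page or the library): it wires the static parameters listed above into an OpenSAML ValidationContext, runs validate, and reads back the dynamic parameters. Assumptions: the caller supplies an already configured AssertionValidator, the AuthnRequest the SP sent, the time the response was received and the response issue instant from the earlier Response validation; the metadata parameters take EntityDescriptor values; getValidationFailureMessage() is the OpenSAML 4.0-style accessor for the failure reason.

```java
import java.time.Instant;
import java.util.HashMap;
import java.util.Map;
import org.opensaml.saml.common.assertion.ValidationContext;
import org.opensaml.saml.common.assertion.ValidationResult;
import org.opensaml.saml.saml2.assertion.SAML2AssertionValidationParameters;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.SubjectConfirmation;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import se.swedenconnect.opensaml.common.validation.CoreValidatorParameters;
import se.swedenconnect.opensaml.saml2.assertion.validation.AssertionValidator;

/** Added example, not project code: validates one assertion and returns the confirmed SubjectConfirmation. */
public final class AssertionValidationExample {
  public static SubjectConfirmation validateAssertion(AssertionValidator validator, Assertion assertion,
      AuthnRequest sentRequest, EntityDescriptor spMetadata, EntityDescriptor idpMetadata,
      String receiveUrl, Instant receivedAt, Instant responseIssueInstant) {
    // Static parameters read by AssertionValidator. Assumption: metadata values are EntityDescriptor.
    Map<String, Object> params = new HashMap<>();
    params.put(CoreValidatorParameters.SP_METADATA, spMetadata);
    params.put(CoreValidatorParameters.IDP_METADATA, idpMetadata);
    params.put(CoreValidatorParameters.AUTHN_REQUEST, sentRequest); // InResponseTo, expected issuer, HoK check
    params.put(CoreValidatorParameters.RECEIVE_URL, receiveUrl);    // must be the URL the response actually hit
    params.put(CoreValidatorParameters.RECEIVE_INSTANT, receivedAt); // defaults to "now" if omitted
    params.put(CoreValidatorParameters.STRICT_VALIDATION, Boolean.TRUE);
    // The Response was validated first, so bind the assertion's IssueInstant to the Response's.
    params.put(AssertionValidator.RESPONSE_ISSUE_INSTANT, responseIssueInstant);

    ValidationContext context = new ValidationContext(params);
    ValidationResult result = validator.validate(assertion, context);
    if (result != ValidationResult.VALID) {
      // Fail closed: INDETERMINATE is treated exactly like INVALID.
      // Assumption: getValidationFailureMessage() is the OpenSAML 4.0 accessor for the failure reason.
      throw new SecurityException("Assertion rejected: " + context.getValidationFailureMessage());
    }

    // Dynamic parameters are set by the validator during validate().
    Map<String, Object> dyn = context.getDynamicParameters();
    boolean hokActive = Boolean.TRUE.equals(dyn.get(AssertionValidator.HOK_PROFILE_ACTIVE));
    SubjectConfirmation confirmed = (SubjectConfirmation)
        dyn.get(SAML2AssertionValidationParameters.CONFIRMED_SUBJECT_CONFIRMATION);
    if (confirmed == null) {
      // A VALID result with no confirmed subject is possible (Subject is optional); do not start a session on it.
      throw new SecurityException("No SubjectConfirmation confirmed (HoK active: " + hokActive + ")");
    }
    return confirmed;
  }
}
```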
- Author:
  Martin Lindström (martin@idsec.se)
Field Summary

- conditionValidators: Registered Condition validators.
- static final String HOK_PROFILE_ACTIVE: Tells whether the AuthnRequest corresponding to this assertion was sent to the IdP's holder-of-key endpoints, i.e., whether the Holder-of-key profile is in use.
- static final String RESPONSE_ISSUE_INSTANT: Carries an Instant holding the issue instant of the Response that contained the assertion being validated.
- protected Map<String, SubjectConfirmationValidator> subjectConfirmationValidators: Registered SubjectConfirmation validators.

Fields inherited from class se.swedenconnect.opensaml.common.validation.AbstractSignableObjectValidator:
  signaturePrevalidator, trustEngine

Fields inherited from class se.swedenconnect.opensaml.common.validation.AbstractObjectValidator:
  DEFAULT_MAX_AGE_RECEIVED_MESSAGE
Constructor Summary

- AssertionValidator(org.opensaml.xmlsec.signature.support.SignatureTrustEngine trustEngine, org.opensaml.xmlsec.signature.support.SignaturePrevalidator signaturePrevalidator, Collection<org.opensaml.saml.saml2.assertion.SubjectConfirmationValidator> confirmationValidators, Collection<org.opensaml.saml.saml2.assertion.ConditionValidator> conditionValidators, Collection<org.opensaml.saml.saml2.assertion.StatementValidator> statementValidators): Constructor.
Method Summary

- protected String getID(org.opensaml.saml.saml2.core.Assertion signableObject): Returns the Assertion ID.
- protected String getIssuer(org.opensaml.saml.saml2.core.Assertion signableObject): Returns the Assertion issuer.
- protected String getObjectName(): Returns the name of the object being validated, e.g. "Assertion".
- protected Instant getResponseIssueInstant(org.opensaml.saml.common.assertion.ValidationContext context): Gets the RESPONSE_ISSUE_INSTANT setting.
- org.opensaml.saml.common.assertion.ValidationResult validate(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context): Validates the assertion.
- protected org.opensaml.saml.common.assertion.ValidationResult validateConditions(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context): Validates the Conditions elements of the assertion.
- protected org.opensaml.saml.common.assertion.ValidationResult validateConditionsTimeBounds(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context): Validates the NotBefore and NotOnOrAfter Conditions constraints on the assertion.
- protected org.opensaml.saml.common.assertion.ValidationResult validateHolderOfKeyRequirement(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context): Performs initial validation concerning the Holder-of-key WebSSO Profile.
- protected org.opensaml.saml.common.assertion.ValidationResult validateID(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context): Validates that the Assertion object has an ID attribute.
- protected org.opensaml.saml.common.assertion.ValidationResult validateIssueInstant(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context): Validates that the Assertion object has an IssueInstant attribute and checks that its value is OK.
- protected org.opensaml.saml.common.assertion.ValidationResult validateIssuer(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context): Ensures that the Issuer element is present and matches the expected issuer (if set in the context under the CoreValidatorParameters.EXPECTED_ISSUER key).
- protected org.opensaml.saml.common.assertion.ValidationResult validateStatements(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context): Validates the statements of the assertion using the registered StatementValidator instance.
- protected org.opensaml.saml.common.assertion.ValidationResult validateSubject(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context): Validates the Subject element of the assertion.
- protected org.opensaml.saml.common.assertion.ValidationResult validateSubjectConfirmations(org.opensaml.saml.saml2.core.Assertion assertion, List<org.opensaml.saml.saml2.core.SubjectConfirmation> subjectConfirmations, org.opensaml.saml.common.assertion.ValidationContext context): Validates the subject confirmations; the one that is confirmed is saved in the validation context under the SAML2AssertionValidationParameters.CONFIRMED_SUBJECT_CONFIRMATION key.
- protected org.opensaml.saml.common.assertion.ValidationResult validateVersion(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context): Validates that the Assertion object has a valid Version attribute.

Methods inherited from class se.swedenconnect.opensaml.common.validation.AbstractSignableObjectValidator:
  getSignatureValidationCriteriaSet, performSignatureValidation, validateSignature

Methods inherited from class se.swedenconnect.opensaml.common.validation.AbstractObjectValidator:
  getAllowedClockSkew, getMaxAgeReceivedMessage, getReceiveInstant, isStrictValidation
Field Details

- RESPONSE_ISSUE_INSTANT
  Carries an Instant holding the issue instant of the Response that contained the assertion being validated.

- HOK_PROFILE_ACTIVE
  Tells whether the AuthnRequest corresponding to this assertion was sent to the IdP's holder-of-key endpoints, i.e., whether the Holder-of-key profile is in use. Carries a Boolean.

- subjectConfirmationValidators
  protected Map<String,org.opensaml.saml.saml2.assertion.SubjectConfirmationValidator> subjectConfirmationValidators
  Registered SubjectConfirmation validators.

- conditionValidators
  Registered Condition validators.
Constructor Details

- AssertionValidator
  public AssertionValidator(org.opensaml.xmlsec.signature.support.SignatureTrustEngine trustEngine, org.opensaml.xmlsec.signature.support.SignaturePrevalidator signaturePrevalidator, Collection<org.opensaml.saml.saml2.assertion.SubjectConfirmationValidator> confirmationValidators, Collection<org.opensaml.saml.saml2.assertion.ConditionValidator> conditionValidators, Collection<org.opensaml.saml.saml2.assertion.StatementValidator> statementValidators)
  Constructor.
  - Parameters:
    trustEngine - the trust engine used to validate the object's signature
    signaturePrevalidator - the signature pre-validator used to pre-validate the object's signature
    confirmationValidators - validators used to validate SubjectConfirmation methods within the assertion
    conditionValidators - validators used to validate the Condition elements within the assertion
    statementValidators - validators used to validate Statements within the assertion
Method Details

- validate
  public org.opensaml.saml.common.assertion.ValidationResult validate(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context)
  Validates the assertion.
  - Parameters:
    assertion - object to be evaluated
    context - current validation context
  - Returns:
    the result of the evaluation
- validateID
  protected org.opensaml.saml.common.assertion.ValidationResult validateID(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context)
  Validates that the Assertion object has an ID attribute.
  - Parameters:
    assertion - the assertion
    context - the validation context
  - Returns:
    a validation result
- validateVersion
  protected org.opensaml.saml.common.assertion.ValidationResult validateVersion(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context)
  Validates that the Assertion object has a valid Version attribute.
  - Parameters:
    assertion - the assertion
    context - the validation context
  - Returns:
    a validation result
- validateIssueInstant
  protected org.opensaml.saml.common.assertion.ValidationResult validateIssueInstant(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context)
  Validates that the Assertion object has an IssueInstant attribute and checks that its value is OK. If the response that contained the assertion was previously validated, the static context parameter RESPONSE_ISSUE_INSTANT should be passed. If so, the method checks that the assertion issue instant is not after the response issue instant. Otherwise the method checks that the IssueInstant is not too old given the CoreValidatorParameters.MAX_AGE_MESSAGE and CoreValidatorParameters.RECEIVE_INSTANT context parameters.
  - Parameters:
    assertion - the assertion
    context - the validation context
  - Returns:
    a validation result
- getResponseIssueInstant
  protected Instant getResponseIssueInstant(org.opensaml.saml.common.assertion.ValidationContext context)
  Gets the RESPONSE_ISSUE_INSTANT setting.
  - Parameters:
    context - the context
  - Returns:
    the response issue instant, or null if it is not set
- validateIssuer
  protected org.opensaml.saml.common.assertion.ValidationResult validateIssuer(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context)
  Ensures that the Issuer element is present and matches the expected issuer (if set in the context under the CoreValidatorParameters.EXPECTED_ISSUER key).
  - Parameters:
    assertion - the assertion
    context - the validation context
  - Returns:
    a validation result
- validateHolderOfKeyRequirement
  protected org.opensaml.saml.common.assertion.ValidationResult validateHolderOfKeyRequirement(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context)
  Performs initial validation concerning the Holder-of-key WebSSO Profile. If the request was sent to an IdP HoK endpoint, the method verifies that the SP received the response on an endpoint dedicated to HoK. The method also sets the dynamic validation parameter HOK_PROFILE_ACTIVE.
  - Parameters:
    assertion - the assertion
    context - the validation context
  - Returns:
    a validation result
- validateSubject
  protected org.opensaml.saml.common.assertion.ValidationResult validateSubject(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context)
  Validates the Subject element of the assertion. The default implementation returns ValidationResult.VALID if there is no Subject element, since it is optional according to the SAML 2.0 Core specification.
  - Parameters:
    assertion - the assertion
    context - the validation context
  - Returns:
    a validation result
- validateSubjectConfirmations
  protected org.opensaml.saml.common.assertion.ValidationResult validateSubjectConfirmations(org.opensaml.saml.saml2.core.Assertion assertion, List<org.opensaml.saml.saml2.core.SubjectConfirmation> subjectConfirmations, org.opensaml.saml.common.assertion.ValidationContext context)
  Validates the subject confirmations; the one that is confirmed is saved in the validation context under the SAML2AssertionValidationParameters.CONFIRMED_SUBJECT_CONFIRMATION key.
  - Parameters:
    assertion - the assertion
    subjectConfirmations - the subject confirmations
    context - the validation context
  - Returns:
    a validation result
- validateConditions
  protected org.opensaml.saml.common.assertion.ValidationResult validateConditions(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context)
  Validates the Conditions elements of the assertion.
  - Parameters:
    assertion - the assertion
    context - the validation context
  - Returns:
    the validation result
- validateConditionsTimeBounds
  protected org.opensaml.saml.common.assertion.ValidationResult validateConditionsTimeBounds(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context)
  Validates the NotBefore and NotOnOrAfter Conditions constraints on the assertion.
  - Parameters:
    assertion - the assertion whose conditions will be validated
    context - current validation context
  - Returns:
    the result of the validation evaluation
- validateStatements
  protected org.opensaml.saml.common.assertion.ValidationResult validateStatements(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context)
  Validates the statements of the assertion using the registered StatementValidator instance.
  - Parameters:
    assertion - the assertion to validate
    context - the validation context
  - Returns:
    validation result
- getIssuer
  Returns the Assertion issuer.
  - Specified by:
    getIssuer in class AbstractSignableObjectValidator<org.opensaml.saml.saml2.core.Assertion>
  - Parameters:
    signableObject - the object being verified
  - Returns:
    the issuer
- getID
  Returns the Assertion ID.
  - Specified by:
    getID in class AbstractSignableObjectValidator<org.opensaml.saml.saml2.core.Assertion>
  - Parameters:
    signableObject - the object being verified
  - Returns:
    the ID
- getObjectName
  Returns the name of the object being validated, e.g. "Assertion". Used for logging.
  - Specified by:
    getObjectName in class AbstractSignableObjectValidator<org.opensaml.saml.saml2.core.Assertion>
  - Returns:
    the object name