Package se.swedenconnect.opensaml.saml2.assertion.validation

Class AssertionValidator

java.lang.Object

se.swedenconnect.opensaml.common.validation.AbstractObjectValidator<Assertion>

se.swedenconnect.opensaml.common.validation.AbstractSignableObjectValidator<Assertion>

se.swedenconnect.opensaml.saml2.assertion.validation.AssertionValidator

All Implemented Interfaces:

ObjectValidator<Assertion>

public class AssertionValidator
extends AbstractSignableObjectValidator<Assertion>

A validator for Assertion objects.

Supports the following ValidationContext static parameters:

• The static parameters defined for AbstractSignableObjectValidator.
• CoreValidatorParameters.SP_METADATA: Required. The SP metadata.
• CoreValidatorParameters.IDP_METADATA: Required. The IdP metadata.
• CoreValidatorParameters.STRICT_VALIDATION: Optional. If not supplied, defaults to 'false'. Tells whether strict validation should be performed.
• SAML2AssertionValidationParameters.CLOCK_SKEW: Optional. Gives the number of milliseconds that is the maximum allowed clock skew. If not given SAML20AssertionValidator.DEFAULT_CLOCK_SKEW is used.
• CoreValidatorParameters.MAX_AGE_MESSAGE: Optional. Gives the maximum age (difference between issuance time and the validation time). If not given, the AbstractObjectValidator.DEFAULT_MAX_AGE_RECEIVED_MESSAGE is used.
• CoreValidatorParameters.RECEIVE_INSTANT: Optional. Gives the timestamp (Instant) for when the response message was received. If not given the current time is used.
• CoreValidatorParameters.AUTHN_REQUEST: Required. Will be used in a number of validations when information from the corresponding AuthnRequest is needed.
• CoreValidatorParameters.AUTHN_REQUEST_ID: Required if the CoreValidatorParameters.AUTHN_REQUEST is not assigned. Is used when validating the InResponseTo attribute of the response.
• CoreValidatorParameters.RECEIVE_URL: Required. A String holding the URL on which we received the response message. Is used when the Destination attribute is validated.
• CoreValidatorParameters.EXPECTED_ISSUER: Optional. If set, is used when the issuer of the response is validated. If not set, the issuer from the CoreValidatorParameters.AUTHN_REQUEST is used (if available).
• RESPONSE_ISSUE_INSTANT: Optional. If set, the IssueInstant of the Assertion being validated is compared with the corresponding response issue instant.

Supports the following ValidationContext dynamic parameters:

• SAML2AssertionValidationParameters.CONFIRMED_SUBJECT_CONFIRMATION: Optional. Will be present after validation if subject confirmation was successfully performed.
• HOK_PROFILE_ACTIVE: Is set to indicate whether the holder-of-key WebSSO profile is active.

Note: Also check the validation context parameters defined by the SubjectConfirmationValidator and ConditionValidator instances that are installed.

Author:

Martin Lindström (martin@idsec.se)

Field Summary

Fields

Modifier and Type	Field	Description
protected Map<QName,ConditionValidator>	conditionValidators	Registered Condition validators.
static final String	HOK_PROFILE_ACTIVE	Tells whether the AuthnRequest corresponding to this assertion was sent to the IdP's holder of key-endpoints, i.e., whether the Holder-of-key profile is in use.
static final String	RESPONSE_ISSUE_INSTANT	Carries a Instant holding the issue instant of the Response that contained the assertion being validated.
protected Map<String,SubjectConfirmationValidator>	subjectConfirmationValidators	Registered SubjectConfirmation validators.

Fields inherited from class se.swedenconnect.opensaml.common.validation.AbstractSignableObjectValidator

signaturePrevalidator, trustEngine

Fields inherited from class se.swedenconnect.opensaml.common.validation.AbstractObjectValidator

DEFAULT_MAX_AGE_RECEIVED_MESSAGE

Constructor Summary

Constructors

Constructor	Description
AssertionValidator(SignatureTrustEngine trustEngine, SignaturePrevalidator signaturePrevalidator, Collection<SubjectConfirmationValidator> confirmationValidators, Collection<ConditionValidator> conditionValidators, Collection<StatementValidator> statementValidators)	Constructor.

Method Summary

Modifier and Type	Method	Description
protected String	getID(Assertion signableObject)	Returns the Assertion ID.
protected String	getIssuer(Assertion signableObject)	Returns the Assertion issuer.
protected String	getObjectName()	Returns the name of the object being validated, e.g.
protected Instant	getResponseIssueInstant(ValidationContext context)	Gets the RESPONSE_ISSUE_INSTANT setting.
ValidationResult	validate(Assertion assertion, ValidationContext context)	Validates the assertion.
protected ValidationResult	validateConditions(Assertion assertion, ValidationContext context)	Validates the Conditions elements of the assertion.
protected ValidationResult	validateConditionsTimeBounds(Assertion assertion, ValidationContext context)	Validates the NotBefore and NotOnOrAfter Conditions constraints on the assertion.
protected ValidationResult	validateHolderOfKeyRequirement(Assertion assertion, ValidationContext context)	Performs initial validation concerning the Holder-of-key WebSSO Profile.
protected ValidationResult	validateID(Assertion assertion, ValidationContext context)	Validates that the Assertion object has an ID attribute.
protected ValidationResult	validateIssueInstant(Assertion assertion, ValidationContext context)	Validates that the Assertion object has a IssueInstant attribute and checks that its value is OK.
protected ValidationResult	validateIssuer(Assertion assertion, ValidationContext context)	Ensures that the Issuer element is present and matches the expected issuer (if set in the context under the CoreValidatorParameters.EXPECTED_ISSUER key).
protected ValidationResult	validateStatements(Assertion assertion, ValidationContext context)	Validates the statements of the assertion using the registered StatementValidator instance.
protected ValidationResult	validateSubject(Assertion assertion, ValidationContext context)	Validates the Subject element of the assertion.
protected ValidationResult	validateSubjectConfirmations(Assertion assertion, List<SubjectConfirmation> subjectConfirmations, ValidationContext context)	Validates the subject confirmations and for the one that is confirmed, it is saved in the validation context under the SAML2AssertionValidationParameters.CONFIRMED_SUBJECT_CONFIRMATION key.
protected ValidationResult	validateVersion(Assertion assertion, ValidationContext context)	Validates that the Response object has a valid Version attribute.

Methods inherited from class se.swedenconnect.opensaml.common.validation.AbstractSignableObjectValidator

getSignatureValidationCriteriaSet, performSignatureValidation, validateSignature

Methods inherited from class se.swedenconnect.opensaml.common.validation.AbstractObjectValidator

getAllowedClockSkew, getMaxAgeReceivedMessage, getReceiveInstant, isStrictValidation

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

RESPONSE_ISSUE_INSTANT

public static final String RESPONSE_ISSUE_INSTANT

Carries a Instant holding the issue instant of the Response that contained the assertion being validated.

See Also:

• Constant Field Values

HOK_PROFILE_ACTIVE

public static final String HOK_PROFILE_ACTIVE

Tells whether the AuthnRequest corresponding to this assertion was sent to the IdP's holder of key-endpoints, i.e., whether the Holder-of-key profile is in use. Carries a Boolean.

See Also:

• Constant Field Values

subjectConfirmationValidators

protected Map<String,SubjectConfirmationValidator> subjectConfirmationValidators

Registered SubjectConfirmation validators.

conditionValidators

protected Map<QName,ConditionValidator> conditionValidators

Registered Condition validators.

Constructor Details

AssertionValidator

public AssertionValidator(SignatureTrustEngine trustEngine,
 SignaturePrevalidator signaturePrevalidator,
 Collection<SubjectConfirmationValidator> confirmationValidators,
 Collection<ConditionValidator> conditionValidators,
 Collection<StatementValidator> statementValidators)

Constructor.

Parameters:

trustEngine - the trust used to validate the object's signature

signaturePrevalidator - the signature pre-validator used to pre-validate the object's signature

confirmationValidators - validators used to validate SubjectConfirmation methods within the assertion

conditionValidators - validators used to validate the Condition elements within the assertion

statementValidators - validators used to validate Statements within the assertion

Method Details

validate

public ValidationResult validate(Assertion assertion,
 ValidationContext context)

Validates the assertion.

Parameters:

assertion - object to be evaluated

context - current validation context

Returns:

the result of the evaluation

validateID

protected ValidationResult validateID(Assertion assertion,
 ValidationContext context)

Validates that the Assertion object has an ID attribute.

Parameters:

assertion - the assertion

context - the validation context

Returns:

a validation result

validateVersion

protected ValidationResult validateVersion(Assertion assertion,
 ValidationContext context)

Validates that the Response object has a valid Version attribute.

Parameters:

assertion - the assertion

context - the validation context

Returns:

a validation result

validateIssueInstant

protected ValidationResult validateIssueInstant(Assertion assertion,
 ValidationContext context)

Validates that the Assertion object has a IssueInstant attribute and checks that its value is OK. If the response that contained the assertion was previously validated the static context parameter RESPONSE_ISSUE_INSTANT should be passed. If so, the method checks that the assertion issue instant is not after the response issue instant. Otherwise, the method checks that the IssueInstant is not too old given the CoreValidatorParameters.MAX_AGE_MESSAGE and CoreValidatorParameters.RECEIVE_INSTANT context parameters.

Parameters:

assertion - the response

context - the validation context

Returns:

a validation result

getResponseIssueInstant

protected Instant getResponseIssueInstant(ValidationContext context)

Gets the RESPONSE_ISSUE_INSTANT setting.

Parameters:

context - the context

Returns:

the response issue instant, or null if it is not set

validateIssuer

protected ValidationResult validateIssuer(Assertion assertion,
 ValidationContext context)

Ensures that the Issuer element is present and matches the expected issuer (if set in the context under the CoreValidatorParameters.EXPECTED_ISSUER key).

Parameters:

assertion - the assertion

context - the validation context

Returns:

a validation result

validateHolderOfKeyRequirement

protected ValidationResult validateHolderOfKeyRequirement(Assertion assertion,
 ValidationContext context)

Performs initial validation concerning the Holder-of-key WebSSO Profile. The method checks that if the request was sent to an IdP HoK-endpoint, we verify that the SP received the response on an endpoint dedicated for HoK.

The method also sets the dynamic validation parameter HOK_PROFILE_ACTIVE.

Parameters:

assertion - the assertion

context - the validation context

Returns:

a validation result

validateSubject

protected ValidationResult validateSubject(Assertion assertion,
 ValidationContext context)

Validates the Subject element of the assertion. The default implementation returns ValidationResult.VALID if there is no Subject element since it is optional according to the SAML 2.0 Core specifications.

Parameters:

assertion - the assertion

context - the validation context

Returns:

a validation result

validateSubjectConfirmations

protected ValidationResult validateSubjectConfirmations(Assertion assertion,
 List<SubjectConfirmation> subjectConfirmations,
 ValidationContext context)

Validates the subject confirmations and for the one that is confirmed, it is saved in the validation context under the SAML2AssertionValidationParameters.CONFIRMED_SUBJECT_CONFIRMATION key.

Parameters:

assertion - the assertion

subjectConfirmations - the subject confirmations

context - the validation context

Returns:

a validation result

validateConditions

protected ValidationResult validateConditions(Assertion assertion,
 ValidationContext context)

Validates the Conditions elements of the assertion.

Parameters:

assertion - the assertion

context - the validation context

Returns:

the validation result

validateConditionsTimeBounds

protected ValidationResult validateConditionsTimeBounds(Assertion assertion,
 ValidationContext context)

Validates the NotBefore and NotOnOrAfter Conditions constraints on the assertion.

Parameters:

assertion - the assertion whose conditions will be validated

context - current validation context

Returns:

the result of the validation evaluation

validateStatements

protected ValidationResult validateStatements(Assertion assertion,
 ValidationContext context)

Validates the statements of the assertion using the registered StatementValidator instance.

Parameters:

assertion - the assertion to validate

context - the validation context

Returns:

validation result

getIssuer

protected String getIssuer(Assertion signableObject)

Returns the Assertion issuer.

Specified by:

getIssuer in class AbstractSignableObjectValidator<Assertion>

Parameters:

signableObject - the object being verified

Returns:

the issuer

getID

protected String getID(Assertion signableObject)

Returns the Assertion ID.

Specified by:

getID in class AbstractSignableObjectValidator<Assertion>

Parameters:

signableObject - the object being verified

Returns:

the ID

getObjectName

protected String getObjectName()

Returns the name of the object being validated, e.g. "Assertion". Used for logging.

Specified by:

getObjectName in class AbstractSignableObjectValidator<Assertion>

Returns:

the object name