Class AuthnStatementValidator

java.lang.Object
  org.opensaml.saml.saml2.assertion.impl.AuthnStatementValidator
    se.swedenconnect.opensaml.saml2.assertion.validation.AuthnStatementValidator

All Implemented Interfaces:
  org.opensaml.saml.saml2.assertion.StatementValidator

public class AuthnStatementValidator
extends org.opensaml.saml.saml2.assertion.impl.AuthnStatementValidator
Core statement validator for AuthnStatements.

Supports the following ValidationContext static parameters:

- CoreValidatorParameters.AUTHN_REQUEST: Optional. If supplied, it is used in a number of validations when information from the corresponding AuthnRequest is needed. If not supplied, the other, more detailed parameters below must be given.
- AUTHN_REQUEST_FORCE_AUTHN: If CoreValidatorParameters.AUTHN_REQUEST is not assigned, this parameter gives the ForceAuthn flag. It is used to determine whether a valid assertion was issued based on SSO or non-SSO.
- AUTHN_REQUEST_ISSUE_INSTANT: If CoreValidatorParameters.AUTHN_REQUEST is not assigned, this parameter gives the issue instant of the authentication request. It is used to determine whether a valid assertion was issued based on SSO or non-SSO.
- MAX_ACCEPTED_SSO_SESSION_TIME: For SSO, we may want to assert that the authentication is not too old. If so, this parameter gives the maximum accepted session time.
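As an added illustration (not code from the library or this Javadoc), the following Java class builds a ValidationContext carrying the three detailed parameters listed above, for the case where no AuthnRequest object is available for CoreValidatorParameters.AUTHN_REQUEST, and subclasses the validator to replace the no-op validateSessionIndex default with a presence check. The class name AuthnStatementValidationSetup, the eight-hour limit and the StrictAuthnStatementValidator subclass are assumptions of the example.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.HashMap;
import java.util.Map;

import org.opensaml.saml.common.assertion.ValidationContext;
import org.opensaml.saml.common.assertion.ValidationResult;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.AuthnStatement;

import se.swedenconnect.opensaml.saml2.assertion.validation.AuthnStatementValidator;

// Illustrative setup code (hypothetical class name), not part of the library.
public final class AuthnStatementValidationSetup {

  // Policy value chosen for this example: SSO authentications older than this are rejected.
  static final Duration MAX_SSO_AGE = Duration.ofHours(8);

  /**
   * Static parameters for an AuthnRequest sent at requestIssueInstant with the
   * given ForceAuthn flag. The validator compares the assertion's AuthnInstant
   * against these: with ForceAuthn the user must have been authenticated for
   * this request, without it an earlier (SSO) authentication is accepted, but
   * only if it is not older than MAX_ACCEPTED_SSO_SESSION_TIME.
   */
  static ValidationContext buildContext(boolean forceAuthn, Instant requestIssueInstant) {
    Map<String, Object> params = new HashMap<>();
    params.put(AuthnStatementValidator.AUTHN_REQUEST_FORCE_AUTHN, Boolean.valueOf(forceAuthn));
    params.put(AuthnStatementValidator.AUTHN_REQUEST_ISSUE_INSTANT, requestIssueInstant);
    params.put(AuthnStatementValidator.MAX_ACCEPTED_SSO_SESSION_TIME, MAX_SSO_AGE);
    return new ValidationContext(params);
  }

  // The library default accepts a missing SessionIndex; this subclass does not.
  static final class StrictAuthnStatementValidator extends AuthnStatementValidator {
    @Override
    protected ValidationResult validateSessionIndex(AuthnStatement statement,
        Assertion assertion, ValidationContext context) {
      String sessionIndex = statement.getSessionIndex();
      if (sessionIndex == null || sessionIndex.isBlank()) {
        // Without a SessionIndex a later LogoutRequest cannot be tied to this
        // session, so treat its absence as a validation failure.
        return ValidationResult.INVALID;
      }
      return ValidationResult.VALID;
    }
  }
}
```

The context returned by buildContext is passed to validate(statement, assertion, context) together with the AuthnStatement and its enclosing Assertion.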
Author:
  Martin Lindström (martin@idsec.se)
Field Summary

- AUTHN_REQUEST_FORCE_AUTHN
- AUTHN_REQUEST_ISSUE_INSTANT
- MAX_ACCEPTED_SSO_SESSION_TIME

Constructor Summary

- AuthnStatementValidator()

Method Summary

Modifier and Type / Method / Description

- protected static Instant
  getAuthnRequestIssueInstant(org.opensaml.saml.common.assertion.ValidationContext context)
  Gets the issue instant of the AuthnRequest from the validation context.
- protected static Boolean
  getForceAuthnFlag(org.opensaml.saml.common.assertion.ValidationContext context)
  Gets the ForceAuthn flag from the validation context.
- protected static Duration
  getMaxAcceptedSsoSessionTime(org.opensaml.saml.common.assertion.ValidationContext context)
  Gets the maximum time we allow for SSO sessions.
- protected org.opensaml.saml.common.assertion.ValidationResult
  validate(org.opensaml.saml.saml2.core.AuthnStatement statement, org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context)
  Validates the AuthnStatement.
- final org.opensaml.saml.common.assertion.ValidationResult
  validate(org.opensaml.saml.saml2.core.Statement statement, org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context)
- protected org.opensaml.saml.common.assertion.ValidationResult
  validateAuthnContext(org.opensaml.saml.saml2.core.AuthnStatement statement, org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context)
  Default implementation will only assert that the AuthnContext element is present.
- protected org.opensaml.saml.common.assertion.ValidationResult
  validateAuthnInstant(org.opensaml.saml.saml2.core.AuthnStatement statement, org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context)
  Validates the AuthnInstant of the AuthnStatement.
- protected org.opensaml.saml.common.assertion.ValidationResult
  validateSessionIndex(org.opensaml.saml.saml2.core.AuthnStatement statement, org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context)
  Default implementation does not perform any checks and returns ValidationResult.VALID.
- protected org.opensaml.saml.common.assertion.ValidationResult
  validateSessionNotOnOrAfter(org.opensaml.saml.saml2.core.AuthnStatement statement, org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context)
  Default implementation does not perform any checks and returns ValidationResult.VALID.
- protected org.opensaml.saml.common.assertion.ValidationResult
  validateSsoAndSession(Instant authnInstant, org.opensaml.saml.saml2.core.AuthnStatement statement, org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context)
  Makes checks for SSO and session lengths.

Methods inherited from class org.opensaml.saml.saml2.assertion.impl.AuthnStatementValidator
- getServicedStatement, validateSubjectLocality
Field Details

AUTHN_REQUEST_FORCE_AUTHN

Key for a validation context parameter. Carries a Boolean holding the value of the ForceAuthn flag from the AuthnRequest.

AUTHN_REQUEST_ISSUE_INSTANT

Key for a validation context parameter. Carries an Instant holding the issuance time for the AuthnRequest.

MAX_ACCEPTED_SSO_SESSION_TIME

Key for a validation context parameter. Carries a Duration holding the maximum session time that we can accept for SSO.
Constructor Details

AuthnStatementValidator

public AuthnStatementValidator()
Method Details

validate

@Nonnull public final org.opensaml.saml.common.assertion.ValidationResult validate(@Nonnull org.opensaml.saml.saml2.core.Statement statement, @Nonnull org.opensaml.saml.saml2.core.Assertion assertion, @Nonnull org.opensaml.saml.common.assertion.ValidationContext context) throws org.opensaml.saml.common.assertion.AssertionValidationException

Specified by:
- validate in interface org.opensaml.saml.saml2.assertion.StatementValidator
Overrides:
- validate in class org.opensaml.saml.saml2.assertion.impl.AuthnStatementValidator
Throws:
- org.opensaml.saml.common.assertion.AssertionValidationException
validate

protected org.opensaml.saml.common.assertion.ValidationResult validate(org.opensaml.saml.saml2.core.AuthnStatement statement, org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context) throws org.opensaml.saml.common.assertion.AssertionValidationException

Validates the AuthnStatement.

Parameters:
- statement - the statement to validate
- assertion - the assertion containing the statement
- context - validation context
Returns:
- validation result
Throws:
- org.opensaml.saml.common.assertion.AssertionValidationException - for internal validation errors
validateAuthnInstant

@Nonnull protected org.opensaml.saml.common.assertion.ValidationResult validateAuthnInstant(@Nonnull org.opensaml.saml.saml2.core.AuthnStatement statement, @Nonnull org.opensaml.saml.saml2.core.Assertion assertion, @Nonnull org.opensaml.saml.common.assertion.ValidationContext context)

Validates the AuthnInstant of the AuthnStatement.

Overrides:
- validateAuthnInstant in class org.opensaml.saml.saml2.assertion.impl.AuthnStatementValidator
Parameters:
- statement - the statement
- assertion - the assertion containing the statement
- context - validation context
Returns:
- validation result
validateSsoAndSession

protected org.opensaml.saml.common.assertion.ValidationResult validateSsoAndSession(Instant authnInstant, org.opensaml.saml.saml2.core.AuthnStatement statement, org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context)

Makes checks for SSO and session lengths.

Parameters:
- authnInstant - the authentication instant
- statement - the statement
- assertion - the assertion containing the statement
- context - validation context
Returns:
- validation result
getMaxAcceptedSsoSessionTime

protected static Duration getMaxAcceptedSsoSessionTime(org.opensaml.saml.common.assertion.ValidationContext context)

Gets the maximum time we allow for SSO sessions.

Parameters:
- context - the validation context
Returns:
- the max time, or null if the time is not set
getForceAuthnFlag

protected static Boolean getForceAuthnFlag(org.opensaml.saml.common.assertion.ValidationContext context)

Gets the ForceAuthn flag from the validation context. The method first checks for the AUTHN_REQUEST_FORCE_AUTHN parameter and, if that does not exist, tries the CoreValidatorParameters.AUTHN_REQUEST parameter.

Parameters:
- context - the validation context
Returns:
- the ForceAuthn flag, or null if this is not set
getAuthnRequestIssueInstant

protected static Instant getAuthnRequestIssueInstant(org.opensaml.saml.common.assertion.ValidationContext context)

Gets the issue instant of the AuthnRequest from the validation context. The method first checks for the AUTHN_REQUEST_ISSUE_INSTANT parameter and, if that does not exist, tries the CoreValidatorParameters.AUTHN_REQUEST parameter.

Parameters:
- context - the validation context
Returns:
- the issuance time, or null if not set
validateSessionIndex

protected org.opensaml.saml.common.assertion.ValidationResult validateSessionIndex(org.opensaml.saml.saml2.core.AuthnStatement statement, org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context)

Default implementation does not perform any checks and returns ValidationResult.VALID.

Parameters:
- statement - the statement
- assertion - the assertion
- context - the validation context
Returns:
- validation result
validateSessionNotOnOrAfter

protected org.opensaml.saml.common.assertion.ValidationResult validateSessionNotOnOrAfter(org.opensaml.saml.saml2.core.AuthnStatement statement, org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context)

Default implementation does not perform any checks and returns ValidationResult.VALID.

Parameters:
- statement - the statement
- assertion - the assertion
- context - the validation context
Returns:
- validation result
validateAuthnContext

@Nonnull protected org.opensaml.saml.common.assertion.ValidationResult validateAuthnContext(@Nonnull org.opensaml.saml.saml2.core.AuthnStatement statement, @Nonnull org.opensaml.saml.saml2.core.Assertion assertion, @Nonnull org.opensaml.saml.common.assertion.ValidationContext context)

Default implementation will only assert that the AuthnContext element is present.

Overrides:
- validateAuthnContext in class org.opensaml.saml.saml2.assertion.impl.AuthnStatementValidator
Parameters:
- statement - the statement
- assertion - the assertion
- context - the validation context
Returns:
- validation result