Class AuthnStatementValidator
java.lang.Object
org.opensaml.saml.saml2.assertion.impl.AuthnStatementValidator
se.swedenconnect.opensaml.saml2.assertion.validation.AuthnStatementValidator
- All Implemented Interfaces:
org.opensaml.saml.saml2.assertion.StatementValidator
public class AuthnStatementValidator
extends org.opensaml.saml.saml2.assertion.impl.AuthnStatementValidator
Core statement validator for
AuthnStatements.
Supports the following ValidationContext static parameters:
CoreValidatorParameters.AUTHN_REQUEST: Optional. If supplied will be used in a number of validations when information from the correspondingAuthnRequestis needed. If not supplied, other, more detailed parameters must be given.AUTHN_REQUEST_FORCE_AUTHN: If the aboveCoreValidatorParameters.AUTHN_REQUESTis not assigned, this parameter gives theForceAuthnflag. This is used to determine if a valid assertion was issued based on SSO/non-SSO.AUTHN_REQUEST_ISSUE_INSTANT: If the aboveCoreValidatorParameters.AUTHN_REQUESTis not assigned, this parameter gives the issue instant of the authentication request. This is used to determine if a valid assertion was issued based on SSO/non-SSO.MAX_ACCEPTED_SSO_SESSION_TIME: For SSO, we may want to assert that the authentication is not too old. If so, this parameter gives the maximum accepted session time.
- Author:
- Martin Lindström (martin@idsec.se)
-
Field Summary
Fields -
Constructor Summary
Constructors -
Method Summary
Modifier and TypeMethodDescriptionprotected static InstantgetAuthnRequestIssueInstant(org.opensaml.saml.common.assertion.ValidationContext context) Gets the issue instant of theAuthnRequestfrom the validation context.protected static BooleangetForceAuthnFlag(org.opensaml.saml.common.assertion.ValidationContext context) Gets theForceAuthnflag from the validation context.protected static DurationgetMaxAcceptedSsoSessionTime(org.opensaml.saml.common.assertion.ValidationContext context) Gets the maximum time we allow for SSO sessions.protected org.opensaml.saml.common.assertion.ValidationResultvalidate(org.opensaml.saml.saml2.core.AuthnStatement statement, org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context) Validates theAuthnStatement.final org.opensaml.saml.common.assertion.ValidationResultvalidate(org.opensaml.saml.saml2.core.Statement statement, org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context) protected org.opensaml.saml.common.assertion.ValidationResultvalidateAuthnContext(org.opensaml.saml.saml2.core.AuthnStatement statement, org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context) Default implementation will only assert that theAuthnContextelement is present.protected org.opensaml.saml.common.assertion.ValidationResultvalidateAuthnInstant(org.opensaml.saml.saml2.core.AuthnStatement statement, org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context) Validates theAuthnInstantof theAuthnStatement.protected org.opensaml.saml.common.assertion.ValidationResultvalidateSessionIndex(org.opensaml.saml.saml2.core.AuthnStatement statement, org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context) Default implementation does not perform any checks and returnsValidationResult.VALID.protected org.opensaml.saml.common.assertion.ValidationResultvalidateSessionNotOnOrAfter(org.opensaml.saml.saml2.core.AuthnStatement statement, org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context) Default implementation does not perform any checks and returnsValidationResult.VALID.protected org.opensaml.saml.common.assertion.ValidationResultvalidateSsoAndSession(Instant authnInstant, org.opensaml.saml.saml2.core.AuthnStatement statement, org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context) Makes checks for SSO and session lengths.Methods inherited from class org.opensaml.saml.saml2.assertion.impl.AuthnStatementValidator
getServicedStatement, validateSubjectLocality
-
Field Details
-
AUTHN_REQUEST_FORCE_AUTHN
Key for a validation context parameter. Carries aBooleanholding the value of the ForceAuthn flag from the AuthnRequest.- See Also:
-
AUTHN_REQUEST_ISSUE_INSTANT
Key for a validation context parameter. Carries aInstantholding the issuance time for the AuthnRequest.- See Also:
-
MAX_ACCEPTED_SSO_SESSION_TIME
Key for a validation context parameter. Carries aDurationholding the maximum session time that we can accept for SSO.- See Also:
-
-
Constructor Details
-
AuthnStatementValidator
public AuthnStatementValidator()
-
-
Method Details
-
validate
@Nonnull public final org.opensaml.saml.common.assertion.ValidationResult validate(@Nonnull org.opensaml.saml.saml2.core.Statement statement, @Nonnull org.opensaml.saml.saml2.core.Assertion assertion, @Nonnull org.opensaml.saml.common.assertion.ValidationContext context) throws org.opensaml.saml.common.assertion.AssertionValidationException - Specified by:
validatein interfaceorg.opensaml.saml.saml2.assertion.StatementValidator- Overrides:
validatein classorg.opensaml.saml.saml2.assertion.impl.AuthnStatementValidator- Throws:
org.opensaml.saml.common.assertion.AssertionValidationException
-
validate
protected org.opensaml.saml.common.assertion.ValidationResult validate(org.opensaml.saml.saml2.core.AuthnStatement statement, org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context) throws org.opensaml.saml.common.assertion.AssertionValidationException Validates theAuthnStatement.- Parameters:
statement- the statement to validateassertion- the assertion containing the statementcontext- validation context- Returns:
- validation result
- Throws:
org.opensaml.saml.common.assertion.AssertionValidationException- for internal validation errors
-
validateAuthnInstant
@Nonnull protected org.opensaml.saml.common.assertion.ValidationResult validateAuthnInstant(@Nonnull org.opensaml.saml.saml2.core.AuthnStatement statement, @Nonnull org.opensaml.saml.saml2.core.Assertion assertion, @Nonnull org.opensaml.saml.common.assertion.ValidationContext context) Validates theAuthnInstantof theAuthnStatement.- Overrides:
validateAuthnInstantin classorg.opensaml.saml.saml2.assertion.impl.AuthnStatementValidator- Parameters:
statement- the statementassertion- the assertion containing the statementcontext- validation context- Returns:
- validation result
-
validateSsoAndSession
protected org.opensaml.saml.common.assertion.ValidationResult validateSsoAndSession(Instant authnInstant, org.opensaml.saml.saml2.core.AuthnStatement statement, org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context) Makes checks for SSO and session lengths.- Parameters:
authnInstant- the authentication instantstatement- the statementassertion- the assertion containing the statementcontext- validation context- Returns:
- validation result
-
getMaxAcceptedSsoSessionTime
protected static Duration getMaxAcceptedSsoSessionTime(org.opensaml.saml.common.assertion.ValidationContext context) Gets the maximum time we allow for SSO sessions.- Parameters:
context- the validation context- Returns:
- the max time, or null if the time is not set
-
getForceAuthnFlag
protected static Boolean getForceAuthnFlag(org.opensaml.saml.common.assertion.ValidationContext context) Gets theForceAuthnflag from the validation context. The method primarily checks for theAUTHN_REQUEST_FORCE_AUTHNparameter, and that does not exist, tries with theCoreValidatorParameters.AUTHN_REQUESTparameter.- Parameters:
context- the validation context- Returns:
- the
ForceAuthnflag ornullif this is not set
-
getAuthnRequestIssueInstant
protected static Instant getAuthnRequestIssueInstant(org.opensaml.saml.common.assertion.ValidationContext context) Gets the issue instant of theAuthnRequestfrom the validation context. The method primarily checks for theAUTHN_REQUEST_ISSUE_INSTANTparameter, and that does not exist, tries with theCoreValidatorParameters.AUTHN_REQUESTparameter.- Parameters:
context- the validation context- Returns:
- the issuance time or null if not set
-
validateSessionIndex
protected org.opensaml.saml.common.assertion.ValidationResult validateSessionIndex(org.opensaml.saml.saml2.core.AuthnStatement statement, org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context) Default implementation does not perform any checks and returnsValidationResult.VALID.- Parameters:
statement- the statementassertion- the assertioncontext- the validation context- Returns:
- validation result
-
validateSessionNotOnOrAfter
protected org.opensaml.saml.common.assertion.ValidationResult validateSessionNotOnOrAfter(org.opensaml.saml.saml2.core.AuthnStatement statement, org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context) Default implementation does not perform any checks and returnsValidationResult.VALID.- Parameters:
statement- the statementassertion- the assertioncontext- the validation context- Returns:
- validation result
-
validateAuthnContext
@Nonnull protected org.opensaml.saml.common.assertion.ValidationResult validateAuthnContext(@Nonnull org.opensaml.saml.saml2.core.AuthnStatement statement, @Nonnull org.opensaml.saml.saml2.core.Assertion assertion, @Nonnull org.opensaml.saml.common.assertion.ValidationContext context) Default implementation will only assert that theAuthnContextelement is present.- Overrides:
validateAuthnContextin classorg.opensaml.saml.saml2.assertion.impl.AuthnStatementValidator- Parameters:
statement- the statementassertion- the assertioncontext- the validation context- Returns:
- validation result
-