Class ResponseValidator

java.lang.Object
  se.swedenconnect.opensaml.common.validation.AbstractObjectValidator<Response>
    se.swedenconnect.opensaml.common.validation.AbstractSignableObjectValidator<Response>
      se.swedenconnect.opensaml.saml2.response.validation.ResponseValidator

All Implemented Interfaces:
- ObjectValidator<Response>
Response validator that ensures that a Response element is valid according to the SAML 2.0 Core specification and makes checks based on the supplied validation context parameters described below.

Supports the following ValidationContext static parameters:
- The static parameters defined for AbstractSignableObjectValidator.
- CoreValidatorParameters.STRICT_VALIDATION: Optional. If not supplied, defaults to 'false'. Tells whether strict validation should be performed.
- SAML2AssertionValidationParameters.CLOCK_SKEW: Optional. Gives the duration that is the maximum allowed clock skew. If not given, SAML20AssertionValidator.DEFAULT_CLOCK_SKEW is used.
- CoreValidatorParameters.MAX_AGE_MESSAGE: Optional. Gives the maximum age (difference between issuance time and the validation time). If not given, AbstractObjectValidator.DEFAULT_MAX_AGE_RECEIVED_MESSAGE is used.
- CoreValidatorParameters.RECEIVE_INSTANT: Optional. Gives the timestamp (milliseconds since epoch) for when the response message was received. If not given, the current time is used.
- CoreValidatorParameters.AUTHN_REQUEST: Optional. If supplied, it is used in a number of validations when information from the corresponding AuthnRequest is needed. If not supplied, other, more detailed parameters must be given.
- CoreValidatorParameters.AUTHN_REQUEST_ID: Required if CoreValidatorParameters.AUTHN_REQUEST is not assigned. Used when validating the InResponseTo attribute of the response.
- CoreValidatorParameters.RECEIVE_URL: Required. A String holding the URL on which we received the response message. Used when the Destination attribute is validated.
- CoreValidatorParameters.EXPECTED_ISSUER: Optional. If set, it is used when the issuer of the response is validated.

Author:
- Martin Lindström (martin.lindstrom@litsec.se)
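Putting the static parameters above together, as an added example that is not part of the library or its documentation: a helper that builds the ValidationContext for a received Response and runs ResponseValidator on it. It assumes OpenSAML 4 class names (including ValidationContext.getValidationFailureMessage()) and that java.time.Duration values are accepted for the clock-skew and max-age parameters; the validator, request and URL values are supplied by the caller.

```java
import java.time.Duration;
import java.util.HashMap;
import java.util.Map;

import org.opensaml.saml.common.assertion.ValidationContext;
import org.opensaml.saml.common.assertion.ValidationResult;
import org.opensaml.saml.saml2.assertion.SAML2AssertionValidationParameters;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.Response;

import se.swedenconnect.opensaml.common.validation.CoreValidatorParameters;
import se.swedenconnect.opensaml.saml2.response.validation.ResponseValidator;

/** Added example, not library code: builds the ValidationContext for a received Response and validates it. */
public final class ResponseValidationExample {

  /**
   * sentRequest is the AuthnRequest this Response should answer (null if only its ID, sentRequestId, was kept);
   * receiveUrl is the exact URL the Response was posted to; receivedMillis is the receive time, ms since epoch.
   */
  public static ValidationResult validateResponse(ResponseValidator validator, Response response,
      AuthnRequest sentRequest, String sentRequestId, String receiveUrl, String expectedIssuer,
      long receivedMillis) {
    Map<String, Object> params = new HashMap<>();
    // Required: Destination must equal the URL on which we actually received the message.
    params.put(CoreValidatorParameters.RECEIVE_URL, receiveUrl);
    // InResponseTo is matched against the AuthnRequest if we still have it, otherwise against its ID.
    if (sentRequest != null) {
      params.put(CoreValidatorParameters.AUTHN_REQUEST, sentRequest);
    } else {
      params.put(CoreValidatorParameters.AUTHN_REQUEST_ID, sentRequestId);
    }
    // Optional, but pinning these removes guesswork: expected Issuer, receive time, strict mode.
    params.put(CoreValidatorParameters.EXPECTED_ISSUER, expectedIssuer);
    params.put(CoreValidatorParameters.RECEIVE_INSTANT, receivedMillis);
    params.put(CoreValidatorParameters.STRICT_VALIDATION, Boolean.TRUE);
    // Assumption: java.time.Duration is accepted for the clock-skew and max-age parameters.
    params.put(SAML2AssertionValidationParameters.CLOCK_SKEW, Duration.ofSeconds(30));
    params.put(CoreValidatorParameters.MAX_AGE_MESSAGE, Duration.ofMinutes(2));

    ValidationContext context = new ValidationContext(params);
    ValidationResult result = validator.validate(response, context);
    if (result != ValidationResult.VALID) {
      // Treat INDETERMINATE like INVALID: a response that could not be fully verified is not accepted.
      // getValidationFailureMessage() is the OpenSAML 4 accessor (assumed OpenSAML version).
      System.err.println("Response rejected (" + result + "): " + context.getValidationFailureMessage());
    }
    return result;
  }
}
```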

Field Summary

Fields inherited from class se.swedenconnect.opensaml.common.validation.AbstractSignableObjectValidator
- signaturePrevalidator, trustEngine

Fields inherited from class se.swedenconnect.opensaml.common.validation.AbstractObjectValidator
- DEFAULT_MAX_AGE_RECEIVED_MESSAGE

Constructor Summary

ResponseValidator(SignatureTrustEngine trustEngine, SignaturePrevalidator signaturePrevalidator)
    Constructor.

Method Summary

protected String getID(Response signableObject)
    Returns the ID of the signable object.
protected String getIssuer(Response signableObject)
    Returns the issuer of the signable object.
protected String getObjectName()
    Returns the name of the object being validated, e.g. "Assertion". Used for logging.
void setUriComparator(URIComparator uriComparator)
    Assigns a custom URIComparator to be used when checking URLs against each other.
ValidationResult validate(Response response, ValidationContext context)
    Validates the given object.
protected ValidationResult validateAssertions(Response response, ValidationContext context)
    Validates the Assertion and/or EncryptedAssertion element.
protected ValidationResult validateConsent(Response response, ValidationContext context)
    Validates the Consent attribute.
protected ValidationResult validateDestination(Response response, ValidationContext context)
    Ensures that the Destination attribute is present and matches the URL on which we received the message.
protected ValidationResult validateExtensions(Response response, ValidationContext context)
    Validates the Extensions element.
protected ValidationResult validateID(Response response, ValidationContext context)
    Validates that the Response object has an ID attribute.
protected ValidationResult validateInResponseTo(Response response, ValidationContext context)
    Ensures that the InResponseTo attribute is present and that it matches the ID of the AuthnRequest.
protected ValidationResult validateIssueInstant(Response response, ValidationContext context)
    Validates that the Response object has an IssueInstant attribute and that it is not too old given the CoreValidatorParameters.MAX_AGE_MESSAGE and CoreValidatorParameters.RECEIVE_INSTANT context parameters.
protected ValidationResult validateIssuer(Response response, ValidationContext context)
    Ensures that the Issuer element is present and matches the expected issuer (if set in the context under the CoreValidatorParameters.EXPECTED_ISSUER key).
protected ValidationResult validateStatus(Response response, ValidationContext context)
    Validates that the Response object has a Status attribute.
protected ValidationResult validateVersion(Response response, ValidationContext context)
    Validates that the Response object has a valid Version attribute.

Methods inherited from class se.swedenconnect.opensaml.common.validation.AbstractSignableObjectValidator
- getSignatureValidationCriteriaSet, performSignatureValidation, validateSignature

Methods inherited from class se.swedenconnect.opensaml.common.validation.AbstractObjectValidator
- getAllowedClockSkew, getMaxAgeReceivedMessage, getReceiveInstant, isStrictValidation

Constructor Details

ResponseValidator

public ResponseValidator(SignatureTrustEngine trustEngine, SignaturePrevalidator signaturePrevalidator)

Constructor.

Parameters:
- trustEngine - the trust engine used to validate the object's signature
- signaturePrevalidator - the signature pre-validator used to pre-validate the object's signature

Method Details

validate

public ValidationResult validate(Response response, ValidationContext context)

Validates the given object.

Parameters:
- response - object to be evaluated
- context - current validation context
Returns:
- the result of the evaluation

validateID

protected ValidationResult validateID(Response response, ValidationContext context)

Validates that the Response object has an ID attribute.

Parameters:
- response - the response
- context - the validation context
Returns:
- a validation result

validateVersion

protected ValidationResult validateVersion(Response response, ValidationContext context)

Validates that the Response object has a valid Version attribute.

Parameters:
- response - the response
- context - the validation context
Returns:
- a validation result

validateStatus

protected ValidationResult validateStatus(Response response, ValidationContext context)

Validates that the Response object has a Status attribute.

Parameters:
- response - the response
- context - the validation context
Returns:
- a validation result

validateIssueInstant

protected ValidationResult validateIssueInstant(Response response, ValidationContext context)

Validates that the Response object has an IssueInstant attribute and that it is not too old given the CoreValidatorParameters.MAX_AGE_MESSAGE and CoreValidatorParameters.RECEIVE_INSTANT context parameters.

Parameters:
- response - the response
- context - the validation context
Returns:
- a validation result

validateInResponseTo

protected ValidationResult validateInResponseTo(Response response, ValidationContext context)

Ensures that the InResponseTo attribute is present and that it matches the ID of the AuthnRequest. The ID is found in the context parameter under the key CoreValidatorParameters.AUTHN_REQUEST_ID or from the object stored under CoreValidatorParameters.AUTHN_REQUEST.

Parameters:
- response - the response
- context - the validation context
Returns:
- a validation result

validateDestination

protected ValidationResult validateDestination(Response response, ValidationContext context)

Ensures that the Destination attribute is present and matches the URL on which we received the message. This value is found in the context under the CoreValidatorParameters.RECEIVE_URL key.

Parameters:
- response - the response
- context - the validation context
Returns:
- a validation result

validateConsent

protected ValidationResult validateConsent(Response response, ValidationContext context)

Validates the Consent attribute. The default implementation returns ValidationResult.VALID since the attribute is optional according to the SAML 2.0 Core specification.

Parameters:
- response - the response
- context - the validation context
Returns:
- a validation result

validateIssuer

protected ValidationResult validateIssuer(Response response, ValidationContext context)

Ensures that the Issuer element is present and matches the expected issuer (if set in the context under the CoreValidatorParameters.EXPECTED_ISSUER key).

Parameters:
- response - the response
- context - the validation context
Returns:
- a validation result

validateAssertions

protected ValidationResult validateAssertions(Response response, ValidationContext context)

Validates the Assertion and/or EncryptedAssertion element. The default implementation checks:
- If the status is success: at least one assertion (or encrypted assertion) is present.
- Otherwise: no assertions are present.

Parameters:
- response - the response
- context - the validation context
Returns:
- a validation result

validateExtensions

protected ValidationResult validateExtensions(Response response, ValidationContext context)

Validates the Extensions element. The default implementation returns ValidationResult.VALID since the element is optional according to the SAML 2.0 Core specification.

Parameters:
- response - the response
- context - the validation context
Returns:
- a validation result

getIssuer

protected String getIssuer(Response signableObject)

Returns the issuer of the signable object.

Specified by:
- getIssuer in class AbstractSignableObjectValidator<Response>
Parameters:
- signableObject - the object being verified
Returns:
- the issuer

getID

protected String getID(Response signableObject)

Returns the ID of the signable object.

Specified by:
- getID in class AbstractSignableObjectValidator<Response>
Parameters:
- signableObject - the object being verified
Returns:
- the ID

getObjectName

protected String getObjectName()

Returns the name of the object being validated, e.g. "Assertion". Used for logging.

Specified by:
- getObjectName in class AbstractSignableObjectValidator<Response>
Returns:
- the object name