Class ResponseValidator
java.lang.Object
se.swedenconnect.opensaml.common.validation.AbstractObjectValidator<org.opensaml.saml.saml2.core.Response>
se.swedenconnect.opensaml.common.validation.AbstractSignableObjectValidator<org.opensaml.saml.saml2.core.Response>
se.swedenconnect.opensaml.saml2.response.validation.ResponseValidator
- All Implemented Interfaces:
ObjectValidator<org.opensaml.saml.saml2.core.Response>
public class ResponseValidator
extends AbstractSignableObjectValidator<org.opensaml.saml.saml2.core.Response>
Response validator that ensures that a Response element is valid according to the SAML 2.0 Core specification and makes checks based on the supplied validation context parameters described below.

Supports the following ValidationContext static parameters:
- The static parameters defined for AbstractSignableObjectValidator.
- CoreValidatorParameters.STRICT_VALIDATION: Optional. If not supplied, defaults to 'false'. Tells whether strict validation should be performed.
- SAML2AssertionValidationParameters.CLOCK_SKEW: Optional. Gives the duration that is the maximum allowed clock skew. If not given, SAML20AssertionValidator.DEFAULT_CLOCK_SKEW is used.
- CoreValidatorParameters.MAX_AGE_MESSAGE: Optional. Gives the maximum age (difference between issuance time and the validation time). If not given, AbstractObjectValidator.DEFAULT_MAX_AGE_RECEIVED_MESSAGE is used.
- CoreValidatorParameters.RECEIVE_INSTANT: Optional. Gives the timestamp (milliseconds since epoch) for when the response message was received. If not given, the current time is used.
- CoreValidatorParameters.AUTHN_REQUEST: Optional. If supplied, it will be used in a number of validations when information from the corresponding AuthnRequest is needed. If not supplied, other, more detailed parameters must be given.
- CoreValidatorParameters.AUTHN_REQUEST_ID: Required if CoreValidatorParameters.AUTHN_REQUEST is not assigned. Is used when validating the InResponseTo attribute of the response.
- CoreValidatorParameters.RECEIVE_URL: Required. A String holding the URL on which we received the response message. Is used when the Destination attribute is validated.
- CoreValidatorParameters.EXPECTED_ISSUER: Optional. If set, is used when the issuer of the response is validated.
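Putting the parameters above together, an added example (not code from the opensaml-addons library or from this page) that builds a ResponseValidator with an explicit-key trust engine and calls validate() with a populated ValidationContext. The helper class and method names are assumptions, as are the value types chosen for MAX_AGE_MESSAGE (a Duration) and RECEIVE_INSTANT (milliseconds since epoch, as the description states).

```java
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.HashMap;
import java.util.Map;
import org.opensaml.saml.common.assertion.ValidationContext;
import org.opensaml.saml.common.assertion.ValidationResult;
import org.opensaml.saml.saml2.assertion.SAML2AssertionValidationParameters;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.security.credential.impl.StaticCredentialResolver;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.xmlsec.config.impl.DefaultSecurityConfigurationBootstrap;
import org.opensaml.xmlsec.signature.impl.ExplicitKeySignatureTrustEngine;
import org.opensaml.xmlsec.signature.support.SignatureTrustEngine;
import se.swedenconnect.opensaml.common.validation.CoreValidatorParameters;
import se.swedenconnect.opensaml.saml2.response.validation.ResponseValidator;

/** Added example (hypothetical class, not part of opensaml-addons). */
public class ResponseValidationExample {

  /** Builds a validator that trusts only signatures made with the given IdP signing certificate. */
  public static ResponseValidator buildValidator(final X509Certificate idpSigningCert) {
    final SignatureTrustEngine trustEngine = new ExplicitKeySignatureTrustEngine(
        new StaticCredentialResolver(new BasicX509Credential(idpSigningCert)),
        DefaultSecurityConfigurationBootstrap.buildBasicInlineKeyInfoCredentialResolver());
    // The prevalidator rejects signatures that violate the SAML signature profile before any key is consulted.
    return new ResponseValidator(trustEngine, new SAMLSignatureProfileValidator());
  }

  /**
   * Validates a received Response. receiveUrl is the URL the message arrived on, authnRequestId the ID
   * of the AuthnRequest we sent (instead of storing the whole request under AUTHN_REQUEST),
   * expectedIssuer the IdP entityID we expect in the Issuer element.
   */
  public static ValidationResult validateResponse(final ResponseValidator validator,
      final Response response, final String receiveUrl, final String authnRequestId,
      final String expectedIssuer) {
    final Map<String, Object> params = new HashMap<>();
    params.put(CoreValidatorParameters.STRICT_VALIDATION, Boolean.TRUE);
    params.put(SAML2AssertionValidationParameters.CLOCK_SKEW, Duration.ofSeconds(30));
    // Assumed value types: Duration for MAX_AGE_MESSAGE, epoch millis for RECEIVE_INSTANT.
    params.put(CoreValidatorParameters.MAX_AGE_MESSAGE, Duration.ofMinutes(5));
    params.put(CoreValidatorParameters.RECEIVE_INSTANT, Instant.now().toEpochMilli());
    params.put(CoreValidatorParameters.RECEIVE_URL, receiveUrl);          // required
    params.put(CoreValidatorParameters.AUTHN_REQUEST_ID, authnRequestId); // required without AUTHN_REQUEST
    params.put(CoreValidatorParameters.EXPECTED_ISSUER, expectedIssuer);
    return validator.validate(response, new ValidationContext(params));
  }
}
```

Treat any result other than ValidationResult.VALID, including INDETERMINATE, as a rejected response.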
- Author:
- Martin Lindström (martin.lindstrom@litsec.se)
Field Summary
- Fields inherited from class se.swedenconnect.opensaml.common.validation.AbstractSignableObjectValidator:
  signaturePrevalidator, trustEngine
- Fields inherited from class se.swedenconnect.opensaml.common.validation.AbstractObjectValidator:
  DEFAULT_MAX_AGE_RECEIVED_MESSAGE

Constructor Summary
- ResponseValidator(org.opensaml.xmlsec.signature.support.SignatureTrustEngine trustEngine, org.opensaml.xmlsec.signature.support.SignaturePrevalidator signaturePrevalidator): Constructor.

Method Summary
- protected String getID(org.opensaml.saml.saml2.core.Response signableObject): Returns the ID of the signable object.
- protected String getIssuer(org.opensaml.saml.saml2.core.Response signableObject): Returns the issuer of the signable object.
- protected String getObjectName(): Returns the name of the object being validated, e.g. "Assertion". Used for logging.
- void setUriComparator(net.shibboleth.shared.net.URIComparator uriComparator): Assigns a custom URIComparator to be used when checking URLs against each other.
- org.opensaml.saml.common.assertion.ValidationResult validate(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.common.assertion.ValidationContext context): Validates the given object.
- protected org.opensaml.saml.common.assertion.ValidationResult validateAssertions(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.common.assertion.ValidationContext context): Validates the Assertion and/or EncryptedAssertion element.
- protected org.opensaml.saml.common.assertion.ValidationResult validateConsent(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.common.assertion.ValidationContext context): Validates the Consent attribute.
- protected org.opensaml.saml.common.assertion.ValidationResult validateDestination(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.common.assertion.ValidationContext context): Ensures that the Destination attribute is present and matches the URL on which we received the message.
- protected org.opensaml.saml.common.assertion.ValidationResult validateExtensions(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.common.assertion.ValidationContext context): Validates the Extensions element.
- protected org.opensaml.saml.common.assertion.ValidationResult validateID(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.common.assertion.ValidationContext context): Validates that the Response object has an ID attribute.
- protected org.opensaml.saml.common.assertion.ValidationResult validateInResponseTo(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.common.assertion.ValidationContext context): Ensures that the InResponseTo attribute is present and that it matches the ID of the AuthnRequest.
- protected org.opensaml.saml.common.assertion.ValidationResult validateIssueInstant(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.common.assertion.ValidationContext context): Validates that the Response object has an IssueInstant attribute and that it is not too old given the CoreValidatorParameters.MAX_AGE_MESSAGE and CoreValidatorParameters.RECEIVE_INSTANT context parameters.
- protected org.opensaml.saml.common.assertion.ValidationResult validateIssuer(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.common.assertion.ValidationContext context): Ensures that the Issuer element is present and matches the expected issuer (if set in the context under the CoreValidatorParameters.EXPECTED_ISSUER key).
- protected org.opensaml.saml.common.assertion.ValidationResult validateStatus(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.common.assertion.ValidationContext context): Validates that the Response object has a Status attribute.
- protected org.opensaml.saml.common.assertion.ValidationResult validateVersion(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.common.assertion.ValidationContext context): Validates that the Response object has a valid Version attribute.
- Methods inherited from class se.swedenconnect.opensaml.common.validation.AbstractSignableObjectValidator:
  getSignatureValidationCriteriaSet, performSignatureValidation, validateSignature
- Methods inherited from class se.swedenconnect.opensaml.common.validation.AbstractObjectValidator:
  getAllowedClockSkew, getMaxAgeReceivedMessage, getReceiveInstant, isStrictValidation
Constructor Details

ResponseValidator
public ResponseValidator(org.opensaml.xmlsec.signature.support.SignatureTrustEngine trustEngine, org.opensaml.xmlsec.signature.support.SignaturePrevalidator signaturePrevalidator)
Constructor.
- Parameters:
  trustEngine - the trust engine used to validate the object's signature
  signaturePrevalidator - the signature pre-validator used to pre-validate the object's signature

Method Details

validate
public org.opensaml.saml.common.assertion.ValidationResult validate(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.common.assertion.ValidationContext context)
Validates the given object.
- Parameters:
  response - object to be evaluated
  context - current validation context
- Returns:
  the result of the evaluation

validateID
protected org.opensaml.saml.common.assertion.ValidationResult validateID(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.common.assertion.ValidationContext context)
Validates that the Response object has an ID attribute.
- Parameters:
  response - the response
  context - the validation context
- Returns:
  a validation result

validateVersion
protected org.opensaml.saml.common.assertion.ValidationResult validateVersion(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.common.assertion.ValidationContext context)
Validates that the Response object has a valid Version attribute.
- Parameters:
  response - the response
  context - the validation context
- Returns:
  a validation result

validateStatus
protected org.opensaml.saml.common.assertion.ValidationResult validateStatus(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.common.assertion.ValidationContext context)
Validates that the Response object has a Status attribute.
- Parameters:
  response - the response
  context - the validation context
- Returns:
  a validation result

validateIssueInstant
protected org.opensaml.saml.common.assertion.ValidationResult validateIssueInstant(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.common.assertion.ValidationContext context)
Validates that the Response object has an IssueInstant attribute and that it is not too old given the CoreValidatorParameters.MAX_AGE_MESSAGE and CoreValidatorParameters.RECEIVE_INSTANT context parameters.
- Parameters:
  response - the response
  context - the validation context
- Returns:
  a validation result

validateInResponseTo
protected org.opensaml.saml.common.assertion.ValidationResult validateInResponseTo(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.common.assertion.ValidationContext context)
Ensures that the InResponseTo attribute is present and that it matches the ID of the AuthnRequest. The ID is found in the context parameter under the key CoreValidatorParameters.AUTHN_REQUEST_ID or from the object stored under CoreValidatorParameters.AUTHN_REQUEST.
- Parameters:
  response - the response
  context - the validation context
- Returns:
  a validation result

validateDestination
protected org.opensaml.saml.common.assertion.ValidationResult validateDestination(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.common.assertion.ValidationContext context)
Ensures that the Destination attribute is present and matches the URL on which we received the message. This value is found in the context under the CoreValidatorParameters.RECEIVE_URL key.
- Parameters:
  response - the response
  context - the validation context
- Returns:
  a validation result

validateConsent
protected org.opensaml.saml.common.assertion.ValidationResult validateConsent(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.common.assertion.ValidationContext context)
Validates the Consent attribute. The default implementation returns ValidationResult.VALID since the attribute is optional according to the SAML 2.0 Core specification.
- Parameters:
  response - the response
  context - the validation context
- Returns:
  a validation result

validateIssuer
protected org.opensaml.saml.common.assertion.ValidationResult validateIssuer(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.common.assertion.ValidationContext context)
Ensures that the Issuer element is present and matches the expected issuer (if set in the context under the CoreValidatorParameters.EXPECTED_ISSUER key).
- Parameters:
  response - the response
  context - the validation context
- Returns:
  a validation result
validateAssertions
protected org.opensaml.saml.common.assertion.ValidationResult validateAssertions(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.common.assertion.ValidationContext context)
Validates the Assertion and/or EncryptedAssertion element. The default implementation checks:
- If the status is success: at least one assertion (or encrypted assertion) is present.
- Otherwise: no assertions are present.
- Parameters:
  response - the response
  context - the validation context
- Returns:
  a validation result
validateExtensions
protected org.opensaml.saml.common.assertion.ValidationResult validateExtensions(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.common.assertion.ValidationContext context)
Validates the Extensions element. The default implementation returns ValidationResult.VALID since the element is optional according to the SAML 2.0 Core specification.
- Parameters:
  response - the response
  context - the validation context
- Returns:
  a validation result

getIssuer
protected String getIssuer(org.opensaml.saml.saml2.core.Response signableObject)
Returns the issuer of the signable object.
- Specified by:
  getIssuer in class AbstractSignableObjectValidator<org.opensaml.saml.saml2.core.Response>
- Parameters:
  signableObject - the object being verified
- Returns:
  the issuer

getID
protected String getID(org.opensaml.saml.saml2.core.Response signableObject)
Returns the ID of the signable object.
- Specified by:
  getID in class AbstractSignableObjectValidator<org.opensaml.saml.saml2.core.Response>
- Parameters:
  signableObject - the object being verified
- Returns:
  the ID

getObjectName
protected String getObjectName()
Returns the name of the object being validated, e.g. "Assertion". Used for logging.
- Specified by:
  getObjectName in class AbstractSignableObjectValidator<org.opensaml.saml.saml2.core.Response>
- Returns:
  the object name