Class ResponseValidator

java.lang.Object
se.swedenconnect.opensaml.common.validation.AbstractObjectValidator<org.opensaml.saml.saml2.core.Response>
se.swedenconnect.opensaml.common.validation.AbstractSignableObjectValidator<org.opensaml.saml.saml2.core.Response>
se.swedenconnect.opensaml.saml2.response.validation.ResponseValidator
All Implemented Interfaces:
ObjectValidator<org.opensaml.saml.saml2.core.Response>

public class ResponseValidator extends AbstractSignableObjectValidator<org.opensaml.saml.saml2.core.Response>
Response validator that ensures that a Response element is valid according to the SAML 2.0 Core specification and makes additional checks based on the supplied validation context parameters.

Supports ValidationContext static parameters; the keys consumed by the individual checks are named in the method descriptions below (CoreValidatorParameters.MAX_AGE_MESSAGE, RECEIVE_INSTANT, AUTHN_REQUEST_ID, AUTHN_REQUEST, RECEIVE_URL and EXPECTED_ISSUER):

Author:
Martin Lindström (martin.lindstrom@litsec.se)
  • Field Summary

    Fields inherited from class se.swedenconnect.opensaml.common.validation.AbstractSignableObjectValidator

    signaturePrevalidator, trustEngine

    Fields inherited from class se.swedenconnect.opensaml.common.validation.AbstractObjectValidator

    DEFAULT_MAX_AGE_RECEIVED_MESSAGE
  • Constructor Summary

    Constructors
    Constructor
    Description
    ResponseValidator(org.opensaml.xmlsec.signature.support.SignatureTrustEngine trustEngine, org.opensaml.xmlsec.signature.support.SignaturePrevalidator signaturePrevalidator)
    Constructor.
  • Method Summary

    Modifier and Type
    Method
    Description
    protected String
    getID(org.opensaml.saml.saml2.core.Response signableObject)
    Returns the ID of the signable object.
    protected String
    getIssuer(org.opensaml.saml.saml2.core.Response signableObject)
    Returns the issuer of the signable object.
    protected String
    getObjectName()
    Returns the name of the object being validated, e.g. "Assertion".
    void
    setUriComparator(net.shibboleth.shared.net.URIComparator uriComparator)
    Assigns a custom URIComparator to be used when checking URLs against each other.
    org.opensaml.saml.common.assertion.ValidationResult
    validate(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.common.assertion.ValidationContext context)
    Validates the given object.
    protected org.opensaml.saml.common.assertion.ValidationResult
    validateAssertions(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.common.assertion.ValidationContext context)
    Validates the Assertion and/or EncryptedAssertion element.
    protected org.opensaml.saml.common.assertion.ValidationResult
    validateConsent(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.common.assertion.ValidationContext context)
    Validates the Consent attribute.
    protected org.opensaml.saml.common.assertion.ValidationResult
    validateDestination(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.common.assertion.ValidationContext context)
    Ensures that the Destination attribute is present and matches the URL on which we received the message.
    protected org.opensaml.saml.common.assertion.ValidationResult
    validateExtensions(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.common.assertion.ValidationContext context)
    Validates the Extensions element.
    protected org.opensaml.saml.common.assertion.ValidationResult
    validateID(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.common.assertion.ValidationContext context)
    Validates that the Response object has an ID attribute.
    protected org.opensaml.saml.common.assertion.ValidationResult
    validateInResponseTo(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.common.assertion.ValidationContext context)
    Ensures that the InResponseTo attribute is present and that it matches the ID of the AuthnRequest.
    protected org.opensaml.saml.common.assertion.ValidationResult
    validateIssueInstant(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.common.assertion.ValidationContext context)
    Validates that the Response object has an IssueInstant attribute and that it is not too old given the CoreValidatorParameters.MAX_AGE_MESSAGE and CoreValidatorParameters.RECEIVE_INSTANT context parameters.
    protected org.opensaml.saml.common.assertion.ValidationResult
    validateIssuer(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.common.assertion.ValidationContext context)
    Ensures that the Issuer element is present and matches the expected issuer (if set in the context under the CoreValidatorParameters.EXPECTED_ISSUER key).
    protected org.opensaml.saml.common.assertion.ValidationResult
    validateStatus(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.common.assertion.ValidationContext context)
    Validates that the Response object has a Status element.
    protected org.opensaml.saml.common.assertion.ValidationResult
    validateVersion(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.common.assertion.ValidationContext context)
    Validates that the Response object has a valid Version attribute.

    Methods inherited from class se.swedenconnect.opensaml.common.validation.AbstractSignableObjectValidator

    getSignatureValidationCriteriaSet, performSignatureValidation, validateSignature

    Methods inherited from class se.swedenconnect.opensaml.common.validation.AbstractObjectValidator

    getAllowedClockSkew, getMaxAgeReceivedMessage, getReceiveInstant, isStrictValidation

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Constructor Details

    • ResponseValidator

      public ResponseValidator(org.opensaml.xmlsec.signature.support.SignatureTrustEngine trustEngine, org.opensaml.xmlsec.signature.support.SignaturePrevalidator signaturePrevalidator)
      Constructor.
      Parameters:
      trustEngine - the trust engine used to validate the object's signature
      signaturePrevalidator - the signature pre-validator used to pre-validate the object's signature
  • Method Details

    • setUriComparator

      public void setUriComparator(net.shibboleth.shared.net.URIComparator uriComparator)
      Assigns a custom URIComparator to be used when checking URLs against each other. The default is BasicURLComparator.
      Parameters:
      uriComparator - the customized URIComparator
    • validate

      public org.opensaml.saml.common.assertion.ValidationResult validate(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.common.assertion.ValidationContext context)
      Validates the given object.
      Parameters:
      response - object to be evaluated
      context - current validation context
      Returns:
      the result of the evaluation
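      The following is an added usage example, not code from the library or from this page's author. It shows how a Service Provider would construct a ResponseValidator with a trust engine restricted to the IdP's signing certificate, populate a ValidationContext with the keys named on this page (AUTHN_REQUEST_ID, RECEIVE_URL, EXPECTED_ISSUER, RECEIVE_INSTANT, MAX_AGE_MESSAGE), and run validate. Assumptions made here: CoreValidatorParameters lives in se.swedenconnect.opensaml.common.validation; RECEIVE_INSTANT takes a java.time.Instant and MAX_AGE_MESSAGE a java.time.Duration; the OpenSAML 5 ValidationContext exposes getValidationFailureMessages(); the class and method names ResponseValidationExample, createValidator, createContext and accept are the example's own.

```java
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.HashMap;
import java.util.Map;

import org.opensaml.saml.common.assertion.ValidationContext;
import org.opensaml.saml.common.assertion.ValidationResult;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.security.credential.impl.StaticCredentialResolver;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver;
import org.opensaml.xmlsec.signature.support.SignatureTrustEngine;
import org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine;

import se.swedenconnect.opensaml.common.validation.CoreValidatorParameters; // assumed package
import se.swedenconnect.opensaml.saml2.response.validation.ResponseValidator;

/**
 * Added usage example (not part of the library): validating a SAML Response
 * received at the SP's assertion consumer endpoint.
 */
public final class ResponseValidationExample {

  /** Maximum accepted age of a Response. Assumption: MAX_AGE_MESSAGE takes a Duration. */
  private static final Duration MAX_RESPONSE_AGE = Duration.ofMinutes(5);

  /**
   * Builds a validator whose trust engine accepts signatures from exactly one
   * key: the IdP signing certificate taken from its metadata. A Response that
   * is unsigned or signed by any other key fails signature validation.
   */
  public static ResponseValidator createValidator(final X509Certificate idpSigningCert) {
    final BasicX509Credential idpCredential = new BasicX509Credential(idpSigningCert);
    final SignatureTrustEngine trustEngine = new ExplicitKeySignatureTrustEngine(
        new StaticCredentialResolver(idpCredential),
        new StaticKeyInfoCredentialResolver(idpCredential));
    // SAMLSignatureProfileValidator is OpenSAML's SignaturePrevalidator: it rejects
    // signatures that violate the SAML signature profile (reference not pointing at
    // the signed element, disallowed transforms) before any cryptographic check.
    return new ResponseValidator(trustEngine, new SAMLSignatureProfileValidator());
  }

  /**
   * Builds the ValidationContext that ties this Response to the AuthnRequest we
   * actually sent, the endpoint it arrived on, and the IdP we expect it from.
   * sentAuthnRequestId must come from server-side session state, never from the
   * incoming message, or the InResponseTo check proves nothing.
   */
  public static ValidationContext createContext(
      final String sentAuthnRequestId, final String receiveUrl, final String idpEntityId) {
    final Map<String, Object> params = new HashMap<>();
    params.put(CoreValidatorParameters.AUTHN_REQUEST_ID, sentAuthnRequestId); // validateInResponseTo
    params.put(CoreValidatorParameters.RECEIVE_URL, receiveUrl);              // validateDestination
    params.put(CoreValidatorParameters.EXPECTED_ISSUER, idpEntityId);         // validateIssuer
    params.put(CoreValidatorParameters.RECEIVE_INSTANT, Instant.now());       // validateIssueInstant (Instant assumed)
    params.put(CoreValidatorParameters.MAX_AGE_MESSAGE, MAX_RESPONSE_AGE);    // validateIssueInstant (Duration assumed)
    return new ValidationContext(params);
  }

  /**
   * Runs the validation and returns true only for ValidationResult.VALID.
   * INDETERMINATE is treated as a failure: a Response that cannot be fully
   * verified must never be accepted.
   */
  public static boolean accept(final ResponseValidator validator, final Response response,
      final ValidationContext context) {
    final ValidationResult result = validator.validate(response, context);
    if (result != ValidationResult.VALID) {
      // Assumption: OpenSAML 5 API. Log the reason server-side; do not echo it to the user.
      System.err.println("Response rejected (" + result + "): " + context.getValidationFailureMessages());
      return false;
    }
    return true;
  }
}
```

      Typical use is createValidator(idpCert) once at startup, then createContext(...) and accept(...) per received message. Note that a successful ResponseValidator run only establishes that the Response envelope is trustworthy; each contained Assertion still needs its own validation (conditions, audience, subject confirmation) before any attribute in it is acted upon.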
    • validateID

      protected org.opensaml.saml.common.assertion.ValidationResult validateID(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.common.assertion.ValidationContext context)
      Validates that the Response object has an ID attribute.
      Parameters:
      response - the response
      context - the validation context
      Returns:
      a validation result
    • validateVersion

      protected org.opensaml.saml.common.assertion.ValidationResult validateVersion(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.common.assertion.ValidationContext context)
      Validates that the Response object has a valid Version attribute.
      Parameters:
      response - the response
      context - the validation context
      Returns:
      a validation result
    • validateStatus

      protected org.opensaml.saml.common.assertion.ValidationResult validateStatus(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.common.assertion.ValidationContext context)
      Validates that the Response object has a Status element.
      Parameters:
      response - the response
      context - the validation context
      Returns:
      a validation result
    • validateIssueInstant

      protected org.opensaml.saml.common.assertion.ValidationResult validateIssueInstant(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.common.assertion.ValidationContext context)
      Validates that the Response object has an IssueInstant attribute and that it is not too old given the CoreValidatorParameters.MAX_AGE_MESSAGE and CoreValidatorParameters.RECEIVE_INSTANT context parameters.
      Parameters:
      response - the response
      context - the validation context
      Returns:
      a validation result
    • validateInResponseTo

      protected org.opensaml.saml.common.assertion.ValidationResult validateInResponseTo(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.common.assertion.ValidationContext context)
      Ensures that the InResponseTo attribute is present and that it matches the ID of the AuthnRequest. The ID is found in the context parameter under the key CoreValidatorParameters.AUTHN_REQUEST_ID or from the object stored under CoreValidatorParameters.AUTHN_REQUEST.
      Parameters:
      response - the response
      context - the validation context
      Returns:
      a validation result
    • validateDestination

      protected org.opensaml.saml.common.assertion.ValidationResult validateDestination(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.common.assertion.ValidationContext context)
      Ensures that the Destination attribute is present and matches the URL on which we received the message. This value is found in the context under the CoreValidatorParameters.RECEIVE_URL key.
      Parameters:
      response - the response
      context - the validation context
      Returns:
      a validation result
    • validateConsent

      protected org.opensaml.saml.common.assertion.ValidationResult validateConsent(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.common.assertion.ValidationContext context)
      Validates the Consent attribute. The default implementation returns ValidationResult.VALID since the attribute is optional according to the SAML 2.0 Core specification.
      Parameters:
      response - the response
      context - the validation context
      Returns:
      a validation result
    • validateIssuer

      protected org.opensaml.saml.common.assertion.ValidationResult validateIssuer(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.common.assertion.ValidationContext context)
      Ensures that the Issuer element is present and matches the expected issuer (if set in the context under the CoreValidatorParameters.EXPECTED_ISSUER key).
      Parameters:
      response - the response
      context - the validation context
      Returns:
      a validation result
    • validateAssertions

      protected org.opensaml.saml.common.assertion.ValidationResult validateAssertions(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.common.assertion.ValidationContext context)
      Validates the Assertion and/or EncryptedAssertion element. The default implementation checks:
      • If the status is success - At least one assertion (or encrypted assertion) is present.
      • Otherwise - No assertions are present.
      Parameters:
      response - the response
      context - the validation context
      Returns:
      a validation result
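      The following is an added example of tightening this hook by subclassing; it is not code from the library. The protected validateAssertions only requires at least one assertion on success, so an SP that expects exactly one assertion per Response can override it, keep the library's own checks by calling super, and then reject any success Response carrying more than one Assertion or EncryptedAssertion. Assumptions: the class name SingleAssertionResponseValidator is the example's own, and the OpenSAML 5 ValidationContext exposes a mutable list via getValidationFailureMessages().

```java
import org.opensaml.saml.common.assertion.ValidationContext;
import org.opensaml.saml.common.assertion.ValidationResult;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.core.StatusCode;
import org.opensaml.xmlsec.signature.support.SignaturePrevalidator;
import org.opensaml.xmlsec.signature.support.SignatureTrustEngine;

import se.swedenconnect.opensaml.saml2.response.validation.ResponseValidator;

/**
 * Added example subclass (not part of the library): a successful Response must
 * carry exactly one Assertion or EncryptedAssertion, not merely at least one.
 */
public class SingleAssertionResponseValidator extends ResponseValidator {

  public SingleAssertionResponseValidator(final SignatureTrustEngine trustEngine,
      final SignaturePrevalidator signaturePrevalidator) {
    super(trustEngine, signaturePrevalidator);
  }

  @Override
  protected ValidationResult validateAssertions(final Response response, final ValidationContext context) {
    // Keep the library's checks: at least one assertion on success, none otherwise.
    final ValidationResult base = super.validateAssertions(response, context);
    if (base != ValidationResult.VALID) {
      return base;
    }
    if (!isSuccess(response)) {
      return ValidationResult.VALID; // super already verified that no assertions are present
    }
    final int count = response.getAssertions().size() + response.getEncryptedAssertions().size();
    if (count != 1) {
      // Assumption: OpenSAML 5 ValidationContext failure-message list.
      context.getValidationFailureMessages().add(String.format(
          "Response %s contains %d assertions, exactly one is required", response.getID(), count));
      return ValidationResult.INVALID;
    }
    return ValidationResult.VALID;
  }

  /** True when the top-level StatusCode is urn:oasis:names:tc:SAML:2.0:status:Success. */
  private static boolean isSuccess(final Response response) {
    return response.getStatus() != null
        && response.getStatus().getStatusCode() != null
        && StatusCode.SUCCESS.equals(response.getStatus().getStatusCode().getValue());
  }
}
```

      The subclass is constructed exactly like ResponseValidator (trust engine plus signature pre-validator) and used through the same validate call; only the assertion-count policy changes. Whether one assertion per Response is the right rule depends on the federation profile in use, so treat this as a deployment policy rather than a requirement of the SAML 2.0 Core specification.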
    • validateExtensions

      protected org.opensaml.saml.common.assertion.ValidationResult validateExtensions(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.common.assertion.ValidationContext context)
      Validates the Extensions element. The default implementation returns ValidationResult.VALID since the element is optional according to the SAML 2.0 Core specification.
      Parameters:
      response - the response
      context - the validation context
      Returns:
      a validation result
    • getIssuer

      protected String getIssuer(org.opensaml.saml.saml2.core.Response signableObject)
      Returns the issuer of the signable object.
      Specified by:
      getIssuer in class AbstractSignableObjectValidator<org.opensaml.saml.saml2.core.Response>
      Parameters:
      signableObject - the object being verified
      Returns:
      the issuer
    • getID

      protected String getID(org.opensaml.saml.saml2.core.Response signableObject)
      Returns the ID of the signable object.
      Specified by:
      getID in class AbstractSignableObjectValidator<org.opensaml.saml.saml2.core.Response>
      Parameters:
      signableObject - the object being verified
      Returns:
      the ID
    • getObjectName

      protected String getObjectName()
      Returns the name of the object being validated, e.g. "Assertion". Used for logging.
      Specified by:
      getObjectName in class AbstractSignableObjectValidator<org.opensaml.saml.saml2.core.Response>
      Returns:
      the object name