Package se.swedenconnect.opensaml.saml2.response.validation

Class ResponseValidator

java.lang.Object

se.swedenconnect.opensaml.common.validation.AbstractObjectValidator<org.opensaml.saml.saml2.core.Response>

se.swedenconnect.opensaml.common.validation.AbstractSignableObjectValidator<org.opensaml.saml.saml2.core.Response>

se.swedenconnect.opensaml.saml2.response.validation.ResponseValidator

All Implemented Interfaces:

ObjectValidator<org.opensaml.saml.saml2.core.Response>

public class ResponseValidator
extends AbstractSignableObjectValidator<org.opensaml.saml.saml2.core.Response>

Response validator that ensures that a Response element is valid according to the 2.0 SAML Core specification and makes checks based on the supplied validation context parameters described below.

Supports the following ValidationContext static parameters:

• The static parameters defined for AbstractSignableObjectValidator.
• CoreValidatorParameters.STRICT_VALIDATION: Optional. If not supplied, defaults to 'false'. Tells whether strict validation should be performed.
• SAML2AssertionValidationParameters.CLOCK_SKEW: Optional. Gives the duration that is the maximum allowed clock skew. If not given SAML20AssertionValidator.DEFAULT_CLOCK_SKEW is used.
• CoreValidatorParameters.MAX_AGE_MESSAGE: Optional. Gives the maximum age (difference between issuance time and the validation time). If not given, the AbstractObjectValidator.DEFAULT_MAX_AGE_RECEIVED_MESSAGE is used.
• CoreValidatorParameters.RECEIVE_INSTANT: Optional. Gives the timestamp (milliseconds since epoch) for when the response message was received. If not given the current time is used.
• CoreValidatorParameters.AUTHN_REQUEST: Optional. If supplied will be used in a number of validations when information from the corresponding AuthnRequest is needed. If not supplied, other, more detailed parameters must be given.
• CoreValidatorParameters.AUTHN_REQUEST_ID: Required if the CoreValidatorParameters.AUTHN_REQUEST is not assigned. Is used when validating the InResponseTo attribute of the response.
• CoreValidatorParameters.RECEIVE_URL: Required. A String holding the URL on which we received the response message. Is used when the Destination attribute is validated.
• CoreValidatorParameters.EXPECTED_ISSUER: Optional. If set, is used when the issuer of the response is validated.

Author:

Martin Lindström (martin.lindstrom@litsec.se)

Field Summary

Fields inherited from class se.swedenconnect.opensaml.common.validation.AbstractSignableObjectValidator

signaturePrevalidator, trustEngine

Fields inherited from class se.swedenconnect.opensaml.common.validation.AbstractObjectValidator

DEFAULT_MAX_AGE_RECEIVED_MESSAGE

Constructor Summary

Constructors

Constructor	Description
ResponseValidator(org.opensaml.xmlsec.signature.support.SignatureTrustEngine trustEngine, org.opensaml.xmlsec.signature.support.SignaturePrevalidator signaturePrevalidator)	Constructor.

Method Summary

Modifier and Type	Method	Description
protected String	getID(org.opensaml.saml.saml2.core.Response signableObject)	Returns the ID of the signable object.
protected String	getIssuer(org.opensaml.saml.saml2.core.Response signableObject)	Returns the issuer of the signable object.
protected String	getObjectName()	Returns the name of the object being validated, e.g.
void	setUriComparator(net.shibboleth.shared.net.URIComparator uriComparator)	Assigns a custom URIComparator to be used when checking URL:s against eachother.
org.opensaml.saml.common.assertion.ValidationResult	validate(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.common.assertion.ValidationContext context)	Validates the given object.
protected org.opensaml.saml.common.assertion.ValidationResult	validateAssertions(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.common.assertion.ValidationContext context)	Validates the Assertion and/or EncryptedAssertion element.
protected org.opensaml.saml.common.assertion.ValidationResult	validateConsent(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.common.assertion.ValidationContext context)	Validates the Consent attribute.
protected org.opensaml.saml.common.assertion.ValidationResult	validateDestination(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.common.assertion.ValidationContext context)	Ensures that the Destination attribute is present and matches the URL on which we received the message.
protected org.opensaml.saml.common.assertion.ValidationResult	validateExtensions(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.common.assertion.ValidationContext context)	Validates the Extensions element.
protected org.opensaml.saml.common.assertion.ValidationResult	validateID(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.common.assertion.ValidationContext context)	Validates that the Response object has an ID attribute.
protected org.opensaml.saml.common.assertion.ValidationResult	validateInResponseTo(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.common.assertion.ValidationContext context)	Ensures that the InResponseTo attribute is present and that it matches the ID of the AuthnRequest.
protected org.opensaml.saml.common.assertion.ValidationResult	validateIssueInstant(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.common.assertion.ValidationContext context)	Validates that the Response object has a IssueInstant attribute and that it is not too old given the CoreValidatorParameters.MAX_AGE_MESSAGE and CoreValidatorParameters.RECEIVE_INSTANT context parameters.
protected org.opensaml.saml.common.assertion.ValidationResult	validateIssuer(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.common.assertion.ValidationContext context)	Ensures that the Issuer element is present and matches the expected issuer (if set in the context under the CoreValidatorParameters.EXPECTED_ISSUER key).
protected org.opensaml.saml.common.assertion.ValidationResult	validateStatus(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.common.assertion.ValidationContext context)	Validates that the Response object has a Status attribute.
protected org.opensaml.saml.common.assertion.ValidationResult	validateVersion(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.common.assertion.ValidationContext context)	Validates that the Response object has a valid Version attribute.

Methods inherited from class se.swedenconnect.opensaml.common.validation.AbstractSignableObjectValidator

getSignatureValidationCriteriaSet, performSignatureValidation, validateSignature

Methods inherited from class se.swedenconnect.opensaml.common.validation.AbstractObjectValidator

getAllowedClockSkew, getMaxAgeReceivedMessage, getReceiveInstant, isStrictValidation

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

ResponseValidator

public ResponseValidator(org.opensaml.xmlsec.signature.support.SignatureTrustEngine trustEngine,
 org.opensaml.xmlsec.signature.support.SignaturePrevalidator signaturePrevalidator)

Constructor.

Parameters:

trustEngine - the trust used to validate the object's signature

signaturePrevalidator - the signature pre-validator used to pre-validate the object's signature

Method Details

setUriComparator

public void setUriComparator(net.shibboleth.shared.net.URIComparator uriComparator)

Assigns a custom URIComparator to be used when checking URL:s against eachother. The default is BasicURLComparator.

Parameters:

uriComparator - the customized URIComparator

validate

public org.opensaml.saml.common.assertion.ValidationResult validate(org.opensaml.saml.saml2.core.Response response,
 org.opensaml.saml.common.assertion.ValidationContext context)

Validates the given object.

Parameters:

response - object to be evaluated

context - current validation context

Returns:

the result of the evaluation

validateID

protected org.opensaml.saml.common.assertion.ValidationResult validateID(org.opensaml.saml.saml2.core.Response response,
 org.opensaml.saml.common.assertion.ValidationContext context)

Validates that the Response object has an ID attribute.

Parameters:

response - the response

context - the validation context

Returns:

a validation result

validateVersion

protected org.opensaml.saml.common.assertion.ValidationResult validateVersion(org.opensaml.saml.saml2.core.Response response,
 org.opensaml.saml.common.assertion.ValidationContext context)

Validates that the Response object has a valid Version attribute.

Parameters:

response - the response

context - the validation context

Returns:

a validation result

validateStatus

protected org.opensaml.saml.common.assertion.ValidationResult validateStatus(org.opensaml.saml.saml2.core.Response response,
 org.opensaml.saml.common.assertion.ValidationContext context)

Validates that the Response object has a Status attribute.

Parameters:

response - the response

context - the validation context

Returns:

a validation result

validateIssueInstant

protected org.opensaml.saml.common.assertion.ValidationResult validateIssueInstant(org.opensaml.saml.saml2.core.Response response,
 org.opensaml.saml.common.assertion.ValidationContext context)

Validates that the Response object has a IssueInstant attribute and that it is not too old given the CoreValidatorParameters.MAX_AGE_MESSAGE and CoreValidatorParameters.RECEIVE_INSTANT context parameters.

Parameters:

response - the response

context - the validation context

Returns:

a validation result

validateInResponseTo

protected org.opensaml.saml.common.assertion.ValidationResult validateInResponseTo(org.opensaml.saml.saml2.core.Response response,
 org.opensaml.saml.common.assertion.ValidationContext context)

Ensures that the InResponseTo attribute is present and that it matches the ID of the AuthnRequest. The ID is found in the context parameter under the key CoreValidatorParameters.AUTHN_REQUEST_ID or from the object stored under CoreValidatorParameters.AUTHN_REQUEST.

Parameters:

response - the response

context - the validation context

Returns:

a validation result

validateDestination

protected org.opensaml.saml.common.assertion.ValidationResult validateDestination(org.opensaml.saml.saml2.core.Response response,
 org.opensaml.saml.common.assertion.ValidationContext context)

Ensures that the Destination attribute is present and matches the URL on which we received the message. This value is found in the context under the CoreValidatorParameters.RECEIVE_URL key.

Parameters:

response - the response

context - the validation context

Returns:

a validation result

validateConsent

protected org.opensaml.saml.common.assertion.ValidationResult validateConsent(org.opensaml.saml.saml2.core.Response response,
 org.opensaml.saml.common.assertion.ValidationContext context)

Validates the Consent attribute. The default implementation returns ValidationResult.VALID since the attribute is optional according to the SAML 2.0 Core specifications.

Parameters:

response - the response

context - the validation context

Returns:

a validation result

validateIssuer

protected org.opensaml.saml.common.assertion.ValidationResult validateIssuer(org.opensaml.saml.saml2.core.Response response,
 org.opensaml.saml.common.assertion.ValidationContext context)

Ensures that the Issuer element is present and matches the expected issuer (if set in the context under the CoreValidatorParameters.EXPECTED_ISSUER key).

Parameters:

response - the response

context - the validation context

Returns:

a validation result

validateAssertions

protected org.opensaml.saml.common.assertion.ValidationResult validateAssertions(org.opensaml.saml.saml2.core.Response response,
 org.opensaml.saml.common.assertion.ValidationContext context)

Validates the Assertion and/or EncryptedAssertion element. The default implementation checks:

• If status is success - At least of assertion (or encrypted assertion) is present.
• Else - No assertions are present.

Parameters:

response - the response

context - the validation context

Returns:

a validation result

validateExtensions

protected org.opensaml.saml.common.assertion.ValidationResult validateExtensions(org.opensaml.saml.saml2.core.Response response,
 org.opensaml.saml.common.assertion.ValidationContext context)

Validates the Extensions element. The default implementation returns ValidationResult.VALID since the element is optional according to the SAML 2.0 Core specifications.

Parameters:

response - the response

context - the validation context

Returns:

a validation result

getIssuer

protected String getIssuer(org.opensaml.saml.saml2.core.Response signableObject)

Returns the issuer of the signable object.

Specified by:

getIssuer in class AbstractSignableObjectValidator<org.opensaml.saml.saml2.core.Response>

Parameters:

signableObject - the object being verified

Returns:

the issuer

getID

protected String getID(org.opensaml.saml.saml2.core.Response signableObject)

Returns the ID of the signable object.

Specified by:

getID in class AbstractSignableObjectValidator<org.opensaml.saml.saml2.core.Response>

Parameters:

signableObject - the object being verified

Returns:

the ID

getObjectName

protected String getObjectName()

Returns the name of the object being validated, e.g. "Assertion". Used for logging.

Specified by:

getObjectName in class AbstractSignableObjectValidator<org.opensaml.saml.saml2.core.Response>

Returns:

the object name