Class SwedishEidAssertionValidator
java.lang.Object
se.swedenconnect.opensaml.common.validation.AbstractObjectValidator<org.opensaml.saml.saml2.core.Assertion>
se.swedenconnect.opensaml.common.validation.AbstractSignableObjectValidator<org.opensaml.saml.saml2.core.Assertion>
se.swedenconnect.opensaml.saml2.assertion.validation.AssertionValidator
se.swedenconnect.opensaml.sweid.saml2.validation.SwedishEidAssertionValidator
- All Implemented Interfaces:
ObjectValidator<org.opensaml.saml.saml2.core.Assertion>
An assertion validator that makes checks based on what is required by the Swedish eID Framework.
Apart from the validation parameters documented for AssertionValidator, the following static parameters are
handled:
SAML2AssertionValidationParameters.SC_VALID_ADDRESSES: Optional. If the set ofInetAddressobjects are given, the Address-attribute found in the Subject confirmation will be compared against these.SAML2AssertionValidationParameters.SC_VALID_RECIPIENTS: Required. A set of valid recipient URL:s.SAML2AssertionValidationParameters.COND_VALID_AUDIENCES: Required. A set of valid audiences of the assertion.
- Author:
- Martin Lindström (martin@idsec.se)
-
Field Summary
Fields inherited from class se.swedenconnect.opensaml.saml2.assertion.validation.AssertionValidator
conditionValidators, HOK_PROFILE_ACTIVE, RESPONSE_ISSUE_INSTANT, subjectConfirmationValidatorsFields inherited from class se.swedenconnect.opensaml.common.validation.AbstractSignableObjectValidator
signaturePrevalidator, trustEngineFields inherited from class se.swedenconnect.opensaml.common.validation.AbstractObjectValidator
DEFAULT_MAX_AGE_RECEIVED_MESSAGE -
Constructor Summary
ConstructorsConstructorDescriptionSwedishEidAssertionValidator(org.opensaml.xmlsec.signature.support.SignatureTrustEngine trustEngine, org.opensaml.xmlsec.signature.support.SignaturePrevalidator signaturePrevalidator) Constructor setting up the validator with the following validators: confirmationValidators:BearerSubjectConfirmationValidator,HolderOfKeySubjectConfirmationValidatorconditionValidators:AudienceRestrictionConditionValidatorstatementValidators:SwedishEidAuthnStatementValidator,SwedishEidAttributeStatementValidator.SwedishEidAssertionValidator(org.opensaml.xmlsec.signature.support.SignatureTrustEngine trustEngine, org.opensaml.xmlsec.signature.support.SignaturePrevalidator signaturePrevalidator, Collection<org.opensaml.saml.saml2.assertion.SubjectConfirmationValidator> confirmationValidators, Collection<org.opensaml.saml.saml2.assertion.ConditionValidator> conditionValidators, Collection<org.opensaml.saml.saml2.assertion.StatementValidator> statementValidators) Constructor. -
Method Summary
Modifier and TypeMethodDescriptionprotected org.opensaml.saml.common.assertion.ValidationResultvalidateConditions(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context) Extends the base implementation with requirements from the Swedish eID Framework.protected org.opensaml.saml.common.assertion.ValidationResultvalidateStatements(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context) Overrides the default implementation with checks to ensure the theAuthnStatementandAttributeStatementelements are in place.protected org.opensaml.saml.common.assertion.ValidationResultvalidateSubject(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context) ASubjectelement in the Assertion is required by the Swedish eID Framework.Methods inherited from class se.swedenconnect.opensaml.saml2.assertion.validation.AssertionValidator
getID, getIssuer, getObjectName, getResponseIssueInstant, validate, validateConditionsTimeBounds, validateHolderOfKeyRequirement, validateID, validateIssueInstant, validateIssuer, validateSubjectConfirmations, validateVersionMethods inherited from class se.swedenconnect.opensaml.common.validation.AbstractSignableObjectValidator
getSignatureValidationCriteriaSet, performSignatureValidation, validateSignatureMethods inherited from class se.swedenconnect.opensaml.common.validation.AbstractObjectValidator
getAllowedClockSkew, getMaxAgeReceivedMessage, getReceiveInstant, isStrictValidation
-
Constructor Details
-
SwedishEidAssertionValidator
public SwedishEidAssertionValidator(org.opensaml.xmlsec.signature.support.SignatureTrustEngine trustEngine, org.opensaml.xmlsec.signature.support.SignaturePrevalidator signaturePrevalidator) Constructor setting up the validator with the following validators:- confirmationValidators:
BearerSubjectConfirmationValidator,HolderOfKeySubjectConfirmationValidator - conditionValidators:
AudienceRestrictionConditionValidator - statementValidators:
SwedishEidAuthnStatementValidator,SwedishEidAttributeStatementValidator.
- Parameters:
trustEngine- the trust used to validate the object's signaturesignaturePrevalidator- the signature pre-validator used to pre-validate the object's signature
- confirmationValidators:
-
SwedishEidAssertionValidator
public SwedishEidAssertionValidator(org.opensaml.xmlsec.signature.support.SignatureTrustEngine trustEngine, org.opensaml.xmlsec.signature.support.SignaturePrevalidator signaturePrevalidator, Collection<org.opensaml.saml.saml2.assertion.SubjectConfirmationValidator> confirmationValidators, Collection<org.opensaml.saml.saml2.assertion.ConditionValidator> conditionValidators, Collection<org.opensaml.saml.saml2.assertion.StatementValidator> statementValidators) Constructor.- Parameters:
trustEngine- the trust used to validate the object's signaturesignaturePrevalidator- the signature pre-validator used to pre-validate the object's signatureconfirmationValidators- validators used to validate SubjectConfirmation methods within the assertionconditionValidators- validators used to validate the Condition elements within the assertionstatementValidators- validators used to validate Statements within the assertion
-
-
Method Details
-
validateSubject
protected org.opensaml.saml.common.assertion.ValidationResult validateSubject(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context) ASubjectelement in the Assertion is required by the Swedish eID Framework. We assert that and that it holds a NameID value of the correct format. We also check that there is aSubjectConfirmationelement for the bearer method. After that, the base implementation may execute.- Overrides:
validateSubjectin classAssertionValidator
-
validateConditions
protected org.opensaml.saml.common.assertion.ValidationResult validateConditions(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context) Extends the base implementation with requirements from the Swedish eID Framework.- Overrides:
validateConditionsin classAssertionValidator
-
validateStatements
protected org.opensaml.saml.common.assertion.ValidationResult validateStatements(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context) Overrides the default implementation with checks to ensure the theAuthnStatementandAttributeStatementelements are in place.- Overrides:
validateStatementsin classAssertionValidator
-