Class SwedishEidAssertionValidator
java.lang.Object
se.swedenconnect.opensaml.common.validation.AbstractObjectValidator<Assertion>
se.swedenconnect.opensaml.common.validation.AbstractSignableObjectValidator<Assertion>
se.swedenconnect.opensaml.saml2.assertion.validation.AssertionValidator
se.swedenconnect.opensaml.sweid.saml2.validation.SwedishEidAssertionValidator
- All Implemented Interfaces:
ObjectValidator<Assertion>
An assertion validator that makes checks based on what is required by the Swedish eID Framework.
Apart from the validation parameters documented for AssertionValidator, the following static parameters are
handled:
- SAML2AssertionValidationParameters.SC_VALID_ADDRESSES: Optional. If the set of InetAddress objects is given, the Address attribute found in the SubjectConfirmation will be compared against these.
- SAML2AssertionValidationParameters.SC_VALID_RECIPIENTS: Required. A set of valid recipient URLs.
- SAML2AssertionValidationParameters.COND_VALID_AUDIENCES: Required. A set of valid audiences of the assertion.
- Author:
- Martin Lindström (martin@idsec.se)
Field Summary
Fields inherited from class se.swedenconnect.opensaml.saml2.assertion.validation.AssertionValidator
conditionValidators, HOK_PROFILE_ACTIVE, RESPONSE_ISSUE_INSTANT, subjectConfirmationValidators
Fields inherited from class se.swedenconnect.opensaml.common.validation.AbstractSignableObjectValidator
signaturePrevalidator, trustEngine
Fields inherited from class se.swedenconnect.opensaml.common.validation.AbstractObjectValidator
DEFAULT_MAX_AGE_RECEIVED_MESSAGE
Constructor Summary
Constructors
- SwedishEidAssertionValidator(SignatureTrustEngine trustEngine, SignaturePrevalidator signaturePrevalidator)
  Constructor setting up the validator with the following validators:
  - confirmationValidators: BearerSubjectConfirmationValidator, HolderOfKeySubjectConfirmationValidator
  - conditionValidators: AudienceRestrictionConditionValidator
  - statementValidators: SwedishEidAuthnStatementValidator, SwedishEidAttributeStatementValidator
- SwedishEidAssertionValidator(SignatureTrustEngine trustEngine, SignaturePrevalidator signaturePrevalidator, Collection<SubjectConfirmationValidator> confirmationValidators, Collection<ConditionValidator> conditionValidators, Collection<StatementValidator> statementValidators)
  Constructor.
Method Summary
Methods (modifier and type, method, description)
- protected ValidationResult validateConditions(Assertion assertion, ValidationContext context)
  Extends the base implementation with requirements from the Swedish eID Framework.
- protected ValidationResult validateStatements(Assertion assertion, ValidationContext context)
  Overrides the default implementation with checks to ensure the AuthnStatement and AttributeStatement elements are in place.
- protected ValidationResult validateSubject(Assertion assertion, ValidationContext context)
  A Subject element in the Assertion is required by the Swedish eID Framework.
Methods inherited from class se.swedenconnect.opensaml.saml2.assertion.validation.AssertionValidator
getID, getIssuer, getObjectName, getResponseIssueInstant, validate, validateConditionsTimeBounds, validateHolderOfKeyRequirement, validateID, validateIssueInstant, validateIssuer, validateSubjectConfirmations, validateVersion
Methods inherited from class se.swedenconnect.opensaml.common.validation.AbstractSignableObjectValidator
getSignatureValidationCriteriaSet, performSignatureValidation, validateSignature
Methods inherited from class se.swedenconnect.opensaml.common.validation.AbstractObjectValidator
getAllowedClockSkew, getMaxAgeReceivedMessage, getReceiveInstant, isStrictValidation
Constructor Details
SwedishEidAssertionValidator
public SwedishEidAssertionValidator(SignatureTrustEngine trustEngine, SignaturePrevalidator signaturePrevalidator)
Constructor setting up the validator with the following validators:
- confirmationValidators: BearerSubjectConfirmationValidator, HolderOfKeySubjectConfirmationValidator
- conditionValidators: AudienceRestrictionConditionValidator
- statementValidators: SwedishEidAuthnStatementValidator, SwedishEidAttributeStatementValidator
- Parameters:
  - trustEngine - the trust engine used to validate the object's signature
  - signaturePrevalidator - the signature pre-validator used to pre-validate the object's signature
SwedishEidAssertionValidator
public SwedishEidAssertionValidator(SignatureTrustEngine trustEngine, SignaturePrevalidator signaturePrevalidator, Collection<SubjectConfirmationValidator> confirmationValidators, Collection<ConditionValidator> conditionValidators, Collection<StatementValidator> statementValidators)
Constructor.
- Parameters:
  - trustEngine - the trust engine used to validate the object's signature
  - signaturePrevalidator - the signature pre-validator used to pre-validate the object's signature
  - confirmationValidators - validators used to validate SubjectConfirmation methods within the assertion
  - conditionValidators - validators used to validate the Condition elements within the assertion
  - statementValidators - validators used to validate Statements within the assertion
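The following is an added usage example, not code from the opensaml-swedish-eid library or its documentation. It shows how a Service Provider would wire up the two-argument constructor above and supply the three static validation parameters listed in the class description (SC_VALID_RECIPIENTS, COND_VALID_AUDIENCES and the optional SC_VALID_ADDRESSES) through an OpenSAML ValidationContext. The entityID and AssertionConsumerService URL are placeholder values, the class name SwedishEidAssertionCheck is made up for the example, and the SignatureTrustEngine and SignaturePrevalidator are assumed to be built elsewhere (for instance from the IdP's metadata).

```java
import java.net.InetAddress;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import org.opensaml.saml.common.assertion.ValidationContext;
import org.opensaml.saml.common.assertion.ValidationResult;
import org.opensaml.saml.saml2.assertion.SAML2AssertionValidationParameters;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.xmlsec.signature.support.SignaturePrevalidator;
import org.opensaml.xmlsec.signature.support.SignatureTrustEngine;

import se.swedenconnect.opensaml.sweid.saml2.validation.SwedishEidAssertionValidator;

/**
 * Added example (not part of the library): wires up a SwedishEidAssertionValidator with the
 * static parameters its documentation lists and runs a received assertion through it.
 */
public final class SwedishEidAssertionCheck {

  // The SP's own SAML entityID and the AssertionConsumerService URL the assertion is
  // received on. Both are placeholder values constructed for this example.
  private static final String SP_ENTITY_ID = "https://sp.example.com/saml";
  private static final String ACS_URL = "https://sp.example.com/saml/acs";

  private final SwedishEidAssertionValidator validator;

  /**
   * Assumption: the trust engine (holding the IdP's signing credentials) and the
   * signature pre-validator are created by the caller and handed in ready to use.
   */
  public SwedishEidAssertionCheck(SignatureTrustEngine trustEngine, SignaturePrevalidator prevalidator) {
    // Two-argument constructor: installs the bearer and holder-of-key subject confirmation
    // validators, the audience restriction validator and the Swedish eID statement validators.
    this.validator = new SwedishEidAssertionValidator(trustEngine, prevalidator);
  }

  /**
   * Builds the static parameters handled by this validator. clientAddress may be null, in
   * which case the optional SC_VALID_ADDRESSES is left unset and the Address attribute of
   * the SubjectConfirmation is not compared.
   */
  static ValidationContext buildContext(InetAddress clientAddress) {
    Map<String, Object> params = new HashMap<>();
    // Required: the URLs the assertion may be delivered to (SubjectConfirmationData Recipient).
    params.put(SAML2AssertionValidationParameters.SC_VALID_RECIPIENTS, Set.of(ACS_URL));
    // Required: the audiences the assertion may be issued to (AudienceRestriction/Audience).
    params.put(SAML2AssertionValidationParameters.COND_VALID_AUDIENCES, Set.of(SP_ENTITY_ID));
    // Optional: tie the confirmation to the address the SAML response arrived from.
    if (clientAddress != null) {
      params.put(SAML2AssertionValidationParameters.SC_VALID_ADDRESSES, Set.of(clientAddress));
    }
    return new ValidationContext(params);
  }

  /**
   * Returns true only when every check passes (signature, subject, conditions, statements).
   * Any result other than VALID, including INDETERMINATE, is treated as a rejected assertion;
   * the validator records the failure reason in the ValidationContext for logging.
   */
  public boolean accepts(Assertion assertion, InetAddress clientAddress) {
    ValidationContext context = buildContext(clientAddress);
    ValidationResult result = this.validator.validate(assertion, context);
    return result == ValidationResult.VALID;
  }
}
```

The recipient and audience sets are deliberately narrow: listing only the URL the response was actually posted to and only this SP's entityID is what stops an assertion issued for another relying party from being accepted here.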
Method Details
validateSubject
protected ValidationResult validateSubject(Assertion assertion, ValidationContext context)
A Subject element in the Assertion is required by the Swedish eID Framework. We assert that it is present and that it holds a NameID value of the correct format. We also check that there is a SubjectConfirmation element for the bearer method. After that, the base implementation may execute.
- Overrides:
  validateSubject in class AssertionValidator
validateConditions
protected ValidationResult validateConditions(Assertion assertion, ValidationContext context)
Extends the base implementation with requirements from the Swedish eID Framework.
- Overrides:
  validateConditions in class AssertionValidator
validateStatements
protected ValidationResult validateStatements(Assertion assertion, ValidationContext context)
Overrides the default implementation with checks to ensure the AuthnStatement and AttributeStatement elements are in place.
- Overrides:
  validateStatements in class AssertionValidator