Class SAML20AssertionValidator
- java.lang.Object
-
- org.opensaml.saml.saml2.assertion.SAML20AssertionValidator
-
public class SAML20AssertionValidator extends Object
A component capable of performing core validation of SAML version 2.0Assertioninstances.Supports the following
ValidationContextstatic parameters:-
SAML2AssertionValidationParameters.VALID_ISSUERS: Optional. -
SAML2AssertionValidationParameters.SIGNATURE_REQUIRED: Optional. If not supplied, defaults to 'true'. If an Assertion is signed, the signature is always evaluated and the result factored into the overall validation result, regardless of the value of this setting. -
SAML2AssertionValidationParameters.SIGNATURE_VALIDATION_CRITERIA_SET: Optional. If not supplied, a minimal criteria set will be constructed which contains anEntityIdCriterioncontaining the Assertion Issuer entityID, and aUsageCriterionofUsageType.SIGNING. If it is supplied, but either of those criteria are absent from the criteria set, they will be added with the above values. -
SAML2AssertionValidationParameters.SIGNATURE_VALIDATION_TRUST_ENGINE: Optional. If not supplied, defaults to the locally-injected instance. -
SAML2AssertionValidationParameters.SIGNATURE_VALIDATION_PREVALIDATOR: Optional. If not supplied, defaults to the locally-injected instance. -
SAML2AssertionValidationParameters.CLOCK_SKEW: Optional. If not present the default clock skew ofDEFAULT_CLOCK_SKEWwill be used. -
SAML2AssertionValidationParameters.LIFETIME: Optional. If not present the default lifetime ofDEFAULT_LIFETIMEwill be used. -
SAML2AssertionValidationParameters.COND_REQUIRED_CONDITIONS: Optional.
Supports the following
ValidationContextdynamic parameters:-
SAML2AssertionValidationParameters.CONFIRMED_SUBJECT_CONFIRMATION: Optional. Will be present after validation iff subject confirmation was successfully performed.
-
-
-
Field Summary
Fields Modifier and Type Field Description private AssertionValidatorassertionValidatorGeneric validator.private LazyMap<QName,ConditionValidator>conditionValidatorsRegisteredConditionvalidators.static DurationDEFAULT_CLOCK_SKEWDefault clock skew of 5 minutes.static DurationDEFAULT_LIFETIMEDefault lifetime for IssueInstant of 5 minutes.private org.slf4j.LoggerlogClass logger.private SignaturePrevalidatorsignaturePrevalidatorSAML signature profile validator.private LazyMap<QName,StatementValidator>statementValidatorsRegisteredStatementvalidators.private LazyMap<String,SubjectConfirmationValidator>subjectConfirmationValidatorsRegisteredSubjectConfirmationvalidators.private SignatureTrustEnginetrustEngineTrust engine for signature evaluation.
-
Constructor Summary
Constructors Constructor Description SAML20AssertionValidator(Collection<ConditionValidator> newConditionValidators, Collection<SubjectConfirmationValidator> newConfirmationValidators, Collection<StatementValidator> newStatementValidators, AssertionValidator newAssertionValidator, SignatureTrustEngine newTrustEngine, SignaturePrevalidator newSignaturePrevalidator)Constructor.SAML20AssertionValidator(Collection<ConditionValidator> newConditionValidators, Collection<SubjectConfirmationValidator> newConfirmationValidators, Collection<StatementValidator> newStatementValidators, SignatureTrustEngine newTrustEngine, SignaturePrevalidator newSignaturePrevalidator)Deprecated.
-
Method Summary
All Methods Static Methods Instance Methods Concrete Methods Modifier and Type Method Description static DurationgetClockSkew(ValidationContext context)Gets the clock skew from theValidationContext.getStaticParameters()parameters.private static DurationgetDurationParam(ValidationContext context, String paramName, Duration defaultDuration)Gets the clock skew from theValidationContext.getStaticParameters()parameters.static DurationgetLifetime(ValidationContext context)Gets the lifetime duration from theValidationContext.getStaticParameters()parameters.protected CriteriaSetgetSignatureValidationCriteriaSet(Assertion token, ValidationContext context)Get the criteria set that will be used in evaluating the Assertion signature via the supplied trust engine.protected SignaturePrevalidatorgetSignatureValidationPrevalidator(Assertion token, ValidationContext context)Get the signature trust engine that will be used in evaluating the Assertion signature.protected SignatureTrustEnginegetSignatureValidationTrustEngine(Assertion token, ValidationContext context)Get the signature trust engine that will be used in evaluating the Assertion signature.protected voidlog(Assertion assertion, ValidationContext context)Log the Assertion which is being validated, along with the supplied validation context parameters.protected ValidationResultperformSignatureValidation(Assertion token, ValidationContext context)Handle the actual signature validation.ValidationResultvalidate(Assertion assertion, ValidationContext context)Validate the supplied SAML 2Assertion, using the parameters from the suppliedValidationContext.protected ValidationResultvalidateBasicData(Assertion assertion, ValidationContext context)Validate basic Assertion data, such as version, issuer and issue instant.protected ValidationResultvalidateConditions(Assertion assertion, ValidationContext context)Validates the conditions on the assertion.protected ValidationResultvalidateConditionsTimeBounds(Assertion assertion, ValidationContext context)Validates the NotBefore and NotOnOrAfter Conditions constraints on the assertion.protected ValidationResultvalidateIssueInstant(Assertion assertion, ValidationContext context)Validates the Assertion IssueInstant.protected ValidationResultvalidateIssuer(Assertion assertion, ValidationContext context)Validates the AssertionIssuer.protected ValidationResultvalidateRequiredConditions(Assertion assertion, ValidationContext context)Validate that all conditions indicated to be required are present in the assertion.protected ValidationResultvalidateSignature(Assertion token, ValidationContext context)Validates the signature of the assertion, if it is signed.protected ValidationResultvalidateStatements(Assertion assertion, ValidationContext context)Validates the statements within the assertion.protected ValidationResultvalidateSubjectConfirmation(Assertion assertion, ValidationContext context)Validates the subject confirmations of the assertion.protected ValidationResultvalidateVersion(Assertion assertion, ValidationContext context)Validates that the assertion is aSAMLVersion.VERSION_20assertion.
-
-
-
Field Detail
-
DEFAULT_CLOCK_SKEW
@Nonnull public static final Duration DEFAULT_CLOCK_SKEW
Default clock skew of 5 minutes.
-
DEFAULT_LIFETIME
@Nonnull public static final Duration DEFAULT_LIFETIME
Default lifetime for IssueInstant of 5 minutes.
-
log
@Nonnull private final org.slf4j.Logger log
Class logger.
-
conditionValidators
@Nonnull @NonnullElements private LazyMap<QName,ConditionValidator> conditionValidators
RegisteredConditionvalidators.
-
subjectConfirmationValidators
@Nonnull @NonnullElements private LazyMap<String,SubjectConfirmationValidator> subjectConfirmationValidators
RegisteredSubjectConfirmationvalidators.
-
statementValidators
@Nonnull @NonnullElements private LazyMap<QName,StatementValidator> statementValidators
RegisteredStatementvalidators.
-
assertionValidator
@Nullable private AssertionValidator assertionValidator
Generic validator.
-
trustEngine
@Nullable private SignatureTrustEngine trustEngine
Trust engine for signature evaluation.
-
signaturePrevalidator
@Nullable private SignaturePrevalidator signaturePrevalidator
SAML signature profile validator.
-
-
Constructor Detail
-
SAML20AssertionValidator
public SAML20AssertionValidator(@Nullable Collection<ConditionValidator> newConditionValidators, @Nullable Collection<SubjectConfirmationValidator> newConfirmationValidators, @Nullable Collection<StatementValidator> newStatementValidators, @Nullable AssertionValidator newAssertionValidator, @Nullable SignatureTrustEngine newTrustEngine, @Nullable SignaturePrevalidator newSignaturePrevalidator)Constructor.- Parameters:
newConditionValidators- validators used to validate theConditions within the assertionnewConfirmationValidators- validators used to validateSubjectConfirmationmethods within the assertionnewStatementValidators- validators used to validateStatements within the assertionnewAssertionValidator- generic validator extension pointnewTrustEngine- the trust used to validate the Assertion signaturenewSignaturePrevalidator- the signature pre-validator used to pre-validate the Assertion signature- Since:
- 4.1.0
-
SAML20AssertionValidator
@Deprecated public SAML20AssertionValidator(@Nullable Collection<ConditionValidator> newConditionValidators, @Nullable Collection<SubjectConfirmationValidator> newConfirmationValidators, @Nullable Collection<StatementValidator> newStatementValidators, @Nullable SignatureTrustEngine newTrustEngine, @Nullable SignaturePrevalidator newSignaturePrevalidator)
Deprecated.Constructor.- Parameters:
newConditionValidators- validators used to validate theConditions within the assertionnewConfirmationValidators- validators used to validateSubjectConfirmationmethods within the assertionnewStatementValidators- validators used to validateStatements within the assertionnewTrustEngine- the trust used to validate the Assertion signaturenewSignaturePrevalidator- the signature pre-validator used to pre-validate the Assertion signature
-
-
Method Detail
-
getLifetime
@Nonnull public static Duration getLifetime(@Nonnull ValidationContext context)
Gets the lifetime duration from theValidationContext.getStaticParameters()parameters. If the parameter is not set or is not a non-zeroDurationthen theDEFAULT_LIFETIMEis used.- Parameters:
context- current validation context- Returns:
- the lifetime duration
-
getClockSkew
@Nonnull public static Duration getClockSkew(@Nonnull ValidationContext context)
Gets the clock skew from theValidationContext.getStaticParameters()parameters. If the parameter is not set or is not a non-zeroDurationthen theDEFAULT_CLOCK_SKEWis used.- Parameters:
context- current validation context- Returns:
- the clock skew
-
getDurationParam
private static Duration getDurationParam(@Nonnull ValidationContext context, @Nonnull String paramName, @Nonnull Duration defaultDuration)
Gets the clock skew from theValidationContext.getStaticParameters()parameters. If the parameter is not set or is not a non-zeroDurationthen theDEFAULT_CLOCK_SKEWis used.- Parameters:
context- current validation contextparamName- name of the duration parameter to processdefaultDuration- the default duration to use if not parameter not present in context- Returns:
- the clock skew
-
validate
@Nonnull public ValidationResult validate(@Nonnull Assertion assertion, @Nonnull ValidationContext context) throws AssertionValidationException
Validate the supplied SAML 2Assertion, using the parameters from the suppliedValidationContext.- Parameters:
assertion- the assertion being evaluatedcontext- the current validation context- Returns:
- the validation result
- Throws:
AssertionValidationException- if there is a fatal error evaluating the validity of the assertion
-
log
protected void log(@Nonnull Assertion assertion, @Nonnull ValidationContext context)Log the Assertion which is being validated, along with the supplied validation context parameters.- Parameters:
assertion- the SAML 2 Assertion being validatedcontext- current validation context
-
validateBasicData
@Nonnull protected ValidationResult validateBasicData(@Nonnull Assertion assertion, @Nonnull ValidationContext context) throws AssertionValidationException
Validate basic Assertion data, such as version, issuer and issue instant.- Parameters:
assertion- the assertion being evaluatedcontext- the current validation context- Returns:
- the validation result
- Throws:
AssertionValidationException- if there is a fatal error evaluating the validity of the assertion
-
validateVersion
@Nonnull protected ValidationResult validateVersion(@Nonnull Assertion assertion, @Nonnull ValidationContext context) throws AssertionValidationException
Validates that the assertion is aSAMLVersion.VERSION_20assertion.- Parameters:
assertion- the assertion to validatecontext- current validation context- Returns:
- result of the validation evaluation
- Throws:
AssertionValidationException- thrown if there is a problem validating the version
-
validateIssueInstant
protected ValidationResult validateIssueInstant(@Nonnull Assertion assertion, @Nonnull ValidationContext context) throws AssertionValidationException
Validates the Assertion IssueInstant.- Parameters:
assertion- the assertion to validatecontext- current validation context- Returns:
- the result of the validation evaluation
- Throws:
AssertionValidationException- if there is a problem validating the IssueInstant
-
validateIssuer
protected ValidationResult validateIssuer(@Nonnull Assertion assertion, @Nonnull ValidationContext context) throws AssertionValidationException
Validates the AssertionIssuer.- Parameters:
assertion- the assertion to validatecontext- current validation context- Returns:
- the result of the validation evaluation
- Throws:
AssertionValidationException- if there is a problem validating the Issuer
-
validateSignature
@Nonnull protected ValidationResult validateSignature(@Nonnull Assertion token, @Nonnull ValidationContext context) throws AssertionValidationException
Validates the signature of the assertion, if it is signed.- Parameters:
token- assertion whose signature will be validatedcontext- current validation context- Returns:
- the result of the signature validation
- Throws:
AssertionValidationException- thrown if there is a problem determining the validity of the signature
-
performSignatureValidation
@Nonnull protected ValidationResult performSignatureValidation(@Nonnull Assertion token, @Nonnull ValidationContext context) throws AssertionValidationException
Handle the actual signature validation.- Parameters:
token- assertion whose signature will be validatedcontext- current validation context- Returns:
- the validation result
- Throws:
AssertionValidationException- thrown if there is a problem determining the validity of the signature
-
getSignatureValidationTrustEngine
@Nonnull protected SignatureTrustEngine getSignatureValidationTrustEngine(@Nonnull Assertion token, @Nonnull ValidationContext context)
Get the signature trust engine that will be used in evaluating the Assertion signature.- Parameters:
token- assertion whose signature will be validatedcontext- current validation context- Returns:
- the criteria set to use
-
getSignatureValidationPrevalidator
@Nonnull protected SignaturePrevalidator getSignatureValidationPrevalidator(@Nonnull Assertion token, @Nonnull ValidationContext context)
Get the signature trust engine that will be used in evaluating the Assertion signature.- Parameters:
token- assertion whose signature will be validatedcontext- current validation context- Returns:
- the criteria set to use
-
getSignatureValidationCriteriaSet
@Nonnull protected CriteriaSet getSignatureValidationCriteriaSet(@Nonnull Assertion token, @Nonnull ValidationContext context)
Get the criteria set that will be used in evaluating the Assertion signature via the supplied trust engine.- Parameters:
token- assertion whose signature will be validatedcontext- current validation context- Returns:
- the criteria set to use
-
validateConditions
@Nonnull protected ValidationResult validateConditions(@Nonnull Assertion assertion, @Nonnull ValidationContext context) throws AssertionValidationException
Validates the conditions on the assertion. Condition validators are looked up by the element QName and, if present, the schema type of the condition. If no validator can be found for the Condition the validation process fails.- Parameters:
assertion- the assertion whose conditions will be validatedcontext- current validation context- Returns:
- the result of the validation evaluation
- Throws:
AssertionValidationException- thrown if there is a problem determining the validity of the conditions
-
validateRequiredConditions
protected ValidationResult validateRequiredConditions(@Nonnull Assertion assertion, @Nonnull ValidationContext context)
Validate that all conditions indicated to be required are present in the assertion.- Parameters:
assertion- the assertion whose conditions will be evaluatedcontext- current validation context- Returns:
- the result of the validation evaluation
-
validateConditionsTimeBounds
@Nonnull protected ValidationResult validateConditionsTimeBounds(@Nonnull Assertion assertion, @Nonnull ValidationContext context) throws AssertionValidationException
Validates the NotBefore and NotOnOrAfter Conditions constraints on the assertion.- Parameters:
assertion- the assertion whose conditions will be validatedcontext- current validation context- Returns:
- the result of the validation evaluation
- Throws:
AssertionValidationException- thrown if there is a problem determining the validity of the conditions
-
validateSubjectConfirmation
@Nonnull protected ValidationResult validateSubjectConfirmation(@Nonnull Assertion assertion, @Nonnull ValidationContext context) throws AssertionValidationException
Validates the subject confirmations of the assertion. Validators are looked up by the subject confirmation method. If any one subject confirmation is met the subject is considered confirmed per the SAML specification.- Parameters:
assertion- assertion whose subject is being confirmedcontext- current validation context- Returns:
- the result of the validation
- Throws:
AssertionValidationException- thrown if there is a problem determining the validity the subject
-
validateStatements
@Nonnull protected ValidationResult validateStatements(@Nonnull Assertion assertion, @Nonnull ValidationContext context) throws AssertionValidationException
Validates the statements within the assertion. Validators are looked up by the Statement's element QName or, if present, its schema type. Any statement for which a validator can not be found is simply ignored.- Parameters:
assertion- assertion whose statements are being validatedcontext- current validation context- Returns:
- result of the validation
- Throws:
AssertionValidationException- thrown if there is a problem determining the validity the statements
-
-