Package org.opensaml.saml.saml2.assertion.impl

Class OneTimeUseConditionValidator

java.lang.Object

org.opensaml.saml.saml2.assertion.impl.OneTimeUseConditionValidator

All Implemented Interfaces:

org.opensaml.saml.saml2.assertion.ConditionValidator

@ThreadSafe
public class OneTimeUseConditionValidator
extends Object
implements org.opensaml.saml.saml2.assertion.ConditionValidator

ConditionValidator used for OneTimeUse conditions.

Supports the following ValidationContext static parameters:

• SAML2AssertionValidationParameters.COND_ONE_TIME_USE_EXPIRES: Optional. If not supplied, defaults to the validator-wide value supplied at construction, or the default value, as retrieved via getReplayCacheExpires().

Supports the following ValidationContext dynamic parameters:

• None.

Field Summary

Fields

Modifier and Type	Field	Description
static String	CACHE_CONTEXT	Cache context name.
private Logger	log	Logger.
private org.opensaml.storage.ReplayCache	replayCache	Replay cache used to track which assertions have been used.
private Duration	replayCacheExpires	Time for disposal of value from cache.

Constructor Summary

Constructors

Constructor	Description
OneTimeUseConditionValidator(org.opensaml.storage.ReplayCache replay, Duration expires)	Constructor.

Method Summary

Modifier and Type	Method	Description
protected String	getCacheValue(org.opensaml.saml.saml2.core.Assertion assertion)	Get the string value which will be tracked in the cache for purposes of one-time use detection.
protected Instant	getExpires(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context)	Get the one-time use expiration time for the assertion being evaluated.
protected Duration	getReplayCacheExpires()	Get the configured validator cache expiration interval.
QName	getServicedCondition()
org.opensaml.saml.common.assertion.ValidationResult	validate(org.opensaml.saml.saml2.core.Condition condition, org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

CACHE_CONTEXT

@Nonnull
@NotEmpty
public static final String CACHE_CONTEXT

Cache context name.

log

@Nonnull
private Logger log

Logger.

replayCache

@Nonnull
private final org.opensaml.storage.ReplayCache replayCache

Replay cache used to track which assertions have been used.

replayCacheExpires

@Nonnull
private Duration replayCacheExpires

Time for disposal of value from cache.

Constructor Detail

OneTimeUseConditionValidator

public OneTimeUseConditionValidator(@Nonnull
                                    org.opensaml.storage.ReplayCache replay,
                                    @Nullable
                                    Duration expires)

Constructor.

Parameters:

replay - reply cache used to track which assertions have been used

expires - time for disposal of tracked assertion from the replay cache. May be null, then defaults to 8 hours

Method Detail

getServicedCondition

@Nonnull
public QName getServicedCondition()

Specified by:

getServicedCondition in interface org.opensaml.saml.saml2.assertion.ConditionValidator

validate

@Nonnull
public org.opensaml.saml.common.assertion.ValidationResult validate(@Nonnull
                                                                    org.opensaml.saml.saml2.core.Condition condition,
                                                                    @Nonnull
                                                                    org.opensaml.saml.saml2.core.Assertion assertion,
                                                                    @Nonnull
                                                                    org.opensaml.saml.common.assertion.ValidationContext context)
                                                             throws org.opensaml.saml.common.assertion.AssertionValidationException

Specified by:

validate in interface org.opensaml.saml.saml2.assertion.ConditionValidator

Throws:

org.opensaml.saml.common.assertion.AssertionValidationException

getReplayCacheExpires

@Nonnull
protected Duration getReplayCacheExpires()

Get the configured validator cache expiration interval.

Returns:

the configured cache expiration interval

getExpires

@Nonnull
protected Instant getExpires(org.opensaml.saml.saml2.core.Assertion assertion,
                             org.opensaml.saml.common.assertion.ValidationContext context)

Get the one-time use expiration time for the assertion being evaluated.

Defaults to Instant.now().plus(getReplayCacheExpires()).

A subclass might override this to base expiration on data from the assertion or the validation context.

Parameters:

assertion - the SAML 2 Assertion being evaluated

context - the current validation context

Returns:

the effective one-time use expiration for the assertion being evaluated

getCacheValue

@Nonnull
protected String getCacheValue(@Nonnull
                               org.opensaml.saml.saml2.core.Assertion assertion)
                        throws org.opensaml.saml.common.assertion.AssertionValidationException

Get the string value which will be tracked in the cache for purposes of one-time use detection.

Parameters:

assertion - the SAML 2 Assertion to evaluate

Returns:

the cache value

Throws:

org.opensaml.saml.common.assertion.AssertionValidationException - thrown if there is a problem calculating the cached value