Class DefaultAssertionValidationContextBuilder

    • Field Detail

      • log

        @Nullable
        private Logger log
        Logger.
      • signatureCriteriaSetFunction

        private Function<net.shibboleth.utilities.java.support.collection.Pair<org.opensaml.profile.context.ProfileRequestContext,​org.opensaml.saml.saml2.core.Assertion>,​net.shibboleth.utilities.java.support.resolver.CriteriaSet> signatureCriteriaSetFunction
A function for resolving the signature validation CriteriaSet for a particular Assertion.
      • signatureRequired

        private Predicate<org.opensaml.profile.context.ProfileRequestContext> signatureRequired
        Predicate for determining whether an Assertion signature is required.
      • checkAddress

        private Predicate<org.opensaml.profile.context.ProfileRequestContext> checkAddress
        Predicate for determining whether an Assertion's network address(es) should be checked.
      • maximumTimeSinceAuthn

        private Function<org.opensaml.profile.context.ProfileRequestContext,​Duration> maximumTimeSinceAuthn
        Function for determining the max allowed time since authentication.
      • includeSelfEntityIDAsRecipient

        private Predicate<org.opensaml.profile.context.ProfileRequestContext> includeSelfEntityIDAsRecipient
        Predicate for determining whether to include the self entityID as a valid Recipient.
      • additionalAudiences

        private Function<org.opensaml.profile.context.ProfileRequestContext,​Set<String>> additionalAudiences
        Function for determining additional valid audience values.
      • validIssuers

        private Function<org.opensaml.profile.context.ProfileRequestContext,​Set<String>> validIssuers
        Function for determining additional valid Issuer values.
      • inResponseTo

        private Function<org.opensaml.profile.context.ProfileRequestContext,​String> inResponseTo
        Function for determining the valid InResponseTo value.
      • inResponseToRequired

        private Predicate<org.opensaml.profile.context.ProfileRequestContext> inResponseToRequired
        Predicate for determining whether an Assertion SubjectConfirmationData InResponseTo is required.
      • recipientRequired

        private Predicate<org.opensaml.profile.context.ProfileRequestContext> recipientRequired
        Predicate for determining whether an Assertion SubjectConfirmationData Recipient is required.
      • notBeforeRequired

        private Predicate<org.opensaml.profile.context.ProfileRequestContext> notBeforeRequired
        Predicate for determining whether an Assertion SubjectConfirmationData NotBefore is required.
      • notOnOrAfterRequired

        private Predicate<org.opensaml.profile.context.ProfileRequestContext> notOnOrAfterRequired
        Predicate for determining whether an Assertion SubjectConfirmationData NotOnOrAfter is required.
      • addressRequired

        private Predicate<org.opensaml.profile.context.ProfileRequestContext> addressRequired
        Predicate for determining whether an Assertion SubjectConfirmationData Address is required.
      • requiredConditions

        private Set<QName> requiredConditions
        The set of required Conditions.
      • securityParametersLookupStrategy

        private Function<org.opensaml.profile.context.ProfileRequestContext,​org.opensaml.xmlsec.context.SecurityParametersContext> securityParametersLookupStrategy
        Resolver for security parameters context.
    • Constructor Detail

      • DefaultAssertionValidationContextBuilder

        public DefaultAssertionValidationContextBuilder()
        Constructor.
    • Method Detail

      • getSecurityParametersLookupStrategy

        @Nonnull
        public Function<org.opensaml.profile.context.ProfileRequestContext,​org.opensaml.xmlsec.context.SecurityParametersContext> getSecurityParametersLookupStrategy()
        Get the strategy by which to resolve a SecurityParametersContext.
        Returns:
        the lookup strategy
      • setSecurityParametersLookupStrategy

        public void setSecurityParametersLookupStrategy​(@Nonnull
                                                        Function<org.opensaml.profile.context.ProfileRequestContext,​org.opensaml.xmlsec.context.SecurityParametersContext> strategy)
        Set the strategy by which to resolve a SecurityParametersContext.
        Parameters:
        strategy - the strategy function
      • getRequiredConditions

        @Nonnull
        public Set<QName> getRequiredConditions()
        Get the set of required Conditions.
        Returns:
        the required conditions, may be null
      • setRequiredConditions

        public void setRequiredConditions​(@Nullable
                                          Set<QName> conditions)
        Set the set of required Conditions.
        Parameters:
        conditions - the required conditions
      • getIncludeSelfEntityIDAsRecipient

        public Predicate<org.opensaml.profile.context.ProfileRequestContext> getIncludeSelfEntityIDAsRecipient()
        Get the predicate which determines whether to include the self entityID as a valid Recipient.

Defaults to an always false predicate.

        Returns:
        the predicate
      • setIncludeSelfEntityIDAsRecipient

        public void setIncludeSelfEntityIDAsRecipient​(@Nonnull
                                                      Predicate<org.opensaml.profile.context.ProfileRequestContext> predicate)
        Set the predicate which determines whether to include the self entityID as a valid Recipient.

        Defaults to an always false predicate.

        Parameters:
        predicate - the predicate, must be non-null
      • getSignatureRequired

        public Predicate<org.opensaml.profile.context.ProfileRequestContext> getSignatureRequired()
        Get the predicate which determines whether an Assertion signature is required.

Defaults to an always true predicate.

        Returns:
        the predicate
      • setSignatureRequired

        public void setSignatureRequired​(@Nonnull
                                         Predicate<org.opensaml.profile.context.ProfileRequestContext> predicate)
        Set the predicate which determines whether an Assertion signature is required.

        Defaults to an always true predicate.

        Parameters:
        predicate - the predicate, must be non-null
      • setInResponseTo

        public void setInResponseTo​(@Nonnull
                                    Function<org.opensaml.profile.context.ProfileRequestContext,​String> function)
        Set the function for determining the valid InResponseTo.

        Defaults to null.

        Parameters:
        function - the function, may be null
      • getInResponseTo

        public Function<org.opensaml.profile.context.ProfileRequestContext,​String> getInResponseTo()
        Get the function for determining the valid InResponseTo.

        Defaults to null.

        Returns:
        the function
      • getInResponseToRequired

        public Predicate<org.opensaml.profile.context.ProfileRequestContext> getInResponseToRequired()
        Get the predicate which determines whether an Assertion SubjectConfirmationData InResponseTo is required.

Defaults to an always false predicate.

        Returns:
        the predicate
      • setInResponseToRequired

        public void setInResponseToRequired​(@Nonnull
                                            Predicate<org.opensaml.profile.context.ProfileRequestContext> predicate)
        Set the predicate which determines whether an Assertion SubjectConfirmationData InResponseTo is required.

        Defaults to an always false predicate.

        Parameters:
        predicate - the predicate, must be non-null
      • getRecipientRequired

        public Predicate<org.opensaml.profile.context.ProfileRequestContext> getRecipientRequired()
        Get the predicate which determines whether an Assertion SubjectConfirmationData Recipient is required.

Defaults to an always false predicate.

        Returns:
        the predicate
      • setRecipientRequired

        public void setRecipientRequired​(@Nonnull
                                         Predicate<org.opensaml.profile.context.ProfileRequestContext> predicate)
        Set the predicate which determines whether an Assertion SubjectConfirmationData Recipient is required.

        Defaults to an always false predicate.

        Parameters:
        predicate - the predicate, must be non-null
      • getNotBeforeRequired

        public Predicate<org.opensaml.profile.context.ProfileRequestContext> getNotBeforeRequired()
        Get the predicate which determines whether an Assertion SubjectConfirmationData NotBefore is required.

Defaults to an always false predicate.

        Returns:
        the predicate
      • setNotBeforeRequired

        public void setNotBeforeRequired​(@Nonnull
                                         Predicate<org.opensaml.profile.context.ProfileRequestContext> predicate)
        Set the predicate which determines whether an Assertion SubjectConfirmationData NotBefore is required.

        Defaults to an always false predicate.

        Parameters:
        predicate - the predicate, must be non-null
      • getNotOnOrAfterRequired

        public Predicate<org.opensaml.profile.context.ProfileRequestContext> getNotOnOrAfterRequired()
        Get the predicate which determines whether an Assertion SubjectConfirmationData NotOnOrAfter is required.

Defaults to an always false predicate.

        Returns:
        the predicate
      • setNotOnOrAfterRequired

        public void setNotOnOrAfterRequired​(@Nonnull
                                            Predicate<org.opensaml.profile.context.ProfileRequestContext> predicate)
        Set the predicate which determines whether an Assertion SubjectConfirmationData NotOnOrAfter is required.

        Defaults to an always false predicate.

        Parameters:
        predicate - the predicate, must be non-null
      • getAddressRequired

        public Predicate<org.opensaml.profile.context.ProfileRequestContext> getAddressRequired()
        Get the predicate which determines whether an Assertion SubjectConfirmationData Address is required.

Defaults to an always false predicate.

        Returns:
        the predicate
      • setAddressRequired

        public void setAddressRequired​(@Nonnull
                                       Predicate<org.opensaml.profile.context.ProfileRequestContext> predicate)
        Set the predicate which determines whether an Assertion SubjectConfirmationData Address is required.

        Defaults to an always false predicate.

        Parameters:
        predicate - the predicate, must be non-null
      • getCheckAddress

        public Predicate<org.opensaml.profile.context.ProfileRequestContext> getCheckAddress()
        Get the predicate which determines whether an Assertion's network address(es) should be checked.

Defaults to an always true predicate.

        Returns:
        the predicate
      • setCheckAddress

        public void setCheckAddress​(@Nonnull
                                    Predicate<org.opensaml.profile.context.ProfileRequestContext> predicate)
        Set the predicate which determines whether an Assertion's network address(es) should be checked.

        Defaults to an always true predicate.

        Parameters:
        predicate - the predicate, must be non-null
      • getAdditionalAudiences

        public Function<org.opensaml.profile.context.ProfileRequestContext,​Set<String>> getAdditionalAudiences()
        Get the function for determining additional audience values.

        Defaults to null.

        Returns:
        the function
      • setAdditionalAudiences

        public void setAdditionalAudiences​(@Nonnull
                                           Function<org.opensaml.profile.context.ProfileRequestContext,​Set<String>> function)
        Set the function for determining additional audience values.

        Defaults to null.

        Parameters:
        function - the function, may be null
      • getValidIssuers

        public Function<org.opensaml.profile.context.ProfileRequestContext,​Set<String>> getValidIssuers()
Get the function for determining the valid Issuer values.

        Defaults to an implementation which resolves the outbound SAML peer entityID.

        Returns:
        the function
      • setValidIssuers

        public void setValidIssuers​(@Nonnull
                                    Function<org.opensaml.profile.context.ProfileRequestContext,​Set<String>> function)
Set the function for determining the valid Issuer values.

        Defaults to an implementation which resolves the outbound SAML peer entityID.

        Parameters:
        function - the function, may be null
      • getMaximumTimeSinceAuthn

        public Function<org.opensaml.profile.context.ProfileRequestContext,​Duration> getMaximumTimeSinceAuthn()
        Get the function for determining the max allowed time since authentication.

        Defaults to null.

        Returns:
        the function
      • setMaximumTimeSinceAuthn

        public void setMaximumTimeSinceAuthn​(@Nonnull
                                             Function<org.opensaml.profile.context.ProfileRequestContext,​Duration> function)
        Set the function for determining the max allowed time since authentication.

        Defaults to null.

        Parameters:
        function - the function, may be null
      • getSignatureCriteriaSetFunction

        @Nullable
        public Function<net.shibboleth.utilities.java.support.collection.Pair<org.opensaml.profile.context.ProfileRequestContext,​org.opensaml.saml.saml2.core.Assertion>,​net.shibboleth.utilities.java.support.resolver.CriteriaSet> getSignatureCriteriaSetFunction()
Get the function for resolving the signature validation CriteriaSet for a particular Assertion.

Defaults to null.

        Returns:
        a criteria set instance, or null
      • setSignatureCriteriaSetFunction

        public void setSignatureCriteriaSetFunction​(@Nullable
                                                    Function<net.shibboleth.utilities.java.support.collection.Pair<org.opensaml.profile.context.ProfileRequestContext,​org.opensaml.saml.saml2.core.Assertion>,​net.shibboleth.utilities.java.support.resolver.CriteriaSet> function)
Set the function for resolving the signature validation CriteriaSet for a particular Assertion.

Defaults to null.

        Parameters:
        function - the resolving function, may be null
      • buildStaticParameters

        @Nonnull
        protected Map<String,​Object> buildStaticParameters​(@Nonnull
                                                                 ValidateAssertions.AssertionValidationInput input)
        Build the static parameters map for input to the ValidationContext.
        Parameters:
        input - the assertion validation input
        Returns:
        the static parameters map
      • populateSignatureParameters

        private void populateSignatureParameters​(@Nonnull
                                                 Map<String,​Object> staticParams,
                                                 @Nonnull
                                                 ValidateAssertions.AssertionValidationInput input)
        Populate the static signature parameters.
        Parameters:
        staticParams - the parameters being populated
        input - validation input
      • populateConditionsParameters

        private void populateConditionsParameters​(@Nonnull
                                                  Map<String,​Object> staticParams,
                                                  @Nonnull
                                                  ValidateAssertions.AssertionValidationInput input)
        Populate the static Conditions parameters.
        Parameters:
        staticParams - the parameters being populated
        input - validation input
      • populateSubjectConfirmationParameters

        private void populateSubjectConfirmationParameters​(@Nonnull
                                                           Map<String,​Object> staticParams,
                                                           @Nonnull
                                                           ValidateAssertions.AssertionValidationInput input,
                                                           @Nonnull
                                                           Set<InetAddress> validAddresses,
                                                           @Nonnull
                                                           Boolean checkAddressEnabled)
        Populate the static SubjectConfirmation parameters.
        Parameters:
        staticParams - the parameters being populated
        input - validation input
        validAddresses - the valid addresses
        checkAddressEnabled - whether address checking is enabled
      • populateStatementParams

        private void populateStatementParams​(@Nonnull
                                             Map<String,​Object> staticParams,
                                             @Nonnull
                                             ValidateAssertions.AssertionValidationInput input,
                                             @Nonnull
                                             Set<InetAddress> validAddresses,
                                             @Nonnull
                                             Boolean checkAddressEnabled)
        Populate the static Statement params.
        Parameters:
        staticParams - the parameters being populated
        input - validation input
        validAddresses - the valid addresses
        checkAddressEnabled - whether address checking is enabled
      • getRequiredConditions

        @Nonnull
        protected Set<QName> getRequiredConditions​(@Nonnull
                                                   ValidateAssertions.AssertionValidationInput input)
        Get the set of required Conditions.

        The default behavior is to return the locally-configured data via getRequiredConditions().

        Parameters:
        input - the assertion validation input
        Returns:
        the set of required Condition names, may be null
      • getSignatureCriteriaSet

        @Nonnull
        protected net.shibboleth.utilities.java.support.resolver.CriteriaSet getSignatureCriteriaSet​(@Nonnull
                                                                                                     ValidateAssertions.AssertionValidationInput input)
        Get the signature validation criteria set.

        This implementation first evaluates the result of applying the function getSignatureCriteriaSetFunction(), if configured. If that evaluation did not produce an EntityIdCriterion, one is added based on the issuer of the Assertion. If that evaluation did not produce an instance of UsageCriterion, one is added with the value of UsageType.SIGNING.

        Finally the following criteria are added if not already present and if the corresponding data is available in the inbound MessageContext:

        • RoleDescriptorCriterion
        • EntityRoleCriterion
        • ProtocolCriterion
        Parameters:
        input - the assertion validation input
        Returns:
        the criteria set based on the message context data
      • populateSignatureCriteriaFromInboundContext

        protected void populateSignatureCriteriaFromInboundContext​(@Nonnull
                                                                   net.shibboleth.utilities.java.support.resolver.CriteriaSet criteriaSet,
                                                                   @Nonnull
                                                                   org.opensaml.messaging.context.MessageContext inboundContext)
Populate signature criteria from the specified MessageContext. The criteria populated, if not already present, are:
        • RoleDescriptorCriterion
        • EntityRoleCriterion
        • ProtocolCriterion
        Parameters:
        criteriaSet - the criteria set to populate
        inboundContext - the inbound message context
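The criteria assembly described for getSignatureCriteriaSet() and populateSignatureCriteriaFromInboundContext() above, written out as an added illustration; this is not the project's own code. The criterion and context classes are OpenSAML's, but the choice of SAMLPeerEntityContext, SAMLMetadataContext and SAMLProtocolContext as the subcontexts that carry the peer role, role descriptor and protocol is an assumption made here.

```java
import java.util.function.Function;
import net.shibboleth.utilities.java.support.collection.Pair;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.saml.common.messaging.context.SAMLMetadataContext;
import org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext;
import org.opensaml.saml.common.messaging.context.SAMLProtocolContext;
import org.opensaml.saml.criterion.EntityRoleCriterion;
import org.opensaml.saml.criterion.ProtocolCriterion;
import org.opensaml.saml.criterion.RoleDescriptorCriterion;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.criteria.UsageCriterion;

/** Illustration of the documented criteria assembly; not the Shibboleth IdP implementation. */
public final class SignatureCriteriaExample {

    /** Builds the signature validation criteria for one Assertion. */
    public static CriteriaSet buildSignatureCriteria(
            final Function<Pair<ProfileRequestContext, Assertion>, CriteriaSet> criteriaFunction,
            final ProfileRequestContext prc, final Assertion assertion) {

        // 1. Start from the configured function's result, if one is configured and it returned something.
        CriteriaSet criteria = criteriaFunction == null ? null : criteriaFunction.apply(new Pair<>(prc, assertion));
        if (criteria == null) {
            criteria = new CriteriaSet();
        }
        // 2. Pin trust resolution to the Assertion's Issuer unless the function already chose an entityID.
        if (!criteria.contains(EntityIdCriterion.class) && assertion.getIssuer() != null
                && assertion.getIssuer().getValue() != null) {
            criteria.add(new EntityIdCriterion(assertion.getIssuer().getValue()));
        }
        // 3. Only credentials intended for signing may verify the signature.
        if (!criteria.contains(UsageCriterion.class)) {
            criteria.add(new UsageCriterion(UsageType.SIGNING));
        }
        // 4. Role, role descriptor and protocol come from the inbound context when it is available.
        final MessageContext inbound = prc.getInboundMessageContext();
        if (inbound != null) {
            populateFromInboundContext(criteria, inbound);
        }
        return criteria;
    }

    /** Adds the three inbound-context criteria when absent and resolvable (subcontext layout is an assumption). */
    static void populateFromInboundContext(final CriteriaSet criteria, final MessageContext inbound) {
        final SAMLPeerEntityContext peer = inbound.getSubcontext(SAMLPeerEntityContext.class);
        if (peer != null) {
            if (!criteria.contains(EntityRoleCriterion.class) && peer.getRole() != null) {
                criteria.add(new EntityRoleCriterion(peer.getRole()));
            }
            final SAMLMetadataContext md = peer.getSubcontext(SAMLMetadataContext.class);
            if (md != null && md.getRoleDescriptor() != null && !criteria.contains(RoleDescriptorCriterion.class)) {
                criteria.add(new RoleDescriptorCriterion(md.getRoleDescriptor()));
            }
        }
        final SAMLProtocolContext proto = inbound.getSubcontext(SAMLProtocolContext.class);
        if (proto != null && proto.getProtocol() != null && !criteria.contains(ProtocolCriterion.class)) {
            criteria.add(new ProtocolCriterion(proto.getProtocol()));
        }
    }
}
```

Because each criterion is only added when absent, a configured signatureCriteriaSetFunction can deliberately override the issuer-derived EntityIdCriterion, so anything it returns should be treated as trust-relevant configuration.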
      • getAttesterCertificate

        @Nullable
        protected X509Certificate getAttesterCertificate​(@Nonnull
                                                         ValidateAssertions.AssertionValidationInput input)
        Get the attesting entity's X509Certificate.

        This implementation returns the client TLS certificate present in the HttpServletRequest, or null if one is not present.

        Parameters:
        input - the assertion validation input
        Returns:
        the entity certificate, or null
      • getAttesterPublicKey

        @Nullable
        protected PublicKey getAttesterPublicKey​(@Nonnull
                                                 ValidateAssertions.AssertionValidationInput input)
        Get the attesting entity's PublicKey.

        This implementation returns null. Subclasses should override to implement specific logic.

        Parameters:
        input - the assertion validation input
        Returns:
        the entity public key, or null
      • getAttesterIPAddress

        @Nonnull
        protected String getAttesterIPAddress​(@Nonnull
                                              ValidateAssertions.AssertionValidationInput input)
        Get the attester's IP address.

        This implementation returns the value of ServletRequest.getRemoteAddr().

        Parameters:
        input - the assertion validation input
        Returns:
        the IP address of the attester
      • getSelfEntityID

        @Nullable
        protected String getSelfEntityID​(@Nonnull
                                         ValidateAssertions.AssertionValidationInput input)
        Get the self entityID.
        Parameters:
        input - the assertion validation input
        Returns:
the self entityID, or null if it could not be resolved