Package org.opensaml.saml.security.impl
Class SAMLSignatureProfileValidator
- java.lang.Object
-
- org.opensaml.saml.security.impl.SAMLSignatureProfileValidator
-
- All Implemented Interfaces:
org.opensaml.xmlsec.signature.support.SignaturePrevalidator
public class SAMLSignatureProfileValidator extends Object implements org.opensaml.xmlsec.signature.support.SignaturePrevalidator
A validator for instances ofSignature, which validates that the signature meets security-related requirements indicated by the SAML profile of XML Signature.
-
-
Field Summary
Fields Modifier and Type Field Description private org.slf4j.LoggerlogClass logger.
-
Constructor Summary
Constructors Constructor Description SAMLSignatureProfileValidator()
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description voidvalidate(org.opensaml.xmlsec.signature.Signature signature)protected voidvalidateObjectChildren(org.apache.xml.security.signature.XMLSignature apacheSig)Validate that the Signature instance does not contain any ds:Object children.protected org.apache.xml.security.signature.ReferencevalidateReference(org.apache.xml.security.signature.XMLSignature apacheSig)Validate the Signature's SignedInfo Reference.protected voidvalidateReferenceURI(String uri, String id)Validate the Reference URI and parent ID attribute values.protected voidvalidateReferenceURI(String uri, org.opensaml.saml.common.SignableSAMLObject signableObject)Validate the Signature's Reference URI.protected voidvalidateSignatureImpl(org.opensaml.xmlsec.signature.impl.SignatureImpl sigImpl)Validate an instance ofSignatureImpl, which is in turn based on underlying Apache XML SecurityXMLSignatureinstance.protected voidvalidateTransforms(org.apache.xml.security.signature.Reference reference)Validate the transforms included in the Signature Reference.
-
-
-
Method Detail
-
validate
public void validate(@Nonnull org.opensaml.xmlsec.signature.Signature signature) throws org.opensaml.xmlsec.signature.support.SignatureException- Specified by:
validatein interfaceorg.opensaml.xmlsec.signature.support.SignaturePrevalidator- Throws:
org.opensaml.xmlsec.signature.support.SignatureException
-
validateSignatureImpl
protected void validateSignatureImpl(org.opensaml.xmlsec.signature.impl.SignatureImpl sigImpl) throws org.opensaml.xmlsec.signature.support.SignatureExceptionValidate an instance ofSignatureImpl, which is in turn based on underlying Apache XML SecurityXMLSignatureinstance.- Parameters:
sigImpl- the signature implementation object to validate- Throws:
org.opensaml.xmlsec.signature.support.SignatureException- thrown if the signature is not valid with respect to the profile
-
validateReference
protected org.apache.xml.security.signature.Reference validateReference(org.apache.xml.security.signature.XMLSignature apacheSig) throws org.opensaml.xmlsec.signature.support.SignatureExceptionValidate the Signature's SignedInfo Reference. The SignedInfo must contain exactly 1 Reference.- Parameters:
apacheSig- the Apache XML Signature instance- Returns:
- the valid Reference contained within the SignedInfo
- Throws:
org.opensaml.xmlsec.signature.support.SignatureException- thrown if the Signature does not contain exactly 1 Reference, or if there is an error obtaining the Reference instance
-
validateReferenceURI
protected void validateReferenceURI(String uri, org.opensaml.saml.common.SignableSAMLObject signableObject) throws org.opensaml.xmlsec.signature.support.SignatureException
Validate the Signature's Reference URI. First validate the Reference URI against the parent's ID itself. Then validate that the URI (if non-empty) resolves to the same Element node as is cached by the SignableSAMLObject.- Parameters:
uri- the Signature Reference URI attribute valuesignableObject- the SignableSAMLObject whose signature is being validated- Throws:
org.opensaml.xmlsec.signature.support.SignatureException- if the URI is invalid or doesn't resolve to the expected DOM node
-
validateReferenceURI
protected void validateReferenceURI(String uri, String id) throws org.opensaml.xmlsec.signature.support.SignatureException
Validate the Reference URI and parent ID attribute values. The URI must either be null or empty (indicating that the entire enclosing document was signed), or else it must be a local document fragment reference and point to the SAMLObject parent via the latter's ID attribute value.- Parameters:
uri- the Signature Reference URI attribute valueid- the Signature parents ID attribute value- Throws:
org.opensaml.xmlsec.signature.support.SignatureException- thrown if the URI or ID attribute values are invalid
-
validateTransforms
protected void validateTransforms(org.apache.xml.security.signature.Reference reference) throws org.opensaml.xmlsec.signature.support.SignatureExceptionValidate the transforms included in the Signature Reference. The Reference may contain at most 2 transforms. One of them must be the Enveloped signature transform. An Exclusive Canonicalization transform (with or without comments) may also be present. No other transforms are allowed.- Parameters:
reference- the Signature reference containing the transforms to evaluate- Throws:
org.opensaml.xmlsec.signature.support.SignatureException- thrown if the set of transforms is invalid
-
validateObjectChildren
protected void validateObjectChildren(org.apache.xml.security.signature.XMLSignature apacheSig) throws org.opensaml.xmlsec.signature.support.SignatureExceptionValidate that the Signature instance does not contain any ds:Object children.- Parameters:
apacheSig- the Apache XML Signature instance- Throws:
org.opensaml.xmlsec.signature.support.SignatureException- if the signature contains ds:Object children
-
-