Class SAML20AssertionValidator

java.lang.Object
    org.opensaml.saml.saml2.assertion.SAML20AssertionValidator

public class SAML20AssertionValidator extends Object

A component capable of performing core validation of SAML version 2.0 Assertion instances.

Supports the following ValidationContext static parameters:

- SAML2AssertionValidationParameters.VALID_ISSUERS: Optional. (Without it the Assertion Issuer cannot be checked against an allow list, so a relying party should always supply it.)
- SAML2AssertionValidationParameters.SIGNATURE_REQUIRED: Optional. If not supplied, defaults to 'true'. If an Assertion is signed, the signature is always evaluated and the result factored into the overall validation result, regardless of the value of this setting.
- SAML2AssertionValidationParameters.SIGNATURE_VALIDATION_CRITERIA_SET: Optional. If not supplied, a minimal criteria set will be constructed which contains an EntityIdCriterion containing the Assertion Issuer entityID, and a UsageCriterion of UsageType.SIGNING. If it is supplied, but either of those criteria is absent from the criteria set, they will be added with the above values.
- SAML2AssertionValidationParameters.SIGNATURE_VALIDATION_TRUST_ENGINE: Optional. If not supplied, defaults to the locally-injected instance.
- SAML2AssertionValidationParameters.SIGNATURE_VALIDATION_PREVALIDATOR: Optional. If not supplied, defaults to the locally-injected instance.
- SAML2AssertionValidationParameters.CLOCK_SKEW: Optional. If not present the default clock skew of DEFAULT_CLOCK_SKEW will be used.
- SAML2AssertionValidationParameters.COND_REQUIRED_CONDITIONS: Optional.

Supports the following ValidationContext dynamic parameters:

- SAML2AssertionValidationParameters.CONFIRMED_SUBJECT_CONFIRMATION: Optional. Will be present after validation iff subject confirmation was successfully performed.
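As an added example (not part of the OpenSAML Javadoc or of the library's own code), the following shows how a relying party assembles this class to check a signed bearer assertion end to end: a trust engine pinned to the IdP signing certificate, the bundled condition and subject-confirmation validators, the static parameters listed above, and a result check that treats anything other than VALID as a rejection. The entityIDs, the ACS URL and the file paths are placeholders; the parameter constants not listed on this page (COND_VALID_AUDIENCES, SC_VALID_RECIPIENTS, SC_VALID_IN_RESPONSE_TO, SC_CHECK_ADDRESS), the validator classes in org.opensaml.saml.saml2.assertion.impl and the trust-engine classes are taken from the OpenSAML 4 API, not from this page.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.opensaml.core.config.InitializationService;
import org.opensaml.core.xml.XMLObjectProviderRegistrySupport;
import org.opensaml.core.xml.util.XMLObjectSupport;
import org.opensaml.saml.common.assertion.AssertionValidationException;
import org.opensaml.saml.common.assertion.ValidationContext;
import org.opensaml.saml.common.assertion.ValidationResult;
import org.opensaml.saml.saml2.assertion.SAML20AssertionValidator;
import org.opensaml.saml.saml2.assertion.SAML2AssertionValidationParameters;
import org.opensaml.saml.saml2.assertion.impl.AudienceRestrictionConditionValidator;
import org.opensaml.saml.saml2.assertion.impl.BearerSubjectConfirmationValidator;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.AudienceRestriction;
import org.opensaml.saml.saml2.core.SubjectConfirmation;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.security.credential.impl.StaticCredentialResolver;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.xmlsec.config.impl.DefaultSecurityConfigurationBootstrap;
import org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine;

/** Added example: validating a SAML 2.0 bearer assertion with SAML20AssertionValidator. */
public final class BearerAssertionCheck {

    // Assumed deployment values (placeholders): the IdP we trust, our own entityID
    // (the expected Audience) and our AssertionConsumerService URL (the expected Recipient).
    static final String IDP_ENTITY_ID = "https://idp.example.org/idp";
    static final String SP_ENTITY_ID = "https://sp.example.org/sp";
    static final String ACS_URL = "https://sp.example.org/acs";

    private BearerAssertionCheck() {}

    /** Validator pinned to one IdP signing certificate (assumed to come from trusted metadata). */
    static SAML20AssertionValidator buildValidator(X509Certificate idpSigningCert) {
        // Only signatures verifiable with the pinned credential are accepted; KeyInfo in the
        // assertion may select among resolved credentials but cannot introduce a new key.
        ExplicitKeySignatureTrustEngine trustEngine = new ExplicitKeySignatureTrustEngine(
                new StaticCredentialResolver(new BasicX509Credential(idpSigningCert)),
                DefaultSecurityConfigurationBootstrap.buildBasicInlineKeyInfoCredentialResolver());

        return new SAML20AssertionValidator(
                List.of(new AudienceRestrictionConditionValidator()),
                List.of(new BearerSubjectConfirmationValidator()),
                null,                                  // no statement validators; unknown statements are ignored
                trustEngine,
                new SAMLSignatureProfileValidator());  // rejects signatures that break the SAML signature profile
    }

    /** Static parameters for one run; inResponseTo is the ID of the AuthnRequest we sent, or null if IdP-initiated. */
    static ValidationContext buildContext(String inResponseTo) {
        Map<String, Object> params = new HashMap<>();
        params.put(SAML2AssertionValidationParameters.VALID_ISSUERS, Set.of(IDP_ENTITY_ID));
        params.put(SAML2AssertionValidationParameters.SIGNATURE_REQUIRED, Boolean.TRUE);
        params.put(SAML2AssertionValidationParameters.CLOCK_SKEW, Duration.ofSeconds(60));
        // An assertion that carries no AudienceRestriction at all must be rejected, not merely unchecked.
        params.put(SAML2AssertionValidationParameters.COND_REQUIRED_CONDITIONS,
                Set.of(AudienceRestriction.DEFAULT_ELEMENT_NAME));
        params.put(SAML2AssertionValidationParameters.COND_VALID_AUDIENCES, Set.of(SP_ENTITY_ID));
        params.put(SAML2AssertionValidationParameters.SC_VALID_RECIPIENTS, Set.of(ACS_URL));
        params.put(SAML2AssertionValidationParameters.SC_CHECK_ADDRESS, Boolean.FALSE); // clients sit behind proxies here
        if (inResponseTo != null) {
            params.put(SAML2AssertionValidationParameters.SC_VALID_IN_RESPONSE_TO, inResponseTo);
        }
        return new ValidationContext(params);
    }

    /** True only when the whole chain reports VALID and a bearer SubjectConfirmation was actually confirmed. */
    static boolean isAcceptable(SAML20AssertionValidator validator, Assertion assertion, ValidationContext ctx) {
        try {
            ValidationResult result = validator.validate(assertion, ctx);
            if (result != ValidationResult.VALID) {
                // INDETERMINATE means something could not be evaluated; it is a failure, not a pass.
                System.err.println("Assertion rejected (" + result + "): " + ctx.getValidationFailureMessage());
                return false;
            }
            // Dynamic parameter documented above: present iff subject confirmation succeeded.
            SubjectConfirmation confirmed = (SubjectConfirmation) ctx.getDynamicParameters()
                    .get(SAML2AssertionValidationParameters.CONFIRMED_SUBJECT_CONFIRMATION);
            return confirmed != null && SubjectConfirmation.METHOD_BEARER.equals(confirmed.getMethod());
        } catch (AssertionValidationException e) {
            System.err.println("Fatal error while validating assertion: " + e.getMessage());
            return false;
        }
    }

    /** args: <idp-signing-cert.pem> <assertion.xml> [inResponseTo] (paths are placeholders). */
    public static void main(String[] args) throws Exception {
        InitializationService.initialize();
        X509Certificate idpCert = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(Files.newInputStream(Path.of(args[0])));
        Assertion assertion = (Assertion) XMLObjectSupport.unmarshallFromInputStream(
                XMLObjectProviderRegistrySupport.getParserPool(), Files.newInputStream(Path.of(args[1])));
        ValidationContext ctx = buildContext(args.length > 2 ? args[2] : null);
        System.out.println(isAcceptable(buildValidator(idpCert), assertion, ctx) ? "VALID" : "REJECTED");
    }
}
```

Two points worth keeping in mind when adapting this: the StaticCredentialResolver ignores the EntityIdCriterion that this class builds from the Issuer, so in a multi-IdP deployment a metadata-backed credential resolver is what makes that criterion meaningful; and this class validates only the Assertion's own signature, so a Response that is signed at the envelope level but carries an unsigned assertion still needs the envelope signature checked separately (or SIGNATURE_REQUIRED relaxed deliberately, not by default).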
Field Summary

- private net.shibboleth.utilities.java.support.collection.LazyMap<QName,ConditionValidator> conditionValidators
  Registered Condition validators.
- static Duration DEFAULT_CLOCK_SKEW
  Default clock skew of 5 minutes.
- private org.slf4j.Logger log
  Class logger.
- private org.opensaml.xmlsec.signature.support.SignaturePrevalidator signaturePrevalidator
  SAML signature profile validator.
- private net.shibboleth.utilities.java.support.collection.LazyMap<QName,StatementValidator> statementValidators
  Registered Statement validators.
- private net.shibboleth.utilities.java.support.collection.LazyMap<String,SubjectConfirmationValidator> subjectConfirmationValidators
  Registered SubjectConfirmation validators.
- private org.opensaml.xmlsec.signature.support.SignatureTrustEngine trustEngine
  Trust engine for signature evaluation.
Constructor Summary

- SAML20AssertionValidator(Collection<ConditionValidator> newConditionValidators, Collection<SubjectConfirmationValidator> newConfirmationValidators, Collection<StatementValidator> newStatementValidators, org.opensaml.xmlsec.signature.support.SignatureTrustEngine newTrustEngine, org.opensaml.xmlsec.signature.support.SignaturePrevalidator newSignaturePrevalidator)
  Constructor.
Method Summary

All Methods | Static Methods | Instance Methods | Concrete Methods

- static Duration getClockSkew(ValidationContext context)
  Gets the clock skew from the ValidationContext.getStaticParameters() parameters.
- protected net.shibboleth.utilities.java.support.resolver.CriteriaSet getSignatureValidationCriteriaSet(Assertion token, ValidationContext context)
  Get the criteria set that will be used in evaluating the Assertion signature via the supplied trust engine.
- protected org.opensaml.xmlsec.signature.support.SignaturePrevalidator getSignatureValidationPrevalidator(Assertion token, ValidationContext context)
  Get the signature prevalidator that will be used in evaluating the Assertion signature.
- protected org.opensaml.xmlsec.signature.support.SignatureTrustEngine getSignatureValidationTrustEngine(Assertion token, ValidationContext context)
  Get the signature trust engine that will be used in evaluating the Assertion signature.
- protected void log(Assertion assertion, ValidationContext context)
  Log the Assertion which is being validated, along with the supplied validation context parameters.
- protected ValidationResult performSignatureValidation(Assertion token, ValidationContext context)
  Handle the actual signature validation.
- ValidationResult validate(Assertion assertion, ValidationContext context)
  Validate the supplied SAML 2 Assertion, using the parameters from the supplied ValidationContext.
- protected ValidationResult validateConditions(Assertion assertion, ValidationContext context)
  Validates the conditions on the assertion.
- protected ValidationResult validateConditionsTimeBounds(Assertion assertion, ValidationContext context)
  Validates the NotBefore and NotOnOrAfter Conditions constraints on the assertion.
- protected ValidationResult validateIssuer(Assertion assertion, ValidationContext context)
  Validates the Assertion Issuer.
- protected ValidationResult validateRequiredConditions(Assertion assertion, ValidationContext context)
  Validate that all conditions indicated to be required are present in the assertion.
- protected ValidationResult validateSignature(Assertion token, ValidationContext context)
  Validates the signature of the assertion, if it is signed.
- protected ValidationResult validateStatements(Assertion assertion, ValidationContext context)
  Validates the statements within the assertion.
- protected ValidationResult validateSubjectConfirmation(Assertion assertion, ValidationContext context)
  Validates the subject confirmations of the assertion.
- protected ValidationResult validateVersion(Assertion assertion, ValidationContext context)
  Validates that the assertion is a SAMLVersion.VERSION_20 assertion.
Field Detail

DEFAULT_CLOCK_SKEW

@Nonnull public static final Duration DEFAULT_CLOCK_SKEW

Default clock skew of 5 minutes.

log

@Nonnull private final org.slf4j.Logger log

Class logger.

conditionValidators

private net.shibboleth.utilities.java.support.collection.LazyMap<QName,ConditionValidator> conditionValidators

Registered Condition validators.

subjectConfirmationValidators

private net.shibboleth.utilities.java.support.collection.LazyMap<String,SubjectConfirmationValidator> subjectConfirmationValidators

Registered SubjectConfirmation validators.

statementValidators

private net.shibboleth.utilities.java.support.collection.LazyMap<QName,StatementValidator> statementValidators

Registered Statement validators.

trustEngine

private org.opensaml.xmlsec.signature.support.SignatureTrustEngine trustEngine

Trust engine for signature evaluation.

signaturePrevalidator

private org.opensaml.xmlsec.signature.support.SignaturePrevalidator signaturePrevalidator

SAML signature profile validator.
Constructor Detail

SAML20AssertionValidator

public SAML20AssertionValidator(@Nullable Collection<ConditionValidator> newConditionValidators, @Nullable Collection<SubjectConfirmationValidator> newConfirmationValidators, @Nullable Collection<StatementValidator> newStatementValidators, @Nullable org.opensaml.xmlsec.signature.support.SignatureTrustEngine newTrustEngine, @Nullable org.opensaml.xmlsec.signature.support.SignaturePrevalidator newSignaturePrevalidator)

Constructor.

Parameters:
- newConditionValidators - validators used to validate the Conditions within the assertion
- newConfirmationValidators - validators used to validate SubjectConfirmation methods within the assertion
- newStatementValidators - validators used to validate Statements within the assertion
- newTrustEngine - the trust engine used to validate the Assertion signature
- newSignaturePrevalidator - the signature pre-validator used to pre-validate the Assertion signature
Method Detail

getClockSkew

public static Duration getClockSkew(@Nonnull ValidationContext context)

Gets the clock skew from the ValidationContext.getStaticParameters() parameters. If the parameter is not set, is not a Duration, or is a zero Duration, then DEFAULT_CLOCK_SKEW is used. Note the consequence: a skew of zero cannot be configured through this parameter, since a zero value falls back to the 5-minute default; the tightest effective skew is the smallest non-zero Duration supplied.

Parameters:
- context - current validation context
Returns:
- the clock skew
validate

@Nonnull public ValidationResult validate(@Nonnull Assertion assertion, @Nonnull ValidationContext context) throws AssertionValidationException

Validate the supplied SAML 2 Assertion, using the parameters from the supplied ValidationContext.

Parameters:
- assertion - the assertion being evaluated
- context - the current validation context
Returns:
- the validation result
Throws:
- AssertionValidationException - if there is a fatal error evaluating the validity of the assertion
log

protected void log(@Nonnull Assertion assertion, @Nonnull ValidationContext context)

Log the Assertion which is being validated, along with the supplied validation context parameters.

Parameters:
- assertion - the SAML 2 Assertion being validated
- context - current validation context
validateVersion

@Nonnull protected ValidationResult validateVersion(@Nonnull Assertion assertion, @Nonnull ValidationContext context) throws AssertionValidationException

Validates that the assertion is a SAMLVersion.VERSION_20 assertion.

Parameters:
- assertion - the assertion to validate
- context - current validation context
Returns:
- result of the validation evaluation
Throws:
- AssertionValidationException - thrown if there is a problem validating the version
validateIssuer

protected ValidationResult validateIssuer(@Nonnull Assertion assertion, @Nonnull ValidationContext context) throws AssertionValidationException

Validates the Assertion Issuer against the VALID_ISSUERS static parameter.

Parameters:
- assertion - the assertion to validate
- context - current validation context
Returns:
- the result of the validation evaluation
Throws:
- AssertionValidationException - if there is a problem validating the Issuer
validateSignature

@Nonnull protected ValidationResult validateSignature(@Nonnull Assertion token, @Nonnull ValidationContext context) throws AssertionValidationException

Validates the signature of the assertion, if it is signed. An unsigned assertion fails this step unless SIGNATURE_REQUIRED has been explicitly set to false; a signed assertion is always evaluated, whatever that setting is.

Parameters:
- token - assertion whose signature will be validated
- context - current validation context
Returns:
- the result of the signature validation
Throws:
- AssertionValidationException - thrown if there is a problem determining the validity of the signature
performSignatureValidation

@Nonnull protected ValidationResult performSignatureValidation(@Nonnull Assertion token, @Nonnull ValidationContext context) throws AssertionValidationException

Handle the actual signature validation.

Parameters:
- token - assertion whose signature will be validated
- context - current validation context
Returns:
- the validation result
Throws:
- AssertionValidationException - thrown if there is a problem determining the validity of the signature
getSignatureValidationTrustEngine

@Nonnull protected org.opensaml.xmlsec.signature.support.SignatureTrustEngine getSignatureValidationTrustEngine(@Nonnull Assertion token, @Nonnull ValidationContext context)

Get the signature trust engine that will be used in evaluating the Assertion signature: the SIGNATURE_VALIDATION_TRUST_ENGINE static parameter if present, otherwise the locally-injected instance.

Parameters:
- token - assertion whose signature will be validated
- context - current validation context
Returns:
- the trust engine to use
getSignatureValidationPrevalidator

@Nonnull protected org.opensaml.xmlsec.signature.support.SignaturePrevalidator getSignatureValidationPrevalidator(@Nonnull Assertion token, @Nonnull ValidationContext context)

Get the signature prevalidator that will be used in evaluating the Assertion signature: the SIGNATURE_VALIDATION_PREVALIDATOR static parameter if present, otherwise the locally-injected instance.

Parameters:
- token - assertion whose signature will be validated
- context - current validation context
Returns:
- the signature prevalidator to use
getSignatureValidationCriteriaSet

@Nonnull protected net.shibboleth.utilities.java.support.resolver.CriteriaSet getSignatureValidationCriteriaSet(@Nonnull Assertion token, @Nonnull ValidationContext context)

Get the criteria set that will be used in evaluating the Assertion signature via the supplied trust engine.

Parameters:
- token - assertion whose signature will be validated
- context - current validation context
Returns:
- the criteria set to use
validateConditions

@Nonnull protected ValidationResult validateConditions(@Nonnull Assertion assertion, @Nonnull ValidationContext context) throws AssertionValidationException

Validates the conditions on the assertion. Condition validators are looked up by the element QName and, if present, the schema type of the condition. If no validator can be found for the Condition the validation process fails.

Parameters:
- assertion - the assertion whose conditions will be validated
- context - current validation context
Returns:
- the result of the validation evaluation
Throws:
- AssertionValidationException - thrown if there is a problem determining the validity of the conditions
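Because a Condition with no registered validator fails the whole assertion, a deployment that receives a Condition the bundled validators do not cover has to register one of its own rather than silently dropping it. The following ConditionValidator is an added example, not OpenSAML's own OneTimeUseConditionValidator (which is backed by a shared ReplayCache): it enforces OneTimeUse with an in-process replay set keyed by assertion ID and expiring at the assertion's NotOnOrAfter plus the clock skew this class reports. The ConditionValidator interface shape, the OneTimeUse element class and ValidationContext.setValidationFailureMessage are assumptions taken from the OpenSAML 4 API rather than from this page.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.annotation.Nonnull;
import javax.xml.namespace.QName;

import org.opensaml.saml.common.assertion.AssertionValidationException;
import org.opensaml.saml.common.assertion.ValidationContext;
import org.opensaml.saml.common.assertion.ValidationResult;
import org.opensaml.saml.saml2.assertion.ConditionValidator;
import org.opensaml.saml.saml2.assertion.SAML20AssertionValidator;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Condition;
import org.opensaml.saml.saml2.core.OneTimeUse;

/**
 * Added example: a single-process replay guard for the OneTimeUse condition.
 * Register it in the condition-validator collection passed to SAML20AssertionValidator.
 * Not suitable as-is for a clustered SP, where the "seen" set must be shared.
 */
public final class InMemoryOneTimeUseValidator implements ConditionValidator {

    /** assertion ID -> instant after which the entry may be forgotten. */
    private final Map<String, Instant> seen = new ConcurrentHashMap<>();

    /** Retention for an ID whose assertion carries no NotOnOrAfter (assumed policy value). */
    private final Duration fallbackLifetime;

    public InMemoryOneTimeUseValidator(Duration fallbackLifetime) {
        this.fallbackLifetime = fallbackLifetime;
    }

    @Nonnull
    @Override
    public QName getServicedCondition() {
        // SAML20AssertionValidator selects this validator by element QName or xsi:type of the Condition.
        return OneTimeUse.DEFAULT_ELEMENT_NAME;
    }

    @Nonnull
    @Override
    public ValidationResult validate(@Nonnull Condition condition, @Nonnull Assertion assertion,
            @Nonnull ValidationContext context) throws AssertionValidationException {
        String id = assertion.getID();
        if (id == null || id.isBlank()) {
            // Nothing to key replay detection on: fail closed rather than let the assertion through.
            context.setValidationFailureMessage("OneTimeUse assertion has no ID; cannot enforce single use");
            return ValidationResult.INVALID;
        }

        Instant now = Instant.now();
        // Drop entries whose assertions can no longer pass the time-bounds check, so the set stays bounded.
        seen.entrySet().removeIf(e -> e.getValue().isBefore(now));

        // Remember the ID until NotOnOrAfter plus the skew this class applies to time bounds,
        // or for the fallback lifetime if the assertion declares no NotOnOrAfter.
        Instant expiry = (assertion.getConditions() != null && assertion.getConditions().getNotOnOrAfter() != null)
                ? assertion.getConditions().getNotOnOrAfter().plus(SAML20AssertionValidator.getClockSkew(context))
                : now.plus(fallbackLifetime);

        // putIfAbsent is atomic: the first presenter wins; a concurrent replay sees the stored entry.
        if (seen.putIfAbsent(id, expiry) != null) {
            context.setValidationFailureMessage("Assertion '" + id + "' has already been presented once");
            return ValidationResult.INVALID;
        }
        return ValidationResult.VALID;
    }
}
```

With `List.of(new AudienceRestrictionConditionValidator(), new InMemoryOneTimeUseValidator(Duration.ofMinutes(10)))` passed as the condition validators, an assertion carrying OneTimeUse is accepted on first presentation and rejected on the second; leave the validator out and, per the lookup rule above, any assertion carrying OneTimeUse is rejected outright, which is the safe default but not the same as enforcing single use.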
validateRequiredConditions

protected ValidationResult validateRequiredConditions(@Nonnull Assertion assertion, @Nonnull ValidationContext context)

Validate that all conditions indicated to be required (the COND_REQUIRED_CONDITIONS static parameter) are present in the assertion.

Parameters:
- assertion - the assertion whose conditions will be evaluated
- context - current validation context
Returns:
- the result of the validation evaluation
validateConditionsTimeBounds

@Nonnull protected ValidationResult validateConditionsTimeBounds(@Nonnull Assertion assertion, @Nonnull ValidationContext context) throws AssertionValidationException

Validates the NotBefore and NotOnOrAfter Conditions constraints on the assertion, allowing for the clock skew returned by getClockSkew(ValidationContext).

Parameters:
- assertion - the assertion whose conditions will be validated
- context - current validation context
Returns:
- the result of the validation evaluation
Throws:
- AssertionValidationException - thrown if there is a problem determining the validity of the conditions
validateSubjectConfirmation

@Nonnull protected ValidationResult validateSubjectConfirmation(@Nonnull Assertion assertion, @Nonnull ValidationContext context) throws AssertionValidationException

Validates the subject confirmations of the assertion. Validators are looked up by the subject confirmation method. If any one subject confirmation is met, the subject is considered confirmed per the SAML specification, and that SubjectConfirmation is exposed as the CONFIRMED_SUBJECT_CONFIRMATION dynamic parameter.

Parameters:
- assertion - assertion whose subject is being confirmed
- context - current validation context
Returns:
- the result of the validation
Throws:
- AssertionValidationException - thrown if there is a problem determining the validity of the subject
validateStatements

@Nonnull protected ValidationResult validateStatements(@Nonnull Assertion assertion, @Nonnull ValidationContext context) throws AssertionValidationException

Validates the statements within the assertion. Validators are looked up by the Statement's element QName or, if present, its schema type. Any statement for which a validator cannot be found is simply ignored (in contrast to conditions, where a missing validator fails validation).

Parameters:
- assertion - assertion whose statements are being validated
- context - current validation context
Returns:
- result of the validation
Throws:
- AssertionValidationException - thrown if there is a problem determining the validity of the statements