public class SAML20AssertionValidator extends Object

Validates SAML 2.0 Assertion instances.

Supports the following ValidationContext static parameters:

- SAML2AssertionValidationParameters.SIGNATURE_REQUIRED: Optional. If not supplied, defaults to 'true'. If an Assertion is signed, the signature is always evaluated and the result factored into the overall validation result, regardless of the value of this setting; setting it to 'false' only allows an unsigned Assertion to pass the signature check, it never skips evaluation of a signature that is present.
- SAML2AssertionValidationParameters.SIGNATURE_VALIDATION_CRITERIA_SET: Optional. If not supplied, a minimal criteria set will be constructed which contains an EntityIDCriteria containing the Assertion Issuer entityID, and a UsageCriteria of UsageType.SIGNING. If it is supplied, but either of those criteria are absent from the criteria set, they will be added with the above values.
- SAML2AssertionValidationParameters.CLOCK_SKEW: Optional. If not present the default clock skew of DEFAULT_CLOCK_SKEW milliseconds will be used.

Supports the following ValidationContext dynamic parameters:

- SAML2AssertionValidationParameters.CONFIRMED_SUBJECT_CONFIRMATION: Optional. Will be present after validation iff subject confirmation was successfully performed.
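The following is an added usage example, not code from this Javadoc or from the OpenSAML project, showing how a service provider might drive this class: it registers a condition validator and a subject-confirmation validator, supplies the three static parameters documented above, treats anything other than ValidationResult.VALID as a rejection, and reads the CONFIRMED_SUBJECT_CONFIRMATION dynamic parameter afterwards. The class and method names AssertionCheck and validateOrThrow are invented for illustration. AudienceRestrictionConditionValidator, BearerSubjectConfirmationValidator, SAMLSignatureProfileValidator, ProtocolCriterion, ValidationContext.getValidationFailureMessage() and the COND_VALID_AUDIENCES, SC_VALID_RECIPIENTS and SC_VALID_IN_RESPONSE_TO parameters are other OpenSAML 3 classes and constants that are not documented on this page and are assumed to be on the classpath; the caller is assumed to have run InitializationService.initialize() and unmarshalled the Assertion already.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import net.shibboleth.utilities.java.support.resolver.CriteriaSet;

import org.opensaml.saml.common.assertion.AssertionValidationException;
import org.opensaml.saml.common.assertion.ValidationContext;
import org.opensaml.saml.common.assertion.ValidationResult;
import org.opensaml.saml.common.xml.SAMLConstants;
import org.opensaml.saml.criterion.ProtocolCriterion;
import org.opensaml.saml.saml2.assertion.ConditionValidator;
import org.opensaml.saml.saml2.assertion.SAML20AssertionValidator;
import org.opensaml.saml.saml2.assertion.SAML2AssertionValidationParameters;
import org.opensaml.saml.saml2.assertion.SubjectConfirmationValidator;
import org.opensaml.saml.saml2.assertion.impl.AudienceRestrictionConditionValidator;
import org.opensaml.saml.saml2.assertion.impl.BearerSubjectConfirmationValidator;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.SubjectConfirmation;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.xmlsec.signature.support.SignatureTrustEngine;

/** Hypothetical SP-side helper (example only, not part of OpenSAML). */
public final class AssertionCheck {

    /** Skew we tolerate: 2 minutes, tighter than the 5-minute DEFAULT_CLOCK_SKEW. Must be a positive Long. */
    private static final Long CLOCK_SKEW_MILLIS = 120_000L;

    private AssertionCheck() {}

    /**
     * Validates an already-unmarshalled Assertion and returns the SubjectConfirmation that was confirmed.
     *
     * @param assertion   the Assertion to check
     * @param trustEngine the SP's trust engine, already wired to the IdP's signing credentials
     * @param spEntityId  our own entityID, which must appear in an AudienceRestriction
     * @param acsUrl      the AssertionConsumerService URL the assertion was delivered to
     * @param requestId   ID of the AuthnRequest we sent, or null for IdP-initiated SSO
     * @throws AssertionValidationException on a fatal error or when the assertion is not VALID
     */
    public static SubjectConfirmation validateOrThrow(Assertion assertion, SignatureTrustEngine trustEngine,
            String spEntityId, String acsUrl, String requestId) throws AssertionValidationException {

        // Assignment context fixes the element type to the interface the constructor expects.
        List<ConditionValidator> conditionValidators =
                Collections.singletonList(new AudienceRestrictionConditionValidator());
        List<SubjectConfirmationValidator> confirmationValidators =
                Collections.singletonList(new BearerSubjectConfirmationValidator());

        SAML20AssertionValidator validator = new SAML20AssertionValidator(
                conditionValidators,
                confirmationValidators,
                null,                                  // no Statement validators registered
                trustEngine,
                new SAMLSignatureProfileValidator());  // SignaturePrevalidator: enforces the SAML signature profile

        Map<String, Object> staticParams = new HashMap<>();
        // Refuse unsigned assertions. This is the documented default, but stating it protects
        // against a later change that silently drops the parameter.
        staticParams.put(SAML2AssertionValidationParameters.SIGNATURE_REQUIRED, Boolean.TRUE);
        // A zero or negative value would be ignored in favour of DEFAULT_CLOCK_SKEW, so keep it positive.
        staticParams.put(SAML2AssertionValidationParameters.CLOCK_SKEW, CLOCK_SKEW_MILLIS);
        // Partial criteria set: the validator itself adds the Issuer entityID and UsageType.SIGNING.
        staticParams.put(SAML2AssertionValidationParameters.SIGNATURE_VALIDATION_CRITERIA_SET,
                new CriteriaSet(new ProtocolCriterion(SAMLConstants.SAML20P_NS)));
        // Inputs for the two sub-validators registered above (parameters not documented on this page).
        staticParams.put(SAML2AssertionValidationParameters.COND_VALID_AUDIENCES,
                Collections.singleton(spEntityId));
        staticParams.put(SAML2AssertionValidationParameters.SC_VALID_RECIPIENTS,
                Collections.singleton(acsUrl));
        if (requestId != null) {
            staticParams.put(SAML2AssertionValidationParameters.SC_VALID_IN_RESPONSE_TO, requestId);
        }

        ValidationContext context = new ValidationContext(staticParams);
        ValidationResult result = validator.validate(assertion, context);

        // INDETERMINATE is a failure too; only VALID is a pass.
        if (result != ValidationResult.VALID) {
            throw new AssertionValidationException("Assertion rejected (" + result + "): "
                    + context.getValidationFailureMessage());
        }

        // Dynamic parameter: present iff subject confirmation succeeded.
        SubjectConfirmation confirmed = (SubjectConfirmation) context.getDynamicParameters()
                .get(SAML2AssertionValidationParameters.CONFIRMED_SUBJECT_CONFIRMATION);
        if (confirmed == null) {
            throw new AssertionValidationException("No SubjectConfirmation was confirmed");
        }
        return confirmed;
    }
}
```

The trust engine is passed in rather than built here because it is the one component that encodes which IdP keys are trusted; building it from metadata is outside this page. Checking for CONFIRMED_SUBJECT_CONFIRMATION after a VALID result is what ties the assertion to this SP and this request, so a VALID result with no confirmed subject is still treated as a rejection.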
Field Summary

Modifier and Type | Field and Description
---|---
private net.shibboleth.utilities.java.support.collection.LazyMap<QName,ConditionValidator> | conditionValidators: Registered Condition validators.
static long | DEFAULT_CLOCK_SKEW: Default clock skew; 300000L milliseconds.
private org.slf4j.Logger | log: Class logger.
private SignaturePrevalidator | signaturePrevalidator: SAML signature profile validator.
private net.shibboleth.utilities.java.support.collection.LazyMap<QName,StatementValidator> | statementValidators: Registered Statement validators.
private net.shibboleth.utilities.java.support.collection.LazyMap<String,SubjectConfirmationValidator> | subjectConfirmationValidators: Registered SubjectConfirmation validators.
private SignatureTrustEngine | trustEngine: Trust engine for signature evaluation.
Constructor Summary

Constructor and Description
---
SAML20AssertionValidator(Collection<ConditionValidator> newConditionValidators, Collection<SubjectConfirmationValidator> newConfirmationValidators, Collection<StatementValidator> newStatementValidators, SignatureTrustEngine newTrustEngine, SignaturePrevalidator newSignaturePrevalidator): Constructor.
Method Summary

Modifier and Type | Method and Description
---|---
static long | getClockSkew(ValidationContext context): Gets the clock skew from the ValidationContext.getStaticParameters() parameters.
protected net.shibboleth.utilities.java.support.resolver.CriteriaSet | getSignatureValidationCriteriaSet(Assertion token, ValidationContext context): Get the criteria set that will be used in evaluating the Assertion signature via the supplied trust engine.
protected void | log(Assertion assertion, ValidationContext context): Log the Assertion which is being validated, along with the supplied validation context parameters.
protected ValidationResult | performSignatureValidation(Assertion token, ValidationContext context): Handle the actual signature validation.
ValidationResult | validate(Assertion assertion, ValidationContext context): Validate the supplied SAML 2 Assertion, using the parameters from the supplied ValidationContext.
protected ValidationResult | validateConditions(Assertion assertion, ValidationContext context): Validates the conditions on the assertion.
protected ValidationResult | validateConditionsTimeBounds(Assertion assertion, ValidationContext context): Validates the NotBefore and NotOnOrAfter Conditions constraints on the assertion.
protected ValidationResult | validateSignature(Assertion token, ValidationContext context): Validates the signature of the assertion, if it is signed.
protected ValidationResult | validateStatements(Assertion assertion, ValidationContext context): Validates the statements within the assertion.
protected ValidationResult | validateSubjectConfirmation(Assertion assertion, ValidationContext context): Validates the subject confirmations of the assertion.
protected ValidationResult | validateVersion(Assertion assertion, ValidationContext context): Validates that the assertion is a SAMLVersion.VERSION_20 assertion.
Field Detail

public static final long DEFAULT_CLOCK_SKEW
Default clock skew; 300000L milliseconds.

private final org.slf4j.Logger log
Class logger.

private net.shibboleth.utilities.java.support.collection.LazyMap<QName,ConditionValidator> conditionValidators
Registered Condition validators.

private net.shibboleth.utilities.java.support.collection.LazyMap<String,SubjectConfirmationValidator> subjectConfirmationValidators
Registered SubjectConfirmation validators.

private net.shibboleth.utilities.java.support.collection.LazyMap<QName,StatementValidator> statementValidators
Registered Statement validators.

private SignatureTrustEngine trustEngine
Trust engine for signature evaluation.

private SignaturePrevalidator signaturePrevalidator
SAML signature profile validator.

Constructor Detail

public SAML20AssertionValidator(@Nullable Collection<ConditionValidator> newConditionValidators, @Nullable Collection<SubjectConfirmationValidator> newConfirmationValidators, @Nullable Collection<StatementValidator> newStatementValidators, @Nullable SignatureTrustEngine newTrustEngine, @Nullable SignaturePrevalidator newSignaturePrevalidator)
Constructor.
Parameters:
- newConditionValidators - validators used to validate the Conditions within the assertion
- newConfirmationValidators - validators used to validate SubjectConfirmation methods within the assertion
- newStatementValidators - validators used to validate Statements within the assertion
- newTrustEngine - the trust engine used to validate the Assertion signature
- newSignaturePrevalidator - the signature pre-validator used to pre-validate the Assertion signature

Method Detail

public static long getClockSkew(@Nonnull ValidationContext context)
Gets the clock skew from the ValidationContext.getStaticParameters() parameters. If the parameter is not set or is not a positive Long then the DEFAULT_CLOCK_SKEW is used. A zero or negative value is therefore not honoured: it falls back to the 300000 millisecond default rather than disabling skew tolerance.
Parameters:
- context - current validation context

@Nonnull public ValidationResult validate(@Nonnull Assertion assertion, @Nonnull ValidationContext context) throws AssertionValidationException
Validate the supplied SAML 2 Assertion, using the parameters from the supplied ValidationContext. Non-fatal validation failures are reported through the returned ValidationResult; only fatal errors are thrown.
Parameters:
- assertion - the assertion being evaluated
- context - the current validation context
Throws:
- AssertionValidationException - if there is a fatal error evaluating the validity of the assertion

protected void log(@Nonnull Assertion assertion, @Nonnull ValidationContext context)
Log the Assertion which is being validated, along with the supplied validation context parameters.
Parameters:
- assertion - the SAML 2 Assertion being validated
- context - the current validation context

@Nonnull protected ValidationResult validateVersion(@Nonnull Assertion assertion, @Nonnull ValidationContext context) throws AssertionValidationException
Validates that the assertion is a SAMLVersion.VERSION_20 assertion.
Parameters:
- assertion - the assertion to validate
- context - current validation context
Throws:
- AssertionValidationException - thrown if there is a problem validating the version

@Nonnull protected ValidationResult validateSignature(@Nonnull Assertion token, @Nonnull ValidationContext context) throws AssertionValidationException
Validates the signature of the assertion, if it is signed.
Parameters:
- token - assertion whose signature will be validated
- context - current validation context
Throws:
- AssertionValidationException - thrown if there is a problem determining the validity of the signature

@Nonnull protected ValidationResult performSignatureValidation(@Nonnull Assertion token, @Nonnull ValidationContext context) throws AssertionValidationException
Handle the actual signature validation.
Parameters:
- token - assertion whose signature will be validated
- context - current validation context
Throws:
- AssertionValidationException - thrown if there is a problem determining the validity of the signature

@Nonnull protected net.shibboleth.utilities.java.support.resolver.CriteriaSet getSignatureValidationCriteriaSet(@Nonnull Assertion token, @Nonnull ValidationContext context)
Get the criteria set that will be used in evaluating the Assertion signature via the supplied trust engine.
Parameters:
- token - assertion whose signature will be validated
- context - current validation context

@Nonnull protected ValidationResult validateConditions(@Nonnull Assertion assertion, @Nonnull ValidationContext context) throws AssertionValidationException
Validates the conditions on the assertion.
Parameters:
- assertion - the assertion whose conditions will be validated
- context - current validation context
Throws:
- AssertionValidationException - thrown if there is a problem determining the validity of the conditions

@Nonnull protected ValidationResult validateConditionsTimeBounds(@Nonnull Assertion assertion, @Nonnull ValidationContext context) throws AssertionValidationException
Validates the NotBefore and NotOnOrAfter Conditions constraints on the assertion.
Parameters:
- assertion - the assertion whose conditions will be validated
- context - current validation context
Throws:
- AssertionValidationException - thrown if there is a problem determining the validity of the conditions

@Nonnull protected ValidationResult validateSubjectConfirmation(@Nonnull Assertion assertion, @Nonnull ValidationContext context) throws AssertionValidationException
Validates the subject confirmations of the assertion.
Parameters:
- assertion - assertion whose subject is being confirmed
- context - current validation context
Throws:
- AssertionValidationException - thrown if there is a problem determining the validity of the subject

@Nonnull protected ValidationResult validateStatements(@Nonnull Assertion assertion, @Nonnull ValidationContext context) throws AssertionValidationException
Validates the statements within the assertion.
Parameters:
- assertion - assertion whose statements are being validated
- context - current validation context
Throws:
- AssertionValidationException - thrown if there is a problem determining the validity of the statements

Copyright © 1999–2020 Shibboleth Consortium. All rights reserved.