Package org.opensaml.saml.saml2.assertion

Class SAML20AssertionValidator

java.lang.Object
org.opensaml.saml.saml2.assertion.SAML20AssertionValidator
public class SAML20AssertionValidator extends Object
A component capable of performing core validation of SAML version 2.0 Assertion instances.

Supports the following ValidationContext static parameters:

Supports the following ValidationContext dynamic parameters:

  • Field Details

  • Constructor Details

  • Method Details

    • getLifetime

      @Nonnull public static Duration getLifetime(@Nonnull ValidationContext context)
      Gets the lifetime duration from the ValidationContext.getStaticParameters() parameters. If the parameter is not set or is not a non-zero Duration then the DEFAULT_LIFETIME is used.
      Parameters:
      context - current validation context
      Returns:
      the lifetime duration

    • getClockSkew

      @Nonnull public static Duration getClockSkew(@Nonnull ValidationContext context)
      Gets the clock skew from the ValidationContext.getStaticParameters() parameters. If the parameter is not set or is not a non-zero Duration then the DEFAULT_CLOCK_SKEW is used.
      Parameters:
      context - current validation context
      Returns:
      the clock skew

    • getDurationParam

      private static Duration getDurationParam(@Nonnull ValidationContext context, @Nonnull String paramName, @Nonnull Duration defaultDuration)
      Gets the clock skew from the ValidationContext.getStaticParameters() parameters. If the parameter is not set or is not a non-zero Duration then the DEFAULT_CLOCK_SKEW is used.
      Parameters:
      context - current validation context
      paramName - name of the duration parameter to process
      defaultDuration - the default duration to use if not parameter not present in context
      Returns:
      the clock skew

    • validate

      @Nonnull public ValidationResult validate(@Nonnull Assertion assertion, @Nonnull ValidationContext context) throws AssertionValidationException
      Validate the supplied SAML 2 Assertion, using the parameters from the supplied ValidationContext.
      Parameters:
      assertion - the assertion being evaluated
      context - the current validation context
      Returns:
      the validation result
      Throws:
      AssertionValidationException - if there is a fatal error evaluating the validity of the assertion

    • log

      protected void log(@Nonnull Assertion assertion, @Nonnull ValidationContext context)
      Log the Assertion which is being validated, along with the supplied validation context parameters.
      Parameters:
      assertion - the SAML 2 Assertion being validated
      context - current validation context

    • validateBasicData

      @Nonnull protected ValidationResult validateBasicData(@Nonnull Assertion assertion, @Nonnull ValidationContext context) throws AssertionValidationException
      Validate basic Assertion data, such as version, issuer and issue instant.
      Parameters:
      assertion - the assertion being evaluated
      context - the current validation context
      Returns:
      the validation result
      Throws:
      AssertionValidationException - if there is a fatal error evaluating the validity of the assertion

    • validateVersion

      @Nonnull protected ValidationResult validateVersion(@Nonnull Assertion assertion, @Nonnull ValidationContext context) throws AssertionValidationException
      Validates that the assertion is a SAMLVersion.VERSION_20 assertion.
      Parameters:
      assertion - the assertion to validate
      context - current validation context
      Returns:
      result of the validation evaluation
      Throws:
      AssertionValidationException - thrown if there is a problem validating the version

    • validateIssueInstant

      protected ValidationResult validateIssueInstant(@Nonnull Assertion assertion, @Nonnull ValidationContext context) throws AssertionValidationException
      Validates the Assertion IssueInstant.
      Parameters:
      assertion - the assertion to validate
      context - current validation context
      Returns:
      the result of the validation evaluation
      Throws:
      AssertionValidationException - if there is a problem validating the IssueInstant

    • validateIssuer

      protected ValidationResult validateIssuer(@Nonnull Assertion assertion, @Nonnull ValidationContext context) throws AssertionValidationException
      Validates the Assertion Issuer.
      Parameters:
      assertion - the assertion to validate
      context - current validation context
      Returns:
      the result of the validation evaluation
      Throws:
      AssertionValidationException - if there is a problem validating the Issuer

    • validateSignature

      @Nonnull protected ValidationResult validateSignature(@Nonnull Assertion token, @Nonnull ValidationContext context) throws AssertionValidationException
      Validates the signature of the assertion, if it is signed.
      Parameters:
      token - assertion whose signature will be validated
      context - current validation context
      Returns:
      the result of the signature validation
      Throws:
      AssertionValidationException - thrown if there is a problem determining the validity of the signature

    • performSignatureValidation

      @Nonnull protected ValidationResult performSignatureValidation(@Nonnull Assertion token, @Nonnull ValidationContext context) throws AssertionValidationException
      Handle the actual signature validation.
      Parameters:
      token - assertion whose signature will be validated
      context - current validation context
      Returns:
      the validation result
      Throws:
      AssertionValidationException - thrown if there is a problem determining the validity of the signature

    • getSignatureValidationTrustEngine

      @Nonnull protected SignatureTrustEngine getSignatureValidationTrustEngine(@Nonnull Assertion token, @Nonnull ValidationContext context)
      Get the signature trust engine that will be used in evaluating the Assertion signature.
      Parameters:
      token - assertion whose signature will be validated
      context - current validation context
      Returns:
      the criteria set to use

    • getSignatureValidationPrevalidator

      @Nonnull protected SignaturePrevalidator getSignatureValidationPrevalidator(@Nonnull Assertion token, @Nonnull ValidationContext context)
      Get the signature trust engine that will be used in evaluating the Assertion signature.
      Parameters:
      token - assertion whose signature will be validated
      context - current validation context
      Returns:
      the criteria set to use

    • getSignatureValidationCriteriaSet

      @Nonnull protected CriteriaSet getSignatureValidationCriteriaSet(@Nonnull Assertion token, @Nonnull ValidationContext context)
      Get the criteria set that will be used in evaluating the Assertion signature via the supplied trust engine.
      Parameters:
      token - assertion whose signature will be validated
      context - current validation context
      Returns:
      the criteria set to use

    • validateConditions

      @Nonnull protected ValidationResult validateConditions(@Nonnull Assertion assertion, @Nonnull ValidationContext context) throws AssertionValidationException
      Validates the conditions on the assertion. Condition validators are looked up by the element QName and, if present, the schema type of the condition. If no validator can be found for the Condition the validation process fails.
      Parameters:
      assertion - the assertion whose conditions will be validated
      context - current validation context
      Returns:
      the result of the validation evaluation
      Throws:
      AssertionValidationException - thrown if there is a problem determining the validity of the conditions

    • validateRequiredConditions

      protected ValidationResult validateRequiredConditions(@Nonnull Assertion assertion, @Nonnull ValidationContext context)
      Validate that all conditions indicated to be required are present in the assertion.
      Parameters:
      assertion - the assertion whose conditions will be evaluated
      context - current validation context
      Returns:
      the result of the validation evaluation

    • validateConditionsTimeBounds

      @Nonnull protected ValidationResult validateConditionsTimeBounds(@Nonnull Assertion assertion, @Nonnull ValidationContext context) throws AssertionValidationException
      Validates the NotBefore and NotOnOrAfter Conditions constraints on the assertion.
      Parameters:
      assertion - the assertion whose conditions will be validated
      context - current validation context
      Returns:
      the result of the validation evaluation
      Throws:
      AssertionValidationException - thrown if there is a problem determining the validity of the conditions

    • validateSubjectConfirmation

      @Nonnull protected ValidationResult validateSubjectConfirmation(@Nonnull Assertion assertion, @Nonnull ValidationContext context) throws AssertionValidationException
      Validates the subject confirmations of the assertion. Validators are looked up by the subject confirmation method. If any one subject confirmation is met the subject is considered confirmed per the SAML specification.
      Parameters:
      assertion - assertion whose subject is being confirmed
      context - current validation context
      Returns:
      the result of the validation
      Throws:
      AssertionValidationException - thrown if there is a problem determining the validity the subject

    • validateStatements

      @Nonnull protected ValidationResult validateStatements(@Nonnull Assertion assertion, @Nonnull ValidationContext context) throws AssertionValidationException
      Validates the statements within the assertion. Validators are looked up by the Statement's element QName or, if present, its schema type. Any statement for which a validator can not be found is simply ignored.
      Parameters:
      assertion - assertion whose statements are being validated
      context - current validation context
      Returns:
      result of the validation
      Throws:
      AssertionValidationException - thrown if there is a problem determining the validity the statements