public class ResponseValidator extends AbstractSignableObjectValidator<Response>

Validator that ensures that a Response element is valid according to the SAML 2.0 Core specification and makes checks based on the supplied validation context parameters described below.

Supports the following ValidationContext static parameters:

- AbstractSignableObjectValidator.CoreValidatorParameters.STRICT_VALIDATION: Optional. If not supplied, defaults to 'false'. Tells whether strict validation should be performed.
- CoreValidatorParameters.ALLOWED_CLOCK_SKEW: Optional. Gives the maximum allowed clock skew in milliseconds. If not given, AbstractObjectValidator.DEFAULT_ALLOWED_CLOCK_SKEW is used.
- CoreValidatorParameters.MAX_AGE_MESSAGE: Optional. Gives the maximum age (difference between issuance time and the validation time). If not given, AbstractObjectValidator.DEFAULT_MAX_AGE_RECEIVED_MESSAGE is used.
- CoreValidatorParameters.RECEIVE_INSTANT: Optional. Gives the timestamp (milliseconds since epoch) for when the response message was received. If not given, the current time is used.
- CoreValidatorParameters.AUTHN_REQUEST: Optional. If supplied, it is used in a number of validations when information from the corresponding AuthnRequest is needed. If not supplied, other, more detailed parameters must be given.
- CoreValidatorParameters.AUTHN_REQUEST_ID: Required if CoreValidatorParameters.AUTHN_REQUEST is not assigned. Used when validating the InResponseTo attribute of the response.
- CoreValidatorParameters.RECEIVE_URL: Required. A String holding the URL on which we received the response message. Used when the Destination attribute is validated.
- CoreValidatorParameters.EXPECTED_ISSUER: Optional. If set, it is used when the issuer of the response is validated.

Inherited fields: signaturePrevalidator, trustEngine, DEFAULT_ALLOWED_CLOCK_SKEW, DEFAULT_MAX_AGE_RECEIVED_MESSAGE

| Constructor and Description |
|---|
| ResponseValidator(SignatureTrustEngine trustEngine, SignaturePrevalidator signaturePrevalidator) - Constructor. |

| Modifier and Type | Method and Description | 
|---|---|
| protected String | getID(Response signableObject) - Returns the ID of the signable object. |
| protected String | getIssuer(Response signableObject) - Returns the issuer of the signable object. |
| protected String | getObjectName() - Returns the name of the object being validated, e.g. |
| ValidationResult | validate(Response response, ValidationContext context) - Validates the given object. |
| protected ValidationResult | validateAssertions(Response response, ValidationContext context) - Validates the Assertion and/or EncryptedAssertion element. |
| protected ValidationResult | validateConsent(Response response, ValidationContext context) - Validates the Consent attribute. |
| protected ValidationResult | validateDestination(Response response, ValidationContext context) - Ensures that the Destination attribute is present and matches the URL on which we received the message. |
| protected ValidationResult | validateExtensions(Response response, ValidationContext context) - Validates the Extensions element. |
| protected ValidationResult | validateID(Response response, ValidationContext context) - Validates that the Response object has an ID attribute. |
| protected ValidationResult | validateInResponseTo(Response response, ValidationContext context) - Ensures that the InResponseTo attribute is present and that it matches the ID of the AuthnRequest. |
| protected ValidationResult | validateIssueInstant(Response response, ValidationContext context) - Validates that the Response object has an IssueInstant attribute and that it is not too old given the CoreValidatorParameters.MAX_AGE_MESSAGE and CoreValidatorParameters.RECEIVE_INSTANT context parameters. |
| protected ValidationResult | validateIssuer(Response response, ValidationContext context) - Ensures that the Issuer element is present and matches the expected issuer (if set in the context under the CoreValidatorParameters.EXPECTED_ISSUER key). |
| protected ValidationResult | validateStatus(Response response, ValidationContext context) - Validates that the Response object has a Status attribute. |
| protected ValidationResult | validateVersion(Response response, ValidationContext context) - Validates that the Response object has a valid Version attribute. |

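The InResponseTo, Destination and IssueInstant checks listed above each compare a Response attribute against a validation context parameter, which is what ties a response to the request that was sent, the endpoint that received it and a bounded time window. The following sketch is an added example, not code from this library: the Resp and Ctx records, the check method, the exact string comparisons, the future-timestamp check and the way clock skew is combined with the maximum age are assumptions made for illustration (Java 16 or later).

```java
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.List;

// Added sketch: models three context-driven checks, not the library's implementation.
public class ResponseChecksSketch {
    // Hypothetical holder for the Response attributes examined here (not an OpenSAML type).
    record Resp(String inResponseTo, String destination, Instant issueInstant) {}
    // Hypothetical stand-in for the ValidationContext parameters named on this page.
    record Ctx(String authnRequestId, String receiveUrl, Instant receiveInstant,
               Duration maxAge, Duration allowedClockSkew) {}

    static List<String> check(Resp r, Ctx c) {
        List<String> errors = new ArrayList<>();
        // AUTHN_REQUEST_ID: the response must answer the request we actually sent.
        if (r.inResponseTo() == null || !r.inResponseTo().equals(c.authnRequestId())) {
            errors.add("InResponseTo missing or not matching the AuthnRequest ID");
        }
        // RECEIVE_URL: exact string comparison is an assumption of this sketch.
        if (r.destination() == null || !r.destination().equals(c.receiveUrl())) {
            errors.add("Destination missing or not matching the receive URL");
        }
        if (r.issueInstant() == null) {
            errors.add("IssueInstant missing");
        } else {
            // Age relative to RECEIVE_INSTANT; adding the skew to MAX_AGE_MESSAGE is an assumption.
            Duration age = Duration.between(r.issueInstant(), c.receiveInstant());
            if (age.compareTo(c.maxAge().plus(c.allowedClockSkew())) > 0) {
                errors.add("IssueInstant too old");
            }
            // Assumption: a timestamp further in the future than the skew is also rejected.
            if (age.compareTo(c.allowedClockSkew().negated()) < 0) {
                errors.add("IssueInstant in the future");
            }
        }
        return errors;
    }

    public static void main(String[] args) {
        // Constructed sample values.
        Instant received = Instant.parse("2018-06-01T12:00:00Z");
        Ctx ctx = new Ctx("_req-1", "https://sp.example.com/saml2/post", received,
                Duration.ofMinutes(3), Duration.ofSeconds(30));
        Resp fresh = new Resp("_req-1", "https://sp.example.com/saml2/post", received.minusSeconds(20));
        Resp replayed = new Resp("_req-0", "https://sp.example.com/saml2/post", received.minusSeconds(600));
        System.out.println("fresh: " + check(fresh, ctx));
        System.out.println("replayed: " + check(replayed, ctx));
    }
}
```
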
Inherited methods: getSignatureValidationCriteriaSet, performSignatureValidation, validateSignature, getAllowedClockSkew, getMaxAgeReceivedMessage, getReceiveInstant, isStrictValidation

public ResponseValidator(SignatureTrustEngine trustEngine, SignaturePrevalidator signaturePrevalidator)
Parameters: trustEngine - the trust engine used to validate the object's signature; signaturePrevalidator - the signature pre-validator used to pre-validate the object's signature

public ValidationResult validate(Response response, ValidationContext context)
Parameters: response - object to be evaluated; context - current validation context

protected ValidationResult validateID(Response response, ValidationContext context)
Validates that the Response object has an ID attribute.
Parameters: response - the response; context - the validation context

protected ValidationResult validateVersion(Response response, ValidationContext context)
Validates that the Response object has a valid Version attribute.
Parameters: response - the response; context - the validation context

protected ValidationResult validateStatus(Response response, ValidationContext context)
Validates that the Response object has a Status attribute.
Parameters: response - the response; context - the validation context

protected ValidationResult validateIssueInstant(Response response, ValidationContext context)
Validates that the Response object has an IssueInstant attribute and that it is not too old given the CoreValidatorParameters.MAX_AGE_MESSAGE and CoreValidatorParameters.RECEIVE_INSTANT context parameters.
Parameters: response - the response; context - the validation context

protected ValidationResult validateInResponseTo(Response response, ValidationContext context)
Ensures that the InResponseTo attribute is present and that it matches the ID of the AuthnRequest. The ID is found in the context parameter under the key CoreValidatorParameters.AUTHN_REQUEST_ID or from the object stored under CoreValidatorParameters.AUTHN_REQUEST.
Parameters: response - the response; context - the validation context

protected ValidationResult validateDestination(Response response, ValidationContext context)
Ensures that the Destination attribute is present and matches the URL on which we received the message. This value is found in the context under the CoreValidatorParameters.RECEIVE_URL key.
Parameters: response - the response; context - the validation context

protected ValidationResult validateConsent(Response response, ValidationContext context)
Validates the Consent attribute. The default implementation returns ValidationResult.VALID since the attribute is optional according to the SAML 2.0 Core specifications.
Parameters: response - the response; context - the validation context

protected ValidationResult validateIssuer(Response response, ValidationContext context)
Ensures that the Issuer element is present and matches the expected issuer (if set in the context under the CoreValidatorParameters.EXPECTED_ISSUER key).
Parameters: response - the response; context - the validation context

protected ValidationResult validateAssertions(Response response, ValidationContext context)
Validates the Assertion and/or EncryptedAssertion element. The default implementation checks:
Parameters: response - the response; context - the validation context

protected ValidationResult validateExtensions(Response response, ValidationContext context)
Validates the Extensions element. The default implementation returns ValidationResult.VALID since the element is optional according to the SAML 2.0 Core specifications.
Parameters: response - the response; context - the validation context

protected String getIssuer(Response signableObject)
getIssuer in class AbstractSignableObjectValidator<Response>
Parameters: signableObject - the object being verified

protected String getID(Response signableObject)
getID in class AbstractSignableObjectValidator<Response>
Parameters: signableObject - the object being verified

protected String getObjectName()
getObjectName in class AbstractSignableObjectValidator<Response>

Copyright © 2018 Litsec AB. All rights reserved.