Class AuthnStatementValidator
- java.lang.Object
-
- se.litsec.opensaml.saml2.common.assertion.AuthnStatementValidator
-
- All Implemented Interfaces:
StatementValidator
public class AuthnStatementValidator extends Object implements StatementValidator
Core statement validator forAuthnStatements.Supports the following
ValidationContextstatic parameters:CoreValidatorParameters.AUTHN_REQUEST: Optional. If supplied will be used in a number of validations when information from the correspondingAuthnRequestis needed. If not supplied, other, more detailed parameters must be given.AUTHN_REQUEST_FORCE_AUTHN: If the aboveCoreValidatorParameters.AUTHN_REQUESTis not assigned, this parameter gives theForceAuthnflag. This is used to determine if a valid assertion was issued based on SSO/non-SSO.AUTHN_REQUEST_ISSUE_INSTANT: If the aboveCoreValidatorParameters.AUTHN_REQUESTis not assigned, this parameter gives the issue instant of the authentication request. This is used to determine if a valid assertion was issued based on SSO/non-SSO.MAX_ACCEPTED_SSO_SESSION_TIME: For SSO, we may want to assert that the authentication is not too old. If so, this parameter gives the maximum accepted session time.
- Author:
- Martin Lindström (martin.lindstrom@litsec.se)
-
-
Field Summary
Fields Modifier and Type Field Description static StringAUTHN_REQUEST_FORCE_AUTHNKey for a validation context parameter.static StringAUTHN_REQUEST_ISSUE_INSTANTKey for a validation context parameter.static StringMAX_ACCEPTED_SSO_SESSION_TIMEKey for a validation context parameter.
-
Constructor Summary
Constructors Constructor Description AuthnStatementValidator()
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description protected LonggetAuthnRequestIssueInstant(ValidationContext context)Gets the issue instant of theAuthnRequestfrom the validation context.protected BooleangetForceAuthnFlag(ValidationContext context)Gets theForceAuthnflag from the validation context.QNamegetServicedStatement()protected ValidationResultvalidate(AuthnStatement statement, Assertion assertion, ValidationContext context)Validates theAuthnStatement.ValidationResultvalidate(Statement statement, Assertion assertion, ValidationContext context)protected ValidationResultvalidateAuthnContext(AuthnStatement statement, Assertion assertion, ValidationContext context)Default implementation will only assert that theAuthnContextelement is present.protected ValidationResultvalidateAuthnInstant(AuthnStatement statement, Assertion assertion, ValidationContext context)Validates theAuthnInstantof theAuthnStatement.protected ValidationResultvalidateSessionIndex(AuthnStatement statement, Assertion assertion, ValidationContext context)Default implementation does not perform any checks and returnsValidationResult.VALID.protected ValidationResultvalidateSessionNotOnOrAfter(AuthnStatement statement, Assertion assertion, ValidationContext context)Default implementation does not perform any checks and returnsValidationResult.VALID.protected ValidationResultvalidateSsoAndSession(Instant authnInstant, AuthnStatement statement, Assertion assertion, ValidationContext context)Makes checks for SSO and session lengths.protected ValidationResultvalidateSubjectLocality(AuthnStatement statement, Assertion assertion, ValidationContext context)Default implementation does not perform any checks and returnsValidationResult.VALID.
-
-
-
Field Detail
-
AUTHN_REQUEST_FORCE_AUTHN
public static final String AUTHN_REQUEST_FORCE_AUTHN
Key for a validation context parameter. Carries aBooleanholding the value of the ForceAuthn flag from the AuthnRequest.- See Also:
- Constant Field Values
-
AUTHN_REQUEST_ISSUE_INSTANT
public static final String AUTHN_REQUEST_ISSUE_INSTANT
Key for a validation context parameter. Carries aLongholding the issuance time for the AuthnRequest.- See Also:
- Constant Field Values
-
MAX_ACCEPTED_SSO_SESSION_TIME
public static final String MAX_ACCEPTED_SSO_SESSION_TIME
Key for a validation context parameter. Carries aLongholding the maximum session time that we can accept for SSO.- See Also:
- Constant Field Values
-
-
Method Detail
-
getServicedStatement
public QName getServicedStatement()
- Specified by:
getServicedStatementin interfaceStatementValidator
-
validate
public final ValidationResult validate(Statement statement, Assertion assertion, ValidationContext context) throws AssertionValidationException
- Specified by:
validatein interfaceStatementValidator- Throws:
AssertionValidationException
-
validate
protected ValidationResult validate(AuthnStatement statement, Assertion assertion, ValidationContext context)
Validates theAuthnStatement.- Parameters:
statement- the statement to validateassertion- the assertion containing the statementcontext- validation context- Returns:
- validation result
-
validateAuthnInstant
protected ValidationResult validateAuthnInstant(AuthnStatement statement, Assertion assertion, ValidationContext context)
Validates theAuthnInstantof theAuthnStatement.- Parameters:
statement- the statementassertion- the assertion containing the statementcontext- validation context- Returns:
- validation result
-
validateSsoAndSession
protected ValidationResult validateSsoAndSession(Instant authnInstant, AuthnStatement statement, Assertion assertion, ValidationContext context)
Makes checks for SSO and session lengths.- Parameters:
authnInstant- the authentication instantstatement- the statementassertion- the assertion containing the statementcontext- validation context- Returns:
- validation result
-
getForceAuthnFlag
protected Boolean getForceAuthnFlag(ValidationContext context)
Gets theForceAuthnflag from the validation context. The method primarily checks for theAUTHN_REQUEST_FORCE_AUTHNparameter, and that does not exist, tries with theCoreValidatorParameters.AUTHN_REQUESTparameter.- Parameters:
context- the validation context- Returns:
- the
ForceAuthnflag ornullif this is not set
-
getAuthnRequestIssueInstant
protected Long getAuthnRequestIssueInstant(ValidationContext context)
Gets the issue instant of theAuthnRequestfrom the validation context. The method primarily checks for theAUTHN_REQUEST_ISSUE_INSTANTparameter, and that does not exist, tries with theCoreValidatorParameters.AUTHN_REQUESTparameter.- Parameters:
context- the validation context- Returns:
- the issuance time
-
validateSessionIndex
protected ValidationResult validateSessionIndex(AuthnStatement statement, Assertion assertion, ValidationContext context)
Default implementation does not perform any checks and returnsValidationResult.VALID.- Parameters:
statement- the statementassertion- the assertioncontext- the validation context- Returns:
- validation result
-
validateSessionNotOnOrAfter
protected ValidationResult validateSessionNotOnOrAfter(AuthnStatement statement, Assertion assertion, ValidationContext context)
Default implementation does not perform any checks and returnsValidationResult.VALID.- Parameters:
statement- the statementassertion- the assertioncontext- the validation context- Returns:
- validation result
-
validateSubjectLocality
protected ValidationResult validateSubjectLocality(AuthnStatement statement, Assertion assertion, ValidationContext context)
Default implementation does not perform any checks and returnsValidationResult.VALID.- Parameters:
statement- the statementassertion- the assertioncontext- the validation context- Returns:
- validation result
-
validateAuthnContext
protected ValidationResult validateAuthnContext(AuthnStatement statement, Assertion assertion, ValidationContext context)
Default implementation will only assert that theAuthnContextelement is present.- Parameters:
statement- the statementassertion- the assertioncontext- the validation context- Returns:
- validation result
-
-