Class AuthnStatementValidator

- java.lang.Object
  - org.opensaml.saml.saml2.assertion.impl.AuthnStatementValidator
    - se.litsec.opensaml.saml2.common.assertion.AuthnStatementValidator

- All Implemented Interfaces:
  StatementValidator

public class AuthnStatementValidator extends org.opensaml.saml.saml2.assertion.impl.AuthnStatementValidator

Core statement validator for AuthnStatements. Supports the following ValidationContext static parameters:

- CoreValidatorParameters.AUTHN_REQUEST: Optional. If supplied, it will be used in a number of validations when information from the corresponding AuthnRequest is needed. If not supplied, the other, more detailed parameters below must be given.
- AUTHN_REQUEST_FORCE_AUTHN: If CoreValidatorParameters.AUTHN_REQUEST is not assigned, this parameter gives the ForceAuthn flag. It is used to determine whether a valid assertion was issued based on SSO or non-SSO.
- AUTHN_REQUEST_ISSUE_INSTANT: If CoreValidatorParameters.AUTHN_REQUEST is not assigned, this parameter gives the issue instant of the authentication request. It is used to determine whether a valid assertion was issued based on SSO or non-SSO.
- MAX_ACCEPTED_SSO_SESSION_TIME: For SSO, we may want to assert that the authentication is not too old. If so, this parameter gives the maximum accepted session time.
- Author:
  Martin Lindström (martin.lindstrom@litsec.se)
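Added usage example (not part of the library's Javadoc or source): a hypothetical SP-side helper that supplies the detailed parameters described above, runs the validator over each AuthnStatement of a received assertion, and overrides one of the protected hooks with an assumed local policy. The class AuthnStatementCheck, the SessionIndex policy, and the use of OpenSAML's ValidationContext/ValidationResult are assumptions of this example.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.HashMap;
import java.util.Map;

import org.opensaml.saml.common.assertion.AssertionValidationException;
import org.opensaml.saml.common.assertion.ValidationContext;
import org.opensaml.saml.common.assertion.ValidationResult;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.AuthnStatement;
import se.litsec.opensaml.saml2.common.assertion.AuthnStatementValidator;

/** Hypothetical SP-side helper: validates every AuthnStatement of a received assertion. */
public final class AuthnStatementCheck {

  /** Assumed local policy: require a SessionIndex (the default hook accepts anything). */
  private static final AuthnStatementValidator VALIDATOR = new AuthnStatementValidator() {
    @Override
    protected ValidationResult validateSessionIndex(AuthnStatement statement, Assertion assertion, ValidationContext context) {
      if (statement.getSessionIndex() == null || statement.getSessionIndex().isEmpty()) {
        context.setValidationFailureMessage("AuthnStatement is missing SessionIndex");
        return ValidationResult.INVALID;
      }
      return ValidationResult.VALID;
    }
  };

  // forceAuthn and requestIssued come from the AuthnRequest the SP sent; maxSsoSession is the
  // oldest SSO authentication the SP is willing to accept. Returns true only if all statements pass.
  public static boolean accept(Assertion assertion, boolean forceAuthn, Instant requestIssued, Duration maxSsoSession)
      throws AssertionValidationException {

    // Detailed parameters, used because CoreValidatorParameters.AUTHN_REQUEST is not supplied here
    Map<String, Object> params = new HashMap<>();
    params.put(AuthnStatementValidator.AUTHN_REQUEST_FORCE_AUTHN, forceAuthn);        // Boolean
    params.put(AuthnStatementValidator.AUTHN_REQUEST_ISSUE_INSTANT, requestIssued);   // Instant
    params.put(AuthnStatementValidator.MAX_ACCEPTED_SSO_SESSION_TIME, maxSsoSession); // Duration

    for (AuthnStatement statement : assertion.getAuthnStatements()) {
      ValidationContext context = new ValidationContext(params);
      ValidationResult result = VALIDATOR.validate(statement, assertion, context);
      if (result != ValidationResult.VALID) {
        // INDETERMINATE is treated as a failure: do not grant access on an unresolved check
        System.err.println("AuthnStatement rejected (" + result + "): " + context.getValidationFailureMessage());
        return false;
      }
    }
    return true;
  }
}
```

The assertion passed in is assumed to have already had its signature and Conditions checked by the surrounding assertion validator; this helper only covers the AuthnStatement part.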
Field Summary

Fields:
- static String AUTHN_REQUEST_FORCE_AUTHN: Key for a validation context parameter.
- static String AUTHN_REQUEST_ISSUE_INSTANT: Key for a validation context parameter.
- static String MAX_ACCEPTED_SSO_SESSION_TIME: Key for a validation context parameter.

Constructor Summary

Constructors:
- AuthnStatementValidator()

Method Summary

Methods:
- protected static Instant getAuthnRequestIssueInstant(ValidationContext context): Gets the issue instant of the AuthnRequest from the validation context.
- protected static Boolean getForceAuthnFlag(ValidationContext context): Gets the ForceAuthn flag from the validation context.
- protected static Duration getMaxAcceptedSsoSessionTime(ValidationContext context): Gets the maximum time we allow for SSO sessions.
- protected ValidationResult validate(AuthnStatement statement, Assertion assertion, ValidationContext context): Validates the AuthnStatement.
- ValidationResult validate(Statement statement, Assertion assertion, ValidationContext context)
- protected ValidationResult validateAuthnContext(AuthnStatement statement, Assertion assertion, ValidationContext context): Default implementation will only assert that the AuthnContext element is present.
- protected ValidationResult validateAuthnInstant(AuthnStatement statement, Assertion assertion, ValidationContext context): Validates the AuthnInstant of the AuthnStatement.
- protected ValidationResult validateSessionIndex(AuthnStatement statement, Assertion assertion, ValidationContext context): Default implementation does not perform any checks and returns ValidationResult.VALID.
- protected ValidationResult validateSessionNotOnOrAfter(AuthnStatement statement, Assertion assertion, ValidationContext context): Default implementation does not perform any checks and returns ValidationResult.VALID.
- protected ValidationResult validateSsoAndSession(Instant authnInstant, AuthnStatement statement, Assertion assertion, ValidationContext context): Makes checks for SSO and session lengths.

Methods inherited from class org.opensaml.saml.saml2.assertion.impl.AuthnStatementValidator:
getServicedStatement, validateSubjectLocality
Field Detail

AUTHN_REQUEST_FORCE_AUTHN

public static final String AUTHN_REQUEST_FORCE_AUTHN

Key for a validation context parameter. Carries a Boolean holding the value of the ForceAuthn flag from the AuthnRequest.

- See Also:
  Constant Field Values

AUTHN_REQUEST_ISSUE_INSTANT

public static final String AUTHN_REQUEST_ISSUE_INSTANT

Key for a validation context parameter. Carries an Instant holding the issuance time of the AuthnRequest.

- See Also:
  Constant Field Values

MAX_ACCEPTED_SSO_SESSION_TIME

public static final String MAX_ACCEPTED_SSO_SESSION_TIME

Key for a validation context parameter. Carries a Duration holding the maximum session time that we can accept for SSO.

- See Also:
  Constant Field Values
Method Detail

validate

public final ValidationResult validate(Statement statement, Assertion assertion, ValidationContext context) throws AssertionValidationException

- Specified by:
  validate in interface StatementValidator
- Overrides:
  validate in class org.opensaml.saml.saml2.assertion.impl.AuthnStatementValidator
- Throws:
  AssertionValidationException

validate

protected ValidationResult validate(AuthnStatement statement, Assertion assertion, ValidationContext context) throws AssertionValidationException

Validates the AuthnStatement.

- Parameters:
  statement - the statement to validate
  assertion - the assertion containing the statement
  context - validation context
- Returns:
  validation result
- Throws:
  AssertionValidationException - for internal validation errors

validateAuthnInstant

protected ValidationResult validateAuthnInstant(AuthnStatement statement, Assertion assertion, ValidationContext context)

Validates the AuthnInstant of the AuthnStatement.

- Overrides:
  validateAuthnInstant in class org.opensaml.saml.saml2.assertion.impl.AuthnStatementValidator
- Parameters:
  statement - the statement
  assertion - the assertion containing the statement
  context - validation context
- Returns:
  validation result

validateSsoAndSession

protected ValidationResult validateSsoAndSession(Instant authnInstant, AuthnStatement statement, Assertion assertion, ValidationContext context)

Makes checks for SSO and session lengths.

- Parameters:
  authnInstant - the authentication instant
  statement - the statement
  assertion - the assertion containing the statement
  context - validation context
- Returns:
  validation result

getMaxAcceptedSsoSessionTime

protected static Duration getMaxAcceptedSsoSessionTime(ValidationContext context)

Gets the maximum time we allow for SSO sessions.

- Parameters:
  context - the validation context
- Returns:
  the max time, or null if the time is not set

getForceAuthnFlag

protected static Boolean getForceAuthnFlag(ValidationContext context)

Gets the ForceAuthn flag from the validation context. The method first checks for the AUTHN_REQUEST_FORCE_AUTHN parameter and, if that does not exist, tries the CoreValidatorParameters.AUTHN_REQUEST parameter.

- Parameters:
  context - the validation context
- Returns:
  the ForceAuthn flag, or null if it is not set

getAuthnRequestIssueInstant

protected static Instant getAuthnRequestIssueInstant(ValidationContext context)

Gets the issue instant of the AuthnRequest from the validation context. The method first checks for the AUTHN_REQUEST_ISSUE_INSTANT parameter and, if that does not exist, tries the CoreValidatorParameters.AUTHN_REQUEST parameter.

- Parameters:
  context - the validation context
- Returns:
  the issuance time, or null if not set

validateSessionIndex

protected ValidationResult validateSessionIndex(AuthnStatement statement, Assertion assertion, ValidationContext context)

Default implementation does not perform any checks and returns ValidationResult.VALID.

- Parameters:
  statement - the statement
  assertion - the assertion
  context - the validation context
- Returns:
  validation result

validateSessionNotOnOrAfter

protected ValidationResult validateSessionNotOnOrAfter(AuthnStatement statement, Assertion assertion, ValidationContext context)

Default implementation does not perform any checks and returns ValidationResult.VALID.

- Parameters:
  statement - the statement
  assertion - the assertion
  context - the validation context
- Returns:
  validation result

validateAuthnContext

protected ValidationResult validateAuthnContext(AuthnStatement statement, Assertion assertion, ValidationContext context)

Default implementation will only assert that the AuthnContext element is present.

- Overrides:
  validateAuthnContext in class org.opensaml.saml.saml2.assertion.impl.AuthnStatementValidator
- Parameters:
  statement - the statement
  assertion - the assertion
  context - the validation context
- Returns:
  validation result