org.apache.wss4j.dom.validate

Class SamlAssertionValidator

java.lang.Object

org.apache.wss4j.dom.validate.SignatureTrustValidator

org.apache.wss4j.dom.validate.SamlAssertionValidator

All Implemented Interfaces:

Validator

Direct Known Subclasses:

STSSamlAssertionValidator

public class SamlAssertionValidator
extends SignatureTrustValidator

This class validates a SAML Assertion, which is wrapped in an "SamlAssertionWrapper" instance. It assumes that the SamlAssertionWrapper instance has already verified the signature on the assertion (done by the SAMLTokenProcessor). It verifies trust in the signature, and also checks that the Subject contains a KeyInfo (and processes it) for the holder-of-key case, and verifies that the Assertion is signed as well for holder-of-key.

Constructor Summary

Constructors

Constructor and Description
SamlAssertionValidator()

Method Summary

Modifier and Type	Method and Description
protected void	checkAuthnStatements(SamlAssertionWrapper samlAssertion) Check the AuthnStatements of the Assertion (if any)
protected void	checkConditions(SamlAssertionWrapper samlAssertion) Check the Conditions of the Assertion.
protected void	checkConditions(SamlAssertionWrapper samlAssertion, List<String> audienceRestrictions) Check the Conditions of the Assertion.
protected void	checkOneTimeUse(SamlAssertionWrapper samlAssertion, RequestData data) Check the "OneTimeUse" Condition of the Assertion.
String	getRequiredSubjectConfirmationMethod()
int	getTtl()
boolean	isRequireBearerSignature()
boolean	isRequireStandardSubjectConfirmationMethod()
boolean	isValidateSignatureAgainstProfile() Whether to validate the signature of the Assertion (if it exists) against the relevant profile.
void	setFutureTTL(int newFutureTTL) Set the time in seconds in the future within which the NotBefore time of an incoming Assertion is valid.
void	setRequireBearerSignature(boolean requireBearerSignature)
void	setRequiredSubjectConfirmationMethod(String requiredSubjectConfirmationMethod)
void	setRequireStandardSubjectConfirmationMethod(boolean requireStandardSubjectConfirmationMethod)
void	setTtl(int ttl)
void	setValidateSignatureAgainstProfile(boolean validateSignatureAgainstProfile) Whether to validate the signature of the Assertion (if it exists) against the relevant profile.
Credential	validate(Credential credential, RequestData data) Validate the credential argument.
protected void	validateAssertion(SamlAssertionWrapper samlAssertion) Validate the samlAssertion against schemas/profiles
protected Credential	verifySignedAssertion(SamlAssertionWrapper samlAssertion, RequestData data) Verify trust in the signature of a signed Assertion.
protected void	verifySubjectConfirmationMethod(SamlAssertionWrapper samlAssertion) Check the Subject Confirmation method requirements

Methods inherited from class org.apache.wss4j.dom.validate.SignatureTrustValidator

getCrypto, validateCertificates, validatePublicKey, verifyTrustInCerts

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

SamlAssertionValidator

public SamlAssertionValidator()

Method Detail

setFutureTTL

public void setFutureTTL(int newFutureTTL)

Set the time in seconds in the future within which the NotBefore time of an incoming Assertion is valid. The default is 60 seconds.

validate

public Credential validate(Credential credential,
                           RequestData data)
                    throws WSSecurityException

Validate the credential argument. It must contain a non-null SamlAssertionWrapper. A Crypto and a CallbackHandler implementation is also required to be set.

Specified by:

validate in interface Validator

Overrides:

validate in class SignatureTrustValidator

Parameters:

credential - the Credential to be validated

data - the RequestData associated with the request

Returns:

a validated Credential

Throws:

WSSecurityException - on a failed validation

verifySubjectConfirmationMethod

protected void verifySubjectConfirmationMethod(SamlAssertionWrapper samlAssertion)
                                        throws WSSecurityException

Check the Subject Confirmation method requirements

Throws:

WSSecurityException

verifySignedAssertion

protected Credential verifySignedAssertion(SamlAssertionWrapper samlAssertion,
                                           RequestData data)
                                    throws WSSecurityException

Verify trust in the signature of a signed Assertion. This method is separate so that the user can override if if they want.

Parameters:

samlAssertion - The signed Assertion

data - The RequestData context

Returns:

A Credential instance

Throws:

WSSecurityException

checkConditions

protected void checkConditions(SamlAssertionWrapper samlAssertion,
                               List<String> audienceRestrictions)
                        throws WSSecurityException

Check the Conditions of the Assertion.

Throws:

WSSecurityException

checkConditions

protected void checkConditions(SamlAssertionWrapper samlAssertion)
                        throws WSSecurityException

Check the Conditions of the Assertion.

Throws:

WSSecurityException

checkAuthnStatements

protected void checkAuthnStatements(SamlAssertionWrapper samlAssertion)
                             throws WSSecurityException

Check the AuthnStatements of the Assertion (if any)

Throws:

WSSecurityException

checkOneTimeUse

protected void checkOneTimeUse(SamlAssertionWrapper samlAssertion,
                               RequestData data)
                        throws WSSecurityException

Check the "OneTimeUse" Condition of the Assertion. If this is set then the Assertion is cached (if a cache is defined), and must not have been previously cached

Throws:

WSSecurityException

validateAssertion

protected void validateAssertion(SamlAssertionWrapper samlAssertion)
                          throws WSSecurityException

Validate the samlAssertion against schemas/profiles

Throws:

WSSecurityException

isValidateSignatureAgainstProfile

public boolean isValidateSignatureAgainstProfile()

Whether to validate the signature of the Assertion (if it exists) against the relevant profile. Default is true.

setValidateSignatureAgainstProfile

public void setValidateSignatureAgainstProfile(boolean validateSignatureAgainstProfile)

Whether to validate the signature of the Assertion (if it exists) against the relevant profile. Default is true.

getRequiredSubjectConfirmationMethod

public String getRequiredSubjectConfirmationMethod()

setRequiredSubjectConfirmationMethod

public void setRequiredSubjectConfirmationMethod(String requiredSubjectConfirmationMethod)

isRequireStandardSubjectConfirmationMethod

public boolean isRequireStandardSubjectConfirmationMethod()

setRequireStandardSubjectConfirmationMethod

public void setRequireStandardSubjectConfirmationMethod(boolean requireStandardSubjectConfirmationMethod)

isRequireBearerSignature

public boolean isRequireBearerSignature()

setRequireBearerSignature

public void setRequireBearerSignature(boolean requireBearerSignature)

getTtl

public int getTtl()

setTtl

public void setTtl(int ttl)