org.apache.ws.security.validate
Class SamlAssertionValidator

java.lang.Object
  extended by org.apache.ws.security.validate.SignatureTrustValidator
      extended by org.apache.ws.security.validate.SamlAssertionValidator
All Implemented Interfaces:
Validator

public class SamlAssertionValidator
extends SignatureTrustValidator

This class validates a SAML Assertion, which is wrapped in an "AssertionWrapper" instance. It assumes that the AssertionWrapper instance has already verified the signature on the assertion (done by the SAMLTokenProcessor). It verifies trust in the signature, and also checks that the Subject contains a KeyInfo (and processes it) for the holder-of-key case, and verifies that the Assertion is signed as well for holder-of-key.


Constructor Summary
SamlAssertionValidator()

Method Summary
 void checkAudienceRestrictions(AssertionWrapper assertion, List<String> audienceRestrictions)
          Check the AudienceRestrictions of the Assertion
protected  void checkAuthnStatements(AssertionWrapper assertion)
          Check the AuthnStatements of the Assertion (if any)
protected  void checkConditions(AssertionWrapper assertion)
          Check the Conditions of the Assertion.
protected  void checkOneTimeUse(AssertionWrapper samlAssertion, RequestData data)
          Check the "OneTimeUse" Condition of the Assertion.
 String getRequiredSubjectConfirmationMethod()
 int getTtl()
 boolean isRequireBearerSignature()
 boolean isRequireStandardSubjectConfirmationMethod()
 boolean isValidateSignatureAgainstProfile()
          Whether to validate the signature of the Assertion (if it exists) against the relevant profile.
 void setFutureTTL(int newFutureTTL)
          Set the time in seconds in the future within which the NotBefore time of an incoming Assertion is valid.
 void setRequireBearerSignature(boolean requireBearerSignature)
 void setRequiredSubjectConfirmationMethod(String requiredSubjectConfirmationMethod)
 void setRequireStandardSubjectConfirmationMethod(boolean requireStandardSubjectConfirmationMethod)
 void setTtl(int ttl)
 void setValidateSignatureAgainstProfile(boolean validateSignatureAgainstProfile)
          Whether to validate the signature of the Assertion (if it exists) against the relevant profile.
 Credential validate(Credential credential, RequestData data)
          Validate the credential argument.
protected  void validateAssertion(AssertionWrapper assertion)
          Validate the assertion against schemas/profiles
protected  Credential verifySignedAssertion(AssertionWrapper assertion, RequestData data)
          Verify trust in the signature of a signed Assertion.
protected  void verifySubjectConfirmationMethod(AssertionWrapper samlAssertion)
          Check the Subject Confirmation method requirements
 
Methods inherited from class org.apache.ws.security.validate.SignatureTrustValidator
getCrypto, isCertificateInKeyStore, matches, validateCertificates, validatePublicKey, verifyTrustInCert, verifyTrustInCert, verifyTrustInCert, verifyTrustInCerts, verifyTrustInCerts, verifyTrustInCerts
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

SamlAssertionValidator

public SamlAssertionValidator()
Method Detail

setFutureTTL

public void setFutureTTL(int newFutureTTL)
Set the time in seconds in the future within which the NotBefore time of an incoming Assertion is valid. The default is 60 seconds.


validate

public Credential validate(Credential credential,
                           RequestData data)
                    throws WSSecurityException
Validate the credential argument. It must contain a non-null AssertionWrapper. A Crypto and a CallbackHandler implementation are also required to be set.

Specified by:
validate in interface Validator
Overrides:
validate in class SignatureTrustValidator
Parameters:
credential - the Credential to be validated
data - the RequestData associated with the request
Returns:
a validated Credential
Throws:
WSSecurityException - on a failed validation

verifySubjectConfirmationMethod

protected void verifySubjectConfirmationMethod(AssertionWrapper samlAssertion)
                                        throws WSSecurityException
Check the Subject Confirmation method requirements

Throws:
WSSecurityException

verifySignedAssertion

protected Credential verifySignedAssertion(AssertionWrapper assertion,
                                           RequestData data)
                                    throws WSSecurityException
Verify trust in the signature of a signed Assertion. This method is separate so that the user can override it if they want.

Parameters:
assertion - The signed Assertion
data - The RequestData context
Returns:
A Credential instance
Throws:
WSSecurityException

checkConditions

protected void checkConditions(AssertionWrapper assertion)
                        throws WSSecurityException
Check the Conditions of the Assertion.

Throws:
WSSecurityException

checkAudienceRestrictions

public void checkAudienceRestrictions(AssertionWrapper assertion,
                                      List<String> audienceRestrictions)
                               throws WSSecurityException
Check the AudienceRestrictions of the Assertion

Throws:
WSSecurityException
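The following is an added example, not code from WSS4J itself, showing how the validate(Credential, RequestData) entry point and the public checkAudienceRestrictions method above are typically combined: a subclass tightens the defaults (signed bearer assertions, a fixed SubjectConfirmation method, short clock-skew windows) and hooks checkAudienceRestrictions into checkConditions so an assertion issued for a different relying party is rejected. The class name StrictSamlAssertionValidator, the audience list and the TTL values are constructed for illustration; WSSConfig.setValidator, the WSSecurityEngine.SAML_TOKEN/SAML2_TOKEN QNames, the RequestData setters, Credential.setAssertion and SAML2Constants.CONF_BEARER are assumed from the WSS4J 1.6 API and are not documented on this page.

```java
import java.util.List;

import javax.security.auth.callback.CallbackHandler;

import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.apache.ws.security.saml.ext.builder.SAML2Constants;
import org.apache.ws.security.validate.Credential;
import org.apache.ws.security.validate.SamlAssertionValidator;

/**
 * Hypothetical subclass (not part of WSS4J): tightens the validator defaults
 * and enforces an AudienceRestriction for this relying party.
 */
public class StrictSamlAssertionValidator extends SamlAssertionValidator {

    // Audience URIs this relying party accepts (constructed example value).
    private final List<String> expectedAudiences;

    public StrictSamlAssertionValidator(List<String> expectedAudiences) {
        this.expectedAudiences = expectedAudiences;
        // An unsigned bearer assertion carries no proof of origin, so require a signature.
        setRequireBearerSignature(true);
        // Only accept SAML 2.0 bearer confirmation at this endpoint.
        setRequiredSubjectConfirmationMethod(SAML2Constants.CONF_BEARER);
        setRequireStandardSubjectConfirmationMethod(true);
        // Clock-skew windows (constructed values): 120s for NotOnOrAfter,
        // 30s for a NotBefore that lies in the future.
        setTtl(120);
        setFutureTTL(30);
        // Already the default per the page; stated here to make the intent explicit.
        setValidateSignatureAgainstProfile(true);
    }

    @Override
    protected void checkConditions(AssertionWrapper assertion) throws WSSecurityException {
        // Keep the stock NotBefore/NotOnOrAfter checks ...
        super.checkConditions(assertion);
        // ... then require that one of our audiences is named in the AudienceRestriction.
        checkAudienceRestrictions(assertion, expectedAudiences);
    }

    /** Registers the validator so WSSecurityEngine uses it for SAML 1.1 and 2.0 tokens. */
    public static WSSConfig configure(List<String> audiences) {
        WSSConfig config = WSSConfig.getNewInstance();
        SamlAssertionValidator validator = new StrictSamlAssertionValidator(audiences);
        config.setValidator(WSSecurityEngine.SAML_TOKEN, validator);
        config.setValidator(WSSecurityEngine.SAML2_TOKEN, validator);
        return config;
    }

    /**
     * Direct invocation, e.g. from a unit test. The AssertionWrapper must already
     * have had its signature verified (the SAMLTokenProcessor does this in normal use);
     * validate() only verifies trust in the signing certificate and the assertion contents.
     */
    public static Credential validateDirectly(AssertionWrapper assertion, Crypto sigCrypto,
                                              CallbackHandler handler, List<String> audiences)
            throws WSSecurityException {
        RequestData data = new RequestData();
        data.setSigCrypto(sigCrypto);          // trust store for verifyTrustInCert
        data.setCallbackHandler(handler);      // required by validate()
        data.setWssConfig(configure(audiences));
        Credential credential = new Credential();
        credential.setAssertion(assertion);
        // Throws WSSecurityException on any failed check (trust, conditions, audience, ...).
        return new StrictSamlAssertionValidator(audiences).validate(credential, data);
    }
}
```

Because checkAudienceRestrictions is public, the audience check can also be invoked separately, but folding it into checkConditions ensures it runs on every path through validate() rather than depending on callers remembering it.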

checkAuthnStatements

protected void checkAuthnStatements(AssertionWrapper assertion)
                             throws WSSecurityException
Check the AuthnStatements of the Assertion (if any)

Throws:
WSSecurityException

checkOneTimeUse

protected void checkOneTimeUse(AssertionWrapper samlAssertion,
                               RequestData data)
                        throws WSSecurityException
Check the "OneTimeUse" Condition of the Assertion. If this is set then the Assertion is cached (if a cache is defined), and must not have been previously cached.

Throws:
WSSecurityException

validateAssertion

protected void validateAssertion(AssertionWrapper assertion)
                          throws WSSecurityException
Validate the assertion against schemas/profiles

Throws:
WSSecurityException

isValidateSignatureAgainstProfile

public boolean isValidateSignatureAgainstProfile()
Whether to validate the signature of the Assertion (if it exists) against the relevant profile. Default is true.


setValidateSignatureAgainstProfile

public void setValidateSignatureAgainstProfile(boolean validateSignatureAgainstProfile)
Whether to validate the signature of the Assertion (if it exists) against the relevant profile. Default is true.


getRequiredSubjectConfirmationMethod

public String getRequiredSubjectConfirmationMethod()

setRequiredSubjectConfirmationMethod

public void setRequiredSubjectConfirmationMethod(String requiredSubjectConfirmationMethod)

isRequireStandardSubjectConfirmationMethod

public boolean isRequireStandardSubjectConfirmationMethod()

setRequireStandardSubjectConfirmationMethod

public void setRequireStandardSubjectConfirmationMethod(boolean requireStandardSubjectConfirmationMethod)

isRequireBearerSignature

public boolean isRequireBearerSignature()

setRequireBearerSignature

public void setRequireBearerSignature(boolean requireBearerSignature)

getTtl

public int getTtl()

setTtl

public void setTtl(int ttl)


Copyright © 2004–2015 The Apache Software Foundation. All rights reserved.