Class SamlAssertionValidator

java.lang.Object
org.apache.wss4j.dom.validate.SignatureTrustValidator
org.apache.wss4j.dom.validate.SamlAssertionValidator
All Implemented Interfaces:
Validator

public class SamlAssertionValidator extends SignatureTrustValidator
This class validates a SAML Assertion, which is wrapped in a "SamlAssertionWrapper" instance. It assumes that the SamlAssertionWrapper instance has already verified the signature on the assertion (done by the SAMLTokenProcessor). It verifies trust in the signature, and also checks that the Subject contains a KeyInfo (and processes it) for the holder-of-key case, and verifies that the Assertion is signed as well for holder-of-key.
  • Constructor Details

    • SamlAssertionValidator

      public SamlAssertionValidator()
  • Method Details

    • setFutureTTL

      public void setFutureTTL(int newFutureTTL)
      Set the time in seconds in the future within which the NotBefore time of an incoming Assertion is valid. The default is 60 seconds.
    • validate

      public Credential validate(Credential credential, RequestData data) throws WSSecurityException
      Validate the credential argument. It must contain a non-null SamlAssertionWrapper. A Crypto and a CallbackHandler implementation are also required to be set.
      Specified by:
      validate in interface Validator
      Overrides:
      validate in class SignatureTrustValidator
      Parameters:
      credential - the Credential to be validated
      data - the RequestData associated with the request
      Returns:
      a validated Credential
      Throws:
      WSSecurityException - on a failed validation
    • verifySubjectConfirmationMethod

      protected void verifySubjectConfirmationMethod(SamlAssertionWrapper samlAssertion) throws WSSecurityException
      Check the Subject Confirmation method requirements.
      Throws:
      WSSecurityException
    • verifySignedAssertion

      protected Credential verifySignedAssertion(SamlAssertionWrapper samlAssertion, RequestData data) throws WSSecurityException
      Verify trust in the signature of a signed Assertion. This method is separate so that the user can override it if they want.
      Parameters:
      samlAssertion - The signed Assertion
      data - The RequestData context
      Returns:
      A Credential instance
      Throws:
      WSSecurityException
    • checkConditions

      protected void checkConditions(SamlAssertionWrapper samlAssertion, List<String> audienceRestrictions) throws WSSecurityException
      Check the Conditions of the Assertion.
      Throws:
      WSSecurityException
    • checkConditions

      protected void checkConditions(SamlAssertionWrapper samlAssertion) throws WSSecurityException
      Check the Conditions of the Assertion.
      Throws:
      WSSecurityException
    • checkAuthnStatements

      protected void checkAuthnStatements(SamlAssertionWrapper samlAssertion) throws WSSecurityException
      Check the AuthnStatements of the Assertion (if any).
      Throws:
      WSSecurityException
    • checkOneTimeUse

      protected void checkOneTimeUse(SamlAssertionWrapper samlAssertion, RequestData data) throws WSSecurityException
      Check the "OneTimeUse" Condition of the Assertion. If this is set then the Assertion is cached (if a cache is defined), and must not have been previously cached.
      Throws:
      WSSecurityException
    • validateAssertion

      protected void validateAssertion(SamlAssertionWrapper samlAssertion) throws WSSecurityException
      Validate the samlAssertion against schemas/profiles.
      Throws:
      WSSecurityException
    • isValidateSignatureAgainstProfile

      public boolean isValidateSignatureAgainstProfile()
      Whether to validate the signature of the Assertion (if it exists) against the relevant profile. Default is true.
    • setValidateSignatureAgainstProfile

      public void setValidateSignatureAgainstProfile(boolean validateSignatureAgainstProfile)
      Whether to validate the signature of the Assertion (if it exists) against the relevant profile. Default is true.
    • getRequiredSubjectConfirmationMethod

      public String getRequiredSubjectConfirmationMethod()
    • setRequiredSubjectConfirmationMethod

      public void setRequiredSubjectConfirmationMethod(String requiredSubjectConfirmationMethod)
    • isRequireStandardSubjectConfirmationMethod

      public boolean isRequireStandardSubjectConfirmationMethod()
    • setRequireStandardSubjectConfirmationMethod

      public void setRequireStandardSubjectConfirmationMethod(boolean requireStandardSubjectConfirmationMethod)
    • isRequireBearerSignature

      public boolean isRequireBearerSignature()
    • setRequireBearerSignature

      public void setRequireBearerSignature(boolean requireBearerSignature)
    • getTtl

      public int getTtl()
    • setTtl

      public void setTtl(int ttl)
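The following subclass is an added example (not part of WSS4J or of this page) showing how a relying party would tighten this validator using the setters and protected hooks listed above: it requires bearer confirmation with a signed assertion, pins an audience, narrows the clock-skew windows, and rejects assertions that carry no subject confirmation method at all. The package names of Credential, RequestData, SamlAssertionWrapper, WSSecurityException, WSSConfig and WSConstants, the SAML2Constants.CONF_BEARER constant, the "invalidSAMLsecurity" message key and the audience URI are assumptions about the WSS4J 2.x layout and are not stated on this page.

```java
import java.util.Collections;
import java.util.List;

import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.common.saml.builder.SAML2Constants;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.engine.WSSConfig;
import org.apache.wss4j.dom.validate.SamlAssertionValidator;
import org.apache.wss4j.dom.validate.Validator;

/** Relying-party validator that tightens the defaults of SamlAssertionValidator (example, not WSS4J code). */
public class StrictSamlAssertionValidator extends SamlAssertionValidator {

    // Placeholder audience URI; replace with the relying party's own entity ID.
    private static final String EXPECTED_AUDIENCE = "urn:example:relying-party";

    public StrictSamlAssertionValidator() {
        // Accept only bearer-confirmed assertions and insist that they are signed,
        // so an unsigned assertion cannot be slipped into an otherwise signed message.
        setRequiredSubjectConfirmationMethod(SAML2Constants.CONF_BEARER); // assumed constant
        setRequireStandardSubjectConfirmationMethod(true);
        setRequireBearerSignature(true);
        // Narrow the skew allowed on NotBefore (future) and NotOnOrAfter (past), in seconds.
        setFutureTTL(30);
        setTtl(300);
    }

    @Override
    protected void verifySubjectConfirmationMethod(SamlAssertionWrapper samlAssertion)
            throws WSSecurityException {
        List<String> methods = samlAssertion.getConfirmationMethods();
        // An assertion naming no confirmation method says nothing about who may present it.
        if (methods == null || methods.isEmpty()) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
        }
        super.verifySubjectConfirmationMethod(samlAssertion);
    }

    @Override
    protected void checkConditions(SamlAssertionWrapper samlAssertion, List<String> audienceRestrictions)
            throws WSSecurityException {
        // Never run the Conditions check without an audience: an empty list would let an
        // assertion issued for a different service pass the AudienceRestriction check.
        List<String> audiences = (audienceRestrictions == null || audienceRestrictions.isEmpty())
                ? Collections.singletonList(EXPECTED_AUDIENCE) : audienceRestrictions;
        super.checkConditions(samlAssertion, audiences);
    }

    /** Registers this validator for both SAML 1.1 and SAML 2.0 tokens (assumed WSSConfig API). */
    public static void register(WSSConfig config) {
        Validator v = new StrictSamlAssertionValidator();
        config.setValidator(WSConstants.SAML_TOKEN, v);
        config.setValidator(WSConstants.SAML2_TOKEN, v);
    }
}
```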