Package org.projecthusky.xua.validation

Class ChEprAssertionValidator

java.lang.Object

org.projecthusky.xua.validation.ChEprAssertionValidator

@ThreadSafe
public class ChEprAssertionValidator
extends Object

A component capable of performing core validation of SAML version 2.0 Assertion instances in use in the CH-EPR domain.

The calling application needs to initiate the SAML library by calling InitializationService.initialize().

Supports all static validation parameters (see SAML2AssertionValidationParameters). The following are recommended:

• SAML2AssertionValidationParameters.CLOCK_SKEW: Optional. If not present the default clock skew of Duration.ZERO will be used. The SAML 2.0 specification recommend supporting a clock skew.
• SAML2AssertionValidationParameters.COND_VALID_AUDIENCES: Optional. The set of allowed audiences.

The required conditions and attributes are extracted, verified then put in the ValidationContext dynamic parameters and can easily be retrieved after validation. See ChEprAssertionValidationParameters for the list.

Author:

Quentin Ligier

Field Summary

Fields

Modifier and Type	Field	Description
static final String	ERRMSG_ATTRIBUTE
static final String	ERRMSG_IS_MISSING
static final String	ERRMSG_SUBJECT_CONFIRMATION_MISSING
static final String	NAMESPACE_GS1_GLN

Constructor Summary

Constructors

Constructor	Description
ChEprAssertionValidator(@Nullable Duration oneTimeUseConditionExpires, @Nullable org.opensaml.xmlsec.signature.support.SignatureTrustEngine signatureTrustEngine)	Constructor.

Method Summary

Modifier and Type	Method	Description
ChEprValidationResult	validate(org.opensaml.saml.saml2.core.Assertion assertion, @Nullable Map<String,@Nullable Object> staticParameters)	Validate the supplied SAML 2 Assertion, using the parameters from the supplied ValidationContext.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

ERRMSG_ATTRIBUTE

public static final String ERRMSG_ATTRIBUTE

See Also:

• Constant Field Values

ERRMSG_IS_MISSING

public static final String ERRMSG_IS_MISSING

See Also:

• Constant Field Values

NAMESPACE_GS1_GLN

public static final String NAMESPACE_GS1_GLN

See Also:

• Constant Field Values

ERRMSG_SUBJECT_CONFIRMATION_MISSING

public static final String ERRMSG_SUBJECT_CONFIRMATION_MISSING

See Also:

• Constant Field Values

Constructor Details

ChEprAssertionValidator

public ChEprAssertionValidator(@Nullable Duration oneTimeUseConditionExpires,
 @Nullable org.opensaml.xmlsec.signature.support.SignatureTrustEngine signatureTrustEngine)
                        throws net.shibboleth.shared.component.ComponentInitializationException

Constructor.

Parameters:

oneTimeUseConditionExpires - The time for disposal of tracked assertion from the replay cache. If null, the OneTimeUseCondition is not enforced.

signatureTrustEngine - The trust engine to use to validate signatures. This can be an ExplicitKeySignatureTrustEngine or any other implementation. A KeyInfoCredentialResolver is not needed, as we don't expect a KeyInfo in the CH:XUA assertions.

Throws:

net.shibboleth.shared.component.ComponentInitializationException - if the ReplayCache of the OneTimeUseConditionValidator fails to initialize.

Method Details

validate

public ChEprValidationResult validate(org.opensaml.saml.saml2.core.Assertion assertion,
 @Nullable Map<String,@Nullable Object> staticParameters)
                               throws org.opensaml.saml.common.assertion.AssertionValidationException

Validate the supplied SAML 2 Assertion, using the parameters from the supplied ValidationContext.

Parameters:

assertion - The assertion being evaluated.

staticParameters - ?? or null.

Returns:

the validation result.

Throws:

org.opensaml.saml.common.assertion.AssertionValidationException - if there is a fatal error evaluating the validity of the assertion.