Package org.opensaml.saml.saml2.profile.impl

Class DefaultAssertionValidationContextBuilder

java.lang.Object

org.opensaml.saml.saml2.profile.impl.DefaultAssertionValidationContextBuilder

All Implemented Interfaces:

Function<ValidateAssertions.AssertionValidationInput,ValidationContext>

public class DefaultAssertionValidationContextBuilder
extends Object
implements Function<ValidateAssertions.AssertionValidationInput,ValidationContext>

Function which implements default behavior for building an instance of ValidationContext from an instance of ValidateAssertions.AssertionValidationInput.

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static class	DefaultAssertionValidationContextBuilder.DefaultValidInResponseToLookupFunction	Default strategy for resolving the valid InResponseTo value.
static class	DefaultAssertionValidationContextBuilder.DefaultValidIssuersLookupFunction	Default strategy for resolving the valid Issuers.

Field Summary

Fields

Modifier and Type	Field	Description
private Function<ProfileRequestContext,Set<String>>	additionalAudiences	Function for determining additional valid audience values.
private Predicate<ProfileRequestContext>	addressRequired	Predicate for determining whether an Assertion SubjectConfirmationData Address is required.
private Predicate<ProfileRequestContext>	checkAddress	Predicate for determining whether an Assertion's network address(es) should be checked.
private Function<ProfileRequestContext,Duration>	clockSkew	A function for resolving the clock skew to apply.
private Predicate<ProfileRequestContext>	includeSelfEntityIDAsRecipient	Predicate for determining whether to include the self entityID as a valid Recipient.
private Function<ProfileRequestContext,String>	inResponseTo	Function for determining the valid InResponseTo value.
private Predicate<ProfileRequestContext>	inResponseToRequired	Predicate for determining whether an Assertion SubjectConfirmationData InResponseTo is required.
private Function<ProfileRequestContext,Duration>	lifetime	A function for resolving the lifetime to apply.
private org.slf4j.Logger	log	Logger.
private Function<ProfileRequestContext,Duration>	maximumTimeSinceAuthn	Function for determining the max allowed time since authentication.
private Predicate<ProfileRequestContext>	notBeforeRequired	Predicate for determining whether an Assertion SubjectConfirmationData NotBefore is required.
private Predicate<ProfileRequestContext>	notOnOrAfterRequired	Predicate for determining whether an Assertion SubjectConfirmationData NotOnOrAfter is required.
private Predicate<ProfileRequestContext>	recipientRequired	Predicate for determining whether an Assertion SubjectConfirmationData Recipient is required.
private Set<QName>	requiredConditions	The set of required Conditions.
private Function<ProfileRequestContext,SecurityParametersContext>	securityParametersLookupStrategy	Resolver for security parameters context.
private Function<Pair<ProfileRequestContext,Assertion>,CriteriaSet>	signatureCriteriaSetFunction	A function for resolving the signature validation CriteriaSet for a particular function.
private Predicate<ProfileRequestContext>	signatureRequired	Predicate for determining whether an Assertion signature is required.
private Function<ProfileRequestContext,Set<String>>	validIssuers	Function for determining additional valid Issuer values.

Constructor Summary

Constructors

Constructor	Description
DefaultAssertionValidationContextBuilder()	Constructor.

Method Summary

Modifier and Type	Method	Description
ValidationContext	apply(ValidateAssertions.AssertionValidationInput input)
protected Map<String,Object>	buildStaticParameters(ValidateAssertions.AssertionValidationInput input)	Build the static parameters map for input to the ValidationContext.
Function<ProfileRequestContext,Set<String>>	getAdditionalAudiences()	Get the function for determining additional audience values.
Predicate<ProfileRequestContext>	getAddressRequired()	Get the predicate which determines whether an Assertion SubjectConfirmationData Address is required.
protected X509Certificate	getAttesterCertificate(ValidateAssertions.AssertionValidationInput input)	Get the attesting entity's X509Certificate.
protected String	getAttesterIPAddress(ValidateAssertions.AssertionValidationInput input)	Get the attester's IP address.
protected PublicKey	getAttesterPublicKey(ValidateAssertions.AssertionValidationInput input)	Get the attesting entity's PublicKey.
Predicate<ProfileRequestContext>	getCheckAddress()	Get the predicate which determines whether an Assertion's network address(es) should be checked.
Function<ProfileRequestContext,Duration>	getClockSkew()	Get the strategy by which to resolve the clock skew.
Predicate<ProfileRequestContext>	getIncludeSelfEntityIDAsRecipient()	Get the predicate which determines whether to include the self entityID as a valid Recipient.
Function<ProfileRequestContext,String>	getInResponseTo()	Get the function for determining the valid InResponseTo.
Predicate<ProfileRequestContext>	getInResponseToRequired()	Get the predicate which determines whether an Assertion SubjectConfirmationData InResponseTo is required.
Function<ProfileRequestContext,Duration>	getLifetime()	Get the strategy by which to resolve the lifetime.
Function<ProfileRequestContext,Duration>	getMaximumTimeSinceAuthn()	Get the function for determining the max allowed time since authentication.
Predicate<ProfileRequestContext>	getNotBeforeRequired()	Get the predicate which determines whether an Assertion SubjectConfirmationData NotBefore is required.
Predicate<ProfileRequestContext>	getNotOnOrAfterRequired()	Get the predicate which determines whether an Assertion SubjectConfirmationData NotOnOrAfter is required.
Predicate<ProfileRequestContext>	getRecipientRequired()	Get the predicate which determines whether an Assertion SubjectConfirmationData Recipient is required.
Set<QName>	getRequiredConditions()	Get the set of required Conditions.
protected Set<QName>	getRequiredConditions(ValidateAssertions.AssertionValidationInput input)	Get the set of required Conditions.
Function<ProfileRequestContext,SecurityParametersContext>	getSecurityParametersLookupStrategy()	Get the strategy by which to resolve a SecurityParametersContext.
protected String	getSelfEntityID(ValidateAssertions.AssertionValidationInput input)	Get the self entityID.
protected CriteriaSet	getSignatureCriteriaSet(ValidateAssertions.AssertionValidationInput input)	Get the signature validation criteria set.
Function<Pair<ProfileRequestContext,Assertion>,CriteriaSet>	getSignatureCriteriaSetFunction()	Get the function for resolving the signature validation CriteriaSet for a particular function.
Predicate<ProfileRequestContext>	getSignatureRequired()	Get the predicate which determines whether an Assertion signature is required.
protected Set<InetAddress>	getValidAddresses(ValidateAssertions.AssertionValidationInput input)	Get the set of addresses which are valid for subject confirmation.
protected Set<String>	getValidAudiences(ValidateAssertions.AssertionValidationInput input)	Get the valid audiences for attestation.
Function<ProfileRequestContext,Set<String>>	getValidIssuers()	Get the function for determining the valid Issuer values
protected Set<String>	getValidRecipients(ValidateAssertions.AssertionValidationInput input)	Get the valid recipient endpoints for attestation.
private void	populateConditionsParameters(Map<String,Object> staticParams, ValidateAssertions.AssertionValidationInput input)	Populate the static Conditions parameters.
protected void	populateSignatureCriteriaFromInboundContext(CriteriaSet criteriaSet, MessageContext inboundContext)	Populate signature criteria from the specified MessageContext.
private void	populateSignatureParameters(Map<String,Object> staticParams, ValidateAssertions.AssertionValidationInput input)	Populate the static signature parameters.
private void	populateStatementParams(Map<String,Object> staticParams, ValidateAssertions.AssertionValidationInput input, Set<InetAddress> validAddresses, Boolean checkAddressEnabled)	Populate the static Statement params.
private void	populateSubjectConfirmationParameters(Map<String,Object> staticParams, ValidateAssertions.AssertionValidationInput input, Set<InetAddress> validAddresses, Boolean checkAddressEnabled)	Populate the static SubjectConfirmation parameters.
void	setAdditionalAudiences(Function<ProfileRequestContext,Set<String>> function)	Set the function for determining additional audience values.
void	setAddressRequired(Predicate<ProfileRequestContext> predicate)	Set the predicate which determines whether an Assertion SubjectConfirmationData Address is required.
void	setCheckAddress(Predicate<ProfileRequestContext> predicate)	Set the predicate which determines whether an Assertion's network address(es) should be checked.
void	setClockSkew(Duration skew)	Set the clock skew.
void	setClockSkewLookupStrategy(Function<ProfileRequestContext,Duration> strategy)	Set the strategy by which to resolve the clock skew.
void	setIncludeSelfEntityIDAsRecipient(Predicate<ProfileRequestContext> predicate)	Set the predicate which determines whether to include the self entityID as a valid Recipient.
void	setInResponseTo(Function<ProfileRequestContext,String> function)	Set the function for determining the valid InResponseTo.
void	setInResponseToRequired(Predicate<ProfileRequestContext> predicate)	Set the predicate which determines whether an Assertion SubjectConfirmationData InResponseTo is required.
void	setLifetime(Duration duration)	Set the lifetime.
void	setLifetimeLookupStrategy(Function<ProfileRequestContext,Duration> strategy)	Set the strategy by which to resolve the lifetime.
void	setMaximumTimeSinceAuthn(Function<ProfileRequestContext,Duration> function)	Set the function for determining the max allowed time since authentication.
void	setNotBeforeRequired(Predicate<ProfileRequestContext> predicate)	Set the predicate which determines whether an Assertion SubjectConfirmationData NotBefore is required.
void	setNotOnOrAfterRequired(Predicate<ProfileRequestContext> predicate)	Set the predicate which determines whether an Assertion SubjectConfirmationData NotOnOrAfter is required.
void	setRecipientRequired(Predicate<ProfileRequestContext> predicate)	Set the predicate which determines whether an Assertion SubjectConfirmationData Recipient is required.
void	setRequiredConditions(Set<QName> conditions)	Set the set of required Conditions.
void	setSecurityParametersLookupStrategy(Function<ProfileRequestContext,SecurityParametersContext> strategy)	Set the strategy by which to resolve a SecurityParametersContext.
void	setSignatureCriteriaSetFunction(Function<Pair<ProfileRequestContext,Assertion>,CriteriaSet> function)	Set the function for resolving the signature validation CriteriaSet for a particular function.
void	setSignatureRequired(Predicate<ProfileRequestContext> predicate)	Set the predicate which determines whether an Assertion signature is required.
void	setValidIssuers(Function<ProfileRequestContext,Set<String>> function)	Set the function for determining the valid Issuer values

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface java.util.function.Function

andThen, compose

Field Detail

log

@Nonnull
private org.slf4j.Logger log

Logger.

clockSkew

@Nullable
private Function<ProfileRequestContext,Duration> clockSkew

A function for resolving the clock skew to apply.

lifetime

@Nullable
private Function<ProfileRequestContext,Duration> lifetime

A function for resolving the lifetime to apply.

signatureCriteriaSetFunction

@Nullable
private Function<Pair<ProfileRequestContext,Assertion>,CriteriaSet> signatureCriteriaSetFunction

A function for resolving the signature validation CriteriaSet for a particular function.

signatureRequired

@Nonnull
private Predicate<ProfileRequestContext> signatureRequired

Predicate for determining whether an Assertion signature is required.

checkAddress

@Nonnull
private Predicate<ProfileRequestContext> checkAddress

Predicate for determining whether an Assertion's network address(es) should be checked.

maximumTimeSinceAuthn

@Nullable
private Function<ProfileRequestContext,Duration> maximumTimeSinceAuthn

Function for determining the max allowed time since authentication.

includeSelfEntityIDAsRecipient

@Nonnull
private Predicate<ProfileRequestContext> includeSelfEntityIDAsRecipient

Predicate for determining whether to include the self entityID as a valid Recipient.

additionalAudiences

@Nullable
private Function<ProfileRequestContext,Set<String>> additionalAudiences

Function for determining additional valid audience values.

validIssuers

@Nonnull
private Function<ProfileRequestContext,Set<String>> validIssuers

Function for determining additional valid Issuer values.

inResponseTo

@Nullable
private Function<ProfileRequestContext,String> inResponseTo

Function for determining the valid InResponseTo value.

inResponseToRequired

@Nonnull
private Predicate<ProfileRequestContext> inResponseToRequired

Predicate for determining whether an Assertion SubjectConfirmationData InResponseTo is required.

recipientRequired

@Nonnull
private Predicate<ProfileRequestContext> recipientRequired

Predicate for determining whether an Assertion SubjectConfirmationData Recipient is required.

notBeforeRequired

@Nonnull
private Predicate<ProfileRequestContext> notBeforeRequired

Predicate for determining whether an Assertion SubjectConfirmationData NotBefore is required.

notOnOrAfterRequired

@Nonnull
private Predicate<ProfileRequestContext> notOnOrAfterRequired

Predicate for determining whether an Assertion SubjectConfirmationData NotOnOrAfter is required.

addressRequired

@Nonnull
private Predicate<ProfileRequestContext> addressRequired

Predicate for determining whether an Assertion SubjectConfirmationData Address is required.

requiredConditions

@Nonnull
private Set<QName> requiredConditions

The set of required Conditions.

securityParametersLookupStrategy

@Nonnull
private Function<ProfileRequestContext,SecurityParametersContext> securityParametersLookupStrategy

Resolver for security parameters context.

Constructor Detail

DefaultAssertionValidationContextBuilder

public DefaultAssertionValidationContextBuilder()

Constructor.

Method Detail

getClockSkew

@Nullable
public Function<ProfileRequestContext,Duration> getClockSkew()

Get the strategy by which to resolve the clock skew.

Returns:

lookup strategy

Since:

4.1.0

setClockSkew

public void setClockSkew(@Nullable
                         Duration skew)

Set the clock skew.

Parameters:

skew - clock skew

Since:

4.1.0

setClockSkewLookupStrategy

public void setClockSkewLookupStrategy(@Nullable
                                       Function<ProfileRequestContext,Duration> strategy)

Set the strategy by which to resolve the clock skew.

Parameters:

strategy - lookup strategy

Since:

4.1.0

getLifetime

@Nullable
public Function<ProfileRequestContext,Duration> getLifetime()

Get the strategy by which to resolve the lifetime.

Returns:

lookup strategy

Since:

4.2.0

setLifetime

public void setLifetime(@Nullable
                        Duration duration)

Set the lifetime.

Parameters:

duration - lifetime

Since:

4.2.0

setLifetimeLookupStrategy

public void setLifetimeLookupStrategy(@Nullable
                                      Function<ProfileRequestContext,Duration> strategy)

Set the strategy by which to resolve the lifetime.

Parameters:

strategy - lookup strategy

Since:

4.2.0

getSecurityParametersLookupStrategy

@Nonnull
public Function<ProfileRequestContext,SecurityParametersContext> getSecurityParametersLookupStrategy()

Get the strategy by which to resolve a SecurityParametersContext.

Returns:

the lookup strategy

setSecurityParametersLookupStrategy

public void setSecurityParametersLookupStrategy(@Nonnull
                                                Function<ProfileRequestContext,SecurityParametersContext> strategy)

Set the strategy by which to resolve a SecurityParametersContext.

Parameters:

strategy - the strategy function

getRequiredConditions

@Nonnull
public Set<QName> getRequiredConditions()

Get the set of required Conditions.

Returns:

the required conditions, may be null

setRequiredConditions

public void setRequiredConditions(@Nullable
                                  Set<QName> conditions)

Set the set of required Conditions.

Parameters:

conditions - the required conditions

getIncludeSelfEntityIDAsRecipient

@Nonnull
public Predicate<ProfileRequestContext> getIncludeSelfEntityIDAsRecipient()

Get the predicate which determines whether to include the self entityID as a valid Recipient.

Defaults to an always false predicate;

Returns:

the predicate

setIncludeSelfEntityIDAsRecipient

public void setIncludeSelfEntityIDAsRecipient(@Nonnull
                                              Predicate<ProfileRequestContext> predicate)

Set the predicate which determines whether to include the self entityID as a valid Recipient.

Defaults to an always false predicate.

Parameters:

predicate - the predicate, must be non-null

getSignatureRequired

@Nonnull
public Predicate<ProfileRequestContext> getSignatureRequired()

Get the predicate which determines whether an Assertion signature is required.

Defaults to an always true predicate;

Returns:

the predicate

setSignatureRequired

public void setSignatureRequired(@Nonnull
                                 Predicate<ProfileRequestContext> predicate)

Set the predicate which determines whether an Assertion signature is required.

Defaults to an always true predicate.

Parameters:

predicate - the predicate, must be non-null

setInResponseTo

public void setInResponseTo(@Nullable
                            Function<ProfileRequestContext,String> function)

Set the function for determining the valid InResponseTo.

Defaults to null.

Parameters:

function - the function, may be null

getInResponseTo

@Nullable
public Function<ProfileRequestContext,String> getInResponseTo()

Get the function for determining the valid InResponseTo.

Defaults to null.

Returns:

the function

getInResponseToRequired

@Nonnull
public Predicate<ProfileRequestContext> getInResponseToRequired()

Get the predicate which determines whether an Assertion SubjectConfirmationData InResponseTo is required.

Defaults to an always false predicate;

Returns:

the predicate

setInResponseToRequired

public void setInResponseToRequired(@Nonnull
                                    Predicate<ProfileRequestContext> predicate)

Set the predicate which determines whether an Assertion SubjectConfirmationData InResponseTo is required.

Defaults to an always false predicate.

Parameters:

predicate - the predicate, must be non-null

getRecipientRequired

@Nonnull
public Predicate<ProfileRequestContext> getRecipientRequired()

Get the predicate which determines whether an Assertion SubjectConfirmationData Recipient is required.

Defaults to an always false predicate;

Returns:

the predicate

setRecipientRequired

public void setRecipientRequired(@Nonnull
                                 Predicate<ProfileRequestContext> predicate)

Set the predicate which determines whether an Assertion SubjectConfirmationData Recipient is required.

Defaults to an always false predicate.

Parameters:

predicate - the predicate, must be non-null

getNotBeforeRequired

@Nonnull
public Predicate<ProfileRequestContext> getNotBeforeRequired()

Get the predicate which determines whether an Assertion SubjectConfirmationData NotBefore is required.

Defaults to an always false predicate;

Returns:

the predicate

setNotBeforeRequired

public void setNotBeforeRequired(@Nonnull
                                 Predicate<ProfileRequestContext> predicate)

Set the predicate which determines whether an Assertion SubjectConfirmationData NotBefore is required.

Defaults to an always false predicate.

Parameters:

predicate - the predicate, must be non-null

getNotOnOrAfterRequired

@Nonnull
public Predicate<ProfileRequestContext> getNotOnOrAfterRequired()

Get the predicate which determines whether an Assertion SubjectConfirmationData NotOnOrAfter is required.

Defaults to an always false predicate;

Returns:

the predicate

setNotOnOrAfterRequired

public void setNotOnOrAfterRequired(@Nonnull
                                    Predicate<ProfileRequestContext> predicate)

Set the predicate which determines whether an Assertion SubjectConfirmationData NotOnOrAfter is required.

Defaults to an always false predicate.

Parameters:

predicate - the predicate, must be non-null

getAddressRequired

@Nonnull
public Predicate<ProfileRequestContext> getAddressRequired()

Get the predicate which determines whether an Assertion SubjectConfirmationData Address is required.

Defaults to an always false predicate;

Returns:

the predicate

setAddressRequired

public void setAddressRequired(@Nonnull
                               Predicate<ProfileRequestContext> predicate)

Set the predicate which determines whether an Assertion SubjectConfirmationData Address is required.

Defaults to an always false predicate.

Parameters:

predicate - the predicate, must be non-null

getCheckAddress

@Nonnull
public Predicate<ProfileRequestContext> getCheckAddress()

Get the predicate which determines whether an Assertion's network address(es) should be checked.

Defaults to an always true predicate;

Returns:

the predicate

setCheckAddress

public void setCheckAddress(@Nonnull
                            Predicate<ProfileRequestContext> predicate)

Set the predicate which determines whether an Assertion's network address(es) should be checked.

Defaults to an always true predicate.

Parameters:

predicate - the predicate, must be non-null

getAdditionalAudiences

@Nullable
public Function<ProfileRequestContext,Set<String>> getAdditionalAudiences()

Get the function for determining additional audience values.

Defaults to null.

Returns:

the function

setAdditionalAudiences

public void setAdditionalAudiences(@Nullable
                                   Function<ProfileRequestContext,Set<String>> function)

Set the function for determining additional audience values.

Defaults to null.

Parameters:

function - the function, may be null

getValidIssuers

@Nonnull
public Function<ProfileRequestContext,Set<String>> getValidIssuers()

Get the function for determining the valid Issuer values

Defaults to an implementation which resolves the outbound SAML peer entityID.

Returns:

the function

setValidIssuers

public void setValidIssuers(@Nonnull
                            Function<ProfileRequestContext,Set<String>> function)

Set the function for determining the valid Issuer values

Defaults to an implementation which resolves the outbound SAML peer entityID.

Parameters:

function - the function, may be null

getMaximumTimeSinceAuthn

@Nullable
public Function<ProfileRequestContext,Duration> getMaximumTimeSinceAuthn()

Get the function for determining the max allowed time since authentication.

Defaults to null.

Returns:

the function

setMaximumTimeSinceAuthn

public void setMaximumTimeSinceAuthn(@Nullable
                                     Function<ProfileRequestContext,Duration> function)

Set the function for determining the max allowed time since authentication.

Defaults to null.

Parameters:

function - the function, may be null

getSignatureCriteriaSetFunction

@Nullable
public Function<Pair<ProfileRequestContext,Assertion>,CriteriaSet> getSignatureCriteriaSetFunction()

Get the function for resolving the signature validation CriteriaSet for a particular function.

Defaults to: null.

Returns:

a criteria set instance, or null

setSignatureCriteriaSetFunction

public void setSignatureCriteriaSetFunction(@Nullable
                                            Function<Pair<ProfileRequestContext,Assertion>,CriteriaSet> function)

Set the function for resolving the signature validation CriteriaSet for a particular function.

Defaults to: null.

Parameters:

function - the resolving function, may be null

apply

@Nullable
public ValidationContext apply(@Nullable
                               ValidateAssertions.AssertionValidationInput input)

Specified by:

apply in interface Function<ValidateAssertions.AssertionValidationInput,ValidationContext>

buildStaticParameters

@Nonnull
protected Map<String,Object> buildStaticParameters(@Nonnull
                                                         ValidateAssertions.AssertionValidationInput input)

Build the static parameters map for input to the ValidationContext.

Parameters:

input - the assertion validation input

Returns:

the static parameters map

populateSignatureParameters

private void populateSignatureParameters(@Nonnull
                                         Map<String,Object> staticParams,
                                         @Nonnull
                                         ValidateAssertions.AssertionValidationInput input)

Populate the static signature parameters.

Parameters:

staticParams - the parameters being populated

input - validation input

populateConditionsParameters

private void populateConditionsParameters(@Nonnull
                                          Map<String,Object> staticParams,
                                          @Nonnull
                                          ValidateAssertions.AssertionValidationInput input)

Populate the static Conditions parameters.

Parameters:

staticParams - the parameters being populated

input - validation input

populateSubjectConfirmationParameters

private void populateSubjectConfirmationParameters(@Nonnull
                                                   Map<String,Object> staticParams,
                                                   @Nonnull
                                                   ValidateAssertions.AssertionValidationInput input,
                                                   @Nonnull
                                                   Set<InetAddress> validAddresses,
                                                   @Nonnull
                                                   Boolean checkAddressEnabled)

Populate the static SubjectConfirmation parameters.

Parameters:

staticParams - the parameters being populated

input - validation input

validAddresses - the valid addresses

checkAddressEnabled - whether address checking is enabled

populateStatementParams

private void populateStatementParams(@Nonnull
                                     Map<String,Object> staticParams,
                                     @Nonnull
                                     ValidateAssertions.AssertionValidationInput input,
                                     @Nonnull
                                     Set<InetAddress> validAddresses,
                                     @Nonnull
                                     Boolean checkAddressEnabled)

Populate the static Statement params.

Parameters:

staticParams - the parameters being populated

input - validation input

validAddresses - the valid addresses

checkAddressEnabled - whether address checking is enabled

getRequiredConditions

@Nonnull
protected Set<QName> getRequiredConditions(@Nonnull
                                           ValidateAssertions.AssertionValidationInput input)

Get the set of required Conditions.

The default behavior is to return the locally-configured data via getRequiredConditions().

Parameters:

input - the assertion validation input

Returns:

the set of required Condition names, may be null

getSignatureCriteriaSet

@Nonnull
protected CriteriaSet getSignatureCriteriaSet(@Nonnull
                                              ValidateAssertions.AssertionValidationInput input)

Get the signature validation criteria set.

This implementation first evaluates the result of applying the function getSignatureCriteriaSetFunction(), if configured. If that evaluation did not produce an EntityIdCriterion, one is added based on the issuer of the Assertion. If that evaluation did not produce an instance of UsageCriterion, one is added with the value of UsageType.SIGNING.

Finally the following criteria are added if not already present and if the corresponding data is available in the inbound MessageContext:

• RoleDescriptorCriterion
• EntityRoleCriterion
• ProtocolCriterion

Parameters:

input - the assertion validation input

Returns:

the criteria set based on the message context data

populateSignatureCriteriaFromInboundContext

protected void populateSignatureCriteriaFromInboundContext(@Nonnull
                                                           CriteriaSet criteriaSet,
                                                           @Nonnull
                                                           MessageContext inboundContext)

Populate signature criteria from the specified MessageContext.

• RoleDescriptorCriterion
• EntityRoleCriterion
• ProtocolCriterion

Parameters:

criteriaSet - the criteria set to populate

inboundContext - the inbound message context

getAttesterCertificate

@Nullable
protected X509Certificate getAttesterCertificate(@Nonnull
                                                 ValidateAssertions.AssertionValidationInput input)

Get the attesting entity's X509Certificate.

This implementation returns the client TLS certificate present in the HttpServletRequest, or null if one is not present.

Parameters:

input - the assertion validation input

Returns:

the entity certificate, or null

getAttesterPublicKey

@Nullable
protected PublicKey getAttesterPublicKey(@Nonnull
                                         ValidateAssertions.AssertionValidationInput input)

Get the attesting entity's PublicKey.

This implementation returns null. Subclasses should override to implement specific logic.

Parameters:

input - the assertion validation input

Returns:

the entity public key, or null

getValidRecipients

@Nonnull
protected Set<String> getValidRecipients(@Nonnull
                                         ValidateAssertions.AssertionValidationInput input)

Get the valid recipient endpoints for attestation.

This implementation returns a set containing the 2 values;

1. the result of evaluating SAMLBindingSupport.getActualReceiverEndpointURI(MessageContext, HttpServletRequest)
2. if enabled via the eval of getIncludeSelfEntityIDAsRecipient(), the value from evaluating getSelfEntityID(AssertionValidationInput) if non-null

Parameters:

input - the assertion validation input

Returns:

set of recipient endpoint URI's

getValidAddresses

@Nonnull
protected Set<InetAddress> getValidAddresses(@Nonnull
                                             ValidateAssertions.AssertionValidationInput input)

Get the set of addresses which are valid for subject confirmation.

This implementation simply returns the set based on getAttesterIPAddress(AssertionValidationInput), if that produces a value. Otherwise an empty set is returned.

Parameters:

input - the assertion validation input

Returns:

the set of valid addresses

getAttesterIPAddress

@Nonnull
protected String getAttesterIPAddress(@Nonnull
                                      ValidateAssertions.AssertionValidationInput input)

Get the attester's IP address.

This implementation returns the value of ServletRequest.getRemoteAddr().

Parameters:

input - the assertion validation input

Returns:

the IP address of the attester

getValidAudiences

@Nonnull
protected Set<String> getValidAudiences(@Nonnull
                                        ValidateAssertions.AssertionValidationInput input)

Get the valid audiences for attestation.

This implementation returns a set containing the union of:

1. the result of getSelfEntityID(AssertionValidationInput), if non-null
2. the result of evaluating getAdditionalAudiences(), if non-null

Parameters:

input - the assertion validation input

Returns:

set of audience URI's

getSelfEntityID

@Nullable
protected String getSelfEntityID(@Nonnull
                                 ValidateAssertions.AssertionValidationInput input)

Get the self entityID.

Parameters:

input - the assertion validation input

Returns:

the self entityID, or null if could not be resolved