throw new SamlException("recipient is not matched: " + data.getRecipient()); if (now.isAfter(data.getNotOnOrAfter())) { throw new SamlException("response has been expired: " + data.getNotOnOrAfter());
/** * Validates the <code>NotOnOrAfter</code> condition of the {@link SubjectConfirmationData}, if any is present. * * @param confirmation confirmation method, with {@link SubjectConfirmationData}, being validated * @param assertion assertion bearing the confirmation method * @param context current validation context * * @return the result of the validation evaluation * * @throws AssertionValidationException thrown if there is a problem determining the validity of the NotOnOrAFter */ @Nonnull protected ValidationResult validateNotOnOrAfter(@Nonnull final SubjectConfirmation confirmation, @Nonnull final Assertion assertion, @Nonnull final ValidationContext context) throws AssertionValidationException { DateTime skewedNow = new DateTime(ISOChronology.getInstanceUTC()).minus(SAML20AssertionValidator .getClockSkew(context)); DateTime notOnOrAfter = confirmation.getSubjectConfirmationData().getNotOnOrAfter(); log.debug("Evaluating SubjectConfirmationData NotOnOrAfter '{}' against 'skewed now' time '{}'", notOnOrAfter, skewedNow); if (notOnOrAfter != null && notOnOrAfter.isBefore(skewedNow)) { context.setValidationFailureMessage(String.format( "Subject confirmation, in assertion '%s', with NotOnOrAfter condition of '%s' is no longer valid", assertion.getID(), notOnOrAfter)); return ValidationResult.INVALID; } return ValidationResult.VALID; }
/** {@inheritDoc} */ protected void marshallAttributes(XMLObject samlObject, Element domElement) throws MarshallingException { SubjectConfirmationData subjectCD = (SubjectConfirmationData) samlObject; if (subjectCD.getNotBefore() != null) { String notBeforeStr = SAMLConfigurationSupport.getSAMLDateFormatter().print(subjectCD.getNotBefore()); domElement.setAttributeNS(null, SubjectConfirmationData.NOT_BEFORE_ATTRIB_NAME, notBeforeStr); } if (subjectCD.getNotOnOrAfter() != null) { String notOnOrAfterStr = SAMLConfigurationSupport.getSAMLDateFormatter().print(subjectCD.getNotOnOrAfter()); domElement.setAttributeNS(null, SubjectConfirmationData.NOT_ON_OR_AFTER_ATTRIB_NAME, notOnOrAfterStr); } if (subjectCD.getRecipient() != null) { domElement.setAttributeNS(null, SubjectConfirmationData.RECIPIENT_ATTRIB_NAME, subjectCD.getRecipient()); } if (subjectCD.getInResponseTo() != null) { domElement.setAttributeNS(null, SubjectConfirmationData.IN_RESPONSE_TO_ATTRIB_NAME, subjectCD .getInResponseTo()); } if (subjectCD.getAddress() != null) { domElement.setAttributeNS(null, SubjectConfirmationData.ADDRESS_ATTRIB_NAME, subjectCD.getAddress()); } marshallUnknownAttributes(subjectCD, domElement); } }
if (data.getNotOnOrAfter() == null) { logger.debug("SubjectConfirmationData notOnOrAfter cannot be null for Bearer confirmation"); return false; if (data.getNotOnOrAfter().plusSeconds(acceptedSkew).isBeforeNow()) { logger.debug("SubjectConfirmationData notOnOrAfter is too old"); return false;
if (subjectConfData.getNotOnOrAfter() == null || subjectConfData.getNotOnOrAfter().isBeforeNow()) { LOG.fine("Subject Conf Data does not contain NotOnOrAfter or it has expired"); throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity"); Instant expires = Instant.ofEpochMilli(subjectConfData.getNotOnOrAfter().toDate().getTime()); Instant currentTime = Instant.now(); long ttl = Duration.between(currentTime, expires).getSeconds();
/** * Validate a (Bearer) Subject Confirmation */ private void validateSubjectConfirmation(Message m, Conditions cs, SubjectConfirmationData subjectConfData) { if (subjectConfData == null) { if (!subjectConfirmationDataRequired && cs.getNotOnOrAfter() != null && !cs.getNotOnOrAfter().isBeforeNow()) { return; } throw ExceptionUtils.toNotAuthorizedException(null, null); } // Recipient must match assertion consumer URL String recipient = subjectConfData.getRecipient(); if (recipient == null || !recipient.equals(getAbsoluteTargetAddress(m))) { throw ExceptionUtils.toNotAuthorizedException(null, null); } // We must have a NotOnOrAfter timestamp if (subjectConfData.getNotOnOrAfter() == null || subjectConfData.getNotOnOrAfter().isBeforeNow()) { throw ExceptionUtils.toNotAuthorizedException(null, null); } //TODO: replay cache, same as with SAML SSO case // Check address if (subjectConfData.getAddress() != null && (clientAddress == null || !subjectConfData.getAddress().equals(clientAddress))) { throw ExceptionUtils.toNotAuthorizedException(null, null); } }
/** * Validate a (Bearer) Subject Confirmation */ private void validateSubjectConfirmation(Message m, Conditions cs, SubjectConfirmationData subjectConfData) { if (subjectConfData == null) { if (!subjectConfirmationDataRequired && cs.getNotOnOrAfter() != null && !cs.getNotOnOrAfter().isBeforeNow()) { return; } throw ExceptionUtils.toNotAuthorizedException(null, null); } // Recipient must match assertion consumer URL String recipient = subjectConfData.getRecipient(); if (recipient == null || !recipient.equals(getAbsoluteTargetAddress(m))) { throw ExceptionUtils.toNotAuthorizedException(null, null); } // We must have a NotOnOrAfter timestamp if (subjectConfData.getNotOnOrAfter() == null || subjectConfData.getNotOnOrAfter().isBeforeNow()) { throw ExceptionUtils.toNotAuthorizedException(null, null); } //TODO: replay cache, same as with SAML SSO case // Check address if (subjectConfData.getAddress() != null && (clientAddress == null || !subjectConfData.getAddress().equals(clientAddress))) { throw ExceptionUtils.toNotAuthorizedException(null, null); } }
sessionNotOnOrAfter = Instant.ofEpochMilli(subjectConf.getSubjectConfirmationData() .getNotOnOrAfter().toDate().getTime());
/** * Create an efficient field-wise copy of a {@link SubjectConfirmation}. * * @param confirmation the object to clone * * @return the copy */ @Nonnull private SubjectConfirmation cloneConfirmation(@Nonnull final SubjectConfirmation confirmation) { final SubjectConfirmation clone = confirmationBuilder.buildObject(); clone.setMethod(confirmation.getMethod()); final SubjectConfirmationData data = confirmation.getSubjectConfirmationData(); if (data != null) { final SubjectConfirmationData cloneData = confirmationDataBuilder.buildObject(); cloneData.setAddress(data.getAddress()); cloneData.setInResponseTo(data.getInResponseTo()); cloneData.setRecipient(data.getRecipient()); cloneData.setNotBefore(data.getNotBefore()); cloneData.setNotOnOrAfter(data.getNotOnOrAfter()); clone.setSubjectConfirmationData(cloneData); } return clone; }
throw new SamlException("recipient is not matched: " + data.getRecipient()); if (now.isAfter(data.getNotOnOrAfter())) { throw new SamlException("response has been expired: " + data.getNotOnOrAfter());
protected List<SubjectConfirmation> getConfirmations( List<org.opensaml.saml.saml2.core .SubjectConfirmation> subjectConfirmations, List<SimpleKey> localKeys ) { List<SubjectConfirmation> result = new LinkedList<>(); for (org.opensaml.saml.saml2.core.SubjectConfirmation s : subjectConfirmations) { NameID nameID = getNameID(s.getNameID(), s.getEncryptedID(), localKeys); result.add( new SubjectConfirmation() .setNameId(nameID != null ? nameID.getValue() : null) .setFormat(nameID != null ? NameId.fromUrn(nameID.getFormat()) : null) .setMethod(SubjectConfirmationMethod.fromUrn(s.getMethod())) .setConfirmationData( new SubjectConfirmationData() .setRecipient(s.getSubjectConfirmationData().getRecipient()) .setNotOnOrAfter(s.getSubjectConfirmationData().getNotOnOrAfter()) .setNotBefore(s.getSubjectConfirmationData().getNotBefore()) .setInResponseTo(s.getSubjectConfirmationData().getInResponseTo()) ) ); } return result; }