/**
 * Checks that the mandatory {@code AuthnInstant} attribute is set on the statement.
 *
 * @param authnStatement the statement being validated
 * @throws ValidationException if {@code AuthnInstant} is absent
 */
protected void validateAuthnInstant(AuthnStatement authnStatement) throws ValidationException {
    boolean hasAuthnInstant = authnStatement.getAuthnInstant() != null;
    if (hasAuthnInstant) {
        return;
    }
    throw new ValidationException("AuthnInstant required");
}
/** {@inheritDoc} */
protected void marshallAttributes(XMLObject samlObject, Element domElement) throws MarshallingException {
    AuthnStatement statement = (AuthnStatement) samlObject;

    // Date-valued attributes are rendered through the shared SAML date formatter so
    // their textual form is the one the matching unmarshaller parses.
    String authnInstant = statement.getAuthnInstant() == null
            ? null
            : Configuration.getSAMLDateFormatter().print(statement.getAuthnInstant());
    if (authnInstant != null) {
        domElement.setAttributeNS(null, AuthnStatement.AUTHN_INSTANT_ATTRIB_NAME, authnInstant);
    }

    // SessionIndex is optional and written verbatim.
    String sessionIndex = statement.getSessionIndex();
    if (sessionIndex != null) {
        domElement.setAttributeNS(null, AuthnStatement.SESSION_INDEX_ATTRIB_NAME, sessionIndex);
    }

    String sessionNotOnOrAfter = statement.getSessionNotOnOrAfter() == null
            ? null
            : Configuration.getSAMLDateFormatter().print(statement.getSessionNotOnOrAfter());
    if (sessionNotOnOrAfter != null) {
        domElement.setAttributeNS(null, AuthnStatement.SESSION_NOT_ON_OR_AFTER_ATTRIB_NAME, sessionNotOnOrAfter);
    }
}
}
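/**
 * Verifies that the authentication statement may still be relied upon.
 *
 * <p>Three checks are applied in order: the {@code AuthnInstant} must not be older than
 * {@code MAX_AUTHENTICATION_TIME} (clock skew allowed for by {@code isDateTimeSkewValid}),
 * the session bounded by {@code SessionNotOnOrAfter} must not have expired, and when the
 * statement carries a {@code SubjectLocality} address the request must originate from it.
 *
 * @param auth    authentication statement taken from the assertion
 * @param context message context whose inbound transport is expected to be HTTP
 * @throws Exception if any of the checks fails
 */
protected void verifyAuthenticationStatement(AuthnStatement auth, BasicSAMLMessageContext context) throws Exception {
    // Validate that user wasn't authenticated too long time ago
    if (!isDateTimeSkewValid(MAX_AUTHENTICATION_TIME, auth.getAuthnInstant())) {
        System.out.println("Authentication statement is too old to be used" + auth.getAuthnInstant());
        throw new Exception("Users authentication data is too old");
    }

    // Validate users session is still valid: SessionNotOnOrAfter is an upper bound, so the
    // session is expired once that instant lies in the past. Testing isAfter(now) instead
    // would accept expired sessions and reject live ones.
    if (auth.getSessionNotOnOrAfter() != null && auth.getSessionNotOnOrAfter().isBeforeNow()) {
        System.out.println("Authentication session is not valid anymore" + auth.getSessionNotOnOrAfter());
        throw new Exception("Users authentication is expired");
    }

    // When the IdP recorded the client address, require the request to arrive from it.
    if (auth.getSubjectLocality() != null && auth.getSubjectLocality().getAddress() != null) {
        String expectedAddress = auth.getSubjectLocality().getAddress();
        HTTPInTransport httpInTransport = (HTTPInTransport) context.getInboundMessageTransport();
        // expectedAddress is the receiver of equals() so an absent peer address fails closed
        // rather than throwing a NullPointerException.
        if (!expectedAddress.equals(httpInTransport.getPeerAddress())) {
            throw new Exception("User is accessing the service from invalid address");
        }
    }
}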
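/**
 * Builds the statement view from the first {@code AuthnStatement} of the assertion carried by
 * the given {@link Authentication}.
 *
 * <p>Elements that are optional in the SAML statement ({@code SessionIndex},
 * {@code SessionNotOnOrAfter}, the {@code SubjectLocality} address and the
 * {@code AuthnContextClassRef}) leave the corresponding field {@code null} when absent
 * instead of failing with a {@link NullPointerException}.
 *
 * @param authentication authentication whose credentials are a {@link SAMLCredential}
 * @throws IllegalArgumentException if the assertion holds no {@code AuthnStatement}
 */
public AuthenticationStatement(Authentication authentication) {
    SAMLCredential credential = (SAMLCredential) authentication.getCredentials();
    Assertion assertion = credential.getAuthenticationAssertion();
    List<AuthnStatement> authnStatements = assertion.getAuthnStatements();
    if (authnStatements == null || authnStatements.isEmpty()) {
        throw new IllegalArgumentException("Authentication assertion contains no AuthnStatement");
    }
    // Only the first statement is exposed by this class.
    AuthnStatement authnStatement = authnStatements.get(0);

    authenticationInstance = authnStatement.getAuthnInstant();
    sessionValidity = authnStatement.getSessionNotOnOrAfter();
    sessionIndex = authnStatement.getSessionIndex();

    // AuthnContext may express its context by declaration rather than by class reference,
    // in which case getAuthnContextClassRef() is null; treat that like a missing context.
    authenticationContextClass = authnStatement.getAuthnContext() == null
            || authnStatement.getAuthnContext().getAuthnContextClassRef() == null
            ? null
            : authnStatement.getAuthnContext().getAuthnContextClassRef().getAuthnContextClassRef();

    SubjectLocality subjectLocalityValue = authnStatement.getSubjectLocality();
    subjectLocality = subjectLocalityValue == null ? null : subjectLocalityValue.getAddress();
}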
/**
 * Verifies that the authentication statement is acceptable: the statement must not be older
 * than the configured maximum authentication age, its session (when bounded by
 * {@code SessionNotOnOrAfter}) must not have expired, and its {@code AuthnContext} must
 * satisfy the context that was requested.
 *
 * @param auth                  statement to check
 * @param requestedAuthnContext originally requested context; {@code null} for unsolicited
 *                              messages or when no context was requested
 * @param context               message context
 * @throws AuthenticationException in case the statement is invalid
 */
protected void verifyAuthenticationStatement(AuthnStatement auth, RequestedAuthnContext requestedAuthnContext, SAMLMessageContext context) throws AuthenticationException {
    rejectStaleAuthentication(auth);
    rejectExpiredSession(auth);
    verifyAuthnContext(requestedAuthnContext, auth.getAuthnContext(), context);
}

/**
 * Rejects a statement whose {@code AuthnInstant} lies further in the past than the maximum
 * authentication age allows, taking the configured response skew into account.
 *
 * @param auth statement to check
 * @throws CredentialsExpiredException if the authentication is too old
 */
private void rejectStaleAuthentication(AuthnStatement auth) throws AuthenticationException {
    boolean withinMaxAge = isDateTimeSkewValid(getResponseSkew(), getMaxAuthenticationAge(), auth.getAuthnInstant());
    if (!withinMaxAge) {
        throw new CredentialsExpiredException("Authentication statement is too old to be used with value " + auth.getAuthnInstant());
    }
}

/**
 * Rejects a statement whose {@code SessionNotOnOrAfter} instant has already passed.
 * A statement without that attribute places no bound on the session and is accepted.
 *
 * @param auth statement to check
 * @throws CredentialsExpiredException if the session has expired
 */
private void rejectExpiredSession(AuthnStatement auth) throws AuthenticationException {
    if (auth.getSessionNotOnOrAfter() == null) {
        return;
    }
    if (auth.getSessionNotOnOrAfter().isBeforeNow()) {
        throw new CredentialsExpiredException("Authentication session is not valid on or after " + auth.getSessionNotOnOrAfter());
    }
}
if (authnStatement.getAuthnInstant() != null) { samlAuthnStatement.setAuthInstant(authnStatement.getAuthnInstant().toString()); log.debug("Assertion.samlAuthnStatement.authnInstant = " + samlAuthnStatement.getAuthInstant());
DateTime authenticationTime = authnStatement.getAuthnInstant(); AuthnContext authnContext = authnStatement.getAuthnContext(); if (null == authnContext) {
DateTime authnInstant = authnStatement.getAuthnInstant(); DateTime sessionNotOnOrAfter = authnStatement.getSessionNotOnOrAfter(); String subjectLocalityAddress = null;
DateTime authnInstant = authnStatement.getAuthnInstant(); DateTime sessionNotOnOrAfter = authnStatement.getSessionNotOnOrAfter(); String subjectLocalityAddress = null;