/**
 * Parses the SAMLCredential for expiration time. Locates all AuthnStatements present within the assertion
 * (only one in most cases) and computes the expiration based on the sessionNotOnOrAfter field, taking the
 * earliest such instant when several statements carry one.
 *
 * @param credential credential to use for expiration parsing.
 * @return null if no expiration is present, expiration time onOrAfter which the token is not valid anymore
 */
protected Date getExpirationDate(SAMLCredential credential) {
    DateTime earliest = null;
    for (AuthnStatement statement : credential.getAuthenticationAssertion().getAuthnStatements()) {
        DateTime candidate = statement.getSessionNotOnOrAfter();
        if (candidate == null) {
            continue;
        }
        // Keep the earliest SessionNotOnOrAfter: the token stops being usable as soon as any session ends.
        if (earliest == null || candidate.isBefore(earliest)) {
            earliest = candidate;
        }
    }
    if (earliest == null) {
        return null;
    }
    return earliest.toDate();
}
/** {@inheritDoc} */
protected void marshallAttributes(XMLObject samlObject, Element domElement) throws MarshallingException {
    AuthnStatement statement = (AuthnStatement) samlObject;

    // AuthnInstant is serialised through the shared SAML date formatter.
    if (statement.getAuthnInstant() != null) {
        writeAttribute(domElement, AuthnStatement.AUTHN_INSTANT_ATTRIB_NAME,
                Configuration.getSAMLDateFormatter().print(statement.getAuthnInstant()));
    }
    // SessionIndex is already a string and is copied as-is.
    if (statement.getSessionIndex() != null) {
        writeAttribute(domElement, AuthnStatement.SESSION_INDEX_ATTRIB_NAME, statement.getSessionIndex());
    }
    // SessionNotOnOrAfter uses the same formatter as AuthnInstant.
    if (statement.getSessionNotOnOrAfter() != null) {
        writeAttribute(domElement, AuthnStatement.SESSION_NOT_ON_OR_AFTER_ATTRIB_NAME,
                Configuration.getSAMLDateFormatter().print(statement.getSessionNotOnOrAfter()));
    }
}

/**
 * Sets an un-namespaced attribute on the element.
 *
 * @param domElement element receiving the attribute
 * @param name       attribute name
 * @param value      attribute value; callers only pass non-null values
 */
private static void writeAttribute(Element domElement, String name, String value) {
    domElement.setAttributeNS(null, name, value);
}
}
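/**
 * Verifies that the authentication statement is still usable: the AuthnInstant must be within the
 * allowed maximum age, the SessionNotOnOrAfter instant (when present) must not have been reached yet,
 * and, when the statement carries a SubjectLocality address, the peer address of the inbound transport
 * must match it.
 *
 * @param auth    statement to check
 * @param context message context providing the inbound HTTP transport
 * @throws Exception if the statement is too old, the session has expired, or the peer address does not
 *                   match the SubjectLocality address
 */
protected void verifyAuthenticationStatement(AuthnStatement auth, BasicSAMLMessageContext context) throws Exception {
    // Validate that user wasn't authenticated too long time ago
    if (!isDateTimeSkewValid(MAX_AUTHENTICATION_TIME, auth.getAuthnInstant())) {
        System.out.println("Authentication statement is too old to be used " + auth.getAuthnInstant());
        throw new Exception("Users authentication data is too old");
    }
    // Validate users session is still valid. SessionNotOnOrAfter is the instant on or after which the
    // session is no longer valid, so the statement is accepted only while that instant is still in the
    // future. The previous check used isAfter(now), which rejected live sessions and let expired ones through.
    if (auth.getSessionNotOnOrAfter() != null && !auth.getSessionNotOnOrAfter().isAfterNow()) {
        System.out.println("Authentication session is not valid anymore " + auth.getSessionNotOnOrAfter());
        throw new Exception("Users authentication is expired");
    }
    // When the IdP recorded the client address, require the request to arrive from that same address.
    if (auth.getSubjectLocality() != null && auth.getSubjectLocality().getAddress() != null) {
        HTTPInTransport httpInTransport = (HTTPInTransport) context.getInboundMessageTransport();
        String expectedAddress = auth.getSubjectLocality().getAddress();
        // expectedAddress is known non-null here, so comparing in this order cannot throw on a missing
        // peer address; a missing peer address simply fails the check.
        if (!expectedAddress.equals(httpInTransport.getPeerAddress())) {
            throw new Exception("User is accessing the service from invalid address");
        }
    }
}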
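/**
 * Verifies that authentication statement is valid. Checks the authInstant and sessionNotOnOrAfter fields
 * and then delegates the authentication context check to {@code verifyAuthnContext}.
 *
 * @param auth                  statement to check
 * @param requestedAuthnContext original requested context can be null for unsolicited messages or when no
 *                              context was requested
 * @param context               message context
 * @throws AuthenticationException in case the statement is invalid
 */
protected void verifyAuthenticationStatement(AuthnStatement auth, RequestedAuthnContext requestedAuthnContext, SAMLMessageContext context) throws AuthenticationException {
    // Validate that user wasn't authenticated too long time ago (the response skew is tolerated on AuthnInstant)
    if (!isDateTimeSkewValid(getResponseSkew(), getMaxAuthenticationAge(), auth.getAuthnInstant())) {
        throw new CredentialsExpiredException("Authentication statement is too old to be used with value " + auth.getAuthnInstant());
    }
    // Validate users session is still valid. SAML defines SessionNotOnOrAfter as the instant on or after
    // which the session is invalid, so the boundary instant itself must be rejected; isBeforeNow() let it through.
    if (auth.getSessionNotOnOrAfter() != null && !auth.getSessionNotOnOrAfter().isAfterNow()) {
        throw new CredentialsExpiredException("Authentication session is not valid on or after " + auth.getSessionNotOnOrAfter());
    }
    // Verify context
    verifyAuthnContext(requestedAuthnContext, auth.getAuthnContext(), context);
}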
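/**
 * Builds the statement view from the first AuthnStatement of the assertion carried by the given
 * authentication's SAMLCredential.
 *
 * @param authentication authentication whose credentials are a {@code SAMLCredential}
 * @throws IllegalArgumentException if the assertion carries no AuthnStatement
 */
public AuthenticationStatement(Authentication authentication) {
    SAMLCredential credential = (SAMLCredential) authentication.getCredentials();
    Assertion assertion = credential.getAuthenticationAssertion();
    List<AuthnStatement> authnStatements = assertion.getAuthnStatements();
    // A clear message instead of an IndexOutOfBoundsException from get(0) on an empty list.
    if (authnStatements == null || authnStatements.isEmpty()) {
        throw new IllegalArgumentException("Assertion does not contain any AuthnStatement");
    }
    // Only the first statement is represented; an assertion normally carries a single one.
    AuthnStatement authnStatement = authnStatements.get(0);
    authenticationInstance = authnStatement.getAuthnInstant();
    sessionValidity = authnStatement.getSessionNotOnOrAfter();
    sessionIndex = authnStatement.getSessionIndex();
    // AuthnContextClassRef is optional in SAML (an AuthnContext may carry only a declaration reference),
    // so the chain is guarded instead of dereferenced blindly.
    String contextClass = null;
    if (authnStatement.getAuthnContext() != null
            && authnStatement.getAuthnContext().getAuthnContextClassRef() != null) {
        contextClass = authnStatement.getAuthnContext().getAuthnContextClassRef().getAuthnContextClassRef();
    }
    authenticationContextClass = contextClass;
    // SubjectLocality is optional as well; its address is recorded only when present.
    String localityAddress = null;
    if (authnStatement.getSubjectLocality() != null) {
        localityAddress = authnStatement.getSubjectLocality().getAddress();
    }
    subjectLocality = localityAddress;
}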
if (as.getSessionNotOnOrAfter() == null) { LOG.error("SessionNotOnOrAfter is null"); continue; final DateTime exp = as.getSessionNotOnOrAfter().plusSeconds(slack); if (exp != null && (now.isEqual(exp) || now.isAfter(exp))) {
DateTime sessionTime = as.getSessionNotOnOrAfter(); if (sessionTime != null) { DateTime exp = sessionTime.plusSeconds(slack);
DateTime sessionNotOnOrAfter = authnStatement.getSessionNotOnOrAfter(); String subjectLocalityAddress = null;
DateTime sessionNotOnOrAfter = authnStatement.getSessionNotOnOrAfter(); String subjectLocalityAddress = null;