/**
 * Collects the validity window carried by a {@code SubjectConfirmationData} element.
 *
 * <p>The returned map holds at most one entry, keyed by {@code NotOnOrAfter} with {@code NotBefore}
 * as its value (the value may be {@code null} when that attribute is absent). The map is empty when
 * {@code isWithinValidTimeWindow} rejects the pair, or when {@code NotOnOrAfter} is missing.
 *
 * <p>NOTE(review): an empty map is the only failure signal produced here. Presumably the caller
 * rejects the assertion when no confirmation yields an entry; confirm at the call site.
 *
 * @param subjectConfirmationData element whose NotOnOrAfter / NotBefore attributes are read
 * @param timeSkew clock-skew allowance, passed unchanged to {@code isWithinValidTimeWindow}
 * @return a map with zero or one NotOnOrAfter -> NotBefore entry
 * @throws IdentityOAuth2Exception declared on the signature; nothing in this body throws it directly
 */
private Map<DateTime, DateTime> getValidNotBeforeAndAfterDetails(SubjectConfirmationData subjectConfirmationData,
                                                                 long timeSkew) throws IdentityOAuth2Exception {

    Map<DateTime, DateTime> validityWindow = new HashMap<>();
    DateTime expiry = subjectConfirmationData.getNotOnOrAfter();
    DateTime start = subjectConfirmationData.getNotBefore();

    // Outside the accepted window: report nothing for this confirmation.
    if (!isWithinValidTimeWindow(expiry, start, timeSkew)) {
        return validityWindow;
    }

    // The window check can pass with NotOnOrAfter absent; such a confirmation is logged and
    // contributes no entry.
    if (expiry == null) {
        if (log.isDebugEnabled()) {
            log.debug("Cannot find valid NotOnOrAfter and NotBefore attributes in " +
                    "SubjectConfirmationData " + subjectConfirmationData.toString());
        }
        return validityWindow;
    }

    validityWindow.put(expiry, start);
    return validityWindow;
}
/**
 * Checks the <code>NotOnOrAfter</code> attribute of the {@link SubjectConfirmationData} against the
 * current UTC time, allowing for the configured clock skew.
 *
 * <p>The comparison instant is "now minus clock skew"; the confirmation is rejected only when
 * <code>NotOnOrAfter</code> lies strictly before that instant. An absent <code>NotOnOrAfter</code>
 * is accepted here, so any requirement that the attribute be present has to be enforced by
 * other code.
 *
 * <p>NOTE(review): {@code getSubjectConfirmationData()} is dereferenced without a null check;
 * presumably the caller only invokes this when the data element exists. Confirm against the caller.
 *
 * @param confirmation confirmation method whose {@link SubjectConfirmationData} is being validated
 * @param assertion assertion bearing the confirmation method; its ID is used in the failure message
 * @param context current validation context; supplies the clock skew and receives the failure message
 *
 * @return {@link ValidationResult#INVALID} when the confirmation has expired, otherwise
 *         {@link ValidationResult#VALID}
 */
protected ValidationResult validateNotOnOrAfter(SubjectConfirmation confirmation, Assertion assertion,
        ValidationContext context) {

    // Shift "now" back by the skew so a slightly fast local clock does not reject a fresh assertion.
    DateTime earliestAcceptableNow = new DateTime(ISOChronology.getInstanceUTC()).minus(getClockSkew(context));
    DateTime expiry = confirmation.getSubjectConfirmationData().getNotOnOrAfter();

    boolean expired = expiry != null && expiry.isBefore(earliestAcceptableNow);
    if (!expired) {
        return ValidationResult.VALID;
    }

    String failure = String.format(
            "Subject confirmation, in assertion '%s', with NotOnOrAfter condition of '%s' is no longer valid",
            assertion.getID(), expiry);
    context.setValidationFailureMessage(failure);
    return ValidationResult.INVALID;
}
if (subjectCD.getNotOnOrAfter() != null) { String notOnOrAfterStr = Configuration.getSAMLDateFormatter().print(subjectCD.getNotOnOrAfter()); domElement.setAttributeNS(null, SubjectConfirmationData.NOT_ON_OR_AFTER_ATTRIB_NAME, notOnOrAfterStr);
/**
 * Builds a view of the first subject confirmation in the authenticated SAML assertion.
 *
 * <p>The credentials of {@code authentication} are cast to {@code SAMLCredential}. Only the
 * confirmation at index 0 is read; any further confirmations in the subject are ignored.
 * The method, InResponseTo, NotOnOrAfter and Recipient values are copied as-is, with no
 * validation performed here.
 *
 * <p>NOTE(review): the subject, the confirmation list and the confirmation data are dereferenced
 * without null or emptiness checks, so an assertion lacking any of them makes this constructor
 * throw. Presumably the assertion has already been validated upstream; confirm.
 *
 * @param authentication authentication whose credentials hold the SAML assertion
 */
public SubjectConfirmation(Authentication authentication){
    SAMLCredential samlCredential = (SAMLCredential) authentication.getCredentials();

    org.opensaml.saml2.core.SubjectConfirmation firstConfirmation = samlCredential
            .getAuthenticationAssertion()
            .getSubject()
            .getSubjectConfirmations()
            .get(0);
    SubjectConfirmationData confirmationData = firstConfirmation.getSubjectConfirmationData();

    this.method = firstConfirmation.getMethod();
    this.inResponseTo = confirmationData.getInResponseTo();
    this.notOnOrAfter = confirmationData.getNotOnOrAfter();
    this.recipient = confirmationData.getRecipient();
}
/**
 * Copies the assertion ID and the validity period of the SAML assertion onto this object.
 *
 * <p>When the assertion has a {@code Conditions} element, its NotBefore / NotOnOrAfter values
 * are used. Otherwise the values are taken from the first {@code SubjectConfirmationData}.
 * A bound that is absent from the chosen source is left unset; in particular, a
 * {@code Conditions} element without NotOnOrAfter does not fall back to the subject
 * confirmation data.
 *
 * <p>This method only records the dates; it compares nothing against the current time.
 *
 * <p>NOTE(review): the fallback path reads index 0 of the subject confirmations without null or
 * emptiness checks, so an assertion with neither Conditions nor a subject confirmation makes it
 * throw instead of leaving the validity period unset. Confirm that callers rely on that.
 */
protected void processSAMLAssertion() {
    this.setAssertionId(assertion.getID());
    Subject subject = assertion.getSubject();

    if (assertion.getConditions() == null) {
        // No Conditions element: take the validity period from the first SubjectConfirmationData.
        SubjectConfirmationData scData =
                subject.getSubjectConfirmations().get(0).getSubjectConfirmationData();
        if (scData.getNotBefore() != null) {
            this.setDateNotBefore(scData.getNotBefore().toDate());
        }
        if (scData.getNotOnOrAfter() != null) {
            this.setDateNotOnOrAfter(scData.getNotOnOrAfter().toDate());
        }
        return;
    }

    // Conditions element present: it is the only source consulted for the validity period.
    Conditions conditions = assertion.getConditions();
    if (conditions.getNotBefore() != null) {
        this.setDateNotBefore(conditions.getNotBefore().toDate());
    }
    if (conditions.getNotOnOrAfter() != null) {
        this.setDateNotOnOrAfter(conditions.getNotOnOrAfter().toDate());
    }
}
subjectConfirmationData.getNotOnOrAfter(), maxTimeOffset);
if (data.getNotOnOrAfter() == null) { log.debug("Bearer SubjectConfirmation invalidated by missing notOnOrAfter"); continue; if (data.getNotOnOrAfter().plusSeconds(getResponseSkew()).isBeforeNow()) { log.debug("Bearer SubjectConfirmation invalidated by notOnOrAfter"); continue;
recipientURLS.add(s.getSubjectConfirmationData().getRecipient()); if (s.getSubjectConfirmationData().getNotOnOrAfter() != null) { notOnOrAfterFromSubjectConfirmations.add(s.getSubjectConfirmationData().getNotOnOrAfter()); } else { if (log.isDebugEnabled()){
// NOTE(review): the null guard tests getNotBefore(), but the value dereferenced is getNotOnOrAfter().
// As written, an absent NotBefore skips this expiry check entirely, and a present NotBefore with an
// absent NotOnOrAfter throws NullPointerException. Presumably the guard was meant to test
// getNotOnOrAfter(); confirm against the enclosing loop, which is not shown in this fragment.
if (data.getNotBefore() != null && data.getNotOnOrAfter().isBeforeNow()) { log.debug("HoK SubjectConfirmation invalidated by expired notOnOrAfter"); continue;
if (data.getNotOnOrAfter().isBeforeNow()) { confirmed = false; continue;
if (scd.getNotOnOrAfter() != null) { final DateTime chkdate = scd.getNotOnOrAfter().plusSeconds(slack); if (now.isEqual(chkdate) || now.isAfter(chkdate)) { throw new ValidationException("SubjectConfirmationData is in the past");
if (scd.getNotOnOrAfter() != null) { DateTime chkdate = scd.getNotOnOrAfter().plusSeconds(slack); if (now.isEqual(chkdate) || now.isAfter(chkdate)) { throw new ValidationException(