/**
 * Verify whether an {@link org.picketlink.identity.federation.saml.v2.assertion.AssertionType} has expired.
 * <p>
 * The check itself lives in {@link AssertionUtil}; this wrapper only delegates and passes no
 * clock-skew allowance (the two-argument {@code AssertionUtil.hasExpired} overload is not used here).
 *
 * @param assertionType the assertion whose validity window is checked
 * @return {@code true} when {@code AssertionUtil} reports the assertion as expired, {@code false} otherwise
 * @throws ConfigurationException propagated unchanged from {@code AssertionUtil}
 */
public boolean hasExpired(AssertionType assertionType) throws ConfigurationException {
    // Keep a single point of delegation so the expiry policy is defined in one place.
    final boolean expired = AssertionUtil.hasExpired(assertionType);
    return expired;
}
} // closes the enclosing class; its header lies outside this excerpt
/**
 * Verify whether an {@link org.picketlink.identity.federation.saml.v2.assertion.AssertionType} has expired.
 * <p>
 * The check itself lives in {@link AssertionUtil}; this wrapper only delegates and passes no
 * clock-skew allowance (the two-argument {@code AssertionUtil.hasExpired} overload is not used here).
 *
 * @param assertionType the assertion whose validity window is checked
 * @return {@code true} when {@code AssertionUtil} reports the assertion as expired, {@code false} otherwise
 * @throws ConfigurationException propagated unchanged from {@code AssertionUtil}
 */
public boolean hasExpired(AssertionType assertionType) throws ConfigurationException {
    // Keep a single point of delegation so the expiry policy is defined in one place.
    final boolean expired = AssertionUtil.hasExpired(assertionType);
    return expired;
}
} // closes the enclosing class; its header lies outside this excerpt
if (AssertionUtil.hasExpired(assertionType)) { log.error("Expired Assertion with ID = " + assertionType.getID()); return Response.status(Response.Status.NOT_ACCEPTABLE).build();// expired assertion
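/**
 * Validates the SAML assertion carried by a {@link SAMLProtocolContext}: the assertion must be
 * present, must be inside its validity window and must still be present in this provider's token
 * registry. Contexts of any other type are ignored.
 *
 * @param context the protocol context; only {@code SAMLProtocolContext} instances are validated
 * @throws ProcessingException if the assertion is missing, expired or unknown to the registry, or if
 *         the expiry check raises a {@link ConfigurationException}
 * @see org.picketlink.identity.federation.core.interfaces.SecurityTokenProvider#validateToken(org.picketlink.identity.federation.core.interfaces.ProtocolContext)
 */
public void validateToken(ProtocolContext context) throws ProcessingException {
    if (!(context instanceof SAMLProtocolContext)) {
        return;
    }

    SecurityManager sm = System.getSecurityManager();
    if (sm != null) {
        sm.checkPermission(PicketLinkCoreSTS.rte);
    }

    SAMLProtocolContext samlProtocolContext = (SAMLProtocolContext) context;
    AssertionType issuedAssertion = samlProtocolContext.getIssuedAssertion();

    // Reject a missing assertion before it is handed to AssertionUtil or dereferenced below.
    if (issuedAssertion == null) {
        throw logger.assertionInvalidError();
    }

    // An assertion outside its validity window is rejected. The previous condition was inverted
    // (it rejected only assertions that had NOT expired), which let expired tokens through.
    try {
        if (AssertionUtil.hasExpired(issuedAssertion)) {
            throw logger.samlAssertionExpiredError();
        }
    } catch (ConfigurationException e) {
        throw logger.processingError(e);
    }

    // Only assertions still tracked in the token registry are accepted.
    if (this.tokenRegistry.getToken(issuedAssertion.getID()) == null) {
        throw logger.assertionInvalidError();
    }
}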
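/**
 * Validates the SAML 1.1 assertion carried by a {@link SAML11ProtocolContext}: the assertion must be
 * present, must be inside its validity window and must still be present in this provider's token
 * registry. Contexts of any other type are ignored.
 *
 * @param context the protocol context; only {@code SAML11ProtocolContext} instances are validated
 * @throws ProcessingException if the assertion is missing, expired or unknown to the registry, or if
 *         the expiry check raises a {@link ConfigurationException}
 * @see org.picketlink.identity.federation.core.interfaces.SecurityTokenProvider#validateToken(org.picketlink.identity.federation.core.interfaces.ProtocolContext)
 */
public void validateToken(ProtocolContext context) throws ProcessingException {
    if (!(context instanceof SAML11ProtocolContext)) {
        return;
    }

    SecurityManager sm = System.getSecurityManager();
    if (sm != null) {
        sm.checkPermission(PicketLinkCoreSTS.rte);
    }

    SAML11ProtocolContext samlProtocolContext = (SAML11ProtocolContext) context;
    SAML11AssertionType issuedAssertion = samlProtocolContext.getIssuedAssertion();

    // Reject a missing assertion before it is handed to AssertionUtil or dereferenced below.
    if (issuedAssertion == null) {
        throw logger.assertionInvalidError();
    }

    // An assertion outside its validity window is rejected. The previous condition was inverted
    // (it rejected only assertions that had NOT expired), which let expired tokens through.
    try {
        if (AssertionUtil.hasExpired(issuedAssertion)) {
            throw logger.samlAssertionExpiredError();
        }
    } catch (ConfigurationException e) {
        throw logger.processingError(e);
    }

    // Only assertions still tracked in the token registry are accepted.
    if (this.tokenRegistry.getToken(issuedAssertion.getID()) == null) {
        throw logger.assertionInvalidError();
    }
}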
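/**
 * Validates the SAML 1.1 assertion carried by a {@link SAML11ProtocolContext}: the assertion must be
 * present, must be inside its validity window and must still be present in this provider's token
 * registry. Contexts of any other type are ignored.
 *
 * @param context the protocol context; only {@code SAML11ProtocolContext} instances are validated
 * @throws ProcessingException if the assertion is missing, expired or unknown to the registry, or if
 *         the expiry check raises a {@link ConfigurationException}
 * @see org.picketlink.identity.federation.core.interfaces.SecurityTokenProvider#validateToken(org.picketlink.identity.federation.core.interfaces.ProtocolContext)
 */
public void validateToken(ProtocolContext context) throws ProcessingException {
    if (!(context instanceof SAML11ProtocolContext)) {
        return;
    }

    SecurityManager sm = System.getSecurityManager();
    if (sm != null) {
        sm.checkPermission(PicketLinkCoreSTS.rte);
    }

    SAML11ProtocolContext samlProtocolContext = (SAML11ProtocolContext) context;
    SAML11AssertionType issuedAssertion = samlProtocolContext.getIssuedAssertion();

    // The null guard now precedes the expiry check: previously the assertion was passed to
    // AssertionUtil before being checked, so a missing assertion could fail with the wrong error.
    if (issuedAssertion == null) {
        throw logger.assertionInvalidError();
    }

    // An assertion outside its validity window is rejected.
    try {
        if (AssertionUtil.hasExpired(issuedAssertion)) {
            throw logger.samlAssertionExpiredError();
        }
    } catch (ConfigurationException e) {
        throw logger.processingError(e);
    }

    // Only assertions still tracked in the token registry are accepted.
    if (this.tokenRegistry.getToken(issuedAssertion.getID()) == null) {
        throw logger.assertionInvalidError();
    }
}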
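/**
 * Validates the SAML assertion carried by a {@link SAMLProtocolContext}: the assertion must be
 * present, must be inside its validity window and must still be present in this provider's token
 * registry. Contexts of any other type are ignored.
 *
 * @param context the protocol context; only {@code SAMLProtocolContext} instances are validated
 * @throws ProcessingException if the assertion is missing, expired or unknown to the registry, or if
 *         the expiry check raises a {@link ConfigurationException}
 * @see org.picketlink.identity.federation.core.interfaces.SecurityTokenProvider#validateToken(org.picketlink.identity.federation.core.interfaces.ProtocolContext)
 */
public void validateToken(ProtocolContext context) throws ProcessingException {
    if (!(context instanceof SAMLProtocolContext)) {
        return;
    }

    SecurityManager sm = System.getSecurityManager();
    if (sm != null) {
        sm.checkPermission(PicketLinkCoreSTS.rte);
    }

    SAMLProtocolContext samlProtocolContext = (SAMLProtocolContext) context;
    AssertionType issuedAssertion = samlProtocolContext.getIssuedAssertion();

    // The null guard now precedes the expiry check: previously the assertion was passed to
    // AssertionUtil before being checked, so a missing assertion could fail with the wrong error.
    if (issuedAssertion == null) {
        throw logger.assertionInvalidError();
    }

    // An assertion outside its validity window is rejected.
    try {
        if (AssertionUtil.hasExpired(issuedAssertion)) {
            throw logger.samlAssertionExpiredError();
        }
    } catch (ConfigurationException e) {
        throw logger.processingError(e);
    }

    // Only assertions still tracked in the token registry are accepted.
    if (this.tokenRegistry.getToken(issuedAssertion.getID()) == null) {
        throw logger.assertionInvalidError();
    }
}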
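/**
 * Validates the SAML assertion carried by a {@link SAMLProtocolContext}: the assertion must be
 * present, must be inside its validity window and must still be present in this provider's token
 * registry. Contexts of any other type are ignored.
 *
 * @param context the protocol context; only {@code SAMLProtocolContext} instances are validated
 * @throws ProcessingException with {@code ErrorCodes.NULL_ARGUMENT}, {@code ErrorCodes.EXPIRED_ASSERTION}
 *         or {@code ErrorCodes.INVALID_ASSERTION}, or wrapping a {@link ConfigurationException}
 *         raised by the expiry check
 * @see org.picketlink.identity.federation.core.interfaces.SecurityTokenProvider#validateToken(org.picketlink.identity.federation.core.interfaces.ProtocolContext)
 */
public void validateToken(ProtocolContext context) throws ProcessingException {
    if (!(context instanceof SAMLProtocolContext)) {
        return;
    }

    SecurityManager sm = System.getSecurityManager();
    if (sm != null) {
        sm.checkPermission(PicketLinkCoreSTS.rte);
    }

    SAMLProtocolContext samlProtocolContext = (SAMLProtocolContext) context;
    AssertionType issuedAssertion = samlProtocolContext.getIssuedAssertion();

    // Reject a missing assertion before it is handed to AssertionUtil or dereferenced below.
    if (issuedAssertion == null) {
        throw new ProcessingException(ErrorCodes.NULL_ARGUMENT + "Assertion");
    }

    // An assertion outside its validity window is rejected. The previous condition was inverted
    // (it rejected only assertions that had NOT expired), which let expired tokens through.
    try {
        if (AssertionUtil.hasExpired(issuedAssertion)) {
            throw new ProcessingException(ErrorCodes.EXPIRED_ASSERTION);
        }
    } catch (ConfigurationException e) {
        throw new ProcessingException(e);
    }

    // Only assertions still tracked in the token registry are accepted.
    if (this.tokenRegistry.getToken(issuedAssertion.getID()) == null) {
        throw new ProcessingException(ErrorCodes.INVALID_ASSERTION);
    }
}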
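/**
 * Validates the SAML assertion carried by a {@link SAMLProtocolContext}: the assertion must be
 * present, must be inside its validity window and must still be present in this provider's token
 * registry. Contexts of any other type are ignored.
 *
 * @param context the protocol context; only {@code SAMLProtocolContext} instances are validated
 * @throws ProcessingException with {@code ErrorCodes.NULL_ASSERTION}, {@code ErrorCodes.EXPIRED_ASSERTION}
 *         or {@code ErrorCodes.INVALID_ASSERTION}, or wrapping a {@link ConfigurationException}
 *         raised by the expiry check
 * @see org.picketlink.identity.federation.core.interfaces.SecurityTokenProvider#validateToken(org.picketlink.identity.federation.core.interfaces.ProtocolContext)
 */
public void validateToken(ProtocolContext context) throws ProcessingException {
    if (!(context instanceof SAMLProtocolContext)) {
        return;
    }

    SecurityManager sm = System.getSecurityManager();
    if (sm != null) {
        sm.checkPermission(PicketLinkCoreSTS.rte);
    }

    SAMLProtocolContext samlProtocolContext = (SAMLProtocolContext) context;
    AssertionType issuedAssertion = samlProtocolContext.getIssuedAssertion();

    // Reject a missing assertion before it is handed to AssertionUtil or dereferenced below.
    if (issuedAssertion == null) {
        throw new ProcessingException(ErrorCodes.NULL_ASSERTION);
    }

    // An assertion outside its validity window is rejected. The previous condition was inverted
    // (it rejected only assertions that had NOT expired), which let expired tokens through.
    try {
        if (AssertionUtil.hasExpired(issuedAssertion)) {
            throw new ProcessingException(ErrorCodes.EXPIRED_ASSERTION);
        }
    } catch (ConfigurationException e) {
        throw new ProcessingException(e);
    }

    // Only assertions still tracked in the token registry are accepted.
    if (this.tokenRegistry.getToken(issuedAssertion.getID()) == null) {
        throw new ProcessingException(ErrorCodes.INVALID_ASSERTION);
    }
}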
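/**
 * Validates the SAML assertion carried by a {@link SAMLProtocolContext}: the assertion must be
 * present, must be inside its validity window and must still be present in this provider's token
 * registry. Contexts of any other type are ignored.
 *
 * @param context the protocol context; only {@code SAMLProtocolContext} instances are validated
 * @throws ProcessingException with {@code ErrorCodes.NULL_ARGUMENT}, {@code ErrorCodes.EXPIRED_ASSERTION}
 *         or {@code ErrorCodes.INVALID_ASSERTION}, or wrapping a {@link ConfigurationException}
 *         raised by the expiry check
 * @see org.picketlink.identity.federation.core.interfaces.SecurityTokenProvider#validateToken(org.picketlink.identity.federation.core.interfaces.ProtocolContext)
 */
public void validateToken(ProtocolContext context) throws ProcessingException {
    if (!(context instanceof SAMLProtocolContext)) {
        return;
    }

    SecurityManager sm = System.getSecurityManager();
    if (sm != null) {
        sm.checkPermission(PicketLinkCoreSTS.rte);
    }

    SAMLProtocolContext samlProtocolContext = (SAMLProtocolContext) context;
    AssertionType issuedAssertion = samlProtocolContext.getIssuedAssertion();

    // Reject a missing assertion before it is handed to AssertionUtil or dereferenced below.
    if (issuedAssertion == null) {
        throw new ProcessingException(ErrorCodes.NULL_ARGUMENT + "Assertion");
    }

    // An assertion outside its validity window is rejected. The previous condition was inverted
    // (it rejected only assertions that had NOT expired), which let expired tokens through.
    try {
        if (AssertionUtil.hasExpired(issuedAssertion)) {
            throw new ProcessingException(ErrorCodes.EXPIRED_ASSERTION);
        }
    } catch (ConfigurationException e) {
        throw new ProcessingException(e);
    }

    // Only assertions still tracked in the token registry are accepted.
    if (this.tokenRegistry.getToken(issuedAssertion.getID()) == null) {
        throw new ProcessingException(ErrorCodes.INVALID_ASSERTION);
    }
}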
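/**
 * Validates the SAML assertion carried by a {@link SAMLProtocolContext}: the assertion must be
 * present, must be inside its validity window and must still be present in this provider's token
 * registry. Contexts of any other type are ignored.
 *
 * @param context the protocol context; only {@code SAMLProtocolContext} instances are validated
 * @throws ProcessingException with {@code ErrorCodes.NULL_ASSERTION}, {@code ErrorCodes.EXPIRED_ASSERTION}
 *         or {@code ErrorCodes.INVALID_ASSERTION}, or wrapping a {@link ConfigurationException}
 *         raised by the expiry check
 * @see org.picketlink.identity.federation.core.interfaces.SecurityTokenProvider#validateToken(org.picketlink.identity.federation.core.interfaces.ProtocolContext)
 */
public void validateToken(ProtocolContext context) throws ProcessingException {
    if (!(context instanceof SAMLProtocolContext)) {
        return;
    }

    SecurityManager sm = System.getSecurityManager();
    if (sm != null) {
        sm.checkPermission(PicketLinkCoreSTS.rte);
    }

    SAMLProtocolContext samlProtocolContext = (SAMLProtocolContext) context;
    AssertionType issuedAssertion = samlProtocolContext.getIssuedAssertion();

    // Reject a missing assertion before it is handed to AssertionUtil or dereferenced below.
    if (issuedAssertion == null) {
        throw new ProcessingException(ErrorCodes.NULL_ASSERTION);
    }

    // An assertion outside its validity window is rejected. The previous condition was inverted
    // (it rejected only assertions that had NOT expired), which let expired tokens through.
    try {
        if (AssertionUtil.hasExpired(issuedAssertion)) {
            throw new ProcessingException(ErrorCodes.EXPIRED_ASSERTION);
        }
    } catch (ConfigurationException e) {
        throw new ProcessingException(e);
    }

    // Only assertions still tracked in the token registry are accepted.
    if (this.tokenRegistry.getToken(issuedAssertion.getID()) == null) {
        throw new ProcessingException(ErrorCodes.INVALID_ASSERTION);
    }
}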
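/**
 * Validates the SAML 1.1 assertion carried by a {@link SAML11ProtocolContext}: the assertion must be
 * present, must be inside its validity window and must still be present in this provider's token
 * registry. Contexts of any other type are ignored.
 *
 * @param context the protocol context; only {@code SAML11ProtocolContext} instances are validated
 * @throws ProcessingException if the assertion is missing, expired or unknown to the registry, or if
 *         the expiry check raises a {@link ConfigurationException}
 * @see org.picketlink.identity.federation.core.interfaces.SecurityTokenProvider#validateToken(org.picketlink.identity.federation.core.interfaces.ProtocolContext)
 */
public void validateToken(ProtocolContext context) throws ProcessingException {
    if (!(context instanceof SAML11ProtocolContext)) {
        return;
    }

    SecurityManager sm = System.getSecurityManager();
    if (sm != null) {
        sm.checkPermission(PicketLinkCoreSTS.rte);
    }

    SAML11ProtocolContext samlProtocolContext = (SAML11ProtocolContext) context;
    SAML11AssertionType issuedAssertion = samlProtocolContext.getIssuedAssertion();

    // The null guard now precedes the expiry check: previously the assertion was passed to
    // AssertionUtil before being checked, so a missing assertion could fail with the wrong error.
    if (issuedAssertion == null) {
        throw logger.assertionInvalidError();
    }

    // An assertion outside its validity window is rejected.
    try {
        if (AssertionUtil.hasExpired(issuedAssertion)) {
            throw logger.samlAssertionExpiredError();
        }
    } catch (ConfigurationException e) {
        throw logger.processingError(e);
    }

    // Only assertions still tracked in the token registry are accepted.
    if (this.tokenRegistry.getToken(issuedAssertion.getID()) == null) {
        throw logger.assertionInvalidError();
    }
}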
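/**
 * Validates the SAML assertion carried by a {@link SAMLProtocolContext}: the assertion must be
 * present, must be inside its validity window and must still be present in this provider's token
 * registry. Contexts of any other type are ignored.
 *
 * @param context the protocol context; only {@code SAMLProtocolContext} instances are validated
 * @throws ProcessingException if the assertion is missing, expired or unknown to the registry, or if
 *         the expiry check raises a {@link ConfigurationException}
 * @see org.picketlink.identity.federation.core.interfaces.SecurityTokenProvider#validateToken(org.picketlink.identity.federation.core.interfaces.ProtocolContext)
 */
public void validateToken(ProtocolContext context) throws ProcessingException {
    if (!(context instanceof SAMLProtocolContext)) {
        return;
    }

    SecurityManager sm = System.getSecurityManager();
    if (sm != null) {
        sm.checkPermission(PicketLinkCoreSTS.rte);
    }

    SAMLProtocolContext samlProtocolContext = (SAMLProtocolContext) context;
    AssertionType issuedAssertion = samlProtocolContext.getIssuedAssertion();

    // The null guard now precedes the expiry check: previously the assertion was passed to
    // AssertionUtil before being checked, so a missing assertion could fail with the wrong error.
    if (issuedAssertion == null) {
        throw logger.assertionInvalidError();
    }

    // An assertion outside its validity window is rejected.
    try {
        if (AssertionUtil.hasExpired(issuedAssertion)) {
            throw logger.samlAssertionExpiredError();
        }
    } catch (ConfigurationException e) {
        throw logger.processingError(e);
    }

    // Only assertions still tracked in the token registry are accepted.
    if (this.tokenRegistry.getToken(issuedAssertion.getID()) == null) {
        throw logger.assertionInvalidError();
    }
}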
/**
 * Validates the SAML credential held by this login module, in this order:
 * <ol>
 * <li>the signing certificate embedded in the token chains to the local trust store
 * ({@code validateCertPath})</li>
 * <li>the signing certificate is within its own validity period ({@code checkValidity})</li>
 * <li>the assertion signature verifies against that certificate's public key</li>
 * <li>the assertion itself is still within its validity window</li>
 * </ol>
 * Any failure is reported by throwing; nothing is returned on success.
 *
 * @throws LoginException if the signature does not verify or the assertion has expired
 * @throws ConfigurationException propagated from the expiry check
 * @throws CertificateExpiredException if the signing certificate has expired
 * @throws CertificateNotYetValidException if the signing certificate is not yet valid
 */
private void validateSAMLCredential() throws LoginException, ConfigurationException, CertificateExpiredException, CertificateNotYetValidException {
    final X509Certificate signingCert = getX509Certificate();

    // Trust: the embedded certificate must be acceptable to the configured cert-path validation.
    validateCertPath(signingCert);
    // Time: the certificate itself must be inside its notBefore/notAfter window.
    signingCert.checkValidity();

    boolean signatureOk;
    try {
        signatureOk = AssertionUtil.isSignatureValid(credential.getAssertionAsElement(), signingCert.getPublicKey());
    } catch (ProcessingException e) {
        // The exception returned by processingError(e) is discarded (the call is presumably kept for
        // its logging); the failure surfaces as the invalid-signature error raised just below.
        logger.processingError(e);
        signatureOk = false;
    }

    if (!signatureOk) {
        throw logger.authSAMLInvalidSignatureError();
    }

    // Signature checked first, then the assertion's own lifetime.
    if (AssertionUtil.hasExpired(assertion)) {
        throw logger.authSAMLAssertionExpiredError();
    }
}
if (AssertionUtil.hasExpired(assertion)) { throw logger.authSAMLAssertionExpiredError();
/**
 * Validates the SAML credential held by this login module, in this order:
 * <ol>
 * <li>the signing certificate embedded in the token chains to the local trust store
 * ({@code validateCertPath})</li>
 * <li>the signing certificate is within its own validity period ({@code checkValidity})</li>
 * <li>the assertion signature verifies against that certificate's public key</li>
 * <li>the assertion itself is still within its validity window</li>
 * </ol>
 * Any failure is reported by throwing; nothing is returned on success.
 *
 * @throws LoginException if the signature does not verify or the assertion has expired
 * @throws ConfigurationException propagated from the expiry check
 * @throws CertificateExpiredException if the signing certificate has expired
 * @throws CertificateNotYetValidException if the signing certificate is not yet valid
 */
private void validateSAMLCredential() throws LoginException, ConfigurationException, CertificateExpiredException, CertificateNotYetValidException {
    final X509Certificate signingCert = getX509Certificate();

    // Trust: the embedded certificate must be acceptable to the configured cert-path validation.
    validateCertPath(signingCert);
    // Time: the certificate itself must be inside its notBefore/notAfter window.
    signingCert.checkValidity();

    boolean signatureOk;
    try {
        signatureOk = AssertionUtil.isSignatureValid(credential.getAssertionAsElement(), signingCert.getPublicKey());
    } catch (ProcessingException e) {
        // The exception returned by processingError(e) is discarded (the call is presumably kept for
        // its logging); the failure surfaces as the invalid-signature error raised just below.
        logger.processingError(e);
        signatureOk = false;
    }

    if (!signatureOk) {
        throw logger.authSAMLInvalidSignatureError();
    }

    // Signature checked first, then the assertion's own lifetime.
    if (AssertionUtil.hasExpired(assertion)) {
        throw logger.authSAMLAssertionExpiredError();
    }
}
if (AssertionUtil.hasExpired(assertion)) { throw logger.authSAMLAssertionExpiredError();
if (AssertionUtil.hasExpired(assertion)) { code = WSTrustConstants.STATUS_CODE_INVALID; reason = "Validation failure: assertion expired or used before its lifetime period";
if (AssertionUtil.hasExpired(assertion, getClockSkewInMillis())) { code = WSTrustConstants.STATUS_CODE_INVALID; reason = "Validation failure: assertion expired or used before its lifetime period";
if (AssertionUtil.hasExpired(assertion)) { code = WSTrustConstants.STATUS_CODE_INVALID; reason = "Validation failure: assertion expired or used before its lifetime period";