Example 1 with SAMLIssueInstantException
use of org.pac4j.saml.exceptions.SAMLIssueInstantException in project pac4j by pac4j.
the class SAML2LogoutResponseValidator method validateSamlProtocolResponse.
/**
* Validates the SAML protocol response:
* - IssueInstant
* - Issuer
* - StatusCode
* - Signature
*
* @param response the response
* @param context the context
* @param engine the engine
*/
protected final void validateSamlProtocolResponse(final Response response, final SAML2MessageContext context, final SignatureTrustEngine engine) {
if (!StatusCode.SUCCESS.equals(response.getStatus().getStatusCode().getValue())) {
String status = response.getStatus().getStatusCode().getValue();
if (response.getStatus().getStatusMessage() != null) {
status += " / " + response.getStatus().getStatusMessage().getMessage();
}
throw new SAMLException("Logout response is not success ; actual " + status);
}
if (response.getSignature() != null) {
final String entityId = context.getSAMLPeerEntityContext().getEntityId();
validateSignature(response.getSignature(), entityId, engine);
context.getSAMLPeerEntityContext().setAuthenticated(true);
}
if (!isIssueInstantValid(response.getIssueInstant())) {
throw new SAMLIssueInstantException("Response issue instant is too old or in the future");
}
final SAMLMessageStorage messageStorage = context.getSAMLMessageStorage();
if (messageStorage != null && response.getInResponseTo() != null) {
final XMLObject xmlObject = messageStorage.retrieveMessage(response.getInResponseTo());
if (xmlObject == null) {
throw new SAMLInResponseToMismatchException("InResponseToField of the Response doesn't correspond to sent message " + response.getInResponseTo());
} else if (!(xmlObject instanceof LogoutRequest)) {
throw new SAMLInResponseToMismatchException("Sent request was of different type than the expected LogoutRequest " + response.getInResponseTo());
}
}
verifyEndpoint(context.getSAMLEndpointContext().getEndpoint(), response.getDestination());
if (response.getIssuer() != null) {
validateIssuer(response.getIssuer(), context);
}
}
Also used :
SAMLInResponseToMismatchException(org.pac4j.saml.exceptions.SAMLInResponseToMismatchException)
XMLObject(org.opensaml.core.xml.XMLObject)
LogoutRequest(org.opensaml.saml.saml2.core.LogoutRequest)
SAMLIssueInstantException(org.pac4j.saml.exceptions.SAMLIssueInstantException)
SAMLMessageStorage(org.pac4j.saml.storage.SAMLMessageStorage)
SAMLException(org.pac4j.saml.exceptions.SAMLException)
Example 2 with SAMLIssueInstantException
use of org.pac4j.saml.exceptions.SAMLIssueInstantException in project pac4j by pac4j.
the class SAML2DefaultResponseValidator method validateSamlProtocolResponse.
/**
* Validates the SAML protocol response:
* - IssueInstant
* - Issuer
* - StatusCode
* - Signature
*
* @param response the response
* @param context the context
* @param engine the engine
*/
protected final void validateSamlProtocolResponse(final Response response, final SAML2MessageContext context, final SignatureTrustEngine engine) {
if (!StatusCode.SUCCESS.equals(response.getStatus().getStatusCode().getValue())) {
String status = response.getStatus().getStatusCode().getValue();
if (response.getStatus().getStatusMessage() != null) {
status += " / " + response.getStatus().getStatusMessage().getMessage();
}
throw new SAMLException("Authentication response is not success ; actual " + status);
}
if (response.getSignature() != null) {
final String entityId = context.getSAMLPeerEntityContext().getEntityId();
validateSignature(response.getSignature(), entityId, engine);
context.getSAMLPeerEntityContext().setAuthenticated(true);
}
if (!isIssueInstantValid(response.getIssueInstant())) {
throw new SAMLIssueInstantException("Response issue instant is too old or in the future");
}
AuthnRequest request = null;
final SAMLMessageStorage messageStorage = context.getSAMLMessageStorage();
if (messageStorage != null && response.getInResponseTo() != null) {
final XMLObject xmlObject = messageStorage.retrieveMessage(response.getInResponseTo());
if (xmlObject == null) {
throw new SAMLInResponseToMismatchException("InResponseToField of the Response doesn't correspond to sent message " + response.getInResponseTo());
} else if (xmlObject instanceof AuthnRequest) {
request = (AuthnRequest) xmlObject;
} else {
throw new SAMLInResponseToMismatchException("Sent request was of different type than the expected AuthnRequest " + response.getInResponseTo());
}
}
verifyEndpoint(context.getSAMLEndpointContext().getEndpoint(), response.getDestination());
if (request != null) {
verifyRequest(request, context);
}
if (response.getIssuer() != null) {
validateIssuer(response.getIssuer(), context);
}
}
Also used :
SAMLInResponseToMismatchException(org.pac4j.saml.exceptions.SAMLInResponseToMismatchException)
AuthnRequest(org.opensaml.saml.saml2.core.AuthnRequest)
XMLObject(org.opensaml.core.xml.XMLObject)
SAMLIssueInstantException(org.pac4j.saml.exceptions.SAMLIssueInstantException)
SAMLMessageStorage(org.pac4j.saml.storage.SAMLMessageStorage)
SAMLException(org.pac4j.saml.exceptions.SAMLException)
Aggregations
XMLObject (org.opensaml.core.xml.XMLObject)2
SAMLException (org.pac4j.saml.exceptions.SAMLException)2
SAMLInResponseToMismatchException (org.pac4j.saml.exceptions.SAMLInResponseToMismatchException)2
SAMLIssueInstantException (org.pac4j.saml.exceptions.SAMLIssueInstantException)2
SAMLMessageStorage (org.pac4j.saml.storage.SAMLMessageStorage)2
AuthnRequest (org.opensaml.saml.saml2.core.AuthnRequest)1
LogoutRequest (org.opensaml.saml.saml2.core.LogoutRequest)1
