2 * Copyright 2001-2007 Internet2
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * BrowserSSOProfile20Validator.cpp
20 * SAML 2.0 Browser SSO Profile Assertion Validator
24 #include "saml2/core/Assertions.h"
25 #include "saml2/profile/BrowserSSOProfileValidator.h"
27 #include <xmltooling/logging.h>
28 #include <xmltooling/XMLToolingConfig.h>
29 #include <xmltooling/util/NDC.h>
31 using namespace opensaml::saml2;
32 using namespace xmltooling::logging;
33 using namespace xmltooling;
36 BrowserSSOProfileValidator::BrowserSSOProfileValidator(
37 const XMLCh* recipient,
38 const vector<const XMLCh*>* audiences,
40 const char* destination,
42 ) : AssertionValidator(recipient, audiences, ts), m_destination(destination), m_requestID(requestID)
46 BrowserSSOProfileValidator::~BrowserSSOProfileValidator()
50 void BrowserSSOProfileValidator::validateAssertion(const Assertion& assertion) const
53 xmltooling::NDC ndc("validate");
55 Category& log = Category::getInstance(SAML_LOGCAT".AssertionValidator");
57 // The assertion MUST have proper confirmation requirements.
58 const char* msg="assertion is missing bearer SubjectConfirmation";
59 const Subject* subject = assertion.getSubject();
61 const vector<SubjectConfirmation*>& confs = subject->getSubjectConfirmations();
62 for (vector<SubjectConfirmation*>::const_iterator sc = confs.begin(); sc!=confs.end(); ++sc) {
63 if (XMLString::equals((*sc)->getMethod(), SubjectConfirmation::BEARER)) {
64 const SubjectConfirmationDataType* data = dynamic_cast<const SubjectConfirmationDataType*>((*sc)->getSubjectConfirmationData());
66 if (m_destination.get()) {
67 if (!XMLString::equals(m_destination.get(), data ? data->getRecipient() : NULL)) {
68 msg = "bearer confirmation failed with recipient mismatch";
73 if (m_requestID.get()) {
74 if (!XMLString::equals(m_requestID.get(), data ? data->getInResponseTo() : NULL)) {
75 msg = "bearer confirmation failed with request correlation mismatch";
81 if (!data || !data->getNotOnOrAfter()) {
82 msg = "bearer confirmation missing NotOnOrAfter attribute";
85 else if (data->getNotOnOrAfterEpoch() <= m_ts - XMLToolingConfig::getConfig().clock_skew_secs) {
86 msg = "bearer confirmation has expired";
91 // Save off client address.
93 auto_ptr_char ip(data->getAddress());
98 // Pass up for additional checking.
99 return AssertionValidator::validateAssertion(assertion);
104 log.error(msg ? msg : "no error message");
105 throw ValidationException("Unable to locate satisfiable bearer SubjectConfirmation in assertion.");
108 const char* BrowserSSOProfileValidator::getAddress() const
110 return m_address.c_str();