我正在使用OpenSAML库来生成SAML2令牌。我的印象是令牌的验证签名也会检查其到期情况,但事实并非如此。我可以使用库提供的API来检查过期吗?
与以下代码段中的checkIfExpired()一样:
public static boolean validateSignature(String token, Credential credential)
{
try {
InputStream in = new ByteArrayInputStream(token.getBytes());
Document inCommonMDDoc = ppMgr.parse(in);
AssertionUnmarshaller unmarshaller = new AssertionUnmarshaller();
Assertion assertion = (Assertion) unmarshaller
.unmarshall(inCommonMDDoc.getDocumentElement());
SignatureValidator validator = new SignatureValidator(credential);
try {
validator.validate(assertion.getSignature());
return checkIfExpired(assertion) ; // -- Checks if assertion has expired and return true/false
} catch (ValidationException e) {
log.error("Invalid Signature", e);
return false;
}
} catch (Exception e) {
log.error("Unable to perform Signature Validation", e);
}
}
注意:如果OpenSAML已经有了API,我想避免手动操作。
答案 0 :(得分:4)
检查断言是否过期的方法是检查断言中的条件。这样的事情。
if (assertion.getConditions().getNotBefore() != null && assertion.getConditions().getNotBefore().isAfterNow()) {
throw new ValidationException("Condition states that assertion is not yet valid (is the server time correct?)");
}
if (assertion.getConditions().getNotOnOrAfter() != null
&& (assertion.getConditions().getNotOnOrAfter().isBeforeNow() || assertion.getConditions().getNotOnOrAfter().isEqualNow())) {
throw new ValidationException("Condition states that assertion is no longer valid (is the server time correct?)");
}
就我而言,现在没有更简单的方法可以做到这一点。正确的方法可能是编写验证器,也可以扩展ConditionsSpecValidator。此验证器不会自行验证所有条件