Class AssertionUtil
java.lang.Object
org.keycloak.saml.processing.core.saml.v2.util.AssertionUtil
Utility to deal with SAML assertions: building SAML 2.0 and SAML 1.1 assertions, adding validity conditions, checking expiry, verifying an enveloped Signature on an element, decrypting encrypted assertions and encrypted subject identifiers, and extracting roles from attribute statements.
- Since: Jun 3, 2009
- Author: Anil.Saldhana@redhat.com
-
Constructor Summary
- AssertionUtil()
-
Method Summary
- static Document asDocument(AssertionType assertion): Given AssertionType, convert it into a DOM Document.
- static String asString(AssertionType assertion): Given AssertionType, convert it into a String.
- static AssertionType createAssertion(String id, NameIDType issuer): Create an assertion.
- static SubjectType createAssertionSubject(String userName): Given a user name, create a SubjectType that can then be inserted into an assertion.
- static AttributeType createAttribute(String name, String nameFormat, Object... attributeValues): Create an attribute type.
- static SAML11AssertionType createSAML11Assertion(String id, XMLGregorianCalendar issueInstant, String issuer): Create a SAML 1.1 assertion.
- static void createSAML11TimedConditions(SAML11AssertionType assertion, long durationInMilis, long clockSkew): Add validity conditions to the SAML 1.1 assertion.
- static void createTimedConditions(AssertionType assertion, long durationInMilis): Add validity conditions to the SAML2 assertion (no clock skew).
- static void createTimedConditions(AssertionType assertion, long durationInMilis, long clockSkew): Add validity conditions to the SAML2 assertion with a clock skew allowance.
- static Element decryptAssertion(ResponseType responseType, PrivateKey privateKey): Decrypt the response's encrypted assertion with a single private key.
- static Element decryptAssertion(ResponseType responseType, XMLEncryptionUtil.DecryptionKeyLocator decryptionKeyLocator): This method modifies the given responseType, and replaces the encrypted assertion with a decrypted version.
- static void decryptId(ResponseType responseType, XMLEncryptionUtil.DecryptionKeyLocator decryptionKeyLocator): This method modifies the given responseType, and replaces the encrypted id with a decrypted version.
- static AssertionType getAssertion(SAMLDocumentHolder holder, ResponseType responseType, PrivateKey privateKey): Return the response's assertion, decrypting it first if it is encrypted.
- static XMLGregorianCalendar getExpiration(AssertionType assertion): Extract the expiration time from an AssertionType.
- static List<String> getRoles(SAML11AssertionType assertion, List<String> roleKeys): Given an assertion, return the list of roles it may have.
- static List<String> getRoles(AssertionType assertion, List<String> roleKeys): Given an assertion, return the list of roles it may have.
- protected static Element getSignature(Element element): Return the Signature direct child element, if any.
- static boolean hasExpired(SAML11AssertionType assertion): Check whether the assertion has expired.
- static boolean hasExpired(SAML11AssertionType assertion, long clockSkewInMilis): Verify whether the assertion has expired, allowing for clock skew.
- static boolean hasExpired(AssertionType assertion): Check whether the assertion has expired.
- static boolean hasExpired(AssertionType assertion, long clockSkewInMilis): Verify whether the assertion has expired, allowing for clock skew.
- static boolean isAssertionEncrypted(ResponseType responseType): Check whether the response's assertion is an EncryptedAssertion.
- static boolean isIdEncrypted(ResponseType responseType): Check whether the subject identifier in the response's assertion is an EncryptedID.
- static boolean isSignatureValid(Element element, PublicKey publicKey): Given an Element, validate the Signature direct child element.
- static boolean isSignatureValid(Element element, KeyLocator keyLocator): Given an Element, validate the Signature direct child element.
- static boolean isSignedElement(Element element): Given an Element, check if there is a Signature direct child element.
-
Constructor Details
-
AssertionUtil
public AssertionUtil()
-
Method Details
-
asString
public static String asString(AssertionType assertion) throws ProcessingException
Given AssertionType, convert it into a String.
- Parameters: assertion - the assertion to serialize
- Returns: the assertion serialized as XML text
- Throws: ProcessingException
-
asDocument
public static Document asDocument(AssertionType assertion) throws ProcessingException
Given AssertionType, convert it into a DOM Document.
- Parameters: assertion - the assertion to serialize
- Returns: a DOM Document containing the serialized assertion
- Throws: ProcessingException
-
createSAML11Assertion
public static SAML11AssertionType createSAML11Assertion(String id, XMLGregorianCalendar issueInstant, String issuer)
Create a SAML 1.1 assertion.
- Parameters: id - the assertion ID; issueInstant - the issue instant; issuer - the issuer
- Returns: the new SAML11AssertionType
-
createAssertion
public static AssertionType createAssertion(String id, NameIDType issuer)
Create a SAML 2.0 assertion.
- Parameters: id - the assertion ID (an xs:ID value, so it must not start with a digit); issuer - the issuer NameID
- Returns: the new AssertionType
-
createAssertionSubject
public static SubjectType createAssertionSubject(String userName)
Given a user name, create a SubjectType that can then be inserted into an assertion.
- Parameters: userName - the user name used as the subject's NameID value
- Returns: the new SubjectType
-
createAttribute
public static AttributeType createAttribute(String name, String nameFormat, Object... attributeValues)
Create an attribute type.
- Parameters: name - Name of the attribute; nameFormat - name format URI; attributeValues - an object array of attribute values
- Returns: the new AttributeType
-
createTimedConditions
public static void createTimedConditions(AssertionType assertion, long durationInMilis) throws ConfigurationException, IssueInstantMissingException
Add validity conditions to the SAML2 Assertion. There is no clock skew added: the validity window is derived from the assertion's issue instant and lasts durationInMilis.
- Parameters: assertion - the assertion, which must already carry an issue instant; durationInMilis - validity duration in milliseconds
- Throws: ConfigurationException; IssueInstantMissingException - if the assertion has no issue instant
-
createTimedConditions
public static void createTimedConditions(AssertionType assertion, long durationInMilis, long clockSkew) throws ConfigurationException, IssueInstantMissingException
Add validity conditions to the SAML2 Assertion, with a clock skew allowance applied to the validity window.
- Parameters: assertion - the assertion, which must already carry an issue instant; durationInMilis - validity duration in milliseconds; clockSkew - clock skew in milliseconds
- Throws: ConfigurationException; IssueInstantMissingException - if the assertion has no issue instant
-
createSAML11TimedConditions
public static void createSAML11TimedConditions(SAML11AssertionType assertion, long durationInMilis, long clockSkew) throws ConfigurationException, IssueInstantMissingException
Add validity conditions to the SAML 1.1 Assertion, with a clock skew allowance applied to the validity window.
- Parameters: assertion - the SAML 1.1 assertion, which must already carry an issue instant; durationInMilis - validity duration in milliseconds; clockSkew - clock skew in milliseconds
- Throws: ConfigurationException; IssueInstantMissingException - if the assertion has no issue instant
-
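Issuing side, as an added example (not Keycloak's own code and not part of this page): build a SAML 2.0 assertion with createAssertion, createAssertionSubject, createAttribute and createTimedConditions, then serialize it with asString. The class name, the "Role" attribute name and the "ID_" + UUID scheme for the xs:ID are this example's choices; the import path for IssueInstantMissingException (org.keycloak.saml.common.exceptions.fed) is assumed from the Keycloak saml-core tree.

```java
import java.util.List;
import java.util.UUID;

import org.keycloak.dom.saml.v2.assertion.AssertionType;
import org.keycloak.dom.saml.v2.assertion.AttributeStatementType;
import org.keycloak.dom.saml.v2.assertion.AttributeStatementType.ASTChoiceType;
import org.keycloak.dom.saml.v2.assertion.AttributeType;
import org.keycloak.dom.saml.v2.assertion.NameIDType;
import org.keycloak.saml.common.exceptions.ConfigurationException;
import org.keycloak.saml.common.exceptions.fed.IssueInstantMissingException; // assumed package
import org.keycloak.saml.processing.core.saml.v2.util.AssertionUtil;

/** Example only (hypothetical class): issue a short-lived, role-carrying SAML 2.0 assertion. */
public final class AssertionIssuanceExample {

    // Attribute name format URI defined by SAML 2.0 core.
    private static final String BASIC_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic";

    public static AssertionType buildAssertion(String issuerUri, String userName,
                                               List<String> roles, long lifetimeMillis)
            throws ConfigurationException, IssueInstantMissingException {
        NameIDType issuer = new NameIDType();
        issuer.setValue(issuerUri);

        // xs:ID must not start with a digit, hence the "ID_" prefix (example convention).
        AssertionType assertion = AssertionUtil.createAssertion("ID_" + UUID.randomUUID(), issuer);
        assertion.setSubject(AssertionUtil.createAssertionSubject(userName));

        // Roles travel as values of one named attribute ("Role" is this example's choice).
        AttributeStatementType statement = new AttributeStatementType();
        AttributeType roleAttr = AssertionUtil.createAttribute("Role", BASIC_FORMAT, roles.toArray());
        statement.addAttribute(new ASTChoiceType(roleAttr));
        assertion.addStatement(statement);

        // Validity window derived from the issue instant; no skew is added at issuance.
        // Keep lifetimes short: the consumer has no way to revoke an assertion.
        AssertionUtil.createTimedConditions(assertion, lifetimeMillis);
        return assertion;
    }

    public static void main(String[] args) throws Exception {
        AssertionType a = buildAssertion("https://idp.example.test", "alice",
                List.of("admin", "auditor"), 5 * 60 * 1000L);
        System.out.println(AssertionUtil.asString(a));
        System.out.println("NotOnOrAfter: " + AssertionUtil.getExpiration(a));
        System.out.println("expired now?  " + AssertionUtil.hasExpired(a));
    }
}
```

The serialized assertion is unsigned at this point; an IdP signs the Assertion (or the enclosing Response) before sending it, otherwise a consumer using isSignedElement and isSignatureValid will, correctly, reject it.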
isSignatureValid
public static boolean isSignatureValid(Element element, PublicKey publicKey)
Given an Element, validate the Signature direct child element against a single public key.
- Parameters: element - parent Element; publicKey - the key the signature is expected to verify under
- Returns: true if signature is present and valid
-
isSignatureValid
public static boolean isSignatureValid(Element element, KeyLocator keyLocator)
Given an Element, validate the Signature direct child element, resolving the verification key through the KeyLocator.
- Parameters: element - parent Element; keyLocator - the KeyLocator
- Returns: true if signature is present and valid
-
isSignedElement
public static boolean isSignedElement(Element element)
Given an Element, check if there is a Signature direct child element.
- Parameters: element - parent Element
- Returns: true if signature is present
-
getSignature
protected static Element getSignature(Element element)
Return the Signature direct child of element, or null if there is none.
-
hasExpired
public static boolean hasExpired(AssertionType assertion) throws ConfigurationException
Check whether the assertion has expired. Processing rules defined in Section 2.5.1.2 of saml-core-2.0-os.pdf. No clock skew is allowed.
- Parameters: assertion - the assertion whose Conditions are checked
- Returns: true if the current time lies outside the NotBefore / NotOnOrAfter window of the assertion's Conditions
- Throws: ConfigurationException
-
hasExpired
public static boolean hasExpired(AssertionType assertion, long clockSkewInMilis) throws ConfigurationException
Verify whether the assertion has expired. You can add in a clock skew to adapt to conditions where the IDP and SP are out of sync. The skew relaxes the validity window, so keep it as small as the deployment's clock discipline allows.
- Parameters: assertion - the assertion whose Conditions are checked; clockSkewInMilis - clock skew in milliseconds
- Returns: true if the current time lies outside the NotBefore / NotOnOrAfter window widened by clockSkewInMilis
- Throws: ConfigurationException
-
hasExpired
public static boolean hasExpired(SAML11AssertionType assertion) throws ConfigurationException
Check whether the SAML 1.1 assertion has expired. No clock skew is allowed.
- Parameters: assertion - the SAML 1.1 assertion whose Conditions are checked
- Returns: true if the current time lies outside the assertion's validity window
- Throws: ConfigurationException
-
hasExpired
public static boolean hasExpired(SAML11AssertionType assertion, long clockSkewInMilis) throws ConfigurationException
Verify whether the SAML 1.1 assertion has expired. You can add in a clock skew to adapt to conditions where the IDP and SP are out of sync.
- Parameters: assertion - the SAML 1.1 assertion whose Conditions are checked; clockSkewInMilis - clock skew in milliseconds
- Returns: true if the current time lies outside the assertion's validity window widened by clockSkewInMilis
- Throws: ConfigurationException
-
getExpiration
public static XMLGregorianCalendar getExpiration(AssertionType assertion)
Extract the expiration time from an AssertionType.
- Parameters: assertion - the assertion
- Returns: the NotOnOrAfter value of the assertion's Conditions, or null when the assertion carries no Conditions
-
getRoles
public static List<String> getRoles(AssertionType assertion, List<String> roleKeys)
Given an assertion, return the list of roles it may have, read from the attribute values in its attribute statements.
- Parameters: assertion - The AssertionType; roleKeys - a list of string values representing the role keys, i.e. the attribute names whose values are to be read as roles. The list can be null.
- Returns: the role names found; empty if none
-
getRoles
public static List<String> getRoles(SAML11AssertionType assertion, List<String> roleKeys)
Given a SAML 1.1 assertion, return the list of roles it may have, read from the attribute values in its attribute statements.
- Parameters: assertion - The SAML11AssertionType; roleKeys - a list of string values representing the role keys, i.e. the attribute names whose values are to be read as roles. The list can be null.
- Returns: the role names found; empty if none
-
getAssertion
public static AssertionType getAssertion(SAMLDocumentHolder holder, ResponseType responseType, PrivateKey privateKey) throws ParsingException, ProcessingException, ConfigurationException
Return the assertion carried by the response. If it is an EncryptedAssertion it is decrypted with privateKey first (see decryptAssertion); the returned object model does not expose the decrypted DOM element, so use decryptAssertion directly when the signature on the decrypted element must be verified.
- Parameters: holder - the parsed SAML document; responseType - the response; privateKey - the SP decryption key, needed only when the assertion is encrypted
- Returns: the (decrypted) AssertionType
- Throws: ParsingException; ProcessingException; ConfigurationException
-
isAssertionEncrypted
public static boolean isAssertionEncrypted(ResponseType responseType) throws ProcessingException
- Parameters: responseType - the response
- Returns: true if the response's assertion is carried as an EncryptedAssertion
- Throws: ProcessingException
-
decryptAssertion
public static Element decryptAssertion(ResponseType responseType, PrivateKey privateKey) throws ParsingException, ProcessingException, ConfigurationException
Convenience overload of decryptAssertion(ResponseType, XMLEncryptionUtil.DecryptionKeyLocator) for a single private key.
- Parameters: responseType - a response containing an encrypted assertion; privateKey - the key to decrypt it with
- Returns: the assertion element as it was decrypted
- Throws: ParsingException; ProcessingException; ConfigurationException
-
decryptAssertion
public static Element decryptAssertion(ResponseType responseType, XMLEncryptionUtil.DecryptionKeyLocator decryptionKeyLocator) throws ParsingException, ProcessingException, ConfigurationException
This method modifies the given responseType, and replaces the encrypted assertion with a decrypted version.
- Parameters: responseType - a response containing an encrypted assertion; decryptionKeyLocator - locator of keys suitable for decrypting the encrypted element
- Returns: the assertion element as it was decrypted. This can be used in signature verification: verify the enveloped signature on this exact element rather than on a re-serialized copy, whose canonical form may differ.
- Throws: ParsingException; ProcessingException; ConfigurationException
-
isIdEncrypted
public static boolean isIdEncrypted(ResponseType responseType)
- Parameters: responseType - the response
- Returns: true if the subject identifier of the response's assertion is an EncryptedID
-
decryptId
public static void decryptId(ResponseType responseType, XMLEncryptionUtil.DecryptionKeyLocator decryptionKeyLocator) throws ConfigurationException, ProcessingException, ParsingException
This method modifies the given responseType, and replaces the encrypted id with a decrypted version. If the assertion itself is encrypted, decrypt it first; the EncryptedID lives inside it.
- Parameters: responseType - a response containing an encrypted id; decryptionKeyLocator - locator of keys suitable for decrypting the encrypted element
- Throws: ConfigurationException; ProcessingException; ParsingException
-
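Consuming side, as an added example serving the isSignatureValid / isSignedElement, hasExpired, getRoles and decryptAssertion / decryptId sections above (this is not Keycloak's own code and is not part of this page). It processes an already parsed Response in the order a service provider must use: decrypt, verify the signature on the decrypted element, enforce the validity window with a bounded clock skew, and only then read roles from an explicitly named attribute. The class name and the 60-second skew are this example's choices; the import paths for KeyLocator (org.keycloak.rotation), XMLEncryptionUtil (org.keycloak.saml.processing.core.util), SAMLDocumentHolder (org.keycloak.saml.processing.core.saml.v2.common) and ResponseType (org.keycloak.dom.saml.v2.protocol) are assumed from the Keycloak saml-core tree.

```java
import java.util.List;

import org.keycloak.dom.saml.v2.assertion.AssertionType;
import org.keycloak.dom.saml.v2.protocol.ResponseType;
import org.keycloak.rotation.KeyLocator;
import org.keycloak.saml.common.exceptions.ConfigurationException;
import org.keycloak.saml.common.exceptions.ParsingException;
import org.keycloak.saml.common.exceptions.ProcessingException;
import org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder;
import org.keycloak.saml.processing.core.saml.v2.util.AssertionUtil;
import org.keycloak.saml.processing.core.util.XMLEncryptionUtil;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Example only (hypothetical class): validate a SAML 2.0 Response's assertion before trusting it. */
public final class AssertionConsumerExample {

    private static final String ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Tolerated IdP/SP clock drift. It widens the accepted window, so keep it small (example value).
    private static final long CLOCK_SKEW_MILLIS = 60_000L;

    public static List<String> verifyAndExtractRoles(SAMLDocumentHolder holder,
                                                     KeyLocator idpSigningKeys,
                                                     XMLEncryptionUtil.DecryptionKeyLocator spDecryptionKeys,
                                                     List<String> roleAttributeNames)
            throws ParsingException, ProcessingException, ConfigurationException {
        ResponseType response = (ResponseType) holder.getSamlObject();
        Document doc = holder.getSamlDocument();
        if (response.getAssertions().isEmpty()) {
            throw new ProcessingException("response carries no assertion");
        }

        // 1. Decrypt first: the signature to verify is the one on the plaintext assertion,
        //    and decryptAssertion hands back exactly that element.
        Element assertionEl = AssertionUtil.isAssertionEncrypted(response)
                ? AssertionUtil.decryptAssertion(response, spDecryptionKeys)
                : directChildAssertion(doc);

        // 2. Refuse unsigned assertions and bad signatures before looking at any content.
        if (!AssertionUtil.isSignedElement(assertionEl)) {
            throw new ProcessingException("assertion is not signed");
        }
        if (!AssertionUtil.isSignatureValid(assertionEl, idpSigningKeys)) {
            throw new ProcessingException("assertion signature is invalid");
        }

        // 3. The EncryptedID sits inside the (now verified) assertion; decrypt it afterwards.
        if (AssertionUtil.isIdEncrypted(response)) {
            AssertionUtil.decryptId(response, spDecryptionKeys);
        }

        // 4. Enforce the validity window. Require Conditions explicitly rather than relying on
        //    hasExpired for the no-Conditions case (this example's policy).
        AssertionType assertion = response.getAssertions().get(0).getAssertion();
        if (assertion.getConditions() == null) {
            throw new ProcessingException("assertion carries no Conditions");
        }
        if (AssertionUtil.hasExpired(assertion, CLOCK_SKEW_MILLIS)) {
            throw new ProcessingException("assertion is outside its validity window");
        }

        // 5. Only now read authorization data, and only from the named role attribute(s),
        //    so other attribute values (e-mail, display name) are never mistaken for roles.
        return AssertionUtil.getRoles(assertion, roleAttributeNames);
    }

    /** Pick the Assertion that is a direct child of the Response root, ignoring nested copies. */
    private static Element directChildAssertion(Document doc) throws ProcessingException {
        NodeList found = doc.getElementsByTagNameNS(ASSERTION_NS, "Assertion");
        for (int i = 0; i < found.getLength(); i++) {
            Element e = (Element) found.item(i);
            if (e.getParentNode() == doc.getDocumentElement()) {
                return e;
            }
        }
        throw new ProcessingException("no Assertion directly under the Response");
    }
}
```

The direct-child check in directChildAssertion is defense in depth against signature-wrapping payloads that smuggle a second Assertion elsewhere in the document: the element whose signature is verified is the same element whose parsed contents are later trusted. If an IdP signs the Response element instead of the Assertion, apply isSignedElement and isSignatureValid to doc.getDocumentElement() rather than to the assertion element; the rest of the sequence is unchanged.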