Class AssertionUtil
java.lang.Object
org.keycloak.saml.processing.core.saml.v2.util.AssertionUtil
Utility to deal with assertions
- Since:
- Jun 3, 2009
- Author:
- Anil.Saldhana@redhat.com
Constructor Summary
AssertionUtil()

Method Summary
static Document asDocument(AssertionType assertion)
    Given AssertionType, convert it into a DOM Document.
static String asString(AssertionType assertion)
    Given AssertionType, convert it into a String.
static AssertionType createAssertion(String id, NameIDType issuer)
    Create a SAML2 assertion.
static SubjectType createAssertionSubject(String userName)
    Given a user name, create a SubjectType that can then be inserted into an assertion.
static AttributeType createAttribute(String name, String nameFormat, Object... attributeValues)
    Create an attribute type.
static SAML11AssertionType createSAML11Assertion(String id, XMLGregorianCalendar issueInstant, String issuer)
    Create a SAML 1.1 assertion.
static void createSAML11TimedConditions(SAML11AssertionType assertion, long durationInMilis, long clockSkew)
    Add validity conditions to the SAML 1.1 assertion.
static void createTimedConditions(AssertionType assertion, long durationInMilis)
    Add validity conditions to the SAML2 assertion.
static void createTimedConditions(AssertionType assertion, long durationInMilis, long clockSkew)
    Add validity conditions to the SAML2 assertion.
static Element decryptAssertion(ResponseType responseType, PrivateKey privateKey)
    Decrypt the response's encrypted assertion with a single private key.
static Element decryptAssertion(ResponseType responseType, XMLEncryptionUtil.DecryptionKeyLocator decryptionKeyLocator)
    This method modifies the given responseType, and replaces the encrypted assertion with a decrypted version.
static void decryptId(ResponseType responseType, XMLEncryptionUtil.DecryptionKeyLocator decryptionKeyLocator)
    This method modifies the given responseType, and replaces the encrypted id with a decrypted version.
static AssertionType getAssertion(SAMLDocumentHolder holder, ResponseType responseType, PrivateKey privateKey)
    Return the response's assertion, decrypting it first if it is encrypted.
static XMLGregorianCalendar getExpiration(AssertionType assertion)
    Extract the expiration time from an AssertionType.
static List<String> getRoles(SAML11AssertionType assertion, List<String> roleKeys)
    Given an assertion, return the list of roles it may have.
static List<String> getRoles(AssertionType assertion, List<String> roleKeys)
    Given an assertion, return the list of roles it may have.
protected static Element getSignature(Element element)
    Return the Signature direct child element of the given Element.
static boolean hasExpired(SAML11AssertionType assertion)
    Check whether the assertion has expired.
static boolean hasExpired(SAML11AssertionType assertion, long clockSkewInMilis)
    Verify whether the assertion has expired, allowing for the given clock skew.
static boolean hasExpired(AssertionType assertion)
    Check whether the assertion has expired.
static boolean hasExpired(AssertionType assertion, long clockSkewInMilis)
    Verify whether the assertion has expired, allowing for the given clock skew.
static boolean isAssertionEncrypted(ResponseType responseType)
    Check whether the response carries an EncryptedAssertion.
static boolean isIdEncrypted(ResponseType responseType)
    Check whether the assertion's subject identifier is an EncryptedID.
static boolean isSignatureValid(Element element, PublicKey publicKey)
    Given an Element, validate the Signature direct child element.
static boolean isSignatureValid(Element element, KeyLocator keyLocator)
    Given an Element, validate the Signature direct child element.
static boolean isSignedElement(Element element)
    Given an Element, check if there is a Signature direct child element.
-
Constructor Details
-
AssertionUtil
public AssertionUtil()
-
-
Method Details
-
asString
public static String asString(AssertionType assertion) throws ProcessingException
Given AssertionType, convert it into a String.
- Parameters:
    assertion - the assertion to serialize
- Returns:
    the assertion serialized as XML text
- Throws:
    ProcessingException
-
asDocument
public static Document asDocument(AssertionType assertion) throws ProcessingException
Given AssertionType, convert it into a DOM Document.
- Parameters:
    assertion - the assertion to convert
- Returns:
    a DOM Document whose document element is the assertion
- Throws:
    ProcessingException
-
createSAML11Assertion
public static SAML11AssertionType createSAML11Assertion(String id, XMLGregorianCalendar issueInstant, String issuer)
Create a SAML 1.1 assertion.
- Parameters:
    id - the assertion ID
    issueInstant - the issue instant
    issuer - the issuer
- Returns:
    the new assertion
-
createAssertion
public static AssertionType createAssertion(String id, NameIDType issuer)
Create a SAML2 assertion. The issue instant is set to the current time, which is what createTimedConditions later requires.
- Parameters:
    id - the assertion ID (an xs:ID value, so it must not start with a digit)
    issuer - the issuer
- Returns:
    the new assertion
-
createAssertionSubject
public static SubjectType createAssertionSubject(String userName)
Given a user name, create a SubjectType that can then be inserted into an assertion.
- Parameters:
    userName - the user name to place in the subject's NameID
- Returns:
    the SubjectType
-
createAttribute
public static AttributeType createAttribute(String name, String nameFormat, Object... attributeValues)
Create an attribute type.
- Parameters:
    name - name of the attribute
    nameFormat - name format URI
    attributeValues - an object array of attribute values
- Returns:
    the AttributeType
-
createTimedConditions
public static void createTimedConditions(AssertionType assertion, long durationInMilis) throws ConfigurationException, IssueInstantMissingException
Add validity conditions to the SAML2 assertion.
There is no clock skew added.
- Parameters:
    assertion - the assertion; its IssueInstant must already be set
    durationInMilis - validity duration in milliseconds, counted from the IssueInstant
- Throws:
    ConfigurationException
    IssueInstantMissingException - if the assertion has no IssueInstant
-
createTimedConditions
public static void createTimedConditions(AssertionType assertion, long durationInMilis, long clockSkew) throws ConfigurationException, IssueInstantMissingException
Add validity conditions to the SAML2 assertion, allowing for the given clock skew between issuer and consumer.
- Parameters:
    assertion - the assertion; its IssueInstant must already be set
    durationInMilis - validity duration in milliseconds, counted from the IssueInstant
    clockSkew - clock skew in milliseconds
- Throws:
    ConfigurationException
    IssueInstantMissingException - if the assertion has no IssueInstant
-
createSAML11TimedConditions
public static void createSAML11TimedConditions(SAML11AssertionType assertion, long durationInMilis, long clockSkew) throws ConfigurationException, IssueInstantMissingException
Add validity conditions to the SAML 1.1 assertion, allowing for the given clock skew between issuer and consumer.
- Parameters:
    assertion - the SAML 1.1 assertion; its IssueInstant must already be set
    durationInMilis - validity duration in milliseconds, counted from the IssueInstant
    clockSkew - clock skew in milliseconds
- Throws:
    ConfigurationException
    IssueInstantMissingException - if the assertion has no IssueInstant
-
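The issuer-side calls above (createAssertion, createAssertionSubject, createAttribute, createTimedConditions, asString) fit together as follows. This is an added example, not Keycloak's own code: the issuer URI, user name, the attribute name "Role", the five-minute validity and the 30-second skew are values chosen for the example, and the caller is assumed to have the keycloak-saml-core classes on the classpath.

```java
import java.util.List;
import java.util.UUID;

import org.keycloak.dom.saml.v2.assertion.AssertionType;
import org.keycloak.dom.saml.v2.assertion.AttributeStatementType;
import org.keycloak.dom.saml.v2.assertion.AttributeStatementType.ASTChoiceType;
import org.keycloak.dom.saml.v2.assertion.NameIDType;
import org.keycloak.saml.processing.core.saml.v2.util.AssertionUtil;

/**
 * Issuer-side use of AssertionUtil: build an assertion with a subject, a role
 * attribute and a bounded validity window, then serialize it.
 * Added example; not part of Keycloak.
 */
public class IssueAssertionExample {

    // Attribute name that carries roles. Any name works as long as the consumer
    // passes the same name in roleKeys to AssertionUtil.getRoles(); "Role" is
    // this example's choice, not a library convention.
    static final String ROLE_ATTRIBUTE = "Role";
    // Standard SAML 2.0 "basic" attribute NameFormat URI.
    static final String BASIC_NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic";

    public static AssertionType build(String issuerUri, String userName, List<String> roles,
                                      long validityMillis, long clockSkewMillis) throws Exception {
        NameIDType issuer = new NameIDType();
        issuer.setValue(issuerUri);

        // xs:ID values may not start with a digit, hence the prefix on the UUID.
        // createAssertion() also stamps IssueInstant, which createTimedConditions() needs.
        AssertionType assertion = AssertionUtil.createAssertion("ID_" + UUID.randomUUID(), issuer);
        assertion.setSubject(AssertionUtil.createAssertionSubject(userName));

        // One AttributeStatement holding a multi-valued "Role" attribute.
        AttributeStatementType statement = new AttributeStatementType();
        statement.addAttribute(new ASTChoiceType(
                AssertionUtil.createAttribute(ROLE_ATTRIBUTE, BASIC_NAME_FORMAT, roles.toArray())));
        assertion.addStatement(statement);

        // Conditions/@NotBefore and @NotOnOrAfter derived from IssueInstant, the
        // duration and the skew. Without this call the assertion carries no expiry.
        AssertionUtil.createTimedConditions(assertion, validityMillis, clockSkewMillis);
        return assertion;
    }

    public static void main(String[] args) throws Exception {
        AssertionType assertion = build("https://idp.example.test/saml", "alice",
                List.of("admin", "auditor"), 5 * 60 * 1000L, 30 * 1000L);

        System.out.println("NotBefore    = " + assertion.getConditions().getNotBefore());
        System.out.println("NotOnOrAfter = " + assertion.getConditions().getNotOnOrAfter());
        // Nothing in AssertionUtil signs. This XML is unsigned until the issuer runs it
        // through its signing code; a consumer's isSignatureValid() must reject it as-is.
        System.out.println(AssertionUtil.asString(assertion));
    }
}
```

The point to take from the build step is the last one: AssertionUtil produces structure and time bounds but no signature, so an assertion serialized this way is not yet something a relying party may trust.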
isSignatureValid
public static boolean isSignatureValid(Element element, PublicKey publicKey)
Given an Element, validate the Signature direct child element. A false result covers both "no Signature child" and "Signature present but not valid under this key"; a caller that requires a signed element must treat the two alike.
- Parameters:
    element - parent Element
    publicKey - the public key the signature must verify under
- Returns:
    true if signature is present and valid
-
isSignatureValid
public static boolean isSignatureValid(Element element, KeyLocator keyLocator)
Given an Element, validate the Signature direct child element.
- Parameters:
    element - parent Element
    keyLocator - the KeyLocator
- Returns:
    true if signature is present and valid
-
isSignedElement
public static boolean isSignedElement(Element element)
Given an Element, check if there is a Signature direct child element. Only a direct child counts; a Signature nested deeper in the tree does not make the element signed.
- Parameters:
    element - parent Element
- Returns:
    true if signature is present
-
getSignature
protected static Element getSignature(Element element)
Return the Signature direct child element of the given Element.
-
hasExpired
public static boolean hasExpired(AssertionType assertion) throws ConfigurationException
Check whether the assertion has expired. Processing rules defined in Section 2.5.1.2 of saml-core-2.0-os.pdf (the Conditions attributes NotBefore and NotOnOrAfter). No clock skew is applied.
- Parameters:
    assertion - the assertion to check
- Returns:
    true if the current time lies outside the assertion's validity window
- Throws:
    ConfigurationException
-
hasExpired
public static boolean hasExpired(AssertionType assertion, long clockSkewInMilis) throws ConfigurationException
Verify whether the assertion has expired. You can add in a clock skew to adapt to conditions where the IDP and SP are out of sync.
- Parameters:
    assertion - the assertion to check
    clockSkewInMilis - clock skew in milliseconds
- Returns:
    true if the current time lies outside the assertion's validity window, widened by the skew
- Throws:
    ConfigurationException
-
hasExpired
public static boolean hasExpired(SAML11AssertionType assertion) throws ConfigurationException
Check whether the SAML 1.1 assertion has expired. No clock skew is applied.
- Parameters:
    assertion - the SAML 1.1 assertion to check
- Returns:
    true if the current time lies outside the assertion's validity window
- Throws:
    ConfigurationException
-
hasExpired
public static boolean hasExpired(SAML11AssertionType assertion, long clockSkewInMilis) throws ConfigurationException
Verify whether the SAML 1.1 assertion has expired. You can add in a clock skew to adapt to conditions where the IDP and SP are out of sync.
- Parameters:
    assertion - the SAML 1.1 assertion to check
    clockSkewInMilis - clock skew in milliseconds
- Returns:
    true if the current time lies outside the assertion's validity window, widened by the skew
- Throws:
    ConfigurationException
-
getExpiration
public static XMLGregorianCalendar getExpiration(AssertionType assertion)
Extract the expiration time (Conditions/@NotOnOrAfter) from an AssertionType.
- Parameters:
    assertion - the assertion
- Returns:
    the expiration time
-
getRoles
public static List<String> getRoles(AssertionType assertion, List<String> roleKeys)
Given an assertion, return the list of roles it may have.
- Parameters:
    assertion - the AssertionType
    roleKeys - a list of string values representing the role keys, i.e. the names of the attributes whose values are read as roles. The list can be null.
- Returns:
    the role values found in the assertion's attribute statements
-
getRoles
public static List<String> getRoles(SAML11AssertionType assertion, List<String> roleKeys)
Given an assertion, return the list of roles it may have.
- Parameters:
    assertion - the SAML11AssertionType
    roleKeys - a list of string values representing the role keys, i.e. the names of the attributes whose values are read as roles. The list can be null.
- Returns:
    the role values found in the assertion's attribute statements
-
getAssertion
public static AssertionType getAssertion(SAMLDocumentHolder holder, ResponseType responseType, PrivateKey privateKey) throws ParsingException, ProcessingException, ConfigurationException
Return the response's assertion. If the response carries an EncryptedAssertion it is decrypted with the given private key first, which modifies the responseType as decryptAssertion does.
- Parameters:
    holder - the parsed SAML document
    responseType - the response carrying the assertion
    privateKey - the key used for decryption if the assertion is encrypted
- Returns:
    the (decrypted) AssertionType
- Throws:
    ParsingException
    ProcessingException
    ConfigurationException
-
isAssertionEncrypted
public static boolean isAssertionEncrypted(ResponseType responseType) throws ProcessingException
Check whether the response carries an EncryptedAssertion rather than a plain Assertion.
- Parameters:
    responseType - the response to inspect
- Returns:
    true if the assertion is encrypted
- Throws:
    ProcessingException
-
decryptAssertion
public static Element decryptAssertion(ResponseType responseType, PrivateKey privateKey) throws ParsingException, ProcessingException, ConfigurationException
Same as the DecryptionKeyLocator variant below, using the single given private key.
- Parameters:
    responseType - a response containing an encrypted assertion
    privateKey - the key suitable for decrypting the encrypted element
- Returns:
    the assertion element as it was decrypted. This can be used in signature verification.
- Throws:
    ParsingException
    ProcessingException
    ConfigurationException
-
decryptAssertion
public static Element decryptAssertion(ResponseType responseType, XMLEncryptionUtil.DecryptionKeyLocator decryptionKeyLocator) throws ParsingException, ProcessingException, ConfigurationException
This method modifies the given responseType, and replaces the encrypted assertion with a decrypted version. Decryption does not authenticate the assertion: a signature check with isSignatureValid on the returned element (or on the enclosing Response) is still required.
- Parameters:
    responseType - a response containing an encrypted assertion
    decryptionKeyLocator - locator of keys suitable for decrypting the encrypted element
- Returns:
    the assertion element as it was decrypted. This can be used in signature verification.
- Throws:
    ParsingException
    ProcessingException
    ConfigurationException
-
isIdEncrypted
public static boolean isIdEncrypted(ResponseType responseType)
Check whether the assertion's subject identifier is an EncryptedID.
- Parameters:
    responseType - the response to inspect
- Returns:
    true if the id is encrypted
-
decryptId
public static void decryptId(ResponseType responseType, XMLEncryptionUtil.DecryptionKeyLocator decryptionKeyLocator) throws ConfigurationException, ProcessingException, ParsingException
This method modifies the given responseType, and replaces the encrypted id with a decrypted version.
- Parameters:
    responseType - a response containing an encrypted id
    decryptionKeyLocator - locator of keys suitable for decrypting the encrypted element
- Throws:
    ConfigurationException
    ProcessingException
    ParsingException
-
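The consumer-side methods (isAssertionEncrypted, decryptAssertion, isSignedElement, isSignatureValid, getExpiration, hasExpired, getRoles) are meant to be run in a particular order, and the order matters for security. The following is an added example and not Keycloak's own code. It assumes the caller has already parsed the incoming samlp:Response with Keycloak's SAML parser into a SAMLDocumentHolder and a ResponseType; the 30-second skew, the rule "Response or Assertion must be signed", and the role attribute names are this example's policy choices, not library defaults.

```java
import java.security.PrivateKey;
import java.security.PublicKey;
import java.util.List;

import org.keycloak.dom.saml.v2.assertion.AssertionType;
import org.keycloak.dom.saml.v2.protocol.ResponseType;
import org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder;
import org.keycloak.saml.processing.core.saml.v2.util.AssertionUtil;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/**
 * Consumer-side (SP) use of AssertionUtil on an already parsed samlp:Response.
 * Added example; not part of Keycloak. `holder` and `response` come from
 * Keycloak's SAML parser (how the parse is done is outside this example).
 */
public class ConsumeAssertionExample {

    static final String ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    // Tolerated IdP/SP clock drift. 30 s is this example's choice, not a library default.
    static final long CLOCK_SKEW_MILLIS = 30_000L;

    public static List<String> validateAndExtractRoles(SAMLDocumentHolder holder, ResponseType response,
                                                       PrivateKey spDecryptionKey, PublicKey idpSigningKey,
                                                       List<String> roleKeys) throws Exception {
        Element responseElement = holder.getSamlDocument().getDocumentElement();

        // 1. Response-level signature, checked on the document as received and before any
        //    decryption: decryptAssertion() modifies the response in place, and a signature
        //    over the transmitted bytes has to be verified on those bytes.
        boolean responseSigned = AssertionUtil.isSignedElement(responseElement)
                && AssertionUtil.isSignatureValid(responseElement, idpSigningKey);

        // 2. Decrypt if needed. The returned element is the plaintext saml:Assertion; a
        //    signature inside an EncryptedAssertion is only reachable through it.
        Element assertionElement;
        if (AssertionUtil.isAssertionEncrypted(response)) {
            assertionElement = AssertionUtil.decryptAssertion(response, spDecryptionKey);
        } else {
            NodeList nodes = responseElement.getElementsByTagNameNS(ASSERTION_NS, "Assertion");
            if (nodes.getLength() != 1) {
                throw new SecurityException("expected exactly one Assertion, found " + nodes.getLength());
            }
            assertionElement = (Element) nodes.item(0);
        }

        // 3. Assertion-level signature. isSignatureValid() looks only at the direct child
        //    ds:Signature, so a Signature planted elsewhere in the tree is not counted.
        boolean assertionSigned = AssertionUtil.isSignedElement(assertionElement)
                && AssertionUtil.isSignatureValid(assertionElement, idpSigningKey);
        if (!responseSigned && !assertionSigned) {
            throw new SecurityException("neither the Response nor the Assertion carries a valid signature");
        }

        // 4. Validity window. Insist that an expiry exists before asking hasExpired(), so an
        //    assertion with no Conditions cannot slip through as "never expires".
        if (response.getAssertions().isEmpty()) {
            throw new SecurityException("Response carries no Assertion");
        }
        AssertionType assertion = response.getAssertions().get(0).getAssertion();
        if (assertion == null) {
            throw new SecurityException("Assertion is still encrypted or missing");
        }
        if (AssertionUtil.getExpiration(assertion) == null) {
            throw new SecurityException("Assertion has no NotOnOrAfter");
        }
        if (AssertionUtil.hasExpired(assertion, CLOCK_SKEW_MILLIS)) {
            throw new SecurityException("Assertion is outside its validity window");
        }

        // 5. Only now read authorization data out of it. roleKeys names the attributes
        //    (e.g. "Role") whose values are treated as roles.
        return AssertionUtil.getRoles(assertion, roleKeys);
    }
}
```

What this class does not do is as important as what it does: nothing in AssertionUtil checks AudienceRestriction, InResponseTo, SubjectConfirmationData, or replay of the assertion ID. Those checks belong to the caller and have to sit between step 4 and step 5 before any role from getRoles is acted on.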