path: root/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java
Diffstat (limited to 'eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java')
-rw-r--r--eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java38
1 files changed, 20 insertions, 18 deletions
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java
index e0a3ab8e..9758ff83 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java
@@ -19,6 +19,8 @@
package at.gv.egiz.eaaf.modules.pvp2.impl.verification;
+import java.time.Duration;
+import java.time.Instant;
import java.util.ArrayList;
import java.util.List;
@@ -27,17 +29,6 @@ import javax.xml.transform.dom.DOMSource;
import javax.xml.validation.Schema;
import javax.xml.validation.Validator;
-import at.gv.egiz.eaaf.core.exceptions.EaafProtocolException;
-import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException;
-import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential;
-import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider;
-import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IRefreshableMetadataProvider;
-import at.gv.egiz.eaaf.modules.pvp2.exception.SamlAssertionValidationExeption;
-import at.gv.egiz.eaaf.modules.pvp2.exception.SchemaValidationException;
-import at.gv.egiz.eaaf.modules.pvp2.impl.message.InboundMessage;
-import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileRequest;
-import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileResponse;
-
import org.apache.commons.lang3.StringUtils;
import org.joda.time.DateTime;
import org.opensaml.core.criterion.EntityIdCriterion;
@@ -74,9 +65,19 @@ import org.springframework.beans.factory.annotation.Autowired;
import org.w3c.dom.Element;
import org.xml.sax.SAXException;
+import at.gv.egiz.eaaf.core.exceptions.EaafProtocolException;
+import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException;
+import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential;
+import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider;
+import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IRefreshableMetadataProvider;
+import at.gv.egiz.eaaf.modules.pvp2.exception.SamlAssertionValidationExeption;
+import at.gv.egiz.eaaf.modules.pvp2.exception.SchemaValidationException;
+import at.gv.egiz.eaaf.modules.pvp2.impl.message.InboundMessage;
+import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileRequest;
+import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileResponse;
import lombok.extern.slf4j.Slf4j;
-import net.shibboleth.utilities.java.support.net.BasicURLComparator;
import net.shibboleth.utilities.java.support.net.URIException;
+import net.shibboleth.utilities.java.support.net.impl.BasicURLComparator;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
@Slf4j
@@ -93,7 +94,7 @@ public class SamlVerificationEngine {
private static final Object SIG_VAL_ERROR_MSG = "Signature verification return false";
/**
- * 5 allow 3 minutes time jitter in before validation.
+ * allow 3 minutes time jitter in before validation.
*/
private static final int TIME_JITTER = 3;
@@ -286,10 +287,11 @@ public class SamlVerificationEngine {
// validate DateTime conditions
final Conditions conditions = saml2assertion.getConditions();
if (conditions != null) {
- final DateTime notbefore = conditions.getNotBefore().minusMinutes(5);
- final DateTime notafter = conditions.getNotOnOrAfter();
+ final Instant notbefore = conditions.getNotBefore().minus(Duration.ofMinutes(5));
+ final Instant notafter = conditions.getNotOnOrAfter();
+ final Instant now = Instant.now();
if (validateDateTime
- && (notbefore.isAfterNow() || notafter.isBeforeNow())) {
+ && (notbefore.isAfter(now) || notafter.isBefore(now))) {
isAssertionValid = false;
log.info("Assertion with ID:{} is out of Date. [ Current:{} NotBefore:{} NotAfter:{} ]",
saml2assertion.getID(), new DateTime(), notbefore, notafter);
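Review bot: `conditions.getNotBefore()` and `conditions.getNotOnOrAfter()` are both optional attributes of a SAML 2.0 `Conditions` element, so the new `notbefore`/`notafter` lines throw a NullPointerException on an assertion that carries only one bound (or neither), which callers see as a crash rather than as a validation result. Guard each bound for null and compare only the ones present, and log the `now` you actually compared against instead of a fresh joda `new DateTime()` on the last line, so the log reflects the instant used in the decision. The hard-coded 5-minute skew here also differs from `TIME_JITTER` (3) applied to `IssueInstant` below; if that is not intentional, use the constant. Per the spec `NotOnOrAfter` is exclusive, so `!notafter.isAfter(now)` rejects an assertion at exactly that instant, which `notafter.isBefore(now)` lets through. The enclosing method starts and ends outside this hunk.
```java
      final Instant now = Instant.now();
      final Instant notbefore = conditions.getNotBefore();
      final Instant notafter = conditions.getNotOnOrAfter();
      // both bounds are optional in SAML 2.0 Conditions; check only the ones present
      if (validateDateTime
          && ((notbefore != null
                && notbefore.minus(Duration.ofMinutes(5)).isAfter(now))
              || (notafter != null && !notafter.isAfter(now)))) {
        isAssertionValid = false;
        log.info("Assertion with ID:{} is out of Date. [ Current:{} NotBefore:{} NotAfter:{} ]",
            saml2assertion.getID(), now, notbefore, notafter);
```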
@@ -479,14 +481,14 @@ public class SamlVerificationEngine {
throws SamlAssertionValidationExeption {
if (samlResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS)) {
// validate response issueInstant
- final DateTime issueInstant = samlResp.getIssueInstant();
+ final Instant issueInstant = samlResp.getIssueInstant();
if (issueInstant == null) {
log.warn("PVP response does not include a 'IssueInstant' attribute");
throw new SamlAssertionValidationExeption(ERROR_14,
new Object[] { loggerName, "'IssueInstant' attribute is not included" });
}
- if (validateDateTime && issueInstant.minusMinutes(TIME_JITTER).isAfterNow()) {
+ if (validateDateTime && issueInstant.minus(Duration.ofMinutes(TIME_JITTER)).isAfter(Instant.now())) {
log.warn("PVP response: IssueInstant DateTime is not valid anymore.");
throw new SamlAssertionValidationExeption(ERROR_14,
new Object[] { loggerName, "'IssueInstant' Time is not valid any more" });