From 1626ac9867cd5406b83e73651080e33c11fb98d1 Mon Sep 17 00:00:00 2001 From: kstranacher_eGovL Date: Thu, 12 Jul 2012 11:27:13 +0000 Subject: Integration of STORK git-svn-id: https://joinup.ec.europa.eu/svn/moa-idspss/trunk@1285 d688527b-c9ab-4aba-bd8d-4036d912da1d --- .../validation/StorkAuthnRequestValidator.java | 137 +++++++++++++++++++++ 1 file changed, 137 insertions(+) create mode 100644 id/server/stork-saml-engine/src/main/java/eu/stork/vidp/messages/validation/StorkAuthnRequestValidator.java (limited to 'id/server/stork-saml-engine/src/main/java/eu/stork/vidp/messages/validation/StorkAuthnRequestValidator.java') diff --git a/id/server/stork-saml-engine/src/main/java/eu/stork/vidp/messages/validation/StorkAuthnRequestValidator.java b/id/server/stork-saml-engine/src/main/java/eu/stork/vidp/messages/validation/StorkAuthnRequestValidator.java new file mode 100644 index 000000000..0e8722d55 --- /dev/null +++ b/id/server/stork-saml-engine/src/main/java/eu/stork/vidp/messages/validation/StorkAuthnRequestValidator.java @@ -0,0 +1,137 @@ +/* + * Copyright 2011 by Graz University of Technology, Austria + * The Austrian STORK Modules have been developed by the E-Government + * Innovation Center EGIZ, a joint initiative of the Federal Chancellery + * Austria and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + + +package eu.stork.vidp.messages.validation; + +import org.opensaml.common.SAMLVersion; +import org.opensaml.saml2.core.AuthnRequest; +import org.opensaml.saml2.core.validator.AuthnRequestSchemaValidator; +import org.opensaml.xml.util.XMLHelper; +import org.opensaml.xml.validation.ValidationException; + +import eu.stork.mw.messages.saml.STORKAuthnRequest; + +public class StorkAuthnRequestValidator extends AuthnRequestSchemaValidator { + + private static final String ALLOWED_CONSENT = "urn:oasis:names:tc:SAML:2.0:consent:unspecified"; + private static final String ALLOWED_PROTOCOL_BINDING_1 = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"; + private static final String ALLOWED_PROTOCOL_BINDING_2 = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"; + + private static final int MAX_SIZE = 131072; + + /** + * Constructor + * + */ + public StorkAuthnRequestValidator() { + + super(); + } + + @Override + public void validate(AuthnRequest req) throws ValidationException { + + if (XMLHelper.prettyPrintXML(req.getDOM()).getBytes().length > MAX_SIZE) { + throw new ValidationException("SAML AuthnRequest exceeds max size."); + } + + super.validate(req); + + STORKAuthnRequest request = (STORKAuthnRequest) req; + + if (request.getID() == null) { + + throw new ValidationException("ID is required."); + } + + if (request.getVersion() == null) { + + throw new ValidationException("Version is required."); + } else { + + if (!request.getVersion().equals(SAMLVersion.VERSION_20)) { + + throw new ValidationException("Version is invalid."); + } + } + + if (request.getIssueInstant() == null) { + + throw new ValidationException("IssueInstant is required."); + } + + if (request.getConsent() != null) { + + if (!request.getConsent().equals(ALLOWED_CONSENT)) { + + throw new ValidationException("Consent is invalid."); + } + } + + if (request.isForceAuthn() == null) { + + throw new ValidationException("ForceAuthn is required."); + } else if (!request.isForceAuthn()) { + + throw new ValidationException("ForceAuthn is invalid."); + } + + if (request.isPassive() == null) { + + throw new ValidationException("IsPassive is required."); + } else if (request.isPassive()) { + + throw new ValidationException("IsPassive is invalid."); + } + + if (request.getProtocolBinding() == null) { + + throw new ValidationException("ProtocolBinding is required."); + } else { + if (!request.getProtocolBinding() + .equals(ALLOWED_PROTOCOL_BINDING_1) + && !request.getProtocolBinding().equals( + ALLOWED_PROTOCOL_BINDING_2)) { + + throw new ValidationException("ProtocolBinding is invalid."); + } + + } + + if(request.getAssertionConsumerServiceURL() == null) { + + throw new ValidationException("AssertionConsumerServiceURL is required."); + } + + if(request.getProviderName() == null) { + + throw new ValidationException("ProviderName is required."); + } + + + + } + +} -- cgit v1.2.3