4

我正在使用 OpenSAML 库来生成 SAML2 令牌。我的印象是令牌的验证签名也会检查它的到期情况,显然情况并非如此。是否有库提供的 API 可用于检查过期?就像checkIfExpired()在下面的代码片段中一样:

public static boolean validateSignature(String token, Credential credential)
    {
       try {

        InputStream in = new ByteArrayInputStream(token.getBytes());
        Document inCommonMDDoc = ppMgr.parse(in);
        AssertionUnmarshaller unmarshaller = new AssertionUnmarshaller();
        Assertion assertion = (Assertion) unmarshaller
                .unmarshall(inCommonMDDoc.getDocumentElement());
        SignatureValidator validator = new SignatureValidator(credential);
        try {
            validator.validate(assertion.getSignature());

             return checkIfExpired(assertion) ; // -- Checks if assertion has expired and return true/false

        } catch (ValidationException e) {
            log.error("Invalid Signature", e);
            return false;
        }
    } catch (Exception e) {
        log.error("Unable to perform Signature Validation", e);

    }
}

注意:如果 OpenSAML 已经有 API,我想避免手动操作。

4

1 回答 1

4

检查断言是否过期的方法是检查断言中的条件。像这样的东西。

if (assertion.getConditions().getNotBefore() != null && assertion.getConditions().getNotBefore().isAfterNow()) {
    throw new ValidationException("Condition states that assertion is not yet valid (is the server time correct?)");
}

if (assertion.getConditions().getNotOnOrAfter() != null
                && (assertion.getConditions().getNotOnOrAfter().isBeforeNow() || assertion.getConditions().getNotOnOrAfter().isEqualNow())) {
    throw new ValidationException("Condition states that assertion is no longer valid (is the server time correct?)");
}

就我现在而言,没有更简单的方法可以做到这一点。正确的方法可能是编写一个验证器,也许扩展ConditionSpecValidator。此验证器不会自行验证所有条件

于 2013-05-24T07:29:00.767 回答