comparison gwt-client/src/main/java/org/dive4elements/river/client/server/auth/saml/TicketValidator.java @ 8839:2c8259176c46
Add configurable time tolerance to SAML ticket validation.
This allows, for example, accounting for clock skew between the ISP and
the server this servlet runs on.
author | Tom Gottfried <tom@intevation.de> |
---|---|
date | Wed, 28 Jun 2017 20:09:53 +0200 |
parents | 238fc722f87a |
children | 0a5239a1e46e |
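--- a/gwt-client/src/main/java/org/dive4elements/river/client/server/auth/saml/TicketValidator.java
+++ b/gwt-client/src/main/java/org/dive4elements/river/client/server/auth/saml/TicketValidator.java
@@ -46,26 +46,34 @@
 * The trusted Key for signature checks.
 */
 private Key trustedKey;
 
 /**
+* Tolerance in milliseconds for validation based on NotBefore and
+* NotOnOrAfter of the SAML ticket
+*/
+private int timeEps;
+
+/**
 * Creates a new TicketValidator from a trusted key.
 * @param trustedKey The trusted key for the signature checks.
 */
-public TicketValidator(Key trustedKey) {
+public TicketValidator(Key trustedKey, int timeEps) {
 this.trustedKey = trustedKey;
+this.timeEps = timeEps;
 }
 
 /**
 * Creates a new TicketValidator, loading the trusted key from a
 * file.
 * @param filename The filename of the X509 certificate containing
 * the trusted public key.
 */
-public TicketValidator(String filename) throws IOException,
-CertificateException {
+public TicketValidator(String filename, int timeEps)
+throws IOException, CertificateException {
 this.trustedKey = loadKey(filename);
+this.timeEps = timeEps;
 }
 
 /**
 * Loads the public key from a file containing an X509 certificate.
 */
@@ -105,14 +113,15 @@
 log.error("Could not extract assertion from signed content.");
 return null;
 }
 
 Assertion assertion = new Assertion(assertionElement);
-if (!assertion.isValidNow()) {
+if (!assertion.isValidNow(this.timeEps)) {
 log.error("Ticket is not valid now"
 + " (NotBefore: " + assertion.getFrom()
-+ ", NotOnOrAfter: " + assertion.getUntil());
++ ", NotOnOrAfter: " + assertion.getUntil()
++ ", Tolerance (milliseconds): " + this.timeEps);
 return null;
 }
 
 return assertion;
 }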
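Review bot: Both new constructors (new lines 60–63 and 71–75) store `timeEps` without validating it, so a misconfigured tolerance silently reshapes the assertion's validity window — a large value extends acceptance well past NotOnOrAfter (a wider replay window), and a negative one presumably rejects every ticket, depending on how `Assertion.isValidNow(int)` applies it, which is not visible here. I would reject bad values at construction in both constructors, `if (timeEps < 0) { throw new IllegalArgumentException("timeEps must be >= 0 milliseconds, got " + timeEps); }`, and consider an upper bound on the order of the few minutes of skew SAML deployments typically tolerate rather than leaving it open-ended. The field could also be declared `private final int timeEps;` since it is only assigned in the constructors. Neither constructor's Javadoc mentions the new parameter; add `@param timeEps Tolerance in milliseconds applied when checking NotBefore/NotOnOrAfter.` to both. The method containing the second hunk begins outside the hunk.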