Mercurial > dive4elements > river
comparison gwt-client/src/main/java/org/dive4elements/river/client/server/auth/saml/TicketValidator.java @ 8839:2c8259176c46
Add configurable time tolerance to SAML ticket validation.
This allows e.g. to account for time skew between the ISP and
the server this servlet is run on.
| author | Tom Gottfried <tom@intevation.de> |
|---|---|
| date | Wed, 28 Jun 2017 20:09:53 +0200 |
| parents | 238fc722f87a |
| children | 0a5239a1e46e |
comparison
equal
deleted
inserted
replaced
| 8838:1fa03f3c9d3d | 8839:2c8259176c46 |
|---|---|
| 46 * The trusted Key for signature checks. | 46 * The trusted Key for signature checks. |
| 47 */ | 47 */ |
| 48 private Key trustedKey; | 48 private Key trustedKey; |
| 49 | 49 |
| 50 /** | 50 /** |
| 51 * Tolerance in milliseconds for validation based on NotBefore and | |
| 52 * NotOnOrAfter of the SAML ticket | |
| 53 */ | |
| 54 private int timeEps; | |
| 55 | |
| 56 /** | |
| 51 * Creates a new TicketValidator from a trusted key. | 57 * Creates a new TicketValidator from a trusted key. |
| 52 * @param trustedKey The trusted key for the signature checks. | 58 * @param trustedKey The trusted key for the signature checks. |
| 53 */ | 59 */ |
| 54 public TicketValidator(Key trustedKey) { | 60 public TicketValidator(Key trustedKey, int timeEps) { |
| 55 this.trustedKey = trustedKey; | 61 this.trustedKey = trustedKey; |
| 62 this.timeEps = timeEps; | |
| 56 } | 63 } |
| 57 | 64 |
| 58 /** | 65 /** |
| 59 * Creates a new TicketValidator, loading the trusted key from a | 66 * Creates a new TicketValidator, loading the trusted key from a |
| 60 * file. | 67 * file. |
| 61 * @param filename The filename of the X509 certificate containing | 68 * @param filename The filename of the X509 certificate containing |
| 62 * the trusted public key. | 69 * the trusted public key. |
| 63 */ | 70 */ |
| 64 public TicketValidator(String filename) throws IOException, | 71 public TicketValidator(String filename, int timeEps) |
| 65 CertificateException { | 72 throws IOException, CertificateException { |
| 66 this.trustedKey = loadKey(filename); | 73 this.trustedKey = loadKey(filename); |
| 74 this.timeEps = timeEps; | |
| 67 } | 75 } |
| 68 | 76 |
| 69 /** | 77 /** |
| 70 * Loads the public key from a file containing an X509 certificate. | 78 * Loads the public key from a file containing an X509 certificate. |
| 71 */ | 79 */ |
| 105 log.error("Could not extract assertion from signed content."); | 113 log.error("Could not extract assertion from signed content."); |
| 106 return null; | 114 return null; |
| 107 } | 115 } |
| 108 | 116 |
| 109 Assertion assertion = new Assertion(assertionElement); | 117 Assertion assertion = new Assertion(assertionElement); |
| 110 if (!assertion.isValidNow()) { | 118 if (!assertion.isValidNow(this.timeEps)) { |
| 111 log.error("Ticket is not valid now" | 119 log.error("Ticket is not valid now" |
| 112 + " (NotBefore: " + assertion.getFrom() | 120 + " (NotBefore: " + assertion.getFrom() |
| 113 + ", NotOnOrAfter: " + assertion.getUntil()); | 121 + ", NotOnOrAfter: " + assertion.getUntil() |
| 122 + ", Tolerance (milliseconds): " + this.timeEps); | |
| 114 return null; | 123 return null; |
| 115 } | 124 } |
| 116 | 125 |
| 117 return assertion; | 126 return assertion; |
| 118 } | 127 } |