diff gwt-client/src/main/java/org/dive4elements/river/client/server/auth/saml/TicketValidator.java @ 8839:2c8259176c46

Add configurable time tolerance to SAML ticket validation. This allows e.g. to account for time skew between the ISP and the server this servlet is run on.
author Tom Gottfried <tom@intevation.de>
date Wed, 28 Jun 2017 20:09:53 +0200
parents 238fc722f87a
children 0a5239a1e46e
--- a/gwt-client/src/main/java/org/dive4elements/river/client/server/auth/saml/TicketValidator.java	Tue May 30 12:51:42 2017 +0200
+++ b/gwt-client/src/main/java/org/dive4elements/river/client/server/auth/saml/TicketValidator.java	Wed Jun 28 20:09:53 2017 +0200
@@ -48,11 +48,18 @@
     private Key trustedKey;
 
     /**
+     * Tolerance in milliseconds for validation based on NotBefore and
+     * NotOnOrAfter of the SAML ticket
+     */
+    private int timeEps;
+
+    /**
      * Creates a new TicketValidator from a trusted key.
      * @param trustedKey  The trusted key for the signature checks.
      */
-    public TicketValidator(Key trustedKey) {
+    public TicketValidator(Key trustedKey, int timeEps) {
         this.trustedKey = trustedKey;
+        this.timeEps = timeEps;
     }
 
     /**
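Review bot: The new `timeEps` argument is stored without any range check, so a negative value (which would shrink the validity window below what the ticket states) or an arbitrarily large one (which effectively disables the NotBefore/NotOnOrAfter check and widens the replay window) is accepted silently. Add `if (timeEps < 0) { throw new IllegalArgumentException("timeEps must be >= 0, got " + timeEps); }` before the assignment, and since the value presumably comes from deployment configuration per the commit message, a log line at startup stating the configured tolerance would help operators notice an over-generous setting. The constructor Javadoc still lists only `trustedKey`; add `@param timeEps Tolerance in milliseconds applied to the NotBefore/NotOnOrAfter check`. Whether the tolerance is applied symmetrically is decided in Assertion.isValidNow, which is outside this diff, so the field comment should only claim what that method actually does.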
@@ -61,9 +68,10 @@
      * @param filename The filename of the X509 certificate containing
      * the trusted public key.
      */
-    public TicketValidator(String filename) throws IOException,
-                                                   CertificateException {
+    public TicketValidator(String filename, int timeEps)
+        throws IOException, CertificateException {
         this.trustedKey = loadKey(filename);
+        this.timeEps = timeEps;
     }
 
     /**
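Review bot: The Javadoc on this constructor documents only `filename`; add `@param timeEps Tolerance in milliseconds applied to the NotBefore/NotOnOrAfter check` so callers know the unit. Rather than duplicating the field assignment, chain to the key-based constructor with `this(loadKey(filename), timeEps);` so that any validation of timeEps added there covers both construction paths; this only compiles if `loadKey` is static, which cannot be confirmed from this diff. The declared exceptions already match what `loadKey` needs, so the signature stays the same.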
@@ -107,10 +115,11 @@
         }
 
         Assertion assertion = new Assertion(assertionElement);
-        if (!assertion.isValidNow()) {
+        if (!assertion.isValidNow(this.timeEps)) {
             log.error("Ticket is not valid now"
                          + " (NotBefore: " + assertion.getFrom()
-                         + ", NotOnOrAfter: " + assertion.getUntil());
+                         + ", NotOnOrAfter: " + assertion.getUntil()
+                         + ", Tolerance (milliseconds): " + this.timeEps);
             return null;
         }
 
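Review bot: The error log reports NotBefore, NotOnOrAfter and the tolerance but not the server's current time, which is exactly the value an operator needs to tell clock skew apart from a genuinely expired or replayed ticket; append `+ ", Now (ms since epoch): " + System.currentTimeMillis()` to the message, or the same representation that `getFrom()`/`getUntil()` use if that is a date type (not visible here). Because the tolerance now extends the acceptance window, a one-line comment above the check such as `// timeEps only compensates clock skew; a large value also lengthens the replay window` records the security trade-off for the next maintainer, assuming Assertion.isValidNow applies it on both bounds — its implementation is outside this diff. The enclosing method starts and ends outside the hunk.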
