org.opensaml.xml.validation.ValidationException Java Examples

/**
 * Checks that the Subject element is present when required.
 * 
 * @param assertion
 * @throws ValidationException
 */
protected void validateSubject(Assertion assertion) throws ValidationException {
    if ((assertion.getStatements() == null || assertion.getStatements().size() == 0)
            && (assertion.getAuthnStatements() == null || assertion.getAuthnStatements().size() == 0)
            && (assertion.getAttributeStatements() == null || assertion.getAttributeStatements().size() == 0)
            && (assertion.getAuthzDecisionStatements() == null || assertion.getAuthzDecisionStatements().size() == 0)
            && assertion.getSubject() == null) {
        throw new ValidationException("Subject is required when Statements are absent");
    }

    if (assertion.getAuthnStatements().size() > 0 && assertion.getSubject() == null) {
        throw new ValidationException("Assertions containing AuthnStatements require a Subject");
    }
    if (assertion.getAuthzDecisionStatements().size() > 0 && assertion.getSubject() == null) {
        throw new ValidationException("Assertions containing AuthzDecisionStatements require a Subject");
    }
    if (assertion.getAttributeStatements().size() > 0 && assertion.getSubject() == null) {
        throw new ValidationException("Assertions containing AttributeStatements require a Subject");
    }
}
 

/**
 * Validate the Identifier child types (BaseID, NameID, EncryptedID).
 * 
 * @param request the request being processed
 * @throws ValidationException thrown if the identifiers present are not valid
 */
protected void validateIdentifiers(LogoutRequest request) throws ValidationException {
    int idCount = 0;
    
    if (request.getBaseID() != null) {
        idCount++;
    }
    if (request.getNameID() != null) {
        idCount++;
    }
    if (request.getEncryptedID() != null) {
        idCount++;
    }
    
    if (idCount != 1) {
        throw new ValidationException("LogoutRequest must contain exactly one of: BaseID, NameID, EncryptedID");
    }
}
 

/**
 * Validate that required children are present.
 * 
 * @param xmlObject the object to validate
 * @throws ValidationException  thrown if the object is invalid
 */
protected void validateChildrenPresence(CipherData xmlObject) throws ValidationException {
    if (xmlObject.getCipherValue() == null && xmlObject.getCipherReference() == null) {
        throw new ValidationException("CipherData did not contain either a CipherValue or CipherReference child");
    }
    if (xmlObject.getCipherValue() != null && xmlObject.getCipherReference() != null) {
        throw new ValidationException("CipherData contained both a CipherValue and a CipherReference child");
    }
}
 

/**
 * Validates the Version attribute.
 * 
 * @param request request to validate
 * @throws ValidationException if invalid
 */
protected void validateVersion(RequestAbstractType request) throws ValidationException {
    if (request.getVersion() == null) {
        throw new ValidationException("Version attribute must not be null");
    }
    if (request.getVersion().toString() != SAMLVersion.VERSION_20.toString()) {
        throw new ValidationException("Wrong SAML Version");
    }
}
 

protected void validateSingleSign(IDPSSODescriptor idpssoDescriptor) throws ValidationException {
    if (idpssoDescriptor.getSingleSignOnServices() != null && idpssoDescriptor.getSingleSignOnServices().size() > 0) {
        for (int i = 0; i < idpssoDescriptor.getSingleSignOnServices().size(); i++) {
            if (!DatatypeHelper.isEmpty(idpssoDescriptor.getSingleSignOnServices().get(i).getResponseLocation())) {
                throw new ValidationException("ResponseLocation of all SingleSignOnServices must be null");
            }
        }
    }
}
 

/**
 * Validate that the extension child, if present, is from another namespace.
 * 
 * @param xmlObject the object to validate
 * @throws ValidationException thrown if the object is invalid
 */
protected void validateExtensionChildNamespace(KeyValue xmlObject) throws ValidationException {
    // Validate that the unknown child is not from the dsig namespace
    // or are from another namespace.
    XMLObject unknownChild = xmlObject.getUnknownXMLObject();
    if (unknownChild == null) {
        return;
    }
    QName childName = unknownChild.getElementQName();
    if (XMLConstants.XMLSIG_NS.equals(childName.getNamespaceURI())) {
        throw new ValidationException("KeyValue contains an illegal child extension element: " + childName);
    }
}
 

/** {@inheritDoc} */
public void validate(Action action) throws ValidationException {
     if (DatatypeHelper.isEmpty(action.getContents())) {
         throw new ValidationException("Action label must be specified");
     }

}
 

/**
 * Validate that all children are present.
 * 
 * @param xmlObject the object to validate
 * @throws ValidationException  thrown if the object is invalid
 */
protected void validateChildrenPresence(ECKeyValue xmlObject) throws ValidationException {
    if (xmlObject.getPublicKey() == null) {
        throw new ValidationException("ECKeyValue did not contain a required PublicKey value");
    } else if (xmlObject.getNamedCurve() == null && xmlObject.getECParameters() == null) {
        throw new ValidationException("ECKeyValue did not contain a required NamedCurve or ECParameters value");
    }
}
 

/** {@inheritDoc} */
public void validate(RequestType requestAbstractType) throws ValidationException {
    validateVersion(requestAbstractType);

    validateID(requestAbstractType);

    validateIssueInstant(requestAbstractType);
}
 

/**
 * Test that the provided assertion has some statements in 
 * @param assertion
 * @throws ValidationException
 */
protected void validateStatements(Assertion assertion) throws ValidationException {
    List <Statement> list = assertion.getStatements();
     if (list == null || list.size() == 0) {
         throw new ValidationException("No Statements present");
     }
}
 

/** {@inheritDoc} */
public void validate(AuthorizationDecisionQuery query) throws ValidationException {
    super.validate(query);
    validateActions(query);

    validateResourcePresent(query);

}
 

/**
 * Checks that at least one AuthnService is present.
 * 
 * @param authnAuthorityDescriptor
 * @throws ValidationException
 */
protected void validateAuthnQueryServices(AuthnAuthorityDescriptor authnAuthorityDescriptor)
        throws ValidationException {
    if (authnAuthorityDescriptor.getAuthnQueryServices() == null
            || authnAuthorityDescriptor.getAuthnQueryServices().size() == 0) {
        throw new ValidationException("Must have one or more AuthnQueryServices.");
    }
}
 

/**
 * Validate the Signature's Reference URI.
 * 
 * First validate the Reference URI against the parent's ID itself.  Then validate that the 
 * URI (if non-empty) resolves to the same Element node as is cached by the SignableSAMLObject.
 * 
 * 
 * @param uri the Signature Reference URI attribute value
 * @param signableObject the SignableSAMLObject whose signature is being validated
 * @throws ValidationException  if the URI is invalid or doesn't resolve to the expected DOM node
 */
protected void validateReferenceURI(String uri, SignableSAMLObject signableObject) throws ValidationException {
    String id = signableObject.getSignatureReferenceID();
    validateReferenceURI(uri, id);
    
    if (DatatypeHelper.isEmpty(uri)) {
        return;
    }
    
    String uriID = uri.substring(1);
    
    Element expected = signableObject.getDOM();
    if (expected == null) {
        log.error("SignableSAMLObject does not have a cached DOM Element.");
        throw new ValidationException("SignableSAMLObject does not have a cached DOM Element.");
    }
    Document doc = expected.getOwnerDocument();
    
    Element resolved = IdResolver.getElementById(doc, uriID);
    if (resolved == null) {
        log.error("Apache xmlsec IdResolver could not resolve the Element for id reference: {}", uriID);
        throw new ValidationException("Apache xmlsec IdResolver could not resolve the Element for id reference: "
                +  uriID);
    }
    
    if (!expected.isSameNode(resolved)) {
        log.error("Signature Reference URI '{}' did not resolve to the expected parent Element", uri);
        throw new ValidationException("Signature Reference URI did not resolve to the expected parent Element");
    }
}
 

/**
 * Checks that at least either Valid Until or Cache Duration is present when Entities Descriptor is root element.
 * 
 * @param entitiesDescriptor
 * @throws ValidationException
 */
protected void validateRoot(EntitiesDescriptor entitiesDescriptor) throws ValidationException {
    if (entitiesDescriptor.getParent() == null && entitiesDescriptor.getValidUntil() == null
            && entitiesDescriptor.getCacheDuration() == null) {
        throw new ValidationException("Must have either ValidUntil or CacheDuration when is root element.");
    }
}
 

/**
 * Checks that at least one EntitiesDescriptor or EntityDescriptor is present.
 * 
 * @param entitiesDescriptor
 * @throws ValidationException
 */
protected void validateEntityDescriptors(EntitiesDescriptor entitiesDescriptor) throws ValidationException {
    if ((entitiesDescriptor.getEntitiesDescriptors() == null || entitiesDescriptor.getEntitiesDescriptors().size() < 1)
            && (entitiesDescriptor.getEntityDescriptors() == null || entitiesDescriptor.getEntityDescriptors()
                    .size() < 1)) {
        throw new ValidationException("Must have one or more EntitiesDescriptor or EntityDescriptor.");
    }
}
 

/**
 * Checks that ID is valid and present.
 * 
 * @param affiliateMember
 * @throws ValidationException
 */
protected void validateID(AffiliateMember affiliateMember) throws ValidationException {
    if (DatatypeHelper.isEmpty(affiliateMember.getID())) {
        throw new ValidationException("ID required");
    } else if (affiliateMember.getID().length() > 1024) {
        throw new ValidationException("Max ID length is 1024");
    }
}
 

/** {@inheritDoc} */
public void validate(RequestType request) throws ValidationException {
    validateID(request);
    validateVersion(request);
    validateIssueInstant(request);

}
 

/**
 * Validate that exactly one child is present.
 * 
 * @param xmlObject the object to validate
 * @throws ValidationException  thrown if the object is invalid
 */
protected void validateChildrenPresence(X509IssuerSerial xmlObject) throws ValidationException {
    if (xmlObject.getX509IssuerName() == null) {
        throw new ValidationException("X509IssuerSerial does not contain an X509IssuerName");
    }
    if (xmlObject.getX509SerialNumber() == null) {
        throw new ValidationException("X509IssuerSerial does not contain an X509SerialNumber");
    }
}
 

/**
 * Checks that an AffiliationDescriptor OR one or more RoleDescriptors are present.
 * 
 * @param entityDescriptor
 * @throws ValidationException
 */
protected void validateDescriptors(EntityDescriptor entityDescriptor) throws ValidationException {
    if ((entityDescriptor.getRoleDescriptors() == null || entityDescriptor.getRoleDescriptors().size() < 1)
            && entityDescriptor.getAffiliationDescriptor() == null) {
        throw new ValidationException("Must have an AffiliationDescriptor or one or more RoleDescriptors.");
    }

    if (entityDescriptor.getAffiliationDescriptor() != null && entityDescriptor.getRoleDescriptors() != null
            && entityDescriptor.getRoleDescriptors().size() > 0) {
        throw new ValidationException("Cannot have an AffiliationDescriptor AND RoleDescriptors");
    }
}
 

/**
 * Test that the issuer is present
 * @param assertion
 * @throws ValidationException
 */
protected void validateIssuer(Assertion assertion) throws ValidationException {
    if (DatatypeHelper.isEmpty(assertion.getIssuer())) {
         throw new ValidationException("Issuer not present");
     }
}
 

/** {@inheritDoc} */
public void validate(Conditions conditions) throws ValidationException {
    validateOneTimeUseCondition(conditions);
    validateProxyRestrictionCondition(conditions);
}
 

/** {@inheritDoc} */
public void validate(TelephoneNumber telephoneNumber) throws ValidationException {
    validateNumber(telephoneNumber);
}
 

/** {@inheritDoc} */
public void validate(SubjectConfirmation subjectConfirmation) throws ValidationException {
    validateMethod(subjectConfirmation);
}
 

/** {@inheritDoc} */
public void validate(EndpointType endpoint) throws ValidationException {
    validateBinding(endpoint);
    validateLocation(endpoint);
}
 

/** {@inheritDoc} */
public void validate(Status status) throws ValidationException {
    validateStatusCode(status);
}
 

/** {@inheritDoc} */
public void validate(AuthzDecisionQuery query) throws ValidationException {
    super.validate(query);
    validateActions(query);
    validateResource(query);
}
 

/** {@inheritDoc} */
public void validate(Transforms xmlObject) throws ValidationException {
    validateTransforms(xmlObject);
}
 

protected void validateStatusCode(Status status) throws ValidationException {
    if (status.getStatusCode() == null) {
        throw new ValidationException("StatusCode is required");
    }
}
 

/** {@inheritDoc} */
public void validate(RequesterID requesterID) throws ValidationException {
    validateRequesterID(requesterID);
}
 

/** {@inheritDoc} */
public void validate(NameIDMappingResponse response) throws ValidationException {
    super.validate(response);
    validateIdentifiers(response);
}