Class OpenSaml5AuthenticationProvider.AssertionValidator.Builder
java.lang.Object
org.springframework.security.saml2.provider.service.authentication.OpenSaml5AuthenticationProvider.AssertionValidator.Builder
Enclosing class: OpenSaml5AuthenticationProvider.AssertionValidator
Method Summary
- build()
- clockSkew(Duration duration): Use this clock skew for validating assertion timestamps.
- conditionValidators(Consumer<List<org.opensaml.saml.saml2.assertion.ConditionValidator>> conditions): Mutate the list of ConditionValidators.
- subjectValidators(Consumer<List<org.opensaml.saml.saml2.assertion.SubjectConfirmationValidator>> subjects): Mutate the list of SubjectConfirmationValidators.
- validationContextParameters(Consumer<Map<String, Object>> parameters): Mutate the map of ValidationContext static parameters.
Method Details
clockSkew
Use this clock skew for validating assertion timestamps. The default is 5 minutes.
- Parameters: duration - the duration to use
- Returns: the OpenSaml5AuthenticationProvider.AssertionValidator.Builder for further configuration
validationContextParameters
public OpenSaml5AuthenticationProvider.AssertionValidator.Builder validationContextParameters(Consumer<Map<String, Object>> parameters)
Mutate the map of ValidationContext static parameters. By default, these include:
- SAML2AssertionValidationParameters.SC_VALID_IN_RESPONSE_TO
- SAML2AssertionValidationParameters.COND_VALID_AUDIENCES
- SAML2AssertionValidationParameters.SC_VALID_RECIPIENTS
- SAML2AssertionValidationParameters.VALID_ISSUERS
- SAML2AssertionValidationParameters.SC_CHECK_ADDRESS
- SAML2AssertionValidationParameters.CLOCK_SKEW
COND_VALID_AUDIENCES is needed by BearerSubjectConfirmationValidator. If you do not want these, the best way to remove them is to remove the conditionValidators(Consumer) or subjectValidators(Consumer) themselves.
- Parameters: parameters - the mutator to change the set of parameters
- Returns:
conditionValidators
public OpenSaml5AuthenticationProvider.AssertionValidator.Builder conditionValidators(Consumer<List<org.opensaml.saml.saml2.assertion.ConditionValidator>> conditions)
Mutate the list of ConditionValidators. By default, these include:
- AudienceRestrictionConditionValidator
- DelegationRestrictionConditionValidator
- ProxyRestrictionConditionValidator
saml2:OneTimeUse element since this validator does not have caching facilities. However, you can construct your own instance of OneTimeUseConditionValidator and supply it here.
- Parameters: conditions - the mutator for changing the list of conditions to use
- Returns: the OpenSaml5AuthenticationProvider.AssertionValidator.Builder for further configuration
subjectValidators
public OpenSaml5AuthenticationProvider.AssertionValidator.Builder subjectValidators(Consumer<List<org.opensaml.saml.saml2.assertion.SubjectConfirmationValidator>> subjects)
Mutate the list of SubjectConfirmationValidators. By default it only has BearerSubjectConfirmationValidator, for which address validation is skipped. To turn address validation on, use validationContextParameters(Consumer) to set the SAML2AssertionValidationParameters.SC_CHECK_ADDRESS value.
- Parameters: subjects - the mutator for changing the list of subject confirmation validators to use
- Returns: the OpenSaml5AuthenticationProvider.AssertionValidator.Builder for further configuration
build
- Returns: the OpenSaml5AuthenticationProvider.AssertionValidator
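The builder methods above used together to tighten the defaults: a shorter clock skew and address validation switched on through SC_CHECK_ADDRESS. This is an added example, not code from the Spring Security documentation or source. It assumes the builder is obtained from AssertionValidator.builder(), that the result is installed with setAssertionValidator, and that OpenSAML reads the permitted addresses from SC_VALID_ADDRESSES (none of these three appear on this page); the class name, method name and address are constructed for illustration.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.time.Duration;
import java.util.Set;

import org.opensaml.saml.saml2.assertion.SAML2AssertionValidationParameters;
import org.springframework.security.saml2.provider.service.authentication.OpenSaml5AuthenticationProvider;
import org.springframework.security.saml2.provider.service.authentication.OpenSaml5AuthenticationProvider.AssertionValidator;

// Hypothetical holder class for the example.
public final class StrictAssertionValidation {

    private StrictAssertionValidation() {
    }

    // Hypothetical helper: a provider whose assertion validator is stricter than the defaults.
    public static OpenSaml5AuthenticationProvider strictProvider() throws UnknownHostException {
        // Constructed sample value (TEST-NET-1 range): the client address the IdP is
        // expected to place in SubjectConfirmationData/@Address, for example a fixed
        // egress gateway. An IP literal is parsed without a DNS lookup.
        Set<InetAddress> allowed = Set.of(InetAddress.getByName("192.0.2.10"));

        AssertionValidator validator = AssertionValidator.builder() // assumed factory method
            // The default is 5 minutes; a smaller window narrows how long a captured
            // assertion stays acceptable, at the cost of requiring synchronized clocks.
            .clockSkew(Duration.ofMinutes(1))
            .validationContextParameters((params) -> {
                // Address validation is skipped by default; turn it on.
                params.put(SAML2AssertionValidationParameters.SC_CHECK_ADDRESS, true);
                // Assumption: OpenSAML key holding the acceptable addresses as a Set<InetAddress>.
                params.put(SAML2AssertionValidationParameters.SC_VALID_ADDRESSES, allowed);
            })
            .build();

        OpenSaml5AuthenticationProvider provider = new OpenSaml5AuthenticationProvider();
        provider.setAssertionValidator(validator); // assumed setter on the provider
        return provider;
    }
}
```

The default condition and subject validators are left in place, so the audience, recipient and issuer checks that depend on the other default parameters still run.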