I am working with the OpenSAML library to create SAML2 tokens. I was under the impression that validating the token's signature also checks its expiration, which apparently is not so. Is there an API provided by the library that I can use to check for expiration? Like checkIfExpired() in the following code snippet:
```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.impl.AssertionUnmarshaller;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.parse.ParserPool;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Document;

// ppMgr and log were not declared in the snippet; assumed to be class fields like these.
private static final ParserPool ppMgr = new BasicParserPool();
private static final Logger log = LoggerFactory.getLogger("SamlValidation");

public static boolean validateSignature(String token, Credential credential) {
    try {
        // Parse the serialized assertion and unmarshal it into the OpenSAML object model.
        InputStream in = new ByteArrayInputStream(token.getBytes(StandardCharsets.UTF_8));
        Document inCommonMDDoc = ppMgr.parse(in);
        AssertionUnmarshaller unmarshaller = new AssertionUnmarshaller();
        Assertion assertion = (Assertion) unmarshaller.unmarshall(inCommonMDDoc.getDocumentElement());
        SignatureValidator validator = new SignatureValidator(credential);
        try {
            // Cryptographic check only; it says nothing about the validity window.
            validator.validate(assertion.getSignature());
            return checkIfExpired(assertion); // -- Checks if assertion has expired and returns true/false (the API being asked about)
        } catch (ValidationException e) {
            log.error("Invalid Signature", e);
            return false;
        }
    } catch (Exception e) {
        log.error("Unable to perform Signature Validation", e);
        return false; // added: the original fell off the end without returning
    }
}
```
NOTE: I want to avoid doing this manually if OpenSAML already has an API for it.
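The question leaves open whether OpenSAML ships a ready-made expiration check. As an added example (not code from the question, and not an OpenSAML API), here is what the manual check looks like when written against the OpenSAML 2.x object model: the Joda-Time accessors `Conditions.getNotBefore()`, `Conditions.getNotOnOrAfter()` and `SubjectConfirmationData.getNotOnOrAfter()` are the library's; the class name, method names and the 120-second clock-skew allowance are my own assumptions. Note the polarity: it returns true when the assertion is inside its validity window, which is the inverse of the `checkIfExpired()` name used in the question.

```java
import java.util.List;

import org.joda.time.DateTime;
import org.joda.time.DateTimeZone;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Conditions;
import org.opensaml.saml2.core.SubjectConfirmation;
import org.opensaml.saml2.core.SubjectConfirmationData;

/**
 * Validity-window check for a SAML 2.0 assertion using the OpenSAML 2.x
 * object model. Hypothetical helper written for this answer; the class and
 * method names are assumptions, not part of OpenSAML.
 */
public final class AssertionValidityCheck {

    /** Tolerated clock drift between IdP and SP, in seconds (assumed value). */
    private static final int CLOCK_SKEW_SECONDS = 120;

    private AssertionValidityCheck() {}

    /**
     * Returns true only if "now" lies inside every time window the assertion carries:
     * Conditions/@NotBefore, Conditions/@NotOnOrAfter and each
     * SubjectConfirmationData/@NotOnOrAfter. Fails closed: an assertion with no
     * Conditions, or with Conditions that bound nothing, is not accepted.
     */
    public static boolean isWithinValidityWindow(Assertion assertion, DateTime now) {
        Conditions conditions = assertion.getConditions();
        if (conditions == null) {
            return false; // nothing bounds the assertion's lifetime
        }

        // Skew is applied leniently towards the issuer's clock: a NotBefore slightly
        // in the future and a NotOnOrAfter slightly in the past are both tolerated.
        DateTime nowPlusSkew = now.plusSeconds(CLOCK_SKEW_SECONDS);
        DateTime nowMinusSkew = now.minusSeconds(CLOCK_SKEW_SECONDS);

        DateTime notBefore = conditions.getNotBefore();
        if (notBefore != null && notBefore.isAfter(nowPlusSkew)) {
            return false; // not yet valid
        }
        DateTime notOnOrAfter = conditions.getNotOnOrAfter();
        if (notOnOrAfter != null && !notOnOrAfter.isAfter(nowMinusSkew)) {
            return false; // expired; NotOnOrAfter is exclusive, so equality already means expired
        }
        if (notBefore == null && notOnOrAfter == null) {
            return false; // Conditions present but unbounded: still fail closed
        }

        // Bearer confirmations carry their own, usually shorter, expiry.
        if (assertion.getSubject() != null) {
            List<SubjectConfirmation> confirmations = assertion.getSubject().getSubjectConfirmations();
            for (SubjectConfirmation sc : confirmations) {
                SubjectConfirmationData data = sc.getSubjectConfirmationData();
                if (data != null && data.getNotOnOrAfter() != null
                        && !data.getNotOnOrAfter().isAfter(nowMinusSkew)) {
                    return false; // confirmation window has closed
                }
            }
        }
        return true;
    }

    /** Convenience overload that evaluates against the current UTC time. */
    public static boolean isWithinValidityWindow(Assertion assertion) {
        return isWithinValidityWindow(assertion, new DateTime(DateTimeZone.UTC));
    }
}
```

Call it only after `SignatureValidator.validate()` has succeeded, since the time attributes come from the signed XML and are meaningless on an unverified assertion. Taking `now` as a parameter keeps the check unit-testable against constructed timestamps; the choice to reject an assertion whose Conditions bound nothing is a policy decision rather than a SAML requirement, so adjust it if your IdP legitimately issues such assertions.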