// Verify the signature
assertion.verifySignature(
requestData, new WSDocInfo(validateTargetElement.getOwnerDocument())
);
SecurityToken secToken = null;
byte[] signatureValue = assertion.getSignatureValue();
if (tokenParameters.getTokenStore() != null && signatureValue != null
&& signatureValue.length > 0) {
int hash = Arrays.hashCode(signatureValue);
secToken = tokenParameters.getTokenStore().getToken(Integer.toString(hash));
if (secToken != null && secToken.getTokenHash() != hash) {
secToken = null;
}
}
if (secToken != null && secToken.isExpired()) {
LOG.fine("Token: " + secToken.getId() + " is in the cache but expired - revalidating");
secToken = null;
}
if (secToken == null) {
// Validate the assertion against schemas/profiles
validateAssertion(assertion);
// Now verify trust on the signature
Credential trustCredential = new Credential();
SAMLKeyInfo samlKeyInfo = assertion.getSignatureKeyInfo();
trustCredential.setPublicKey(samlKeyInfo.getPublicKey());
trustCredential.setCertificates(samlKeyInfo.getCerts());
trustCredential = validator.validate(trustCredential, requestData);
// Finally check that subject DN of the signing certificate matches a known constraint
X509Certificate cert = null;
if (trustCredential.getCertificates() != null) {
cert = trustCredential.getCertificates()[0];
}
if (!certConstraints.matches(cert)) {
return response;
}
}
// Parse roles from the validated token
if (samlRoleParser != null) {
Set<Principal> roles =
samlRoleParser.parseRolesFromAssertion(samlPrincipal, null, assertion);
response.setRoles(roles);
}
// Get the realm of the SAML token
String tokenRealm = null;
if (samlRealmCodec != null) {
tokenRealm = samlRealmCodec.getRealmFromToken(assertion);
// verify the realm against the cached token
if (secToken != null) {
Properties props = secToken.getProperties();
if (props != null) {
String cachedRealm = props.getProperty(STSConstants.TOKEN_REALM);
if (cachedRealm != null && !tokenRealm.equals(cachedRealm)) {
return response;
}