Validating XML and SAML Objects
Validation can be done in two ways: validation of the XML, either during parsing or after marshalling, or validation of the SAMLObjects.
XML Validation
XML schemas for validating SAML 1.0, 1.1, and 2.0 XML are available from the org.opensaml.common.xml.SAMLSchemaBuilder class. In theory, it should have been possible to load all the XML schemas into one Schema object; however, a conflict in the naming of the SAML 1.0 and 1.1 schemas prohibits this. Therefore this class provides two methods, getSAML10Schema() and getSAML11Schema(), both of which can be used to validate SAML 2.0 since its schema is composable with SAML 1.0 or 1.1.
To validate XML as you parse it with the org.opensaml.xml.parse.ParserPool, simply fetch the appropriate schema from the SAMLSchemaBuilder and add it to the parser pool via the setSchema(Schema) method. If the parser pool has been in use prior to this, any currently checked out DocumentBuilder will not be affected, but newly checked out ones will.
To validate XML after it has been parsed into a DOM representation:
- Get the appropriate schema from the SAMLSchemaBuilder
- Create a new javax.xml.validation.Validator through the newValidator() method on the Schema
- Create a new javax.xml.transform.dom.DOMSource with your DOM
- Invoke Validator#validate(DOMSource)
It should be noted that many products out there seem to produce invalid XML and so the usage of XML Schema validation is not recommended.
SAMLObject Validator Validation
The most common way to perform validator based validation is to use a ValidatorSuite (see the configuration file section to learn how to configure these). These suites can be used on a single SAMLObject, a tree of SAMLObjects, or multiple trees of SAMLObjects (i.e. they are stateless and traverse the tree). Here's how:
- Retrieve the validator suite using org.opensaml.Configuration#getValidatorSuite(String), passing in the ID of the suite you wish to use
- Execute validate(XMLObject), giving it the SAMLObject you wish to validate
The default configuration files for the library provide 6 validation suites:
- saml1-schema-validator - validates SAMLObjects against the SAML 1.0/1.1 schema
- saml1-spec-validator - validates SAMLObjects against the SAML 1.0/1.1 specification
- saml2-schema-validator - validates SAMLObjects against the SAML 2.0 core schema
- saml2-spec-validator - validates SAMLObjects against the SAML 2.0 core specification
- saml2-metadata-schema-validator - validates SAMLObjects against the SAML 2.0 metadata schema
- saml2-metadata-spec-validator - validates SAMLObjects against the SAML 2.0 metadata specification
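The two approaches combined, as an added example that is not part of the original page or of the OpenSAML code base: a schema-validating parser pool rejects malformed input up front, then the schema and spec validator suites are run over the unmarshalled SAMLObject tree. The sample assertion is constructed, and the suite IDs are assumed to be the ones listed above; adjust them to match your configuration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.validation.Schema;
import org.opensaml.Configuration;
import org.opensaml.DefaultBootstrap;
import org.opensaml.common.xml.SAMLSchemaBuilder;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.io.Unmarshaller;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.validation.ValidatorSuite;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class SamlValidationExample {

    // Constructed sample: a minimal SAML 2.0 Assertion, not real data.
    private static final String SAMPLE_ASSERTION =
        "<saml:Assertion xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\""
        + " Version=\"2.0\" ID=\"_example-id\" IssueInstant=\"2020-01-01T00:00:00Z\">"
        + "<saml:Issuer>https://idp.example.org</saml:Issuer>"
        + "<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>"
        + "</saml:Assertion>";

    public static void main(String[] args) throws Exception {
        DefaultBootstrap.bootstrap();

        // Step 1: schema-validate while parsing. SAML 2.0 is composable with the
        // SAML 1.1 schema set, so either SAMLSchemaBuilder method will do.
        Schema schema = SAMLSchemaBuilder.getSAML11Schema();
        BasicParserPool pool = new BasicParserPool();
        pool.setNamespaceAware(true);
        pool.setSchema(schema);
        Document doc = pool.parse(new ByteArrayInputStream(
            SAMPLE_ASSERTION.getBytes(StandardCharsets.UTF_8)));
        Element root = doc.getDocumentElement();

        // Step 2: unmarshall the DOM into a SAMLObject tree.
        Unmarshaller unmarshaller = Configuration.getUnmarshallerFactory().getUnmarshaller(root);
        XMLObject assertion = unmarshaller.unmarshall(root);

        // Step 3: run the stateless validator suites over the whole tree.
        // Suite IDs assumed from the list above; each throws ValidationException on failure.
        for (String suiteId : new String[] {"saml2-schema-validator", "saml2-spec-validator"}) {
            ValidatorSuite suite = Configuration.getValidatorSuite(suiteId);
            suite.validate(assertion);
        }
        System.out.println("Assertion passed schema and spec validation");
    }
}
```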
Alternatively, you may wish to attach validators directly to the SAMLObject and evaluate them at some later point. You can do this by creating instances of the validators you wish to be evaluated and registering them with the SAMLObject through the registerValidator(Validator) method. Then, when you're ready to perform the validation, you can execute the validate(boolean) method. The boolean argument indicates whether you wish validators registered on the child objects to be executed as well.