uk.ac.cam.ucs.webauth
Class WLSValidator

java.lang.Object
  extended byuk.ac.cam.ucs.webauth.WLSValidator

public class WLSValidator
extends Object

Impliments a validator for authentication response message.

Version:
$Revision: 1.4 $ $Date: 2005/03/11 10:03:39 $

Constructor Summary
WLSValidator(KeyStore k)
          Default constructor.
 
Method Summary
 String getKeyPrefix()
          Get the maximum expected clock skew.
 int getMaxSkew()
          Get the maximum expected clock skew.
 int getTimeout()
          Get the transmition timeout for validation for this validator.
 void setKeyPrefix(String keyPrefix)
          Set the string prefix used to identify the relavent public key in the key store.
 void setMaxSkew(int maxSkew)
          Set the maximum expected difference betweent the clock supplying the date parameter for validate and correct time.
 void setTimeout(int timeout)
          Set the transmition timeout for validation.
 void validate(WLSRequest request, WLSResponse response)
          Alternate version of validate in which date defaults to the current date/time
 void validate(WLSRequest request, WLSResponse response, Date date)
          Perform validation tests on a WLSResponse.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

WLSValidator

public WLSValidator(KeyStore k)
Default constructor. The timeout for the resulting object is set to 30 sec and the clock skew to 0.

Parameters:
k - A keyStore that contains the currently-valid public keys for the authentication system.
Method Detail

validate

public void validate(WLSRequest request,
                     WLSResponse response,
                     Date date)
              throws WLSException
Perform validation tests on a WLSResponse. This involves:
  1. Checking that an acceptable combination of parameters are present in the response.
  2. Checking that 'kid', if present, corresponds to a key currently being used by the WAA.
  3. Checking that the signature, if provided, matches the data supplied.
  4. Checking that the response is recent by comparing 'issue' with the supplied date. If the supplied date is not from a clock synchronised by NTP or a similar mechanism then an allowance must be made for the maximum expected clock skew.
  5. Checking that 'url' is consistent with that in the corresponding Request.
  6. Checking that 'auth' and/or 'sso' contain values that are consistent with those in the corresponding Request.

Parameters:
request - The WLSRequest object, the submssion of which to the login server resulted in the WLSResponse being validated. This is not required to be the identical object, but it should contain the same values for the folowing parameters as the object which did (or at least could) have caused this response: TODO: er, what are these?
response - The WLSResponse object to be validated
date - The date on which validation will be based.
Throws:
WLSException - if the response fails to validate

validate

public void validate(WLSRequest request,
                     WLSResponse response)
              throws WLSException
Alternate version of validate in which date defaults to the current date/time

Parameters:
request - See validate(WLSRequest, WLSResponse)
response - See validate(WLSRequest, WLSResponse)
Throws:
WLSException - if the response fails to validate

setTimeout

public void setTimeout(int timeout)
Set the transmition timeout for validation. This is the maximum time, in miliseconds, after issue that a response will be considered fresh. In an environment subject to network snooping this should be kept as short as possible.

Parameters:
timeout - the integer value to which timeout should be set.

getTimeout

public int getTimeout()
Get the transmition timeout for validation for this validator. See setTimeout for details

Returns:
the integer value representing the timeout in miliseconds

setMaxSkew

public void setMaxSkew(int maxSkew)
Set the maximum expected difference betweent the clock supplying the date parameter for validate and correct time. This is expressed in integer miliseconds.

Parameters:
maxSkew - the integer value of the maximum expected clock skew.

getMaxSkew

public int getMaxSkew()
Get the maximum expected clock skew. See setMaxSkew for details

Returns:
the integer value representing the maximum expected clock skew.

setKeyPrefix

public void setKeyPrefix(String keyPrefix)
Set the string prefix used to identify the relavent public key in the key store. Keys must be available in the key store under an alias formed from this prefix and the key-id caried in the response message being validated.

Parameters:
keyPrefix - the prefix string

getKeyPrefix

public String getKeyPrefix()
Get the maximum expected clock skew. See setKeyPrefix for details

Returns:
the prefix string