mace-opensaml-users - InResponseTo security policy rule
Subject: OpenSAML user discussion
- From: Frank Cornelis <>
- Subject: InResponseTo security policy rule
- Date: Wed, 29 Aug 2007 15:07:36 +0200
Hi,
Is it possible to add a security policy rule that checks for the
correctness of the InResponseTo field?
Regards,
Frank.
import org.apache.log4j.Logger;
import org.opensaml.common.SAMLObject;
import org.opensaml.common.binding.SAMLMessageContext;
import org.opensaml.saml2.core.StatusResponseType;
import org.opensaml.ws.message.MessageContext;
import org.opensaml.ws.security.SecurityPolicyException;
import org.opensaml.ws.security.SecurityPolicyRule;

/**
 * Security policy rule that checks whether the response is indeed in
 * response to a previous request.
 */
public class InResponseToRule implements SecurityPolicyRule {

    private static Logger log = Logger.getLogger(InResponseToRule.class);

    /** ID of the request whose response this rule is expecting. */
    private final String expectedInResponseTo;

    public InResponseToRule(String expectedInResponseTo) {
        this.expectedInResponseTo = expectedInResponseTo;
    }

    public void evaluate(MessageContext messageContext)
            throws SecurityPolicyException {
        if (!(messageContext instanceof SAMLMessageContext)) {
            log.debug("Invalid message context type, this policy rule only "
                    + "supports SAMLMessageContext");
            return;
        }
        SAMLMessageContext samlMsgCtx = (SAMLMessageContext) messageContext;
        SAMLObject samlMsg = samlMsgCtx.getInboundSAMLMessage();
        if (samlMsg == null) {
            log.error("Message context did not contain inbound SAML message");
            throw new SecurityPolicyException(
                    "Message context did not contain inbound SAML message");
        }
        // Only responses carry InResponseTo; requests pass through untouched.
        if (samlMsg instanceof StatusResponseType) {
            StatusResponseType statusResponse = (StatusResponseType) samlMsg;
            String actualInResponseTo = statusResponse.getInResponseTo();
            // equals() on the expected value also rejects a missing (null) attribute.
            if (!expectedInResponseTo.equals(actualInResponseTo)) {
                throw new SecurityPolicyException("Response not in response to "
                        + expectedInResponseTo + " but to " + actualInResponseTo);
            }
        }
    }
}
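An added example, not part of Frank's post or of OpenSAML itself, showing the same rule generalised from one fixed expected ID to a registry of outstanding request IDs: each ID is single-use and expires, so a replayed or unsolicited response fails the rule even when its signature verifies. The class name, the registry and registerRequest() are assumptions; the OpenSAML types are the ones used in the post.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.opensaml.common.SAMLObject;
import org.opensaml.common.binding.SAMLMessageContext;
import org.opensaml.saml2.core.StatusResponseType;
import org.opensaml.ws.message.MessageContext;
import org.opensaml.ws.security.SecurityPolicyException;
import org.opensaml.ws.security.SecurityPolicyRule;

/**
 * Illustrative rule (not OpenSAML code): accepts a response only if its
 * InResponseTo names a request ID this SP issued that is unexpired and unused.
 */
public class OutstandingRequestInResponseToRule implements SecurityPolicyRule {
    /** Hypothetical registry: issued request ID -> issue time (epoch millis). */
    private final Map<String, Long> outstanding = new ConcurrentHashMap<String, Long>();
    private final long maxAgeMillis;

    public OutstandingRequestInResponseToRule(long maxAgeMillis) {
        this.maxAgeMillis = maxAgeMillis;
    }

    /** Record the ID placed in an outgoing AuthnRequest when it is sent. */
    public void registerRequest(String requestId) {
        outstanding.put(requestId, System.currentTimeMillis());
    }

    public void evaluate(MessageContext messageContext) throws SecurityPolicyException {
        if (!(messageContext instanceof SAMLMessageContext)) {
            return; // rule only understands SAML message contexts
        }
        SAMLObject samlMsg = ((SAMLMessageContext) messageContext).getInboundSAMLMessage();
        if (samlMsg == null) {
            throw new SecurityPolicyException("Message context did not contain inbound SAML message");
        }
        if (!(samlMsg instanceof StatusResponseType)) {
            return; // not a response, nothing to correlate
        }
        String inResponseTo = ((StatusResponseType) samlMsg).getInResponseTo();
        if (inResponseTo == null || inResponseTo.length() == 0) {
            // An unsolicited response cannot be tied to any request this SP sent.
            throw new SecurityPolicyException("Response carries no InResponseTo");
        }
        Long issued = outstanding.remove(inResponseTo); // remove() makes the ID single-use
        if (issued == null) {
            throw new SecurityPolicyException("Unknown or already used InResponseTo " + inResponseTo);
        }
        if (System.currentTimeMillis() - issued > maxAgeMillis) {
            throw new SecurityPolicyException("Request " + inResponseTo + " expired before its response");
        }
    }
}
```

In a clustered SP the registry would have to be shared or bound to the user's session rather than held in one JVM's map.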
- InResponseTo security policy rule, Frank Cornelis, 08/29/2007
- Re: InResponseTo security policy rule, Chad La Joie, 08/29/2007
- RE: InResponseTo security policy rule, Scott Cantor, 08/29/2007
- Re: InResponseTo security policy rule, Frank Cornelis, 08/30/2007
- Re: InResponseTo security policy rule, Chad La Joie, 08/30/2007
- RE: InResponseTo security policy rule, Scott Cantor, 08/30/2007
- Re: InResponseTo security policy rule, Chad La Joie, 08/30/2007
- Re: InResponseTo security policy rule, Chad La Joie, 08/29/2007