mace-opensaml-users - Re: InResponseTo security policy rule
Subject: OpenSAML user discussion
List archive
- From: Chad La Joie <>
- To:
- Subject: Re: InResponseTo security policy rule
- Date: Wed, 29 Aug 2007 09:51:57 -0400
- Openpgp: id=A260F52E; url=http://pgpkeys.pca.dfn.de/pks/lookup?op=get&search=0x3F5E9E87A260F52E
- Organization: Georgetown University
Probably not. The security policy rules are meant to be stateless so
that they can be used over many messages. Storing the InResponseTo in
the rule represents state and wouldn't allow you to use the rule across
messages (as the message ID you're responding to would change).
Frank Cornelis wrote:
> Hi,
>
>
> Is it possible to add a security policy rule that checks for the
> correctness of the InResponseTo field?
>
>
> Regards,
> Frank.
>
>
> import org.apache.log4j.Logger;
> import org.opensaml.common.SAMLObject;
> import org.opensaml.common.binding.SAMLMessageContext;
> import org.opensaml.saml2.core.StatusResponseType;
> import org.opensaml.ws.message.MessageContext;
> import org.opensaml.ws.security.SecurityPolicyException;
> import org.opensaml.ws.security.SecurityPolicyRule;
>
> /**
> * Security policy rule that checks whether the response is indeed in
> response to
> * a previous request.
> */
> public class InResponseToRule implements SecurityPolicyRule {
>
> private static Logger log = Logger.getLogger(InResponseToRule.class);
>
> private final String expectedInResponseTo;
>
> public InResponseToRule(String expectedInResponseTo) {
> this.expectedInResponseTo = expectedInResponseTo;
> }
>
> public void evaluate(MessageContext messageContext)
> throws SecurityPolicyException {
> if (!(messageContext instanceof SAMLMessageContext)) {
> log
> .debug("Invalid message context type,
> this policy rule only support
> SAMLMessageContext");
> return;
> }
> SAMLMessageContext samlMsgCtx = (SAMLMessageContext)
> messageContext;
>
> SAMLObject samlMsg = samlMsgCtx.getInboundSAMLMessage();
> if (samlMsg == null) {
> log.error("Message context did not contain inbound
> SAML message");
> throw new SecurityPolicyException(
> "Message context did not contain
> inbound SAML message");
> }
> if (samlMsg instanceof StatusResponseType) {
> StatusResponseType statusResponse =
> (StatusResponseType) samlMsg;
> String actualInResponseTo =
> statusResponse.getInResponseTo();
> if (!expectedInResponseTo.equals(actualInResponseTo))
> {
> throw new SecurityPolicyException(
> "Response not in response to
> " + expectedInResponseTo
> + " but to "
> + actualInResponseTo);
> }
> }
> }
> }
--
Chad La Joie 2052-C Harris Bldg
OIS-Middleware 202.687.0124
- InResponseTo security policy rule, Frank Cornelis, 08/29/2007
- Re: InResponseTo security policy rule, Chad La Joie, 08/29/2007
- RE: InResponseTo security policy rule, Scott Cantor, 08/29/2007
- Re: InResponseTo security policy rule, Frank Cornelis, 08/30/2007
- Re: InResponseTo security policy rule, Chad La Joie, 08/30/2007
- RE: InResponseTo security policy rule, Scott Cantor, 08/30/2007
- Re: InResponseTo security policy rule, Chad La Joie, 08/30/2007
- Re: InResponseTo security policy rule, Chad La Joie, 08/29/2007
Archive powered by MHonArc 2.6.16.