mace-opensaml-users - Re: InResponseTo security policy rule

Subject: OpenSAML user discussion

Re: InResponseTo security policy rule

  • From: Chad La Joie <>
  • To:
  • Subject: Re: InResponseTo security policy rule
  • Date: Wed, 29 Aug 2007 09:51:57 -0400
  • Openpgp: id=A260F52E; url=http://pgpkeys.pca.dfn.de/pks/lookup?op=get&search=0x3F5E9E87A260F52E
  • Organization: Georgetown University

Probably not. The security policy rules are meant to be stateless so
that they can be used over many messages. Storing the InResponseTo in
the rule represents state and wouldn't allow you to use the rule across
messages (as the message ID you're responding to would change).

Frank Cornelis wrote:
> Hi,
>
>
> Is it possible to add a security policy rule that checks for the
> correctness of the InResponseTo field?
>
>
> Regards,
> Frank.
>
>
> import org.apache.log4j.Logger;
> import org.opensaml.common.SAMLObject;
> import org.opensaml.common.binding.SAMLMessageContext;
> import org.opensaml.saml2.core.StatusResponseType;
> import org.opensaml.ws.message.MessageContext;
> import org.opensaml.ws.security.SecurityPolicyException;
> import org.opensaml.ws.security.SecurityPolicyRule;
>
> /**
>  * Security policy rule that checks whether the response is indeed in
>  * response to a previous request.
>  */
> public class InResponseToRule implements SecurityPolicyRule {
>
>     private static Logger log = Logger.getLogger(InResponseToRule.class);
>
>     // The request ID this rule instance expects; held per rule, not per message
>     private final String expectedInResponseTo;
>
>     public InResponseToRule(String expectedInResponseTo) {
>         this.expectedInResponseTo = expectedInResponseTo;
>     }
>
>     public void evaluate(MessageContext messageContext)
>             throws SecurityPolicyException {
>         if (!(messageContext instanceof SAMLMessageContext)) {
>             log.debug("Invalid message context type, this policy rule only supports SAMLMessageContext");
>             return;
>         }
>         SAMLMessageContext samlMsgCtx = (SAMLMessageContext) messageContext;
>
>         SAMLObject samlMsg = samlMsgCtx.getInboundSAMLMessage();
>         if (samlMsg == null) {
>             log.error("Message context did not contain inbound SAML message");
>             throw new SecurityPolicyException(
>                     "Message context did not contain inbound SAML message");
>         }
>         if (samlMsg instanceof StatusResponseType) {
>             StatusResponseType statusResponse = (StatusResponseType) samlMsg;
>             String actualInResponseTo = statusResponse.getInResponseTo();
>             if (!expectedInResponseTo.equals(actualInResponseTo)) {
>                 throw new SecurityPolicyException(
>                         "Response not in response to " + expectedInResponseTo
>                                 + " but to " + actualInResponseTo);
>             }
>         }
>     }
> }

--
Chad La Joie 2052-C Harris Bldg
OIS-Middleware 202.687.0124
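As an added example (not Chad's or Frank's code, and not part of the OpenSAML project), here is the same check written without per-rule state, which is the point of the reply above: the expected request ID is read from the per-message SAMLMessageContext rather than from the rule's constructor, so one rule instance can evaluate every message. It assumes the caller records the outgoing request's ID on the context with setOutboundSAMLMessageId() before the response is processed, and that DatatypeHelper from xmltooling is on the classpath.

```java
import org.apache.log4j.Logger;
import org.opensaml.common.SAMLObject;
import org.opensaml.common.binding.SAMLMessageContext;
import org.opensaml.saml2.core.StatusResponseType;
import org.opensaml.ws.message.MessageContext;
import org.opensaml.ws.security.SecurityPolicyException;
import org.opensaml.ws.security.SecurityPolicyRule;
import org.opensaml.xml.util.DatatypeHelper;

/**
 * Stateless InResponseTo check. The rule holds no fields of its own; the
 * request ID it compares against comes from the per-message context
 * (assumed to have been populated with setOutboundSAMLMessageId() when
 * the request was issued), so a single instance can serve every message.
 */
public class StatelessInResponseToRule implements SecurityPolicyRule {

    private static final Logger log = Logger.getLogger(StatelessInResponseToRule.class);

    public void evaluate(MessageContext messageContext) throws SecurityPolicyException {
        if (!(messageContext instanceof SAMLMessageContext)) {
            log.debug("Invalid message context type, this policy rule only supports SAMLMessageContext");
            return;
        }
        SAMLMessageContext samlMsgCtx = (SAMLMessageContext) messageContext;

        SAMLObject samlMsg = samlMsgCtx.getInboundSAMLMessage();
        if (!(samlMsg instanceof StatusResponseType)) {
            // Not a SAML 2 response (a request, or no message at all): nothing to correlate
            return;
        }
        String actual = DatatypeHelper.safeTrimOrNullString(
                ((StatusResponseType) samlMsg).getInResponseTo());
        String expected = DatatypeHelper.safeTrimOrNullString(samlMsgCtx.getOutboundSAMLMessageId());
        if (expected == null) {
            // No request was sent on this context, so the response is unsolicited. One that
            // nevertheless names an InResponseTo cannot be correlated to anything and is rejected.
            if (actual != null) {
                throw new SecurityPolicyException(
                        "Unsolicited response carries InResponseTo " + actual);
            }
            return;
        }
        if (!expected.equals(actual)) {
            throw new SecurityPolicyException("Response InResponseTo " + actual
                    + " does not match the request ID " + expected + " sent on this context");
        }
    }
}
```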


