mace-opensaml-users - Re: InResponseTo security policy rule
Subject: OpenSAML user discussion
List archive
- From: Frank Cornelis <>
- To:
- Subject: Re: InResponseTo security policy rule
- Date: Thu, 30 Aug 2007 11:30:00 +0200
OK, I see. So, if I would like to implement the challenge-response via
the SAML message ID, I probably would have to extend the
SAMLMessageContext with an 'expectedInResponseTo' property?
Are there any plans to make this challenge-response pattern more
explicit in the opensaml library?
Regards,
Frank.
On Wed, 2007-08-29 at 09:51 -0400, Chad La Joie wrote:
> Probably not. The security policy rules are meant to be stateless so
> that they can be used over many messages. Storing the InResponseTo in
> the rule represents state and wouldn't allow you to use the rule across
> messages (as the message ID you're responding to would change).
>
> Frank Cornelis wrote:
> > Hi,
> >
> >
> > Is it possible to add a security policy rule that checks for the
> > correctness of the InResponseTo field?
> >
> >
> > Regards,
> > Frank.
> >
> >
> > import org.apache.log4j.Logger;
> > import org.opensaml.common.SAMLObject;
> > import org.opensaml.common.binding.SAMLMessageContext;
> > import org.opensaml.saml2.core.StatusResponseType;
> > import org.opensaml.ws.message.MessageContext;
> > import org.opensaml.ws.security.SecurityPolicyException;
> > import org.opensaml.ws.security.SecurityPolicyRule;
> >
> > /**
> >  * Security policy rule that checks whether the response is indeed in
> >  * response to a previous request.
> >  */
> > public class InResponseToRule implements SecurityPolicyRule {
> >
> >     private static Logger log = Logger.getLogger(InResponseToRule.class);
> >
> >     /** ID of the request we sent; the response's InResponseTo must equal it. */
> >     private final String expectedInResponseTo;
> >
> >     public InResponseToRule(String expectedInResponseTo) {
> >         if (expectedInResponseTo == null) {
> >             throw new IllegalArgumentException("expectedInResponseTo may not be null");
> >         }
> >         this.expectedInResponseTo = expectedInResponseTo;
> >     }
> >
> >     public void evaluate(MessageContext messageContext)
> >             throws SecurityPolicyException {
> >         if (!(messageContext instanceof SAMLMessageContext)) {
> >             log.debug("Invalid message context type, this policy rule only supports SAMLMessageContext");
> >             return;
> >         }
> >         SAMLMessageContext samlMsgCtx = (SAMLMessageContext) messageContext;
> >
> >         SAMLObject samlMsg = samlMsgCtx.getInboundSAMLMessage();
> >         if (samlMsg == null) {
> >             log.error("Message context did not contain inbound SAML message");
> >             throw new SecurityPolicyException("Message context did not contain inbound SAML message");
> >         }
> >         // Only SAML 2 responses carry InResponseTo; other message types pass through.
> >         if (samlMsg instanceof StatusResponseType) {
> >             StatusResponseType statusResponse = (StatusResponseType) samlMsg;
> >             String actualInResponseTo = statusResponse.getInResponseTo();
> >             if (!expectedInResponseTo.equals(actualInResponseTo)) {
> >                 throw new SecurityPolicyException("Response not in response to "
> >                         + expectedInResponseTo + " but to " + actualInResponseTo);
> >             }
> >         }
> >     }
> > }
>
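The following is an added example, not code from Frank's post or from the OpenSAML project. It shows one way to keep the rule stateless, as Chad describes, while still doing the check Frank wants: the ID of the request the SP sent is carried by a hypothetical BasicSAMLMessageContext subclass (ChallengeSAMLMessageContext) instead of by the rule, so a single rule instance can serve every message. The class names, the constructed request IDs and the main() driver are assumptions; the OpenSAML 2.x calls (DefaultBootstrap, the builder factory, BasicSecurityPolicy, SecureRandomIdentifierGenerator) are the library's own.

```java
import org.opensaml.DefaultBootstrap;
import org.opensaml.common.SAMLObject;
import org.opensaml.common.SAMLObjectBuilder;
import org.opensaml.common.binding.BasicSAMLMessageContext;
import org.opensaml.common.impl.SecureRandomIdentifierGenerator;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.saml2.core.NameID;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.StatusResponseType;
import org.opensaml.ws.message.MessageContext;
import org.opensaml.ws.security.SecurityPolicyException;
import org.opensaml.ws.security.SecurityPolicyRule;
import org.opensaml.ws.security.provider.BasicSecurityPolicy;
import org.opensaml.xml.Configuration;

/** Added example (not OpenSAML's code): a stateless InResponseTo rule that reads the challenge from the context. */
public class InResponseToExample {

    /** Hypothetical context subclass carrying the ID of the AuthnRequest this SP issued. */
    public static class ChallengeSAMLMessageContext<I extends SAMLObject, O extends SAMLObject, N extends SAMLObject>
            extends BasicSAMLMessageContext<I, O, N> {
        private String expectedInResponseTo;

        public String getExpectedInResponseTo() { return expectedInResponseTo; }
        public void setExpectedInResponseTo(String id) { this.expectedInResponseTo = id; }
    }

    /** Stateless rule: every per-exchange value lives in the context, so one instance serves all messages. */
    public static class StatelessInResponseToRule implements SecurityPolicyRule {
        public void evaluate(MessageContext messageContext) throws SecurityPolicyException {
            if (!(messageContext instanceof ChallengeSAMLMessageContext)) {
                return; // no challenge recorded for this exchange; other rules decide
            }
            ChallengeSAMLMessageContext<?, ?, ?> ctx = (ChallengeSAMLMessageContext<?, ?, ?>) messageContext;
            String expected = ctx.getExpectedInResponseTo();
            if (expected == null) {
                throw new SecurityPolicyException("No expected InResponseTo recorded for this exchange");
            }
            SAMLObject msg = ctx.getInboundSAMLMessage();
            if (!(msg instanceof StatusResponseType)) {
                throw new SecurityPolicyException("Expected a SAML 2 response to request " + expected);
            }
            String actual = ((StatusResponseType) msg).getInResponseTo();
            // Fail closed: a response without InResponseTo is unsolicited, not a match.
            if (actual == null || !expected.equals(actual)) {
                throw new SecurityPolicyException("Response InResponseTo '" + actual
                        + "' does not match expected '" + expected + "'");
            }
        }
    }

    /** Runs the policy over one inbound response with the given outstanding request ID. */
    static boolean accepted(BasicSecurityPolicy policy, String requestId, Response response) {
        ChallengeSAMLMessageContext<Response, AuthnRequest, NameID> ctx =
                new ChallengeSAMLMessageContext<Response, AuthnRequest, NameID>();
        ctx.setExpectedInResponseTo(requestId);
        ctx.setInboundSAMLMessage(response);
        try {
            policy.evaluate(ctx);
            return true;
        } catch (SecurityPolicyException e) {
            return false;
        }
    }

    @SuppressWarnings("unchecked")
    public static void main(String[] args) throws Exception {
        DefaultBootstrap.bootstrap();
        SAMLObjectBuilder<Response> builder = (SAMLObjectBuilder<Response>)
                Configuration.getBuilderFactory().getBuilder(Response.DEFAULT_ELEMENT_NAME);
        // Unpredictable request ID, as the SP would generate for its AuthnRequest.
        String requestId = new SecureRandomIdentifierGenerator().generateIdentifier();

        BasicSecurityPolicy policy = new BasicSecurityPolicy();
        policy.getPolicyRules().add(new StatelessInResponseToRule());

        Response matching = builder.buildObject();        // constructed responses, not real IdP output
        matching.setInResponseTo(requestId);
        Response mismatched = builder.buildObject();
        mismatched.setInResponseTo("_constructed-other-request-id");
        Response unsolicited = builder.buildObject();     // no InResponseTo attribute at all

        System.out.println("matching   accepted: " + accepted(policy, requestId, matching));
        System.out.println("mismatched accepted: " + accepted(policy, requestId, mismatched));
        System.out.println("unsolicited accepted: " + accepted(policy, requestId, unsolicited));
    }
}
```

The expected ID must be looked up server-side (for example from the user's session, keyed by the request the SP sent) and removed once a response has been accepted, so the same response cannot be replayed against the same challenge; and this rule only binds the response to a request, so it belongs alongside the signature and issuer rules rather than in place of them.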
- InResponseTo security policy rule, Frank Cornelis, 08/29/2007
- Re: InResponseTo security policy rule, Chad La Joie, 08/29/2007
- RE: InResponseTo security policy rule, Scott Cantor, 08/29/2007
- Re: InResponseTo security policy rule, Frank Cornelis, 08/30/2007
- Re: InResponseTo security policy rule, Chad La Joie, 08/30/2007
- RE: InResponseTo security policy rule, Scott Cantor, 08/30/2007
- Re: InResponseTo security policy rule, Chad La Joie, 08/30/2007
- Re: InResponseTo security policy rule, Chad La Joie, 08/29/2007