OpenSAML user discussion

[Frank Cornelis <>]

OK, I see. So, if I would like to implement the challenge-response via
the SAML message ID I probably would have to extend the
SAMLMessageContext with an 'expectedInResponseTo' property?
Are there any plans to make this challenge-response pattern more
explicit in the opensaml library?


Regards,
Frank.

On Wed, 2007-08-29 at 09:51 -0400, Chad La Joie wrote:
> Probably not.  The security policy rules are meant to be stateless so
> that they can be used over many messages.  Storing the InResponseTo in
> the rule represents state and wouldn't allow you to use the rule across
> messages (as the message ID you're responding to would change).
> 
> Frank Cornelis wrote:
> > Hi,
> > 
> > 
> > Is it possible to add a security policy rule that checks for the
> > correctness of the InResponseTo field?
> > 
> > 
> > Regards,
> > Frank.
> > 
> > 
> > import org.apache.log4j.Logger;
> > import org.opensaml.common.SAMLObject;
> > import org.opensaml.common.binding.SAMLMessageContext;
> > import org.opensaml.saml2.core.StatusResponseType;
> > import org.opensaml.ws.message.MessageContext;
> > import org.opensaml.ws.security.SecurityPolicyException;
> > import org.opensaml.ws.security.SecurityPolicyRule;
> > 
> > /**
> >  * Security policy rule that checks whether the response is indeed in
> > response to
> >  * a previous request.
> >  */
> > public class InResponseToRule implements SecurityPolicyRule {
> > 
> >     private static Logger log = Logger.getLogger(InResponseToRule.class);
> > 
> >     private final String expectedInResponseTo;
> > 
> >     public InResponseToRule(String expectedInResponseTo) {
> >             this.expectedInResponseTo = expectedInResponseTo;
> >     }
> > 
> >     public void evaluate(MessageContext messageContext)
> >                     throws SecurityPolicyException {
> >             if (!(messageContext instanceof SAMLMessageContext)) {
> >                     log
> >                                     .debug("Invalid message context type, 
> > this policy rule only support
> > SAMLMessageContext");
> >                     return;
> >             }
> >             SAMLMessageContext samlMsgCtx = (SAMLMessageContext) 
> > messageContext;
> > 
> >             SAMLObject samlMsg = samlMsgCtx.getInboundSAMLMessage();
> >             if (samlMsg == null) {
> >                     log.error("Message context did not contain inbound 
> > SAML message");
> >                     throw new SecurityPolicyException(
> >                                     "Message context did not contain 
> > inbound SAML message");
> >             }
> >             if (samlMsg instanceof StatusResponseType) {
> >                     StatusResponseType statusResponse = 
> > (StatusResponseType) samlMsg;
> >                     String actualInResponseTo = 
> > statusResponse.getInResponseTo();
> >                     if (!expectedInResponseTo.equals(actualInResponseTo)) 
> > {
> >                             throw new SecurityPolicyException(
> >                                             "Response not in response to 
> > " + expectedInResponseTo
> >                                                             + " but to " 
> > + actualInResponseTo);
> >                     }
> >             }
> >     }
> > }
>