mace-opensaml-users - Re: InResponseTo security policy rule

Subject: OpenSAML user discussion


Re: InResponseTo security policy rule


  • From: Chad La Joie <>
  • To:
  • Subject: Re: InResponseTo security policy rule
  • Date: Thu, 30 Aug 2007 07:42:37 -0400
  • Openpgp: id=A260F52E; url=http://pgpkeys.pca.dfn.de/pks/lookup?op=get&search=0x3F5E9E87A260F52E
  • Organization: Georgetown University

There is no challenge-response pattern here, this attribute is really
just meant for message correlation. So the entity can literally say "Ah,
this message is in response to the message X, that I sent." Or, put
another way, it's a bit of state for tracking request/response pairs.

It's probably also important to note that this attribute need not even
be present in all response messages (e.g. unsolicited authentication
response).

Now, as Scott said, you can implement some sanity checks that look for
entity A sending entity B a message and specifying an in-response-to
message ID that entity B didn't issue. This probably raises a flag but
honestly it may not.

Frank Cornelis wrote:
> OK, I see. So, if I would like to implement the challenge-response via
> the SAML message ID I probably would have to extend the
> SAMLMessageContext with an 'expectedInResponseTo' property?
> Are there any plans to make this challenge-response pattern more
> explicit in the opensaml library?
>
>
> Regards,
> Frank.
>
> On Wed, 2007-08-29 at 09:51 -0400, Chad La Joie wrote:
>> Probably not. The security policy rules are meant to be stateless so
>> that they can be used over many messages. Storing the InResponseTo in
>> the rule represents state and wouldn't allow you to use the rule across
>> messages (as the message ID you're responding to would change).
>>
>> Frank Cornelis wrote:
>>> Hi,
>>>
>>>
>>> Is it possible to add a security policy rule that checks for the
>>> correctness of the InResponseTo field?
>>>
>>>
>>> Regards,
>>> Frank.
>>>
>>>
>>> import org.apache.log4j.Logger;
>>> import org.opensaml.common.SAMLObject;
>>> import org.opensaml.common.binding.SAMLMessageContext;
>>> import org.opensaml.saml2.core.StatusResponseType;
>>> import org.opensaml.ws.message.MessageContext;
>>> import org.opensaml.ws.security.SecurityPolicyException;
>>> import org.opensaml.ws.security.SecurityPolicyRule;
>>>
>>> /**
>>>  * Security policy rule that checks whether the response is indeed in
>>>  * response to a previous request.
>>>  */
>>> public class InResponseToRule implements SecurityPolicyRule {
>>>
>>>     private static Logger log = Logger.getLogger(InResponseToRule.class);
>>>
>>>     /** ID of the request this rule expects the inbound response to answer. */
>>>     private final String expectedInResponseTo;
>>>
>>>     public InResponseToRule(String expectedInResponseTo) {
>>>         this.expectedInResponseTo = expectedInResponseTo;
>>>     }
>>>
>>>     public void evaluate(MessageContext messageContext)
>>>             throws SecurityPolicyException {
>>>         if (!(messageContext instanceof SAMLMessageContext)) {
>>>             log.debug("Invalid message context type, "
>>>                     + "this policy rule only supports SAMLMessageContext");
>>>             return;
>>>         }
>>>         SAMLMessageContext samlMsgCtx = (SAMLMessageContext) messageContext;
>>>
>>>         SAMLObject samlMsg = samlMsgCtx.getInboundSAMLMessage();
>>>         if (samlMsg == null) {
>>>             log.error("Message context did not contain inbound SAML message");
>>>             throw new SecurityPolicyException(
>>>                     "Message context did not contain inbound SAML message");
>>>         }
>>>         // Only status responses (Response, LogoutResponse, ...) carry InResponseTo.
>>>         if (samlMsg instanceof StatusResponseType) {
>>>             StatusResponseType statusResponse = (StatusResponseType) samlMsg;
>>>             String actualInResponseTo = statusResponse.getInResponseTo();
>>>             if (!expectedInResponseTo.equals(actualInResponseTo)) {
>>>                 throw new SecurityPolicyException(
>>>                         "Response not in response to " + expectedInResponseTo
>>>                         + " but to " + actualInResponseTo);
>>>             }
>>>         }
>>>     }
>>> }

--
Chad La Joie 2052-C Harris Bldg
OIS-Middleware 202.687.0124
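Added example, not part of this thread and not OpenSAML code: the "sanity check" Chad describes above, done as stateful correlation outside the (stateless) security policy rule. A service provider records the ID and target IdP of every AuthnRequest it sends; when a samlp:Response arrives, its InResponseTo must match an outstanding, unexpired request, the Issuer must be the IdP that request went to, and the ID is consumed so a replayed response fails. A Response with no InResponseTo is treated as unsolicited and is accepted only if the deployment opts in, matching the point that the attribute need not be present. The XML below is constructed for the demonstration; the class, method and entity-ID names are assumptions of this example, and it presumes signature and binding checks have already been done elsewhere.

```python
"""Stateful InResponseTo correlation for SAML 2.0 responses (constructed example).

This is not an OpenSAML SecurityPolicyRule; it is the request/response
bookkeeping a service provider keeps so that a Response can be tied to a
request it actually issued. Signature and binding validation are assumed
to have happened before this check runs.
"""
import time
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


class CorrelationError(Exception):
    """A Response could not be tied to a request this SP issued."""


class RequestCorrelator:
    def __init__(self, ttl_seconds=300, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock  # injectable for testing; defaults to wall clock
        self._pending = {}   # request ID -> (issued_at, idp_entity_id)

    def record_request(self, request_id, idp_entity_id):
        """Call when an AuthnRequest is sent: remember its ID and target IdP."""
        self._purge()
        self._pending[request_id] = (self._clock(), idp_entity_id)

    def outstanding(self):
        """IDs of unexpired requests that have not yet been answered."""
        self._purge()
        return set(self._pending)

    def _purge(self):
        now = self._clock()
        for rid, (issued_at, _) in list(self._pending.items()):
            if now - issued_at > self._ttl:
                del self._pending[rid]

    def check_response(self, response_xml, allow_unsolicited=False):
        """Return "correlated" or "unsolicited"; raise CorrelationError otherwise."""
        root = ET.fromstring(response_xml)
        if root.tag != "{%s}Response" % SAMLP:
            raise CorrelationError("not a samlp:Response: %s" % root.tag)
        issuer_el = root.find("{%s}Issuer" % SAML)
        issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else None
        in_response_to = root.get("InResponseTo")

        if in_response_to is None:
            # IdP-initiated SSO: nothing to correlate against.
            if allow_unsolicited:
                return "unsolicited"
            raise CorrelationError("no InResponseTo and unsolicited responses are disabled")

        self._purge()
        # pop() makes the ID single-use: a replayed Response finds nothing to match.
        entry = self._pending.pop(in_response_to, None)
        if entry is None:
            raise CorrelationError("InResponseTo %r matches no outstanding request" % in_response_to)
        _, expected_idp = entry
        if issuer != expected_idp:
            raise CorrelationError("response from %r answers a request sent to %r" % (issuer, expected_idp))
        return "correlated"


def make_response(issuer, in_response_to=None):
    """Build a minimal constructed samlp:Response (no signature) for the demo."""
    attr = ' InResponseTo="%s"' % in_response_to if in_response_to else ""
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_resp1" Version="2.0"%s '
        'IssueInstant="2007-08-30T11:42:37Z">'
        '<saml:Issuer>%s</saml:Issuer>'
        '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        '</samlp:Response>' % (SAMLP, SAML, attr, issuer)
    )


if __name__ == "__main__":
    idp = "https://idp.example.org/idp"  # assumed entityID for the demo
    c = RequestCorrelator()
    c.record_request("_req1", idp)
    print(c.check_response(make_response(idp, "_req1")))  # correlated
    try:
        c.check_response(make_response(idp, "_req1"))     # replay: ID already consumed
    except CorrelationError as e:
        print("rejected:", e)
```

The store is per-SP state, which is exactly why this does not belong in a stateless policy rule: the rule would need the expected ID for each message, whereas the correlator is consulted once per inbound Response with whatever IDs happen to be outstanding. In a clustered deployment the pending map has to live somewhere shared (or the request ID must be bound to the user's session) or a response can land on a node that never saw the request.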


