HTTP headers Security

HTTP headers Security

Rife, Brandon
Hello All,

We’ve configured our web agent to inject the UID into an HTTP header. I would like the applications to have the assurance that if that header exists, then the web agent is the one that defined it, regardless of whether the resource is protected or not. Can web agents be configured to strip specific headers passed in by user agents?

Thanks

________________________________

NOTICE: This e-mail and any attachments is intended only for use by the addressee(s) named herein and may contain legally privileged, proprietary or confidential information. If you are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution or copying of this email, and any attachments thereto, is strictly prohibited. If you receive this email in error please immediately notify me via reply email or at (800) 927-9800 and permanently delete the original copy and any copy of any e-mail, and any printout.
_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam
Re: HTTP headers Security

Paul Figura

Hi Brandon,

If the UID is a defined header by the OpenAM agent configuration, the Agent should by default strip it out and replace it with the real version. (Even if the user agent entered something different)

If there are other headers you need to strip out, you can define dummy headers (with null values, or all point to uid), or configure response providers to do something a bit more complex.

However, this kind of security does not encompass tamper prevention in case of a MITM attack between your reverse proxy and your application. That would require application customization (or use of a J2EE agent directly on the app container).

Regards,
Paul Figura
Identity & Access Management Architect
Indigo Consulting Canada
Tel: 514-432-6233
Email: [hidden email]  http://www.indigoconsulting.ca
Re: HTTP headers Security

Rife, Brandon
Thanks, Paul.  I was hoping that the web agent would remove a header set by user agents when the name matched the name that the agent was using for all resources, not just protected resources. It looks as if you can only trust the header on requests for protected resources.
Re: HTTP headers Security

Nicolas Seigneur
You can actually force evaluation, and therefore header overwrite, for all URLs with the following property:

"Fetch Attributes for Not Enforced URLs"

See documentation below:
https://backstage.forgerock.com/#!/docs/openam-web-policy-agents/4/web-users-guide#web-agent-not-enforced-url-properties

Nicolas Seigneur
Indigo Consulting Canada
--
-------------------------------------------------
Nicolas Seigneur
Indigo Technologies Canada, Inc.
mobile: +1.514.965.4890
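A small model of the behaviour discussed in this thread, added here as an example and not OpenAM agent code: an agent that injects a UID header, shown with and without attribute fetching on not-enforced URLs. The header name, not-enforced URL list and session table are assumed values; the hop between reverse proxy and application that Paul mentions is not modelled.

```python
# Added example (not OpenAM code): a minimal model of a web agent that injects
# a UID header, to show why the client-supplied copy of that header must be
# stripped on every URL, not only on enforced ones. Header name, URL list and
# session table are constructed for illustration.

UID_HEADER = "x-openam-uid"          # assumed header name the agent injects
NOT_ENFORCED = {"/public"}           # assumed not-enforced URL list
SESSIONS = {"sess-123": "alice"}     # constructed: session cookie -> uid


def agent(request, fetch_attrs_for_not_enforced):
    """Model of the agent. Returns the headers the application will see,
    or None when the request would be redirected to login.
    request = {"path": str, "headers": dict, "cookie": str or None}"""
    headers = {k.lower(): v for k, v in request["headers"].items()}
    enforced = request["path"] not in NOT_ENFORCED
    uid = SESSIONS.get(request.get("cookie"))
    if enforced and uid is None:
        return None                      # no session on a protected URL
    if enforced or fetch_attrs_for_not_enforced:
        # The agent owns this header: drop whatever the client sent and
        # set it only from the validated session.
        headers.pop(UID_HEADER, None)
        if uid is not None:
            headers[UID_HEADER] = uid
    # Otherwise (not-enforced URL, attribute fetching off) the request
    # passes through untouched, forged header included.
    return headers


def app_sees_uid(request, fetch_attrs_for_not_enforced):
    """What the application behind the agent would read as the user id."""
    headers = agent(request, fetch_attrs_for_not_enforced)
    return None if headers is None else headers.get(UID_HEADER)


# Constructed: anonymous client sends a forged UID header to a not-enforced URL.
FORGED = {"path": "/public", "headers": {"X-OpenAM-UID": "admin"}, "cookie": None}
# Constructed: authenticated client sends a forged header to a protected URL.
AUTHED_FORGED = {"path": "/account", "headers": {"X-OpenAM-UID": "admin"},
                 "cookie": "sess-123"}

if __name__ == "__main__":
    print(app_sees_uid(FORGED, False))         # forged value reaches the app
    print(app_sees_uid(FORGED, True))          # header stripped, app sees None
    print(app_sees_uid(AUTHED_FORGED, False))  # overwritten with session uid
```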