Introduction
Organisations may have set up a Web server portal page with an HTML form that POSTs the user's credentials to the Identity Server (IDP) login page (see 'Customizing the Identity Server Login Page' under section '3.6 Managing Direct Access to the Identity Server'), as opposed to having the Access Gateway redirect users to the IDP server login page when they try to access protected resources.
The HTML <form> tag on this page will look something like the following form, where the user's credentials are submitted to the IDP login page (the action attribute) and the user is redirected to a target URL after successfully authenticating.
<form method="post" action="https://idp126.lab.novell.com:8443/nidp/app/plogin?id=CustomLoginContract&forceAuth=true">
  <p>
    <strong>Please enter user ID and password:</strong>
    <br>
    <strong>User ID</strong>
    <input type="text" size="20" name="Ecom_User_ID">
    <strong>Password</strong>
    <input type="password" size="20" name="Ecom_Password">
    <input type="hidden" name="target" value="http://www.novell.com/">
  </p>
  <p>
    <strong>And then click this button:</strong>
    <input type="submit" name="login" value="Login">
  </p>
</form>
This works fine: when the user enters their credentials, the IDP server validates them and redirects the user to the target page.
Problem Definition
The problem, however, is that the Administrator is concerned that an attacker could alter the target field so that users are asked for their credentials on the legitimate login page and then redirected elsewhere. Consider the following use case:
- The user clicks on a URL (for example a link in a phishing or spam email, or on a website) whose target parameter points to a non-trusted provider.
- The user is taken to the valid IDP login page for the .novell.com domain and authenticates to the IDP. (The user believes the link is legitimate, since it led to a known URL with the familiar logo and the credentials worked.)
- The user is then forwarded to the non-trusted service provider defined by the target parameter. (The user still believes this is a trusted application from novell.com.)
- The user is now at www.nontrustedprovider.com and may enter any information that the website asks for, believing it to be a trusted website.
Solution
To avoid this issue, the Administrator needs to be able to define a whitelist on the IDP server of the target domains that users may be redirected to. To do this, the changes below must be added to the top.jsp file (in the /opt/novell/nids/lib/webapp/jsp/ directory on Linux). With these modifications, the Administrator can define the trusted domains and redirect any request whose target is not in that list to a pre-defined URL (/nidp/app/logout in the case below).
The exact changes to the top.jsp page are as follows:
- Add the trusted target domains at the top of the file, before the existing 'import="java.net.URL"' line:
<%! public static String m_TargetDomains[] = { ".novell.com", ".innerweb.novell.com", ".google.com" }; %>
<%@ page import="java.net.URL" %>
- Add the following logic to the JSP page after the existing UIHandler line. This code takes the target URL received from the form and compares its host against the trusted m_TargetDomains configured at the top of the file. In the case above, if the target domain does not match the .novell.com, .innerweb.novell.com or .google.com domains, the user is redirected to the logout URL of the IDP server. You can change that URL to anything you want.
<%
    UIHandler uh = new UIHandler(request,response);

    // Target URL supplied by the login form. Validate its host against the
    // trusted domain list before it is used for the post-authentication redirect.
    String url = (String) request.getAttribute("url");
    boolean validTarget = false;
    if (url != null) {
        try {
            URL u = new URL(url);
            String domain = u.getHost().toLowerCase();
            for (int i = 0; i < m_TargetDomains.length; i++) {
                // The leading dot in the list means only sub-domains match,
                // so a host such as "evilnovell.com" is not accepted.
                if (domain.endsWith(m_TargetDomains[i])) {
                    validTarget = true;
                    break;
                }
            }
        } catch (java.net.MalformedURLException e) {
            // Relative or unparsable target: treat it as untrusted rather than failing the page.
        }
    }
    if (!validTarget) {
        //Log this?
        url = "/nidp/app/logout";
    }
%>
If a user authenticates and the target parameter is part of the .novell.com, .innerweb.novell.com or .google.com domains, the user will be redirected to that target. If the user authenticates and the target parameter is part of another domain, the user will be automatically logged out of the IDP server.
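As an added example (not part of the original article and not Access Manager product code), the following stand-alone Java class reproduces the same suffix check outside the JSP so it can be run against sample targets. The class name, the isTrustedTarget and resolveTarget methods and the sample URLs are assumptions for illustration; the domain list and the logout fallback are taken from the article. It goes slightly beyond the JSP snippet by also rejecting targets that are not absolute http/https URLs (a relative path, a javascript: URL or a null target), which java.net.URL would otherwise reject with an exception or which a host-only check would not cover.

```java
import java.net.MalformedURLException;
import java.net.URL;

/**
 * Stand-alone demonstration of the target-domain whitelist used in the top.jsp
 * modification. Added example; not part of the article or the product code.
 */
public class TargetCheck {

    // Same list as the article's m_TargetDomains. The leading dot means only
    // sub-domains match: "www.novell.com" passes, "evilnovell.com" does not.
    static final String[] TARGET_DOMAINS = { ".novell.com", ".innerweb.novell.com", ".google.com" };

    // Where untrusted targets are sent instead (the article's choice).
    static final String FALLBACK_URL = "/nidp/app/logout";

    /**
     * Returns true only when target is an absolute http or https URL whose host
     * ends with one of the trusted suffixes. Everything else (null, empty,
     * relative path, unknown scheme, unparsable URL) is treated as untrusted.
     */
    static boolean isTrustedTarget(String target) {
        if (target == null || target.trim().isEmpty()) {
            return false;
        }
        URL u;
        try {
            u = new URL(target.trim());
        } catch (MalformedURLException e) {
            // Relative paths ("/foo") and unknown schemes ("javascript:") land here.
            return false;
        }
        // Restrict to web schemes; java.net.URL also accepts file:, ftp:, mailto: etc.
        String scheme = u.getProtocol().toLowerCase();
        if (!scheme.equals("http") && !scheme.equals("https")) {
            return false;
        }
        // getHost() strips user-info, so "http://www.novell.com@evil.example/" yields "evil.example".
        String host = u.getHost();
        if (host == null || host.isEmpty()) {
            return false;
        }
        host = host.toLowerCase();
        for (String suffix : TARGET_DOMAINS) {
            if (host.endsWith(suffix)) {
                return true;
            }
        }
        return false;
    }

    /** The URL the user would actually be sent to after authentication. */
    static String resolveTarget(String target) {
        return isTrustedTarget(target) ? target : FALLBACK_URL;
    }

    public static void main(String[] args) {
        // Constructed sample targets with hypothetical hosts: the first two pass, the rest fall back.
        String[] samples = {
            "http://www.novell.com/",
            "HTTPS://Docs.Google.COM:443/x",
            "http://evilnovell.com/",                // no dot before novell.com
            "http://www.novell.com.evil.example/",   // trusted name used as a sub-domain of another host
            "http://www.novell.com@evil.example/",   // user-info in the authority
            "http://novell.com/",                    // bare apex is not in the dotted list either
            "/nidp/app/logout",                      // relative path: not an absolute URL
            "javascript:alert(1)",                   // unknown scheme
            null,
        };
        for (String s : samples) {
            System.out.printf("%-40s -> %s%n", s, resolveTarget(s));
        }
    }
}
```

Compile and run with javac TargetCheck.java && java TargetCheck; each sample is printed next to the URL the user would be redirected to. Note that because every entry in the list starts with a dot, the bare apex host novell.com is rejected along with evilnovell.com; if the apex should be allowed it needs its own explicit comparison.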
A copy of the sample top.jsp page is included.
Attachment | Size |
---|---|
top.zip | 777 bytes |