B.2 XML Elements - Novell Identity Manager 3.6.1 Manual Task Service Driver Implementation Manual


Data items are protected by encrypting the original values and placing the encrypted values into a
URL query string. When the Publisher channel Web server receives the encrypted values, it decrypts
them and compares them against the unencrypted data items supplied in the HTTP GET or POST
request.
If a data item appears in the encrypted data, then the unencrypted value supplied for that item must
match one of the encrypted values for it. If the unencrypted value does not match any of the
encrypted values, the Publisher channel Web server rejects the HTTP request.
In addition, any HTTP POST request that does not contain protected data is rejected.
Example
In an HTTP POST request, the Publisher channel Web server uses the unencrypted POST data
named responder-dn to check the password supplied by the POST data. This is done to authenticate
the responding user against the user's eDirectory object.
Suppose the Subscriber channel <url-query> element content specifies two data items as follows:
<item name="responder-dn" protect="yes">\PERIN-TAO\novell\phb</item>
<item name="responder-dn" protect="yes">\PERIN-TAO\novell\carol</item>
The URL generated by the Subscriber channel will contain both responder-dn values in the
protected data.
Suppose a malicious user obtains the URL that is generated and sent in an e-mail message. The
malicious user uses the URL to obtain the HTML form that allows users to change data for an
eDirectory object.
In the HTTP POST request that is submitted to the Web server, the malicious user uses his
eDirectory DN (responder-dn=\PERIN-TAO\novell\wally) as the unencrypted responder-dn value.
The malicious user also submits his own password in the POST data so that the authentication that
the Web server performs will succeed.
However, when the Publisher channel Web server receives the HTTP POST data, it fails to find
"\PERIN-TAO\novell\wally" in the encrypted protected data and rejects the POST request.
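The check described in this example, modelled as added example code (not the driver's own implementation): the Subscriber side encrypts the two responder-dn items into query parameters, and the Publisher side decrypts them and accepts a POST only if its unencrypted responder-dn is one of them. The cipher, the key, and the "p-" parameter naming are constructed placeholders, since the page does not describe the driver's actual encryption or URL format.

```python
import hashlib
import os
from urllib.parse import parse_qs, urlencode

# Constructed placeholder key. The page does not describe the driver's cipher or
# key handling, so a SHA-256 keyed keystream (XOR) stands in for "encryption" here.
KEY = b"constructed-demo-key"

def _keystream(nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(KEY + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def protect(value: str) -> str:
    """Subscriber side: encrypt one data item value for the URL query string."""
    nonce = os.urandom(8)
    raw = value.encode()
    return (nonce + bytes(a ^ b for a, b in zip(raw, _keystream(nonce, len(raw))))).hex()

def unprotect(token: str) -> str:
    """Publisher side: recover the original value from a protected token."""
    blob = bytes.fromhex(token)
    nonce, ct = blob[:8], blob[8:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(nonce, len(ct)))).decode()

def build_query(items: list[tuple[str, str]]) -> str:
    """Turn <url-query> items with protect="yes" into encrypted query parameters.
    The 'p-' prefix is an assumed encoding, not the driver's actual parameter name."""
    return urlencode([("p-" + name, protect(value)) for name, value in items])

def publisher_check(query: str, post: dict[str, str]) -> bool:
    """Publisher channel rule from the page: reject a POST carrying no protected data;
    otherwise every unencrypted POST item must equal one of the decrypted protected
    values of the same name (so responder-dn must be one of the DNs in the URL)."""
    protected: dict[str, set[str]] = {}
    for key, tokens in parse_qs(query).items():
        if key.startswith("p-"):
            protected.setdefault(key[2:], set()).update(unprotect(t) for t in tokens)
    if not protected:
        return False
    return all(post.get(name) in allowed for name, allowed in protected.items())

# The page's example: two responder-dn items in the Subscriber's <url-query>.
SUBSCRIBER_ITEMS = [
    ("responder-dn", r"\PERIN-TAO\novell\phb"),
    ("responder-dn", r"\PERIN-TAO\novell\carol"),
]

if __name__ == "__main__":
    url_query = build_query(SUBSCRIBER_ITEMS)
    print(publisher_check(url_query, {"responder-dn": r"\PERIN-TAO\novell\phb"}))    # True
    print(publisher_check(url_query, {"responder-dn": r"\PERIN-TAO\novell\wally"}))  # False
```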

B.2 XML Elements

The elements that make up a replacement data document are described below. If no XML attributes
are described for an element, then none are allowed.
Section B.2.1, "<replacement-data>," on page 43
Section B.2.2, "<item>," on page 43
Section B.2.3, "<url-data>," on page 45
Section B.2.4, "<url-query>," on page 46
Identity Manager 3.6 Manual Task Service Driver Implementation Guide
