Monday, June 11, 2007

The new Replay Detection module comes with Rampart/C

Rampart/C has taken another step forward by introducing replay detection for Axis2/C users. The replay detection module ships with Rampart/C and acts on behalf of the deployed services; enabling it is just a matter of adding one more line to the policy configuration. If an attacker tries to replay a message, the module detects it and sends a SOAP fault back.
By default the RD (Replay Detection) module is turned OFF. All you have to do to turn it ON is to add the
<rampc:ReplayDetection>N</rampc:ReplayDetection>
policy assertion to the descriptor file where you've defined your policies. Here N is the number of records that must be kept in memory. The greater the value of N, the greater the chance of detecting a replay (at the cost of more memory :)).
Rampart/C keeps records of messages in a list and processes them on arrival of a new message. A record is the concatenation of the message ID (wsa:msg-id) and the value of the timestamp.

RECORD_ID = MSG-ID+TIMESTAMP
The message ID is taken to be unique to a particular message. For this, the user needs to have the addressing module engaged (it comes with Axis2/C). This is NOT a MUST but is the RECOMMENDED approach. One can survive with only the timestamp, but shouldn't forget the chance of generating two messages at the same time, which would definitely make them look suspicious as a replay.
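To make the record list concrete, here is an added example (written for this post, not Rampart/C's own implementation) of a fixed-size replay cache: each record is the message ID concatenated with the timestamp, at most N records are kept and the oldest is overwritten. The main uses a deliberately small N so one record ages out, and passing NULL as the message ID models running without the addressing module (timestamp-only mode).

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Added example, not Rampart/C code: a bounded replay-detection cache modelling
   the behaviour described above. RECORD_ID = MSG-ID + TIMESTAMP; at most N
   records are kept and the oldest is overwritten when the list is full. */
#define MAX_RECORDS 64
#define RECORD_LEN  128

typedef struct {
    char records[MAX_RECORDS][RECORD_LEN];
    int  capacity;   /* N from the ReplayDetection assertion */
    int  count;      /* records currently held */
    int  next;       /* ring slot to overwrite next */
} rd_cache_t;

void rd_init(rd_cache_t *c, int n) {
    memset(c, 0, sizeof *c);
    c->capacity = n > MAX_RECORDS ? MAX_RECORDS : (n < 1 ? 1 : n);
}

/* Returns true if the message is a replay (the service should answer with a
   SOAP fault), false if it is new, in which case its record is stored.
   msg_id may be NULL when the addressing module is not engaged, which is the
   timestamp-only mode the post warns about. */
bool rd_check(rd_cache_t *c, const char *msg_id, const char *ts) {
    char rec[RECORD_LEN];
    snprintf(rec, sizeof rec, "%s%s", msg_id ? msg_id : "", ts);
    for (int i = 0; i < c->count; i++)
        if (strcmp(c->records[i], rec) == 0)
            return true;                          /* seen before */
    strncpy(c->records[c->next], rec, RECORD_LEN - 1);
    c->records[c->next][RECORD_LEN - 1] = '\0';
    c->next = (c->next + 1) % c->capacity;
    if (c->count < c->capacity) c->count++;
    return false;
}

int main(void) {
    rd_cache_t c;
    rd_init(&c, 2);                               /* small N to show eviction */
    printf("%d\n", rd_check(&c, "urn:uuid:1", "2007-06-11T10:00:00Z"));  /* 0 */
    printf("%d\n", rd_check(&c, "urn:uuid:1", "2007-06-11T10:00:00Z"));  /* 1 */
    printf("%d\n", rd_check(&c, "urn:uuid:2", "2007-06-11T10:00:01Z"));  /* 0 */
    printf("%d\n", rd_check(&c, "urn:uuid:3", "2007-06-11T10:00:02Z"));  /* 0, evicts uuid:1 */
    printf("%d\n", rd_check(&c, "urn:uuid:1", "2007-06-11T10:00:00Z"));  /* 0, aged out */
    return 0;
}
```

The last call shows why a small N weakens detection: the original record has already been overwritten, so the replayed message is accepted again.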
You can find a sample scenario here: http://svn.apache.org/repos/asf/webservices/rampart/trunk/c/samples/secpolicy/scenario6
Cheers...