MessageFlow Rule
Identified by type="MessageFlow", this rule enforces replay detection and freshness requirements to prevent replay attacks, along with optional message correlation enforcement.
Attributes
Name | Type | Default | Description |
---|---|---|---|
checkCorrelation (3.1+) | boolean | false | Enables request/response correlation checking based on use of a cookie to track request IDs, subsequently recovered to compare to the InResponseTo attribute in a response |
blockUnsolicited (3.1+) | boolean | false | Enables the checkCorrelation option and adds rejection of any message with an empty InResponseTo attribute |
checkReplay | boolean | true | Enables or disables use of a replay cache to prevent replay attacks. Do not turn off in production. |
expires | time in seconds | 180 | Maximum time permitted between a message's timestamp and when it can be processed. Bounds the size of the replay cache. |
Example
<PolicyRule type="MessageFlow" checkReplay="true" expires="60"/>
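The checks the table describes, as an added illustration that is not Shibboleth SP code: a replay cache whose entries live only as long as the expires window (which is why expires bounds its size), the freshness test, and the optional correlation checks. The message dictionary layout, the outstanding_ids stand-in for the request IDs kept in the correlation cookie, and all sample values are assumptions.

```python
class ReplayCache:
    """Replay cache whose entries live only as long as the freshness window.

    Once a message's timestamp is older than `expires`, the freshness check
    rejects it anyway, so the cache may forget the ID: `expires` bounds the
    cache size.
    """
    def __init__(self, expires):
        self.expires = expires
        self._seen = {}  # message ID -> time at which the entry may be dropped

    def check(self, msg_id, now):
        """Return True if msg_id is new (and record it), False if it is a replay."""
        for mid in [m for m, t in self._seen.items() if t <= now]:
            del self._seen[mid]
        if msg_id in self._seen:
            return False
        self._seen[msg_id] = now + self.expires
        return True


def evaluate_message_flow(msg, now, cache, expires=180, check_replay=True,
                          check_correlation=False, block_unsolicited=False,
                          outstanding_ids=()):
    """Apply the MessageFlow checks to one message; returns (accepted, reason).

    msg is an assumed dict with 'id', 'issue_instant' (epoch seconds) and an
    optional 'in_response_to'. outstanding_ids stands in for the request IDs
    the SP recovered from its correlation cookie (assumption).
    """
    if abs(now - msg["issue_instant"]) > expires:
        return False, "stale: timestamp outside the %ds freshness window" % expires
    in_resp = msg.get("in_response_to", "")
    if block_unsolicited:
        check_correlation = True  # blockUnsolicited implies checkCorrelation
        if not in_resp:
            return False, "unsolicited: empty InResponseTo"
    if check_correlation and in_resp and in_resp not in outstanding_ids:
        return False, "correlation: InResponseTo matches no outstanding request"
    # Record the ID only for messages that passed every other check.
    if check_replay and not cache.check(msg["id"], now):
        return False, "replay: message ID already seen"
    return True, "ok"


if __name__ == "__main__":
    cache = ReplayCache(60)  # expires="60", as in the example rule above
    resp = {"id": "_r1", "issue_instant": 1000, "in_response_to": "_q1"}
    print(evaluate_message_flow(resp, 1010, cache, expires=60, outstanding_ids=["_q1"]))
    print(evaluate_message_flow(resp, 1020, cache, expires=60, outstanding_ids=["_q1"]))
```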