distill off ABE-rule from log message; intranet application

Discussions about the Application Boundaries Enforcer (ABE) module
Peter0
Posts: 2
Joined: Wed Oct 01, 2014 7:33 am

distill off ABE-rule from log message; intranet application

Post by Peter0 »

I want to use a web application running in the intranet (domain "example", without any top-level domain), which uses OpenID and therefore should work together with xlogon.net. At the start of a session, after entering the OpenID username, NoScript reports in Firefox's browser console:

Code:

    [ABE] <.xlogon.net> Deny on {GET https://my.xlogon.net/server/trust/0/ <<< https://my.xlogon.net/server/, http://example:8008/ - 6}
    USER rule:
    Site .xlogon.net
    Accept from example
    Accept from example:8008
    Accept from .xlogon.net
    Deny

– stating my vain attempt at a rule.

Please give some hints on how to distill suitable rules from the console report. I tried "Accept from LOCAL" – it doesn't work; "Accept from ALL" – it works, but letting everything through from anywhere isn't the goal of ABE, I think.

Compared to the easy-to-update whitelisting, I find managing ABE rules very awkward. In my opinion, when displaying a deny message there should be the possibility to start some kind of assistant that proposes a rule to be inserted into ABE's ruleset.

Thanks – Peter
Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/32.0
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: distill off ABE-rule from log message; intranet applicat

Post by Giorgio Maone »

Hi,

The message suggests that a redirect is happening.
For an Accept action to apply to a redirect, both sites must be listed in the same "Accept ..." clause.
This should work:

Code:

    Site .xlogon.net
    Accept from example .xlogon.net
    Deny

Notice, though, that the rule above is protecting xlogon.net against CSRF, which I'm not sure is exactly what you meant to do.
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
Peter0
Posts: 2
Joined: Wed Oct 01, 2014 7:33 am

Re: distill off ABE-rule from log message; intranet applicat

Post by Peter0 »

Giorgio Maone wrote: … in the same "Accept ..." clause.

Ok; important hint.

Giorgio Maone wrote:

Code:

    Accept from example .xlogon.net

What is the difference to

Code:

    Accept from example SELF

Giorgio Maone wrote: Notice, though, that the rule above is protecting xlogon.net against CSRF, which I'm not sure is exactly what you meant to do.

I thought protecting against CSRF is in general a goal of ABE. I don't understand – what do you want to warn about?

Ciao – Peter
Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/32.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: distill off ABE-rule from log message; intranet applicat

Post by barbaz »

Peter0 wrote:

Giorgio Maone wrote:

Code:

    Accept from example .xlogon.net

What is the difference to

Code:

    Accept from example SELF

SELF matches only the exact "scheme://ho.st:port" of the origin site.
.xlogon.net matches "xlogon.net" and all its subdomains, regardless of scheme and port.
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:32.0) Gecko/20100101 SeaMonkey/2.29.1
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: distill off ABE-rule from log message; intranet applicat

Post by Thrawn »

Peter0 wrote:

Giorgio Maone wrote: Notice, though, that the rule above is protecting xlogon.net against CSRF, which I'm not sure is exactly what you meant to do.

I thought protecting against CSRF is in general a goal of ABE. I don't understand – what do you want to warn about?

I think he meant that your rule is protecting the whole xlogon.net domain – including www.xlogon.net, etc. Probably not what you intended.

You might be better off with

Code:

    Site https://my.xlogon.net

instead.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:32.0) Gecko/20100101 Firefox/32.0
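The three points made in this thread (a redirect is accepted only if every origin in the chain matches the same "Accept from ..." clause; SELF is narrower than .xlogon.net; Site https://my.xlogon.net is narrower than Site .xlogon.net) can be checked against the quoted log line with a small model of ABE evaluation. The following Python is an added example, not NoScript's code: it parses the log line and rulesets quoted above, then evaluates them under a simplified, assumed ABE semantics (first matching Site, first matching clause wins; a clause with "from" patterns applies only when all origins match; LOCAL is modelled as loopback only because real ABE resolves addresses, which cannot be done offline; method filters such as "Accept GET from ..." are not modelled). The rule texts and the expected decisions are constructed from the thread.

```python
"""Simplified model of NoScript ABE rule evaluation.

Added example, not NoScript code. Assumptions (not from the thread):
- a request is (method, url) plus the list of origins printed after "<<<"
  in the ABE log line; for a redirect that list is the whole chain;
- an "Accept from ..." clause applies only if *every* origin matches one of
  its patterns; a bare "Deny"/"Accept" applies unconditionally;
- a Site line matches on the request URL; first matching Site, first
  matching clause wins; no matching rule means the request is allowed;
- LOCAL is modelled as loopback only; method filters are not modelled.
"""
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
LOG_RE = re.compile(r"\{(?P<method>[A-Z]+) (?P<url>\S+) <<< (?P<origins>.+?) - \d+\}")


def parse_log_line(line):
    """Extract (method, request_url, [origins]) from an '[ABE] ... on {...}' line."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not an ABE request log line: %r" % line)
    return m["method"], m["url"], [o.strip() for o in m["origins"].split(",")]


def parse_rules(text):
    """Parse a ruleset into [(site_patterns, [(verb, from_patterns), ...]), ...]."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if tokens[0].lower() == "site":
            rules.append((tokens[1:], []))
        elif tokens[0].lower() in ("accept", "deny") and rules:
            froms = tokens[tokens.index("from") + 1:] if "from" in tokens else []
            rules[-1][1].append((tokens[0].capitalize(), froms))
        else:
            raise ValueError("unsupported line: %r" % raw)
    return rules


def origin_parts(url):
    """(scheme, host, port) of a URL, filling in the scheme's default port."""
    u = urlsplit(url)
    return u.scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(u.scheme)


def matches(pattern, url, request_url):
    """Does one ABE site pattern match url? request_url is needed for SELF."""
    scheme, host, port = origin_parts(url)
    if pattern == "ALL":
        return True
    if pattern == "SELF":                      # exact scheme://host:port of the request
        return (scheme, host, port) == origin_parts(request_url)
    if pattern == "LOCAL":                     # assumption: loopback only
        return host in ("localhost", "127.0.0.1", "::1")
    if "://" in pattern:                       # scheme://host[:port]
        return origin_parts(pattern) == (scheme, host, port)
    if pattern.startswith("."):                # domain and all its subdomains
        dom = pattern[1:].lower()
        return host == dom or host.endswith("." + dom)
    if ":" in pattern:                         # host:port
        phost, pport = pattern.rsplit(":", 1)
        return host == phost.lower() and port == int(pport)
    return host == pattern.lower()             # exact host, any scheme/port


def evaluate(rules, request_url, origins):
    """Return 'Accept' or 'Deny' for a request with the given origin chain."""
    for site_patterns, clauses in rules:
        if not any(matches(p, request_url, request_url) for p in site_patterns):
            continue
        for verb, froms in clauses:
            if not froms:
                return verb
            if all(any(matches(p, o, request_url) for p in froms) for o in origins):
                return verb
    return "Accept"                            # no rule applies: allowed


# Constructed inputs: the log line and rulesets quoted in the thread.
LOG_LINE = ("[ABE] <.xlogon.net> Deny on {GET https://my.xlogon.net/server/trust/0/ "
            "<<< https://my.xlogon.net/server/, http://example:8008/ - 6}")
PETERS_RULE = "Site .xlogon.net\nAccept from example\nAccept from example:8008\nAccept from .xlogon.net\nDeny"
GIORGIOS_RULE = "Site .xlogon.net\nAccept from example .xlogon.net\nDeny"
SELF_RULE = "Site .xlogon.net\nAccept from example SELF\nDeny"
NARROW_RULE = "Site https://my.xlogon.net\nAccept from example .xlogon.net\nDeny"


def decide(rule_text, log_line=LOG_LINE, origins=None):
    """Evaluate a ruleset against the request and origins taken from a log line."""
    _method, url, log_origins = parse_log_line(log_line)
    return evaluate(parse_rules(rule_text), url, origins or log_origins)


if __name__ == "__main__":
    print("Peter's rule  :", decide(PETERS_RULE))     # Deny: no clause covers both origins
    print("Giorgio's rule:", decide(GIORGIOS_RULE))   # Accept
    print("SELF variant  :", decide(SELF_RULE))       # Accept for this chain
    print("SELF vs www   :", decide(SELF_RULE, origins=["https://www.xlogon.net/"]))  # Deny
    print("narrow Site   :", evaluate(parse_rules(NARROW_RULE),
                                      "https://www.xlogon.net/", ["http://attacker.invalid/"]))  # Accept
```

Running it reproduces the logged Deny for the original ruleset and an Accept for the combined clause. The SELF variant also accepts this particular chain, because my.xlogon.net over https:443 is exactly the request's own origin, but it denies once an origin such as https://www.xlogon.net/ enters the chain; and with Site https://my.xlogon.net the rule simply does not apply to www.xlogon.net at all, which is the narrowing Thrawn suggests.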