axis-java-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Hasini Gunasinghe (Commented) (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (RAMPART-357) Timestamp verification handled at two locations in different ways
Date Mon, 06 Feb 2012 18:27:59 GMT

    [ https://issues.apache.org/jira/browse/RAMPART-357?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13201445#comment-13201445
] 

Hasini Gunasinghe commented on RAMPART-357:
-------------------------------------------

FYI..

This was a real user requirement where he has written a custom PolicyValidator and wanted
to handle time stamp verification in a consistent manner in that custom PolicyValidator.

When future messages are sent, the verification in his PolicyValidator is hit. But when expired
messages are sent, exception thrown in WSS4J level and there was no way to get the control
of error handling to custom PolicyValidator.

Hence the solution in this patch is proposed.

Thanks,
Hasini.
                
> Timestamp verification handled at two locations in different ways
> -----------------------------------------------------------------
>
>                 Key: RAMPART-357
>                 URL: https://issues.apache.org/jira/browse/RAMPART-357
>             Project: Rampart
>          Issue Type: Bug
>            Reporter: Hasini Gunasinghe
>         Attachments: rampart_357.patch
>
>
> Currently, when verifying timestamp, 'Expired' is verified in WSS4J level if timestampStrict
enabled.
> 'Created' is verified in PolicyBasedResultsValidator.
> timestampMaxSkew is taken into consideration only when verifying 'Created' in timestamp
inside PolicyBasedResultsValidator.
> IMO, both 'Expired' and 'Created' should be verified in PolicyBasedResultsValidator in
a consistent way, taking timestampMaxSkew into consideration in both the occasions.
> Hence the proposed solution is like below:
> -Disable timestampStrict in WSConfig by default through Rampart. 
> -Verify both 'Expired' and 'Created' in PolicyBasedResultsValidator.
> -Allow to enable verification at WSS4J level through rampart config, if someone needs
it.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org


Mime
View raw message