axis-java-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Hasini Gunasinghe (Created) (JIRA)" <j...@apache.org>
Subject [jira] [Created] (RAMPART-357) Timestamp verification handled at two locations in different ways
Date Mon, 06 Feb 2012 07:53:59 GMT
Timestamp verification handled at two locations in different ways
-----------------------------------------------------------------

                 Key: RAMPART-357
                 URL: https://issues.apache.org/jira/browse/RAMPART-357
             Project: Rampart
          Issue Type: Bug
            Reporter: Hasini Gunasinghe


Currently, when verifying timestamp, 'Expired' is verified in WSS4J level if timestampStrict
enabled.
'Created' is verified in PolicyBasedResultsValidator.

timestampMaxSkew is taken into consideration only when verifying 'Created' in timestamp inside
PolicyBasedResultsValidator.

IMO, both 'Expired' and 'Created' should be verified in PolicyBasedResultsValidator in a consistent
way, taking timestampMaxSkew into consideration in both the occasions.

Hence the proposed solution is like below:
-Disable timestampStrict in WSConfig by default through Rampart. 
-Verify both 'Expired' and 'Created' in PolicyBasedResultsValidator.
-Allow to enable verification at WSS4J level through rampart config, if someone needs it.


--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org


Mime
View raw message