axis-java-dev mailing list archives

From Ruchith Fernando
Subject Re: Rampart: UsernameToken with stale timestamps
Date Tue, 05 Mar 2013 16:14:55 GMT
Hi Nathan,

I believe we already have this in Rampart.
Please see:


On Tue, Mar 5, 2013 at 1:22 AM, Nathan Clement wrote:
> Hi,
> I was wondering if there is any code in Rampart (or WSS4J) that rejects
> stale timestamps in UsernameToken elements?  The WS-Security UsernameToken
> Profile says the following:
> It is RECOMMENDED that web service producers provide a timestamp “freshness”
> limitation, and that any UsernameToken with “stale” timestamps be rejected.
> As a guideline, a value of five minutes can be used as a minimum to detect,
> and thus reject, replays.
> If there's nothing existing to implement this recommendation, I can write a
> patch to implement this.  I thought this could be done in RampartEngine
> after the "nonceLifeTimeInSeconds" is checked.  I could use the same timeout
> period and reject any request with a Created timestamp older than this
> value.  Is that the best place to implement this feature?
> Thanks,
> Nathan
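
The freshness rule discussed in this thread, as an added sketch that is not part of either message and is not Rampart's or WSS4J's code. The class, method names and the 60-second future-skew tolerance are assumptions; it uses one window for both the Created check and nonce retention, which is what makes evicting old nonces safe.

```java
import java.time.Duration;
import java.time.Instant;
import java.time.OffsetDateTime;
import java.time.format.DateTimeParseException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Illustrative only: not Rampart's or WSS4J's code; all names are hypothetical. */
public class UsernameTokenFreshness {
    private final Duration maxAge;      // freshness window, e.g. the profile's five-minute guideline
    private final Duration futureSkew;  // assumed tolerance for sender clocks running ahead
    private final Map<String, Instant> seenNonces = new ConcurrentHashMap<>();

    public UsernameTokenFreshness(Duration maxAge, Duration futureSkew) {
        this.maxAge = maxAge;
        this.futureSkew = futureSkew;
    }

    /** Returns null when the token is accepted, otherwise the reason for rejection. */
    public String reject(String created, String nonce, Instant now) {
        if (created == null || nonce == null) return "missing Created or Nonce";
        Instant createdAt;
        try {
            // wsu:Created is an xsd:dateTime such as 2013-03-05T16:12:00Z
            createdAt = OffsetDateTime.parse(created.trim()).toInstant();
        } catch (DateTimeParseException e) {
            return "unparseable Created";
        }
        if (createdAt.isBefore(now.minus(maxAge))) return "stale Created";
        if (createdAt.isAfter(now.plus(futureSkew))) return "Created in the future";
        // A nonce may be forgotten once its token would be rejected as stale anyway.
        seenNonces.values().removeIf(expiry -> expiry.isBefore(now));
        Instant expiry = createdAt.plus(maxAge);
        if (seenNonces.putIfAbsent(nonce, expiry) != null) return "replayed Nonce";
        return null;
    }

    public static void main(String[] args) {
        UsernameTokenFreshness check =
            new UsernameTokenFreshness(Duration.ofMinutes(5), Duration.ofSeconds(60));
        Instant now = Instant.parse("2013-03-05T16:14:55Z");   // constructed sample values
        System.out.println(check.reject("2013-03-05T16:12:00Z", "n1", now)); // fresh token
        System.out.println(check.reject("2013-03-05T16:12:00Z", "n1", now)); // same nonce again
        System.out.println(check.reject("2013-03-05T01:22:00Z", "n2", now)); // Created hours old
    }
}
```

Without the stale-Created check, a captured token could be replayed as soon as its nonce aged out of the cache.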

