axis-java-dev mailing list archives

From Ruchith Fernando <ruchith.ferna...@gmail.com>
Subject Re: Rampart: UsernameToken with stale timestamps
Date Tue, 05 Mar 2013 16:14:55 GMT
Hi Nathan,

I believe we already have this in Rampart.
Please see:
http://hasini-gunasinghe.blogspot.com.au/2012_02_01_archive.html

Thanks,
Ruchith

On Tue, Mar 5, 2013 at 1:22 AM, Nathan Clement
<nathan.a.clement@hotmail.com> wrote:
> Hi,
>
> I was wondering if there is any code in Rampart (or WSS4J) that rejects
> stale timestamps in UsernameToken elements?  The WS-Security UsernameToken
> Profile says the following:
>
> It is RECOMMENDED that web service producers provide a timestamp “freshness”
> limitation, and that any UsernameToken with “stale” timestamps be rejected.
> As a guideline, a value of five minutes can be used as a minimum to detect,
> and thus reject, replays.
>
>
> If there's nothing existing to implement this recommendation, I can write a
> patch to implement this.  I thought this could be done in RampartEngine
> after the "nonceLifeTimeInSeconds" is checked.  I could use the same timeout
> period and reject any request with a Created timestamp older than this
> value.  Is that the best place to implement this feature?
>
> Thanks,
>
> Nathan



-- 
http://ruchith.org
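
The freshness check discussed in this thread, as an added example (not code from either poster, and not Rampart or WSS4J code): a Created value older than the window is rejected first, then the nonce is checked against a cache that only has to remember nonces for that same window. The class, method and parameter names and the sample values are assumptions made for illustration.

```java
import java.time.Duration;
import java.time.Instant;
import java.time.format.DateTimeParseException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical freshness and replay check for a UsernameToken; not Rampart or WSS4J code. */
public class UsernameTokenFreshness {
    private final Duration maxAge;      // freshness window, e.g. the same value as the nonce lifetime
    private final Duration futureSkew;  // tolerated clock skew for Created values ahead of our clock
    private final Map<String, Instant> seenNonces = new ConcurrentHashMap<>();

    public UsernameTokenFreshness(Duration maxAge, Duration futureSkew) {
        this.maxAge = maxAge;
        this.futureSkew = futureSkew;
    }

    /** Returns null when the token is acceptable, otherwise the reason for rejecting it. */
    public String check(String nonce, String created, Instant now) {
        if (nonce == null || created == null) return "missing Nonce or Created";
        Instant createdAt;
        try {
            createdAt = Instant.parse(created);   // UTC xsd:dateTime such as 2013-03-05T16:14:55Z
        } catch (DateTimeParseException e) {
            return "unparseable Created";
        }
        if (createdAt.isBefore(now.minus(maxAge))) return "stale Created";
        if (createdAt.isAfter(now.plus(futureSkew))) return "Created in the future";
        // Evict by Created, not by arrival time: once an entry is dropped, a replay
        // carrying the same Created value already fails the stale check above.
        seenNonces.values().removeIf(t -> t.isBefore(now.minus(maxAge)));
        // putIfAbsent is atomic, so two concurrent copies of one token cannot both pass.
        if (seenNonces.putIfAbsent(nonce, createdAt) != null) return "replayed Nonce";
        return null;
    }

    public static void main(String[] args) {
        UsernameTokenFreshness f =
            new UsernameTokenFreshness(Duration.ofMinutes(5), Duration.ofSeconds(60));
        Instant now = Instant.parse("2013-03-05T16:14:55Z");   // constructed sample values
        System.out.println("fresh:  " + f.check("bm9uY2Ux", "2013-03-05T16:13:00Z", now));
        System.out.println("replay: " + f.check("bm9uY2Ux", "2013-03-05T16:13:00Z", now));
        System.out.println("stale:  " + f.check("bm9uY2Uy", "2013-03-05T16:00:00Z", now));
        System.out.println("future: " + f.check("bm9uY2Uz", "2013-03-05T16:30:00Z", now));
    }
}
```

The eviction rule relies on Created being bound to the nonce, as it is when the password digest covers both values.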
