axis-java-dev mailing list archives

From "Nathan Clement (JIRA)" <>
Subject [jira] [Created] (RAMPART-401) Reject stale UsernameToken/Created values
Date Mon, 18 Mar 2013 04:46:15 GMT
Nathan Clement created RAMPART-401:

             Summary: Reject stale UsernameToken/Created values
                 Key: RAMPART-401
             Project: Rampart
          Issue Type: Improvement
    Affects Versions: 1.6.2
            Reporter: Nathan Clement
         Attachments: check_username_token_timestamp.patch

The WS-Security UsernameToken Profile says the following about the UsernameToken/Created element:

It is RECOMMENDED that web service producers provide a timestamp “freshness” limitation,
and that any UsernameToken with “stale” timestamps be rejected. As a guideline, a value
of five minutes can be used as a minimum to detect, and thus reject, replays.

Please add support to Rampart for rejecting stale timestamps in the UsernameToken.

Attached is a patch that implements this feature in the PolicyBasedResultsValidator, although
I don't know if that's the right place for it.

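The freshness check that the quoted profile text recommends, as an added example; it is not the attached patch and not Rampart code. The class name, the 60-second tolerance for sender clocks running ahead, and the sample timestamps are assumptions, and it uses java.time (Java 8 or later).

```java
import java.time.Duration;
import java.time.Instant;
import java.time.OffsetDateTime;
import java.time.format.DateTimeParseException;

public class UsernameTokenFreshness {
    // Five minutes is the guideline value from the UsernameToken Profile text quoted above.
    static final Duration MAX_AGE = Duration.ofMinutes(5);
    // Assumed tolerance for a sender clock that runs ahead of the receiver.
    static final Duration FUTURE_SKEW = Duration.ofSeconds(60);

    /** True only if created parses and lies within [now - MAX_AGE, now + FUTURE_SKEW]. */
    static boolean isFresh(String created, Instant now) {
        if (created == null || created.trim().isEmpty()) {
            return false; // no Created value: freshness cannot be established
        }
        Instant ts;
        try {
            // Created is an xsd:dateTime; require an explicit zone ("Z" or an offset).
            ts = OffsetDateTime.parse(created.trim()).toInstant();
        } catch (DateTimeParseException e) {
            return false; // malformed or zone-less timestamp
        }
        if (ts.isAfter(now.plus(FUTURE_SKEW))) {
            return false; // dated in the future beyond the allowed skew
        }
        return !ts.isBefore(now.minus(MAX_AGE)); // stale once older than MAX_AGE
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2013-03-18T04:46:15Z"); // constructed receive time
        String[] samples = { // constructed Created values
            "2013-03-18T04:44:00Z",      // 2m15s old
            "2013-03-18T04:41:15.000Z",  // exactly 5m old (boundary), fractional seconds
            "2013-03-18T04:30:00Z",      // about 16m old
            "2013-03-18T14:45:00+10:00", // offset form of 04:45:00Z
            "2013-03-18T05:00:00Z",      // about 14m in the future
            "2013-03-18T04:45:00",       // no zone designator
        };
        for (String s : samples) {
            System.out.println(s + " -> " + (isFresh(s, now) ? "accept" : "reject"));
        }
    }
}
```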