axis-java-dev mailing list archives

From "Nathan Clement (JIRA)" <j...@apache.org>
Subject [jira] [Created] (RAMPART-401) Reject stale UsernameToken/Created values
Date Mon, 18 Mar 2013 04:46:15 GMT
Nathan Clement created RAMPART-401:
--------------------------------------

             Summary: Reject stale UsernameToken/Created values
                 Key: RAMPART-401
                 URL: https://issues.apache.org/jira/browse/RAMPART-401
             Project: Rampart
          Issue Type: Improvement
    Affects Versions: 1.6.2
            Reporter: Nathan Clement
         Attachments: check_username_token_timestamp.patch

The WS-Security UsernameToken Profile says the following about the UsernameToken/Created element:

{quote}
It is RECOMMENDED that web service producers provide a timestamp “freshness” limitation,
and that any UsernameToken with “stale” timestamps be rejected. As a guideline, a value
of five minutes can be used as a minimum to detect, and thus reject, replays.
{quote}

Please add support to Rampart for rejecting stale timestamps in the UsernameToken.

Attached is a patch that implements this feature in the PolicyBasedResultsValidator, although
I don't know if that's the right place for it.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
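
The freshness rule quoted from the UsernameToken Profile, as an added Java example. It is not part of the original message, and it is neither the attached patch nor Rampart code. The class name, the 60-second allowance for clock skew, and the handling of missing or offset-less values are assumptions; the five-minute window is the profile's guideline.

```java
import java.time.Duration;
import java.time.Instant;
import java.time.OffsetDateTime;
import java.time.format.DateTimeParseException;

/** Hypothetical stand-alone check for a UsernameToken Created value. */
public class CreatedFreshnessCheck {

    enum Verdict { FRESH, STALE, FROM_FUTURE, MISSING, MALFORMED }

    static final Duration MAX_AGE = Duration.ofMinutes(5);    // profile guideline
    static final Duration MAX_SKEW = Duration.ofSeconds(60);  // assumed clock-skew allowance

    static Verdict check(String created, Instant now) {
        if (created == null || created.trim().isEmpty()) {
            // Created is optional in the profile; the caller decides whether
            // a token with no timestamp is acceptable (assumed policy: reject).
            return Verdict.MISSING;
        }
        Instant ts;
        try {
            // Created is an xsd:dateTime. A value without a zone offset is
            // ambiguous, so it is left to fail parsing and be rejected.
            ts = OffsetDateTime.parse(created.trim()).toInstant();
        } catch (DateTimeParseException e) {
            return Verdict.MALFORMED;
        }
        // A far-future timestamp would stay "fresh" for an arbitrarily long
        // time, so bound it as well as the past.
        if (ts.isAfter(now.plus(MAX_SKEW))) return Verdict.FROM_FUTURE;
        if (ts.isBefore(now.minus(MAX_AGE))) return Verdict.STALE;
        return Verdict.FRESH;
    }

    public static void main(String[] args) {
        // Constructed sample values, evaluated against a fixed "current time".
        Instant now = Instant.parse("2013-03-18T04:46:15Z");
        String[] samples = {
            "2013-03-18T04:44:15Z",       // two minutes old
            "2013-03-18T15:43:15+11:00",  // three minutes old, non-UTC offset
            "2013-03-18T04:36:15Z",       // ten minutes old
            "2013-03-18T04:56:15Z",       // ten minutes ahead of the server
            "2013-03-18T04:44:15",        // no zone offset
            null                          // element absent
        };
        for (String s : samples) {
            System.out.println(s + " -> " + check(s, now));
        }
    }
}
```

A freshness window only bounds how long a captured token can be replayed; the same profile recommends caching used nonces for at least the length of that window to reject replays inside it.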
