axis-java-dev mailing list archives

From "Nathan Clement (JIRA)" <>
Subject [jira] [Updated] (RAMPART-401) Reject stale UsernameToken/Created values
Date Mon, 18 Mar 2013 04:46:16 GMT


Nathan Clement updated RAMPART-401:

    Attachment: check_username_token_timestamp.patch
> Reject stale UsernameToken/Created values
> -----------------------------------------
>                 Key: RAMPART-401
>                 URL:
>             Project: Rampart
>          Issue Type: Improvement
>    Affects Versions: 1.6.2
>            Reporter: Nathan Clement
>         Attachments: check_username_token_timestamp.patch
> The WS-Security UsernameToken Profile says the following about the UsernameToken/Created
> {quote}
> It is RECOMMENDED that web service producers provide a timestamp “freshness” limitation,
> and that any UsernameToken with “stale” timestamps be rejected. As a guideline, a value
> of five minutes can be used as a minimum to detect, and thus reject, replays.
> {quote}
> Please add support to Rampart for rejecting stale timestamps in the UsernameToken.
> Attached is a patch that implements this feature in the PolicyBasedResultsValidator,
> although I don't know if that's the right place for it.
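
A freshness check of the kind the issue asks for, as an added example that is neither the attached patch nor Rampart code. The class name, the `check` method and the 60-second future-skew allowance are assumptions; the five-minute limit is the guideline value quoted above.

```java
import java.time.Duration;
import java.time.Instant;
import java.time.OffsetDateTime;
import java.time.format.DateTimeParseException;

/** Hypothetical helper; not Rampart's API and not the attached patch. */
public class UsernameTokenFreshness {
    // Five minutes is the guideline value quoted from the UsernameToken Profile.
    static final Duration MAX_AGE = Duration.ofMinutes(5);
    // Assumed tolerance for sender clocks running ahead of the receiver's.
    static final Duration FUTURE_SKEW = Duration.ofSeconds(60);

    /** Returns null if the Created value is fresh, otherwise the rejection reason. */
    static String check(String created, Instant now) {
        if (created == null || created.trim().isEmpty()) {
            return "missing Created"; // without a timestamp, freshness cannot be judged
        }
        Instant ts;
        try {
            // Created is parsed as an xsd:dateTime carrying "Z" or a numeric offset
            ts = OffsetDateTime.parse(created.trim()).toInstant();
        } catch (DateTimeParseException e) {
            return "unparseable Created";
        }
        if (ts.isAfter(now.plus(FUTURE_SKEW))) {
            return "Created is in the future"; // a far-future value would never go stale
        }
        if (ts.isBefore(now.minus(MAX_AGE))) {
            return "stale Created";
        }
        return null;
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2013-03-18T04:46:16Z"); // constructed "current time"
        String[] samples = {                                  // constructed sample values
            "2013-03-18T04:44:00Z",       // 2m16s before now
            "2013-03-18T14:43:00+10:00",  // same instant as 04:43:00Z
            "2013-03-18T04:40:00Z",       // 6m16s before now
            "2013-03-18T05:46:16Z",       // one hour after now
            "18/03/2013 04:46",           // not an xsd:dateTime
            null                          // Created element absent
        };
        for (String s : samples) {
            String reason = check(s, now);
            System.out.println(s + " -> " + (reason == null ? "accepted" : "rejected: " + reason));
        }
    }
}
```

Comparing as `Instant` makes the check independent of the sender's time-zone offset, and the upper bound keeps a far-future Created value from staying valid indefinitely.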
