cxf-issues mailing list archives

From "Glen Mazza (JIRA)" <j...@apache.org>
Subject [jira] Created: (CXF-1636) Have WSS4J in/out interceptors require nonces and timestamps when using UsernameTokens?
Date Mon, 09 Jun 2008 04:05:45 GMT
Have WSS4J in/out interceptors require nonces and timestamps when using UsernameTokens?
---------------------------------------------------------------------------------------

                 Key: CXF-1636
                 URL: https://issues.apache.org/jira/browse/CXF-1636
             Project: CXF
          Issue Type: Improvement
            Reporter: Glen Mazza
            Priority: Minor


Our WSS4J In/Out interceptors[1][2] do not appear to be requiring UsernameTokens to have timestamps
and nonces.  From [3], lines 176-190, these are used to prevent replay attacks (i.e., an intruder
just copying the entire soap header, encrypted or not, and reusing it for another request).
 

To fix this problem, this blog sample[4] created a separate interceptor that will reject any
UsernameToken that does not have both a timestamp and a nonce.  Perhaps we should update our
WSS4J in/out interceptors to require both of these, so external users don't need to do this.

A question though--I'm unsure where the nonce-checking is being done--our WSS4J interceptors
seem to be ignoring them, but perhaps WSS4J is doing the checking/validation that they are
not being used more than once.

Glen

[1] http://tinyurl.com/4cgg9b
[2] http://tinyurl.com/48h6an
[3] http://tinyurl.com/65n78j
[4] http://depressedprogrammer.wordpress.com/2007/07/31/cxf-ws-security-using-jsr-181-interceptor-annotations-xfire-migration/

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
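The checks the reporter wants the in/out interceptors to enforce (a UsernameToken without both wsse:Nonce and wsu:Created is rejected, a stale Created is rejected, and a repeated nonce is rejected via a cache) are shown below as an added example in Python rather than Java. This is not CXF or WSS4J code and says nothing about where WSS4J actually performs nonce validation; the class and function names are hypothetical, and the credentials, nonces, timestamps and SOAP envelope are constructed for the example.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"


class ReplayError(Exception):
    """Raised when a UsernameToken fails the freshness, nonce or digest checks."""


def password_digest(nonce: bytes, created: str, password: str) -> str:
    # UsernameToken profile: PasswordDigest = Base64(SHA-1(nonce + created + password))
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()


def parse_created(created: str) -> datetime:
    # wsu:Created is a UTC xsd:dateTime, with or without fractional seconds
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(created, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ReplayError("unparseable wsu:Created: " + created)


def build_envelope(user, password, nonce: bytes, created: str, with_nonce=True) -> str:
    """Constructed client side: a SOAP envelope carrying a digest UsernameToken."""
    nonce_xml = ("<wsse:Nonce>%s</wsse:Nonce>" % base64.b64encode(nonce).decode()) if with_nonce else ""
    return (
        f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Header>'
        f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><wsse:UsernameToken>'
        f"<wsse:Username>{user}</wsse:Username>"
        f'<wsse:Password Type="{DIGEST_TYPE}">{password_digest(nonce, created, password)}</wsse:Password>'
        f"{nonce_xml}<wsu:Created>{created}</wsu:Created>"
        "</wsse:UsernameToken></wsse:Security></soap:Header><soap:Body/></soap:Envelope>"
    )


class UsernameTokenValidator:
    """Hypothetical server side: require nonce + Created, enforce a time window, cache nonces."""

    def __init__(self, passwords: dict, max_skew: timedelta = timedelta(minutes=5)):
        self.passwords = passwords
        self.max_skew = max_skew
        self.seen = {}  # nonce bytes -> time after which the entry may be dropped

    def validate(self, envelope: str, now: datetime) -> str:
        root = ET.fromstring(envelope)
        token = root.find(f".//{{{WSSE}}}UsernameToken")
        if token is None:
            raise ReplayError("no UsernameToken in wsse:Security header")
        user = token.findtext(f"{{{WSSE}}}Username") or ""
        pw = token.find(f"{{{WSSE}}}Password")
        nonce_el = token.find(f"{{{WSSE}}}Nonce")
        created = token.findtext(f"{{{WSU}}}Created")
        # 1. Both anti-replay elements are mandatory, not optional.
        if nonce_el is None or not nonce_el.text or not created:
            raise ReplayError("UsernameToken must carry both wsse:Nonce and wsu:Created")
        if pw is None or pw.get("Type") != DIGEST_TYPE:
            raise ReplayError("only PasswordDigest tokens are accepted")
        # 2. Created must lie within the freshness window around server time.
        if abs(now - parse_created(created)) > self.max_skew:
            raise ReplayError("wsu:Created outside the +/-%s window" % self.max_skew)
        # 3. Nonce cache: forget entries the timestamp check would reject anyway, then refuse reuse.
        self.seen = {n: exp for n, exp in self.seen.items() if exp > now}
        nonce = base64.b64decode(nonce_el.text)
        if nonce in self.seen:
            raise ReplayError("nonce already seen: replayed header")
        # 4. The digest binds nonce and Created to the password, so neither can be swapped out.
        secret = self.passwords.get(user)
        if secret is None or not hmac.compare_digest(password_digest(nonce, created, secret), pw.text or ""):
            raise ReplayError("password digest does not verify")
        # A Created up to max_skew in the future stays acceptable until now + 2 * max_skew.
        self.seen[nonce] = now + 2 * self.max_skew
        return user


if __name__ == "__main__":
    v = UsernameTokenValidator({"alice": "s3cret"})  # constructed credentials
    now = parse_created("2008-06-09T04:05:45Z")
    env = build_envelope("alice", "s3cret", b"\x00\x01\x02\x03", "2008-06-09T04:05:40Z")
    print("first use accepted for:", v.validate(env, now))
    try:
        v.validate(env, now)  # the identical header again: caught by the nonce cache
    except ReplayError as e:
        print("replay rejected:", e)
```

The cache only has to remember a nonce for as long as the timestamp check could still accept the same Created value, which is why entries expire at two skew windows; after that the stale timestamp alone rejects the copy. Note that an in-process dictionary like this one is per JVM, so behind a load balancer the replay would be caught on one node and missed on another unless the cache is shared.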

