cxf-issues mailing list archives

From "David Morris (JIRA)" <j...@apache.org>
Subject [jira] Created: (CXF-3208) Timestamp validation in ws-security
Date Mon, 20 Dec 2010 15:54:02 GMT
Timestamp validation in ws-security
-----------------------------------

                 Key: CXF-3208
                 URL: https://issues.apache.org/jira/browse/CXF-3208
             Project: CXF
          Issue Type: Bug
          Components: WS-* Components
    Affects Versions: 2.3.1
         Environment: Windows XP running Glassfish 2.1 server. Running a simple web service with ws-timestamp set. Using SOAPUI 3.6.1 to create SOAP request messages to validate with the Glassfish 2.1 server using CXF 2.3.1.
            Reporter: David Morris


Validation issues during testing:

The timestamp in ws-security can be future dated and will be accepted as valid in a SOAP
response message.
The creation date can be greater than the expiration date and be accepted as valid in a SOAP
response message.

This is important to resolve replay attacks, a security loophole that can be exploited.

Examples of SOAP request messages that return SOAP response messages as valid when in fact they should
throw a SOAP fault:

Future-dated timestamp, not using the server time to check:
SOAP Request:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                   soap:mustUnderstand="1">
      <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                     wsu:Id="Timestamp-1">
        <wsu:Created>2011-12-20T17:56:50.444Z</wsu:Created>
        <wsu:Expires>2011-12-20T18:35:50.444Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <ns2:processOrder xmlns:ns2="http://order.security.ri.hin.hhs.gov/">
      <arg0>
        <customerID>C001</customerID>
        <itemID>I001</itemID>
        <price>200.0</price>
        <qty>100</qty>
      </arg0>
    </ns2:processOrder>
  </soap:Body>
</soap:Envelope>

SOAP Response:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
   <soap:Body>
      <ns2:processOrderResponse xmlns:ns2="http://order.security.ri.hin.hhs.gov/">
         <return>ORD1234</return>
      </ns2:processOrderResponse>
   </soap:Body>
</soap:Envelope>

Timestamp where the creation time is greater than the expiration time:
SOAP Request:

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                   soap:mustUnderstand="1">
      <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                     wsu:Id="Timestamp-1">
        <wsu:Created>2011-12-20T17:56:50.444Z</wsu:Created>
        <wsu:Expires>2010-12-20T18:35:50.444Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <ns2:processOrder xmlns:ns2="http://order.security.ri.hin.hhs.gov/">
      <arg0>
        <customerID>C001</customerID>
        <itemID>I001</itemID>
        <price>200.0</price>
        <qty>100</qty>
      </arg0>
    </ns2:processOrder>
  </soap:Body>
</soap:Envelope>

SOAP Response:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
   <soap:Body>
      <ns2:processOrderResponse xmlns:ns2="http://order.security.ri.hin.hhs.gov/">
         <return>ORD1234</return>
      </ns2:processOrderResponse>
   </soap:Body>
</soap:Envelope>


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
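The two rejected cases above (a Created time in the future, and an Expires time that precedes Created) together with the usual "already expired" and "older than the time-to-live" checks, written out as a small standalone validator. This is an added example, not CXF or WSS4J code: it parses the wsu:Timestamp out of a SOAP 1.1 envelope with the standard library and evaluates it against a caller-supplied server clock. The 300 s time-to-live, the 60 s tolerance for clock skew, and the order in which the checks run are assumptions chosen for the example; the sample envelopes are constructed here and `NOW` is a fixed reference time on the day of the report.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# Constructed "server time" for the example: the afternoon of the report's date, in UTC.
NOW = datetime(2010, 12, 20, 16, 0, 0, tzinfo=timezone.utc)


def parse_utc(text):
    """Parse an xsd:dateTime in UTC (trailing 'Z'), with or without fractional seconds."""
    text = text.strip()
    if not text.endswith("Z"):
        raise ValueError("timestamp must be UTC with a trailing Z")
    body = text[:-1]
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in body else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def validate_timestamp(envelope_xml, now,
                       ttl=timedelta(seconds=300),       # assumed time-to-live
                       clock_skew=timedelta(seconds=60)):  # assumed tolerance for sender clocks
    """Return None if the wsu:Timestamp is acceptable, otherwise the reason it must be faulted."""
    root = ET.fromstring(envelope_xml)
    ts = root.find(f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security/{{{WSU_NS}}}Timestamp")
    if ts is None:
        return "missing Timestamp"
    created_el = ts.find(f"{{{WSU_NS}}}Created")
    if created_el is None or not created_el.text:
        return "missing Created"
    created = parse_utc(created_el.text)
    expires_el = ts.find(f"{{{WSU_NS}}}Expires")
    expires = parse_utc(expires_el.text) if expires_el is not None and expires_el.text else None

    # Internal consistency first: an Expires at or before Created is malformed whatever the clock says.
    if expires is not None and expires <= created:
        return "Expires is not after Created"
    # A Created time ahead of the server clock (beyond tolerated skew) is rejected, not trusted.
    if created > now + clock_skew:
        return "Created is in the future"
    # Then the ordinary freshness checks against the server clock.
    if expires is not None and expires <= now:
        return "Timestamp has expired"
    if now - created > ttl:
        return "Created is older than the TTL"
    return None


def make_envelope(created, expires=None):
    """Build a minimal SOAP 1.1 envelope carrying only a wsu:Timestamp (constructed sample, empty body)."""
    expires_xml = f"<wsu:Expires>{expires}</wsu:Expires>" if expires else ""
    return (
        f'<soap:Envelope xmlns:soap="{SOAP_NS}">'
        f'<soap:Header><wsse:Security xmlns:wsse="{WSSE_NS}" soap:mustUnderstand="1">'
        f'<wsu:Timestamp xmlns:wsu="{WSU_NS}" wsu:Id="Timestamp-1">'
        f"<wsu:Created>{created}</wsu:Created>{expires_xml}"
        f"</wsu:Timestamp></wsse:Security></soap:Header>"
        f"<soap:Body/></soap:Envelope>"
    )


if __name__ == "__main__":
    # The two requests from the report, plus a well-formed one for contrast.
    cases = {
        "future-dated": make_envelope("2011-12-20T17:56:50.444Z", "2011-12-20T18:35:50.444Z"),
        "created after expires": make_envelope("2011-12-20T17:56:50.444Z", "2010-12-20T18:35:50.444Z"),
        "fresh": make_envelope("2010-12-20T15:58:00Z", "2010-12-20T16:05:00Z"),
    }
    for name, env in cases.items():
        print(f"{name}: {validate_timestamp(env, NOW) or 'accepted'}")
```

The ordering matters for the second report case: because Created is also in the future there, checking Expires against Created first yields the more specific fault; a validator that only compares Created against the clock would still reject it, but would mislabel the cause.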

