Return-Path: 
 <issues-return-15362-apmail-cxf-issues-archive=cxf.apache.org@cxf.apache.org>
Delivered-To: apmail-cxf-issues-archive@www.apache.org
Received: (qmail 55630 invoked from network); 20 Dec 2010 15:54:27 -0000
Received: from unknown (HELO mail.apache.org) (140.211.11.3)
  by 140.211.11.9 with SMTP; 20 Dec 2010 15:54:27 -0000
Received: (qmail 87702 invoked by uid 500); 20 Dec 2010 15:54:27 -0000
Delivered-To: apmail-cxf-issues-archive@cxf.apache.org
Received: (qmail 87599 invoked by uid 500); 20 Dec 2010 15:54:27 -0000
Mailing-List: contact issues-help@cxf.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:issues-help@cxf.apache.org>
List-Unsubscribe: <mailto:issues-unsubscribe@cxf.apache.org>
List-Post: <mailto:issues@cxf.apache.org>
List-Id: <issues.cxf.apache.org>
Reply-To: dev@cxf.apache.org
Delivered-To: mailing list issues@cxf.apache.org
Received: (qmail 87591 invoked by uid 99); 20 Dec 2010 15:54:26 -0000
Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230)
    by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 20 Dec 2010 15:54:26 +0000
X-ASF-Spam-Status: No, hits=-2000.0 required=10.0
	tests=ALL_TRUSTED
X-Spam-Check-By: apache.org
Received: from [140.211.11.22] (HELO thor.apache.org) (140.211.11.22)
    by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 20 Dec 2010 15:54:23 +0000
Received: from thor (localhost [127.0.0.1])
	by thor.apache.org (8.13.8+Sun/8.13.8) with ESMTP id oBKFs2mw028859
	for <issues@cxf.apache.org>; Mon, 20 Dec 2010 15:54:02 GMT
Message-ID: <18822393.216761292860442105.JavaMail.jira@thor>
Date: Mon, 20 Dec 2010 10:54:02 -0500 (EST)
From: "David Morris (JIRA)" <jira@apache.org>
To: issues@cxf.apache.org
Subject: [jira] Created: (CXF-3208) Timestamp validation in ws-security
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394
X-Virus-Checked: Checked by ClamAV on apache.org

Timestamp validation in ws-security
-----------------------------------

                 Key: CXF-3208
                 URL: https://issues.apache.org/jira/browse/CXF-3208
             Project: CXF
          Issue Type: Bug
          Components: WS-* Components
    Affects Versions: 2.3.1
         Environment: Windows XP running Glassfish 2.1 server.  Running a simple web service with ws-timestamp set. Using SOAPUI 3.6.1 to create SOAP request messages to validate with the Glassfish 2.1 server using CXF 2.3.1. 
            Reporter: David Morris


Validation issues during testing:

The timestamp in ws-security can be future dated and will be accepted as valid in a SOAP soap response message.
The creation date can be greater than the expiration date and be accepted as valid in a SOAP response message.

This is important to resolve re-play attacks to resolve a security loop hole that can be exploited.

Examples of SOAP requests message return soap response messages as valid when in fact should throw a soap fault:

<B>Future dated timestamp, not using the server time to check:</B>
<B>SOAP Request:</B>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
 <soap:Header>
 <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1">
 <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-1">
  <wsu:Created>2011-12-20T17:56:50.444Z</wsu:Created> 
  <wsu:Expires>2011-12-20T18:35:50.444Z</wsu:Expires> 
  </wsu:Timestamp>
  </wsse:Security>
  </soap:Header>
<soap:Body>
<ns2:processOrder xmlns:ns2="http://order.security.ri.hin.hhs.gov/">
 <arg0>
  <customerID>C001</customerID> 
  <itemID>I001</itemID> 
  <price>200.0</price> 
  <qty>100</qty> 
  </arg0>
  </ns2:processOrder>
  </soap:Body>
  </soap:Envelope>

<B>SOAP Response</B>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
   <soap:Body>
      <ns2:processOrderResponse xmlns:ns2="http://order.security.ri.hin.hhs.gov/">
         <return>ORD1234</return>
      </ns2:processOrderResponse>
   </soap:Body>
</soap:Envelope>

<B>Timestamp where the creation time is greater then the expiration time:</B>
<B>SOAP Request:</B>

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
 <soap:Header>
 <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1">
 <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-1">
  <wsu:Created>2011-12-20T17:56:50.444Z</wsu:Created> 
  <wsu:Expires>2010-12-20T18:35:50.444Z</wsu:Expires> 
  </wsu:Timestamp>
  </wsse:Security>
  </soap:Header>
<soap:Body>
<ns2:processOrder xmlns:ns2="http://order.security.ri.hin.hhs.gov/">
 <arg0>
  <customerID>C001</customerID> 
  <itemID>I001</itemID> 
  <price>200.0</price> 
  <qty>100</qty> 
  </arg0>
  </ns2:processOrder>
  </soap:Body>
  </soap:Envelope>

<B>SOAP Response</B>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
   <soap:Body>
      <ns2:processOrderResponse xmlns:ns2="http://order.security.ri.hin.hhs.gov/">
         <return>ORD1234</return>
      </ns2:processOrderResponse>
   </soap:Body>
</soap:Envelope>


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.