cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "David Morris (JIRA)" <j...@apache.org>
Subject [jira] Commented: (CXF-3337) Timestamp in WS-Security validation
Date Thu, 17 Feb 2011 14:48:24 GMT

    [ https://issues.apache.org/jira/browse/CXF-3337?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12995834#comment-12995834
] 

David Morris commented on CXF-3337:
-----------------------------------

Revisited pom.xml file:

I had wss4j version 1.5.10 and cxf-rt-ws-security.2.3.1. Removed wss4j 1.5.10. re-packaged
war file and deployed on tomcat 7.0. Still getting same issue.

Verified the server is now running cxf-rt-ws-security.2.3.1 and not wss4j 1.5.10.

> Timestamp in WS-Security validation
> -----------------------------------
>
>                 Key: CXF-3337
>                 URL: https://issues.apache.org/jira/browse/CXF-3337
>             Project: CXF
>          Issue Type: Improvement
>          Components: WS-* Components
>    Affects Versions: 2.3.2
>         Environment: Windows XP/Java 1.6.0_21
>            Reporter: David Morris
>             Fix For: 2.3.2
>
>         Attachments: screenshot-1.jpg
>
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> Couple issues discovered during testing of the timestamp:
> 1.) ZULU time must be used for timestamp comparisions. Cannot make the assumption that
the web services client is in the same time zone as the server. Changed the following code:
>     org.apache.ws.security.handler.WSHandler
>           protected boolean verifyTimestamp(Timestamp timestamp, int timeToLive) method
>              ...
>              // Calculate the time that is allowed for the message to travel
>              Calendar validCreation = Calendar.getInstance();
>              //added the following line
>              validCreation.setTimeZone(TimeZone.getTimeZone("GMT")); //ZULU Time 
> 2.) Need to check for future dated timestamps. During our validation using SOAPUI, the
timestamps in the request can future dated by the validation team. Changed the following code
in org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.java:
>     protected void checkTimestamps(SoapMessage msg, RequestData reqData, Vector wsResult)

>         throws WSSecurityException {
>         /*
>          * Perform further checks on the timestamp that was transmitted in
>          * the header. In the following implementation the timestamp is
>          * valid if it was created after (now-ttl), where ttl is set on
>          * server side, not by the client. Note: the method
>          * verifyTimestamp(Timestamp) allows custom implementations with
>          * other validation algorithms for subclasses.
>          */
>         // Extract the timestamp action result from the action vector
>         Vector timestampResults = new Vector();
>         timestampResults = 
>             WSSecurityUtil.fetchAllActionResults(wsResult, WSConstants.TS, timestampResults);
>         if (!timestampResults.isEmpty()) {
>             for (int i = 0; i < timestampResults.size(); i++) {
>                 WSSecurityEngineResult result = 
>                     (WSSecurityEngineResult) timestampResults.get(i);
>                 Timestamp timestamp = (Timestamp)result.get(WSSecurityEngineResult.TAG_TIMESTAMP);
               
>                 if (timestamp != null) {
>                 	
>                 	//message expired
>                 	if(!verifyTimestamp(timestamp, decodeTimeToLive(reqData))) {
>                          LOG.warning("The timestamp could not be validated");
>                          throw new WSSecurityException(WSSecurityException.MESSAGE_EXPIRED);
>                      }
>                 	
>                 	//createdDate future dated
>                     Calendar validCreation = Calendar.getInstance();
>                     validCreation.setTimeZone(TimeZone.getTimeZone("GMT")); //ZULU Time
>                 	Calendar createdDate = timestamp.getCreated();                	
>                 	if (createdDate.after(validCreation)) {
>                 		LOG.warning("The timestamp createdDate is future dated");
>                 		throw new WSSecurityException("The timestamp createdDate cannot be
future dated");
>                 	}
>                 }
>                 msg.put(TIMESTAMP_RESULT, result);
>             }
>         }
>     }
>           

-- 
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message