Posted to java-dev@axis.apache.org by "Andreas Veithen (JIRA)" <ji...@apache.org> on 2017/01/14 13:50:26 UTC
[jira] [Updated] (RAMPART-401) Reject stale UsernameToken/Created values
[ https://issues.apache.org/jira/browse/RAMPART-401?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andreas Veithen updated RAMPART-401:
------------------------------------
Labels: Patch (was: )
> Reject stale UsernameToken/Created values
> -----------------------------------------
>
> Key: RAMPART-401
> URL: https://issues.apache.org/jira/browse/RAMPART-401
> Project: Rampart
> Issue Type: Improvement
> Affects Versions: 1.6.2
> Reporter: Nathan Clement
> Labels: Patch
> Attachments: check_username_token_timestamp.patch
>
>
> The WS-Security UsernameToken Profile says the following about the UsernameToken/Created element:
> {quote}
> It is RECOMMENDED that web service producers provide a timestamp “freshness” limitation, and that any UsernameToken with “stale” timestamps be rejected. As a guideline, a value of five minutes can be used as a minimum to detect, and thus reject, replays.
> {quote}
> Please add support to Rampart for rejecting stale timestamps in the UsernameToken.
> Attached is a patch that implements this feature in the PolicyBasedResultsValidator, although I don't know if that's the right place for it.
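The freshness limitation quoted from the UsernameToken Profile, as an added stand-alone Java example; it is not the attached patch and not Rampart code. The class, enum and constant names are hypothetical, the 60-second future-skew allowance is an assumed policy value, and rejecting a token with no Created element is an assumed policy choice.

```java
import java.time.Duration;
import java.time.Instant;
import java.time.OffsetDateTime;
import java.time.format.DateTimeParseException;

public class UsernameTokenFreshness {
    // Five minutes is the guideline value from the profile text quoted in the issue.
    static final Duration MAX_AGE = Duration.ofMinutes(5);
    // Assumed tolerance for sender clocks that run ahead of the receiver.
    static final Duration MAX_FUTURE_SKEW = Duration.ofSeconds(60);

    enum Result { FRESH, MISSING, MALFORMED, STALE, FROM_FUTURE }

    // 'created' is the text of the UsernameToken/Created element; 'now' is
    // passed in so the check can be tested against a fixed clock.
    static Result check(String created, Instant now) {
        if (created == null || created.trim().isEmpty()) {
            return Result.MISSING; // assumed policy: no timestamp, no freshness proof
        }
        Instant createdAt;
        try {
            // Accepts xsd:dateTime values that carry an explicit zone ("Z" or an
            // offset); a value with no zone is ambiguous and is treated as malformed.
            createdAt = OffsetDateTime.parse(created.trim()).toInstant();
        } catch (DateTimeParseException e) {
            return Result.MALFORMED;
        }
        // A timestamp far in the future would otherwise stay "fresh" for a long time.
        if (createdAt.isAfter(now.plus(MAX_FUTURE_SKEW))) {
            return Result.FROM_FUTURE;
        }
        if (createdAt.isBefore(now.minus(MAX_AGE))) {
            return Result.STALE;
        }
        return Result.FRESH;
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2017-01-14T13:50:26Z"); // constructed clock
        String[] samples = {                                  // constructed inputs
            "2017-01-14T13:48:00Z", "2017-01-14T13:40:00Z",
            "2017-01-14T15:00:00+01:00", "yesterday", null
        };
        for (String s : samples) {
            System.out.println(s + " -> " + check(s, now));
        }
    }
}
```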