You are viewing a plain text version of this content. The canonical link for it is here.
Posted to rampart-dev@ws.apache.org by "Ruchith Udayanga Fernando (JIRA)" <ji...@apache.org> on 2007/01/26 07:18:49 UTC

[jira] Moved: (RAMPART-4) RAMPART : Timestamp handling in PolicyBasedResultsValidator when 'NOW' is before Timestamp->Created

     [ https://issues.apache.org/jira/browse/RAMPART-4?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ruchith Udayanga Fernando moved RAMPART-3 to RAMPART-4:
-------------------------------------------------------

        Key: RAMPART-4  (was: RAMPART-3)
    Project: Rampart  (was: Axis 2.0 (Axis2))

> RAMPART : Timestamp handling in PolicyBasedResultsValidator when 'NOW' is before Timestamp->Created
> ---------------------------------------------------------------------------------------------------
>
>                 Key: RAMPART-4
>                 URL: https://issues.apache.org/jira/browse/RAMPART-4
>             Project: Rampart
>          Issue Type: Bug
>         Environment: Java 5 (1.5.0_06) on Apple OS X 10.4.8
>            Reporter: Hans G Knudsen
>         Assigned To: Ruchith Udayanga Fernando
>
> Hi
> Interop testing against a MS .Net/WCF receiver we get an SoapFault/SecurityError if we have a timeskew and 'NOW' is before Timestamp->Created generated on the sender.
> On MS .Net/WCF currentTime/NOW must be > Timestamp->Created and < Timestamp-Expired. 
> On Axis NOW before a received Timestamp->Created is accecpted.
> In Axis Timestamp->Expires is validated in WSS4J TimestampProcessor and is very strict (and must be)
> The Timestamp->Created is handled by RAMPART PolicyBasedResultsValidator - and with the sender being 10 minuttes ahead of receiver the values of the different vars eg. could be :
> ts created   : 2007-01-18T10:20:20.626Z
> ts expires   : 2007-01-18T10:25:20.626Z
> currentTime  : 2007-01-18T10:10:20.904Z
> validcreation: 2007-01-18T10:05:20.904Z
> and the timestamp is accepted as validCreation is before ts->created.
> This behaviour could (depening on skew) result in a timestamp-error on a server response as Timestamp->Expires could be before NOW. With the 10 min skew and the time from above ts->expires would be around 10:15 on response and NOW on receiver would be around 10:20.
> Is the Axis/RAMPART timestamp valiation correct ??
> A more strict validation of would be more usefull/practically for (at least) us.
> A timestamp handling alowing sender to be a 10th (30 seconds on default 300) of ttl ahead could look like ( setting fraction value to 1 would give current behaviour) : 
>     long created = timestamp.getCreated().getTimeInMillis();
>     int skewFraction = 10;
>     Calendar creationTimeWithAllowedSkew = Calendar.getInstance();
>     creationTimeWithAllowedSkew.setTime( new Date( created - (timeToLive/skewFraction) * 1000 ) );
>         	
>     if( creationTimeWithAllowedSkew.after( currentTime ) ) {
>         return false;
>     } 
> Would accept a 30 second timeskew :
> ts created  : 2007-01-18T10:10:50.869Z
> ts expires  : 2007-01-18T10:15:50.869Z
> currentTime : 2007-01-18T10:10:41.161Z
> cre w. skew : 2007-01-18T10:10:20.869Z
> If a diff is needed - should it be againt Axis/RAMPART - axis2/tags/java/rampart_1_1 rev 482298 ??
> regards
> /hans

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.