Posted to issues@cxf.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2010/12/24 11:20:47 UTC

[jira] Assigned: (CXF-3208) Timestamp validation in ws-security

     [ https://issues.apache.org/jira/browse/CXF-3208?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh reassigned CXF-3208:
----------------------------------------

    Assignee: Colm O hEigeartaigh

> Timestamp validation in ws-security
> -----------------------------------
>
>                 Key: CXF-3208
>                 URL: https://issues.apache.org/jira/browse/CXF-3208
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.3.1
>         Environment: Windows XP running Glassfish 2.1 server.  Running a simple web service with ws-timestamp set. Using SOAPUI 3.6.1 to create SOAP request messages to validate with the Glassfish 2.1 server using CXF 2.3.1. 
>            Reporter: David Morris
>            Assignee: Colm O hEigeartaigh
>
> Validation issues during testing:
> The timestamp in ws-security can be future dated and will be accepted as valid in a SOAP response message.
> The creation date can be greater than the expiration date and be accepted as valid in a SOAP response message.
> This is important to resolve replay attacks to resolve a security loophole that can be exploited.
> Examples of SOAP request messages that return SOAP response messages as valid when in fact they should throw a SOAP fault:
> Future-dated timestamp, not using the server time to check:
> SOAP Request:
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
>  <soap:Header>
>  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1">
>  <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-1">
>   <wsu:Created>2011-12-20T17:56:50.444Z</wsu:Created> 
>   <wsu:Expires>2011-12-20T18:35:50.444Z</wsu:Expires> 
>   </wsu:Timestamp>
>   </wsse:Security>
>   </soap:Header>
> <soap:Body>
> <ns2:processOrder xmlns:ns2="http://order.security.ri.hin.hhs.gov/">
>  <arg0>
>   <customerID>C001</customerID> 
>   <itemID>I001</itemID> 
>   <price>200.0</price> 
>   <qty>100</qty> 
>   </arg0>
>   </ns2:processOrder>
>   </soap:Body>
>   </soap:Envelope>
> SOAP Response:
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
>    <soap:Body>
>       <ns2:processOrderResponse xmlns:ns2="http://order.security.ri.hin.hhs.gov/">
>          <return>ORD1234</return>
>       </ns2:processOrderResponse>
>    </soap:Body>
> </soap:Envelope>
> Timestamp where the creation time is greater than the expiration time:
> SOAP Request:
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
>  <soap:Header>
>  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1">
>  <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-1">
>   <wsu:Created>2011-12-20T17:56:50.444Z</wsu:Created> 
>   <wsu:Expires>2010-12-20T18:35:50.444Z</wsu:Expires> 
>   </wsu:Timestamp>
>   </wsse:Security>
>   </soap:Header>
> <soap:Body>
> <ns2:processOrder xmlns:ns2="http://order.security.ri.hin.hhs.gov/">
>  <arg0>
>   <customerID>C001</customerID> 
>   <itemID>I001</itemID> 
>   <price>200.0</price> 
>   <qty>100</qty> 
>   </arg0>
>   </ns2:processOrder>
>   </soap:Body>
>   </soap:Envelope>
> SOAP Response:
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
>    <soap:Body>
>       <ns2:processOrderResponse xmlns:ns2="http://order.security.ri.hin.hhs.gov/">
>          <return>ORD1234</return>
>       </ns2:processOrderResponse>
>    </soap:Body>
> </soap:Envelope>
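The two requests quoted above both pass a receiver that only checks that a wsu:Timestamp is present. The following is an added example (not CXF or WSS4J code) of the checks a receiver has to apply to the Created/Expires pair before trusting it: Expires must not precede Created, Created must not lie further in the future than a small clock-skew allowance, Expires must not already be in the past, and Created must not be older than a time-to-live window. The parameter names ttl and future_ttl, the sample envelopes and the reference clock (fixed at the date of this message so the example is reproducible offline) are constructed for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# Constructed reference clock: the receiver's "now" for this example.
NOW = datetime(2010, 12, 24, 11, 20, 47, tzinfo=timezone.utc)


def parse_utc(text):
    """Parse a wsu:Created/wsu:Expires xsd:dateTime value (trailing 'Z' = UTC)."""
    text = text.strip()
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    return datetime.fromisoformat(text).astimezone(timezone.utc)


def fmt_utc(dt):
    """Render a datetime in the millisecond 'Z' form used in the quoted requests."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def validate_timestamp(envelope_xml, now,
                       ttl=timedelta(seconds=300),        # hypothetical: max age of Created
                       future_ttl=timedelta(seconds=60)): # hypothetical: tolerated clock skew
    """Return (accepted, reason) for the wsu:Timestamp in a SOAP Security header."""
    root = ET.fromstring(envelope_xml)
    ts = root.find(f"./{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security/{{{WSU_NS}}}Timestamp")
    if ts is None:
        return False, "no wsu:Timestamp in Security header"
    created_el = ts.find(f"{{{WSU_NS}}}Created")
    expires_el = ts.find(f"{{{WSU_NS}}}Expires")
    if created_el is None or not created_el.text:
        return False, "Created missing"
    created = parse_utc(created_el.text)
    expires = parse_utc(expires_el.text) if expires_el is not None and expires_el.text else None

    # Structural invariant: a window that ends before it starts is never valid.
    if expires is not None and expires < created:
        return False, "Expires precedes Created"
    # Created must be compared against the receiver's clock, with bounded skew.
    if created > now + future_ttl:
        return False, "Created is in the future"
    # An already-expired window is rejected regardless of Created.
    if expires is not None and expires < now:
        return False, "Expires is in the past"
    # Even with no Expires, an old Created is refused to bound replay exposure.
    if now - created > ttl:
        return False, "Created is older than timeToLive"
    return True, "ok"


def envelope(created, expires):
    """Build a minimal envelope shaped like the quoted requests (constructed sample)."""
    return f"""<soap:Envelope xmlns:soap="{SOAP_NS}">
 <soap:Header>
  <wsse:Security xmlns:wsse="{WSSE_NS}" soap:mustUnderstand="1">
   <wsu:Timestamp xmlns:wsu="{WSU_NS}" wsu:Id="Timestamp-1">
    <wsu:Created>{created}</wsu:Created>
    <wsu:Expires>{expires}</wsu:Expires>
   </wsu:Timestamp>
  </wsse:Security>
 </soap:Header>
 <soap:Body/>
</soap:Envelope>"""


# The two timestamps from the report, plus one that a receiver should accept.
FUTURE_DATED = envelope("2011-12-20T17:56:50.444Z", "2011-12-20T18:35:50.444Z")
INVERTED = envelope("2011-12-20T17:56:50.444Z", "2010-12-20T18:35:50.444Z")
VALID = envelope(fmt_utc(NOW - timedelta(seconds=10)), fmt_utc(NOW + timedelta(seconds=290)))

if __name__ == "__main__":
    for name, env in (("future-dated", FUTURE_DATED), ("inverted", INVERTED), ("valid", VALID)):
        print(name, validate_timestamp(env, NOW))
```

The order of the checks matters for the report's second case: the inverted window is rejected as structurally invalid before the clock is consulted, so the fault reason tells the operator what was wrong with the message rather than with the clocks. The skew allowance (future_ttl) is what lets legitimate clients with slightly fast clocks through while still refusing a timestamp a year ahead of the server.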

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.