You are viewing a plain text version of this content. The canonical link for it is here.
Posted to wss4j-dev@ws.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2009/05/06 13:13:30 UTC
[jira] Created: (WSS-186) Move TTL validation to the
TimestampProcessor
Move TTL validation to the TimestampProcessor
---------------------------------------------
Key: WSS-186
URL: https://issues.apache.org/jira/browse/WSS-186
Project: WSS4J
Issue Type: Improvement
Components: WSS4J Handlers
Affects Versions: 1.5.7
Reporter: Colm O hEigeartaigh
Assignee: Colm O hEigeartaigh
Fix For: 1.6
In WSS4J 1.5.7, the TimestampProcessor only validates the "Expires" element of the Timestamp if it exists (and only throws an Exception if WSHandlerConstants.TIMESTAMP_STRICT is set (default to true)). The application code must then call WSHandler.verifyTimestamp(int TTL) to actually verify the TTL on the TImestamp. This is a potential security hole, as all validation should be done when processing the Timestamp.
So I propose to deprecate WSHandler.verifyTimestamp in 1.6, and instead do the TTL validation in the TimestampProcessor. This involves adding a new variable to WSSConfig (to specify the TTL).
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
[jira] Resolved: (WSS-186) Move TTL validation to the
TimestampProcessor
Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WSS-186?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh resolved WSS-186.
-------------------------------------
Resolution: Fixed
> Move TTL validation to the TimestampProcessor
> ---------------------------------------------
>
> Key: WSS-186
> URL: https://issues.apache.org/jira/browse/WSS-186
> Project: WSS4J
> Issue Type: Improvement
> Components: WSS4J Handlers
> Affects Versions: 1.5.7
> Reporter: Colm O hEigeartaigh
> Assignee: Colm O hEigeartaigh
> Fix For: 1.6
>
>
> In WSS4J 1.5.7, the TimestampProcessor only validates the "Expires" element of the Timestamp if it exists (and only throws an Exception if WSHandlerConstants.TIMESTAMP_STRICT is set (default to true)). The application code must then call WSHandler.verifyTimestamp(int TTL) to actually verify the TTL on the TImestamp. This is a potential security hole, as all validation should be done when processing the Timestamp.
> So I propose to deprecate WSHandler.verifyTimestamp in 1.6, and instead do the TTL validation in the TimestampProcessor. This involves adding a new variable to WSSConfig (to specify the TTL).
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
[jira] Closed: (WSS-186) Move TTL validation to the
TimestampProcessor
Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WSS-186?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh closed WSS-186.
-----------------------------------
> Move TTL validation to the TimestampProcessor
> ---------------------------------------------
>
> Key: WSS-186
> URL: https://issues.apache.org/jira/browse/WSS-186
> Project: WSS4J
> Issue Type: Improvement
> Components: WSS4J Handlers
> Affects Versions: 1.5.7
> Reporter: Colm O hEigeartaigh
> Assignee: Colm O hEigeartaigh
> Fix For: 1.6
>
>
> In WSS4J 1.5.7, the TimestampProcessor only validates the "Expires" element of the Timestamp if it exists (and only throws an Exception if WSHandlerConstants.TIMESTAMP_STRICT is set (default to true)). The application code must then call WSHandler.verifyTimestamp(int TTL) to actually verify the TTL on the TImestamp. This is a potential security hole, as all validation should be done when processing the Timestamp.
> So I propose to deprecate WSHandler.verifyTimestamp in 1.6, and instead do the TTL validation in the TimestampProcessor. This involves adding a new variable to WSSConfig (to specify the TTL).
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org