Posted to rampart-dev@ws.apache.org by "Ruchith Udayanga Fernando (JIRA)" <ji...@apache.org> on 2007/08/08 03:57:59 UTC

[jira] Resolved: (RAMPART-50) parameter ttl not evaluated org.apache.rampart.handler.WSDoAllReceiver.processBasic

     [ https://issues.apache.org/jira/browse/RAMPART-50?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ruchith Udayanga Fernando resolved RAMPART-50.
----------------------------------------------

    Resolution: Fixed

Fixed:
http://svn.apache.org/viewvc?view=rev&rev=563721

Thanks,
Ruchith

> parameter ttl not evaluated org.apache.rampart.handler.WSDoAllReceiver.processBasic
> -----------------------------------------------------------------------------------
>
>                 Key: RAMPART-50
>                 URL: https://issues.apache.org/jira/browse/RAMPART-50
>             Project: Rampart
>          Issue Type: Bug
>          Components: rampart-core
>    Affects Versions: 1.1
>            Reporter: Abdelaziz Samari
>
> In the method processBasic of org.apache.rampart.handler.WSDoAllReceiver, the following code seems to be buggy:
>         /*
>          * Perform further checks on the timestamp that was transmitted in the
>          * header. In the following implementation the timestamp is valid if it
>          * was created after (now-ttl), where ttl is set on server side, not by
>          * the client.
>          * 
>          * Note: the method verifyTimestamp(Timestamp) allows custom
>          * implementations with other validation algorithms for subclasses.
>          */
>         // Extract the timestamp action result from the action vector
>         actionResult = WSSecurityUtil.fetchActionResult(wsResult,
>                 WSConstants.TS);
>         if (actionResult != null) {
>             Timestamp timestamp = actionResult.getTimestamp();
>             if (timestamp != null) {
>                 String ttl = null;
>                 if ((ttl = (String) getOption(WSHandlerConstants.TTL_TIMESTAMP)) == null) {
>                     ttl = (String) getProperty(msgContext,
>                             WSHandlerConstants.TTL_TIMESTAMP);
>                 }
>                 int ttl_i = 0;
>                 if (ttl != null) {
>                     try {
>                         ttl_i = Integer.parseInt(ttl);
>                     } catch (NumberFormatException e) {
>                         ttl_i = reqData.getTimeToLive();
>                     }
>                 }
>                 if (ttl_i <= 0) {
>                     ttl_i = reqData.getTimeToLive();
>                 }
>                 if (!verifyTimestamp(timestamp, reqData.getTimeToLive())) {
>                     throw new AxisFault(
>                             "WSDoAllReceiver: The timestamp could not be validated");
>                 }
>             }
>         }
>         
> The parameter ttl is read (getOption resp. getProperty) but not used to call the method verifyTimestamp.
> The correct call is:
>                 if (!verifyTimestamp(timestamp, ttl_i)) {
>                     throw new AxisFault(
>                             "WSDoAllReceiver: The timestamp could not be validated");
>                 }

-- 
This message is automatically generated by JIRA.