You are viewing a plain text version of this content. The canonical link for it is here.
Posted to rampart-dev@ws.apache.org by "Ruchith Udayanga Fernando (JIRA)" <ji...@apache.org> on 2007/08/08 03:57:59 UTC
[jira] Resolved: (RAMPART-50) parameter ttl not evaluated
org.apache.rampart.handler.WSDoAllReceiver.processBasic
[ https://issues.apache.org/jira/browse/RAMPART-50?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ruchith Udayanga Fernando resolved RAMPART-50.
----------------------------------------------
Resolution: Fixed
Fixed :
http://svn.apache.org/viewvc?view=rev&rev=563721
Thanks,
Ruchith
> parameter ttl not evaluated org.apache.rampart.handler.WSDoAllReceiver.processBasic
> -----------------------------------------------------------------------------------
>
> Key: RAMPART-50
> URL: https://issues.apache.org/jira/browse/RAMPART-50
> Project: Rampart
> Issue Type: Bug
> Components: rampart-core
> Affects Versions: 1.1
> Reporter: Abdelaziz Samari
>
> In the method processBasic of the org.apache.rampart.handler.WSDoAllReceiver the followed code seems to be buggy
> /*
> * Perform further checks on the timestamp that was transmitted in the
> * header. In the following implementation the timestamp is valid if it
> * was created after (now-ttl), where ttl is set on server side, not by
> * the client.
> *
> * Note: the method verifyTimestamp(Timestamp) allows custom
> * implementations with other validation algorithms for subclasses.
> */
> // Extract the timestamp action result from the action vector
> actionResult = WSSecurityUtil.fetchActionResult(wsResult,
> WSConstants.TS);
> if (actionResult != null) {
> Timestamp timestamp = actionResult.getTimestamp();
> if (timestamp != null) {
> String ttl = null;
> if ((ttl = (String) getOption(WSHandlerConstants.TTL_TIMESTAMP)) == null) {
> ttl = (String) getProperty(msgContext,
> WSHandlerConstants.TTL_TIMESTAMP);
> }
> int ttl_i = 0;
> if (ttl != null) {
> try {
> ttl_i = Integer.parseInt(ttl);
> } catch (NumberFormatException e) {
> ttl_i = reqData.getTimeToLive();
> }
> }
> if (ttl_i <= 0) {
> ttl_i = reqData.getTimeToLive();
> }
> if (!verifyTimestamp(timestamp, reqData.getTimeToLive())) {
> throw new AxisFault(
> "WSDoAllReceiver: The timestamp could not be validated");
> }
> }
> }
>
> The parameter ttl is read (getOption rsp. getProperty) but not used to call the methode verifyTimestamp.
> The correct call is :
> if (!verifyTimestamp(timestamp, ttl_i)) {
> throw new AxisFault(
> "WSDoAllReceiver: The timestamp could not be validated");
> }
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.