Timestamp token processing in WSS4J

[Venkat Reddy <vr...@gmail.com>]

hi all,

I have a couple of observations regarding the processing of Timestamp
tokens inside the response messages on client-side.

1. The interop specs (wss-interop1-draft-06.pdf and
wss-interop1-draft-06.pdf) specify that the Timestamp token in the
second message (response) should be ignored. However the
Client-deploy.wsdd has the Timestamp as one of the actions for
response flows for most of the scenarios, forcing the security engine
to process the timestamp token inside response. There might be good
reasons for this, but this leads to the following problem in my test
cases.

2. During processing of timestamp, the security engine creates an
instance of Timestamp. However the creation of timestamp object fails
in my test scenarios becuase I have the </wsu:Created>, but not the
<wsu:Expires> inside the <wsu:Timestamp> element, and the construction
of org.apache.ws.security.message.token.Timestamp can succeed only if
we have both the pieces of info. Is the <wsu:Expires> a mandatory
token? If yes, then my Jwsdp RI on the server-side is not adding this
piece of info inside the response messages.

I'm sure my analysis of the WSS4J code and the WS specs is not
comprehensive enough and i might be missing something here. Can
someone throw some light on this?

Thanks
Venkat