Posted to users@cxf.apache.org by Vincent Beretti <vb...@gmail.com> on 2008/09/22 19:50:13 UTC

Security optional timestamp validation

Hi, I use ws-security with UsernameToken and Timestamp. Some of our clients
have problems with time synchronizing and some require the Timestamp on
request. So I'd like to do optional timestamp validation.
As I've seen in docs, ws-security on cxf is based on
WSS4J. In org.apache.ws.security.handler.WSHandlerConstants, there is
a timestampStrict option configuration.
I quote the meaning of this property:
"Strict Timestamp handling: throw an exception if a Timestamp contains an
Expires element and the semantics of the request are expired, i.e. the
current time at the receiver is past the expires time."
In the source code of WSS4JInInterceptor, I see that only timeToLive is
passed for timestamp verification.
Could it be possible to add timestampStrict handling in WSS4JInInterceptor,
to only log a warning message if the timestamp is expired?
Thanks,
Vincent Beretti.

Re: Security optional timestamp validation

Posted by Daniel Kulp <dk...@apache.org>.
I think you would need to patch the WSS4JInInterceptor to change the throw 
exception to just a log message.

That said, I want to update the WSS4JInInterceptor to make each of those 
checks it does a separate method so a subclass could override the behavior 
for each check. It would definitely help some of the security-policy stuff 
I'm working on.

Dan


On Monday 22 September 2008 1:50:13 pm Vincent Beretti wrote:
> Hi, I use ws-security with UsernameToken and Timestamp. Some of our clients
> have problems with time synchronizing and some require the Timestamp on
> request. So I'd like to do optional timestamp validation.
> As I've seen in docs, ws-security on cxf is based on
> WSS4J. In org.apache.ws.security.handler.WSHandlerConstants, there is
> a timestampStrict option configuration.
> I quote the meaning of this property:
> "Strict Timestamp handling: throw an exception if a Timestamp contains an
> Expires element and the semantics of the request are expired, i.e. the
> current time at the receiver is past the expires time."
> In the source code of WSS4JInInterceptor, I see that only timeToLive is
> passed for timestamp verification.
> Could it be possible to add timestampStrict handling in WSS4JInInterceptor,
> to only log a warning message if the timestamp is expired?
> Thanks,
> Vincent Beretti.



-- 
Daniel Kulp
dkulp@apache.org
http://www.dankulp.com/blog
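
The strict versus log-only handling of an expired wsu:Timestamp discussed in this thread, as an added stand-alone example. It is not CXF or WSS4J code and does not use their APIs. The class name TimestampCheck, the method isFresh and the clock-skew allowance are assumptions made for illustration, and the sample timestamp is constructed.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.time.Instant;
import java.util.logging.Logger;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.NodeList;

// Hypothetical helper, not part of CXF or WSS4J.
public class TimestampCheck {
    static final String WSU =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final Logger LOG = Logger.getLogger("TimestampCheck");

    // Returns true when the timestamp has not expired (allowing for skew).
    // On expiry: strict mode throws, non-strict mode logs a warning and returns false.
    static boolean isFresh(String xml, Instant now, Duration skew, boolean strict)
            throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Refuse DTDs so untrusted input cannot trigger entity expansion.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        NodeList expires = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
            .getElementsByTagNameNS(WSU, "Expires");
        if (expires.getLength() == 0) return true;   // Expires is optional
        Instant exp = Instant.parse(expires.item(0).getTextContent().trim());
        if (!now.isAfter(exp.plus(skew))) return true;
        String msg = "Timestamp expired at " + exp + ", receiver time is " + now;
        if (strict) throw new SecurityException(msg);
        LOG.warning(msg + " (accepted, strict handling is off)");
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: expires two minutes before the receiver's clock.
        String ts = "<wsu:Timestamp xmlns:wsu=\"" + WSU + "\">"
            + "<wsu:Created>2008-09-22T17:45:00Z</wsu:Created>"
            + "<wsu:Expires>2008-09-22T17:50:00Z</wsu:Expires></wsu:Timestamp>";
        Instant now = Instant.parse("2008-09-22T17:52:00Z");
        System.out.println("lenient, no skew:  " + isFresh(ts, now, Duration.ZERO, false));
        System.out.println("strict, 5 min skew: " + isFresh(ts, now, Duration.ofMinutes(5), true));
        try {
            isFresh(ts, now, Duration.ZERO, true);
        } catch (SecurityException e) {
            System.out.println("strict, no skew:   rejected: " + e.getMessage());
        }
    }
}
```

With a bounded skew allowance, a receiver can keep strict handling and still accept clients whose clocks drift by a few minutes; log-only mode accepts a message no matter how long ago it expired.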