[CXF-1636] Have WSS4J in/out interceptors require nonces and timestamps when using UsernameTokens? - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 2.4.7, 2.5.3, 2.6
Component/s: WS-* Components
Labels:
None

Description

Our WSS4J In/Out interceptors[1][2] do not appear to be requiring UsernameTokens to have timestamps and nonces. From [3], lines 176-190, these are used to prevent replay attacks (i.e., an intruder just copying the entire soap header, encrypted or not, and reusing it for another request).

To fix this problem, this blog sample[4] created a separate interceptor that will reject any UsernameToken that does not have both a timestamp and a nonce. Perhaps we should update our WSS4J in/out interceptors to require both of these, so external users don't need to do this.

A question though-~~I'm unsure where the nonce-checking is being done~~-our WSS4J interceptors seem to be ignoring them, but perhaps WSS4J is doing the checking/validation that they are not being used more then once.

Glen

[1] http://tinyurl.com/4cgg9b
[2] http://tinyurl.com/48h6an
[3] http://tinyurl.com/65n78j
[4] http://depressedprogrammer.wordpress.com/2007/07/31/cxf-ws-security-using-jsr-181-interceptor-annotations-xfire-migration/

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

cxf-1636.patch
07/Mar/12 16:44
27 kB
Colm O hEigeartaigh

Activity

People

Assignee:: Colm O hEigeartaigh

Reporter:: Glen Mazza

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 09/Jun/08 04:04

Updated:: 23/Apr/12 16:45

Resolved:: 09/Mar/12 16:14