Rampart
  1. Rampart
  2. RAMPART-357

Timestamp verification handled at two locations in different ways

    Details

    • Type: Bug Bug
    • Status: Resolved
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None

      Description

      Currently, when verifying timestamp, 'Expired' is verified in WSS4J level if timestampStrict enabled.
      'Created' is verified in PolicyBasedResultsValidator.

      timestampMaxSkew is taken into consideration only when verifying 'Created' in timestamp inside PolicyBasedResultsValidator.

      IMO, both 'Expired' and 'Created' should be verified in PolicyBasedResultsValidator in a consistent way, taking timestampMaxSkew into consideration in both the occasions.

      Hence the proposed solution is like below:
      -Disable timestampStrict in WSConfig by default through Rampart.
      -Verify both 'Expired' and 'Created' in PolicyBasedResultsValidator.
      -Allow to enable verification at WSS4J level through rampart config, if someone needs it.

      1. rampart_patch_trunk_v2.patch
        11 kB
        Hasini Gunasinghe
      2. rampart_357.patch
        9 kB
        Hasini Gunasinghe
      3. rampart_357_trunk.patch
        11 kB
        Amila Jayasekara

        Activity

          People

          • Assignee:
            Unassigned
            Reporter:
            Hasini Gunasinghe
          • Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development