Affects Version/s: None
Fix Version/s: None
Currently, when verifying timestamp, 'Expired' is verified in WSS4J level if timestampStrict enabled.
'Created' is verified in PolicyBasedResultsValidator.
timestampMaxSkew is taken into consideration only when verifying 'Created' in timestamp inside PolicyBasedResultsValidator.
IMO, both 'Expired' and 'Created' should be verified in PolicyBasedResultsValidator in a consistent way, taking timestampMaxSkew into consideration in both the occasions.
Hence the proposed solution is like below:
-Disable timestampStrict in WSConfig by default through Rampart.
-Verify both 'Expired' and 'Created' in PolicyBasedResultsValidator.
-Allow to enable verification at WSS4J level through rampart config, if someone needs it.