Details
-
Improvement
-
Status: Closed
-
Major
-
Resolution: Fixed
-
1.5.7
-
None
Description
In WSS4J 1.5.7, the TimestampProcessor only validates the "Expires" element of the Timestamp if it exists (and only throws an Exception if WSHandlerConstants.TIMESTAMP_STRICT is set (default to true)). The application code must then call WSHandler.verifyTimestamp(int TTL) to actually verify the TTL on the TImestamp. This is a potential security hole, as all validation should be done when processing the Timestamp.
So I propose to deprecate WSHandler.verifyTimestamp in 1.6, and instead do the TTL validation in the TimestampProcessor. This involves adding a new variable to WSSConfig (to specify the TTL).