[WSS-186] Move TTL validation to the TimestampProcessor - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 1.5.7
Fix Version/s: 1.6
Component/s: WSS4J Handlers
Labels:
None

Description

In WSS4J 1.5.7, the TimestampProcessor only validates the "Expires" element of the Timestamp if it exists (and only throws an Exception if WSHandlerConstants.TIMESTAMP_STRICT is set (default to true)). The application code must then call WSHandler.verifyTimestamp(int TTL) to actually verify the TTL on the TImestamp. This is a potential security hole, as all validation should be done when processing the Timestamp.

So I propose to deprecate WSHandler.verifyTimestamp in 1.6, and instead do the TTL validation in the TimestampProcessor. This involves adding a new variable to WSSConfig (to specify the TTL).

Attachments

Activity

People

Assignee:: Colm O hEigeartaigh

Reporter:: Colm O hEigeartaigh

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 06/May/09 11:13

Updated:: 07/May/09 10:25

Resolved:: 07/May/09 10:25