WSS4J / WSS-533

Also use signing key when trying to detect message replay attacks

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.0.4, 1.6.19, 2.1.0
    • Component/s: None
    • Labels:
      None

      Description


      Currently we use the Timestamp created value + signature value as a key to avoid message replay attacks. However it's possible that we could have two signatures in the security header that sign the Timestamp, but with different keys. This task is to add the hashed encoded version of the key as part of the caching key to allow for this scenario.

            People

            • Assignee:
              coheigea Colm O hEigeartaigh
              Reporter:
              coheigea Colm O hEigeartaigh