[ http://issues.apache.org/jira/browse/AXIS2C-263?page=comments#action_12434111 ]
Malinda Kaushalye Kapuruge commented on AXIS2C-263:
---------------------------------------------------
Sounds fine. :)
If I summarize the scenario:
- Generate message-ID by SHA-1(Serialized envelope of incoming message)
- Generate Timestamp on message arrival.
- Keep the message-ID + Timestamp for a specific time period (default is 5
minutes).
- Remove records if expired.
- On message arrival, check if there is already a similar message-ID in the
database (or in an in-memory hash table).
Suggestions:
1. At the beginning I'd like to keep message-ID + Timestamps in the hash table.
One possibility of doing this is to keep the hash table as a property in
conf context.
2. I do not like the idea of
   - Rejecting any message without a message id
   - Rejecting any message without a timestamp.
Instead we should generate message-IDs and Timestamps on arrival (like you
have mentioned in alternatives) always.
3. It should be possible to configure (to enable/disable) this protection
mechanism.
This can be done using an additional inflow security parameter.
Any comments?
PS: Also I'm wondering why this issue is reported as a bug ;-)
> Replay detection needed
> -----------------------
>
> Key: AXIS2C-263
> URL: http://issues.apache.org/jira/browse/AXIS2C-263
> Project: Axis2-C
> Issue Type: Bug
> Components: rampart
> Affects Versions: Current (Nightly)
> Reporter: James Clark
> Assigned To: Malinda Kaushalye Kapuruge
> Priority: Critical
>
> You need to implement replay detection. See section 13.2.1 of WS-Security
> 2004.
--
This message is automatically generated by JIRA.