Rampart certainly does process timestamp at
org.apache.rampart.PolicyBasedResultsValidator#verifyTimestamp()

Also WSS4J org.apache.ws.security.processor.TimestampProcessor#handleTimestamp()
verifies the timestamp before control reaches Rampart level validation.

Thanks,
Ruchith

On 7/10/07, Tony Dean <[EMAIL PROTECTED]> wrote:
Rampart does not do any processing with the Timestamp information, does it?
However, you do make a valid point. The client should not send a Timestamp
if service is not expecting it. Unfortunately, WSSE 3.0 sends one by default
with a UsernameToken. ;-(

> -----Original Message-----
> From: Ruchith Fernando [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, July 10, 2007 10:59 AM
> To: [email protected]
> Subject: Re: [Rampart] Ignore Timestamp and Addressing from client
>
> Hmm ... this is not possible with Rampart-1.0 style configuration!
> (Using configuration parameters). IMHO we must validate all
> elements in the wsse:Security header of the incoming message
> and I don't think it is correct to let random unknown
> elements in. We express exactly what we expect in the
> security header in the security policy of the service and the
> client MUST send exactly as expected by the service.
> Otherwise it is the client's problem.
>
> Thanks,
> Ruchith
>
> On 7/10/07, stlecho <[EMAIL PROTECTED]> wrote:
> >
> > I completely agree with you Tony. If the client sends on top of the
> > required UsernameToken some additional and unwanted information
> > (timestamp, addressing, ...), Rampart should still be happy that it
> > finds the UsernameToken information.
> >
> > Regards, Stefan.
> >
> >
> > Tony Dean wrote:
> > >
> > > As an example suppose you want Rampart to expect and always process
> > > a UsernameToken. You would set
> > > <action><items>UsernameToken</items></action>. However, by default
> > > .net clients always send a Timestamp. So even though the .net
> > > client sends a UsernameToken, a mismatch occurs because it sends a
> > > Timestamp as well. Is there a way to configure Rampart to just
> > > ignore a Timestamp since it is not expected? I think this is what
> > > Stefan is saying also. Maybe this is against ws-security guidelines.
> > > I don't know. Thanks.
> > >
> > >> -----Original Message-----
> > >> From: Ruchith Fernando [mailto:[EMAIL PROTECTED]
> > >> Sent: Tuesday, July 10, 2007 5:37 AM
> > >> To: [email protected]
> > >> Subject: Re: [Rampart] Ignore Timestamp and Addressing from client
> > >>
> > >> The actions mismatch error occurs when you configure rampart to
> > >> expect security actions different to what the incoming message
> > >> contains. When you configure Rampart to process all security
> > >> operations performed on the message you will be able to get rid of
> > >> this error.
> > >>
> > >> Thanks,
> > >> Ruchith
> > >>
> > >> On 7/2/07, stlecho <[EMAIL PROTECTED]> wrote:
> > >> >
> > >> > All,
> > >> >
> > >> > Is there a solution or workaround for this issue?
> > >> >
> > >> > Regards, Stefan Lecho.
> > >> >
> > >> >
> > >> > stlecho wrote:
> > >> > >
> > >> > > Hi,
> > >> > >
> > >> > > I have configured the InflowSecurity parameter (extracted
> > >> > > included underneath) on the server side with the "Signature" item.
> > >> > >
> > >> > > One of our clients is using a C# client. The SOAP request that
> > >> > > is received from this client contains Timestamp and Addressing
> > >> > > related elements. This results in a "WSDoAllReceiver: security
> > >> > > processing failed (actions mismatch)" AxisFault.
> > >> > >
> > >> > > Is there a way to "ignore" the Timestamp and Addressing related
> > >> > > elements on the server?
> > >> > >
> > >> > > Extract axis2.xml:
> > >> > > <parameter name="InflowSecurity">
> > >> > >   <action>
> > >> > >     <items>Signature</items>
> > >> > >     <signaturePropFile>interopin.properties</signaturePropFile>
> > >> > >     <signatureKeyIdentifier>DirectReference</signatureKeyIdentifier>
> > >> > >     <signatureParts>{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body</signatureParts>
> > >> > >   </action>
> > >> > > </parameter>
> > >> > >
> > >> > >
> > >> > > Regards, Stefan Lecho.
--
www.ruchith.org
www.wso2.org

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
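
A small diagnostic for the "actions mismatch" fault discussed in this thread, added here as an example and not part of the original messages or of Rampart/WSS4J: it lists the security actions carried in a captured request's wsse:Security header and compares them with the configured <items> value. The function names, the element-to-action table and the sample message are constructed for illustration, and the set-style comparison is a simplified model of the receiver's check.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
DS = "http://www.w3.org/2000/09/xmldsig#"

# wsse:Security child element -> action name as written in <items>.
# Illustrative table, limited to the actions named in this thread.
ACTION_OF = {
    f"{{{WSU}}}Timestamp": "Timestamp",
    f"{{{WSSE}}}UsernameToken": "UsernameToken",
    f"{{{DS}}}Signature": "Signature",
}

def actions_in_message(soap_xml):
    """Return the action names present in the wsse:Security header."""
    # Run this on captured messages you trust; use defusedxml otherwise.
    root = ET.fromstring(soap_xml)
    sec = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    if sec is None:
        return []
    return [ACTION_OF[c.tag] for c in sec if c.tag in ACTION_OF]

def diff_actions(items, soap_xml):
    """Compare the configured <items> string with what the message carries."""
    expected, found = items.split(), actions_in_message(soap_xml)
    return {
        "unexpected": [a for a in found if a not in expected],
        "missing": [a for a in expected if a not in found],
    }

# Constructed request: UsernameToken plus the Timestamp a .NET client adds.
SAMPLE = f"""<s:Envelope xmlns:s="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
 <s:Header><wsse:Security>
  <wsu:Timestamp><wsu:Created>2007-07-10T14:59:00Z</wsu:Created>
   <wsu:Expires>2007-07-10T15:04:00Z</wsu:Expires></wsu:Timestamp>
  <wsse:UsernameToken><wsse:Username>alice</wsse:Username>
   <wsse:Password>example</wsse:Password></wsse:UsernameToken>
 </wsse:Security></s:Header><s:Body/>
</s:Envelope>"""

if __name__ == "__main__":
    print(diff_actions("UsernameToken", SAMPLE))            # mismatch
    print(diff_actions("Timestamp UsernameToken", SAMPLE))  # aligned
```

An empty "unexpected" and "missing" result means the service's <items> list names every action the client performed, which is the condition Ruchith describes for getting rid of the fault.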
