Have WSS4J in/out interceptors require nonces and timestamps when using
UsernameTokens?
---------------------------------------------------------------------------------------
Key: CXF-1636
URL: https://issues.apache.org/jira/browse/CXF-1636
Project: CXF
Issue Type: Improvement
Reporter: Glen Mazza
Priority: Minor
Our WSS4J In/Out interceptors[1][2] do not appear to be requiring
UsernameTokens to have timestamps and nonces. From [3], lines 176-190, these
are used to prevent replay attacks (i.e., an intruder just copying the entire
soap header, encrypted or not, and reusing it for another request).
To fix this problem, this blog sample[4] created a separate interceptor that
will reject any UsernameToken that does not have both a timestamp and a nonce.
Perhaps we should update our WSS4J in/out interceptors to require both of
these, so external users don't need to do this.
A question though--I'm unsure where the nonce-checking is being done--our WSS4J
interceptors seem to be ignoring them, but perhaps WSS4J is doing the
checking/validation that they are not being used more than once.
Glen
[1] http://tinyurl.com/4cgg9b
[2] http://tinyurl.com/48h6an
[3] http://tinyurl.com/65n78j
[4] http://depressedprogrammer.wordpress.com/2007/07/31/cxf-ws-security-using-jsr-181-interceptor-annotations-xfire-migration/
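As an added illustration (not code from the issue, CXF or WSS4J), the following Python model shows the check the proposed interceptor would perform on an incoming UsernameToken: require both wsse:Nonce and wsu:Created, reject a Created value outside a freshness window, and reject a nonce that has already been seen, which is the "used more than once" validation the question above asks about. The WS-Security namespace URIs are the real ones; the 5-minute window, the class and function names, and the sample envelopes are assumptions constructed for the example.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

# Real WS-Security 1.0 namespace URIs and the SOAP 1.1 envelope namespace.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"

class UsernameTokenReplayGuard:
    """Model of the proposed interceptor: require Nonce and Created, then reject stale or replayed tokens."""
    def __init__(self, ttl=timedelta(minutes=5)):  # 5-minute window is an assumed setting
        self.ttl = ttl
        self.seen = {}  # nonce -> expiry time, pruned so the cache stays bounded

    def check(self, envelope_xml, now):
        token = ET.fromstring(envelope_xml).find(f".//{{{WSSE}}}UsernameToken")
        if token is None:
            return "rejected: no UsernameToken"
        nonce = token.findtext(f"{{{WSSE}}}Nonce")
        created = token.findtext(f"{{{WSU}}}Created")
        if not nonce or not created:
            return "rejected: UsernameToken lacks Nonce or Created"
        created_at = datetime.fromisoformat(created.replace("Z", "+00:00"))
        if abs(now - created_at) > self.ttl:
            return "rejected: Created outside freshness window"
        self.seen = {n: exp for n, exp in self.seen.items() if exp > now}  # prune expired nonces
        if nonce in self.seen:
            return "rejected: nonce replayed"
        self.seen[nonce] = now + self.ttl
        return "accepted"

def envelope(nonce, created):
    """Constructed sample SOAP message carrying a UsernameToken (not a captured request)."""
    nonce_el = f"<wsse:Nonce>{nonce}</wsse:Nonce>" if nonce else ""
    created_el = f"<wsu:Created>{created}</wsu:Created>" if created else ""
    return (f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Header>'
            f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
            f'<wsse:UsernameToken><wsse:Username>alice</wsse:Username>'
            f'{nonce_el}{created_el}</wsse:UsernameToken>'
            f'</wsse:Security></soap:Header><soap:Body/></soap:Envelope>')

def run_demo():
    """Exercise the guard: a fresh token, its replay, a stale token, and tokens missing each element."""
    guard = UsernameTokenReplayGuard()
    t0 = datetime(2008, 6, 1, 12, 0, tzinfo=timezone.utc)
    fresh = envelope("c2FtcGxlLW5vbmNlLTE=", "2008-06-01T12:00:00Z")
    return [guard.check(fresh, t0),
            guard.check(fresh, t0 + timedelta(seconds=30)),
            guard.check(envelope("c2FtcGxlLW5vbmNlLTI=", "2008-06-01T11:00:00Z"), t0),
            guard.check(envelope(None, "2008-06-01T12:00:00Z"), t0),
            guard.check(envelope("c2FtcGxlLW5vbmNlLTM=", None), t0)]
```

The second call replays the first envelope unchanged and is rejected solely on the cached nonce, which is exactly the copied-header case the issue describes; the freshness window is what lets the nonce cache be pruned rather than grow forever.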
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.