[
https://issues.apache.org/jira/browse/CXF-3337?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12995901#comment-12995901
]
David Morris commented on CXF-3337:
-----------------------------------
Thanks Colm. Validated that future timestamps are rejected in wss4j1.5.11.
However org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor (using cxf version
2.3.2) throws a 'The message has expired' soap fault (after the call to
WSHandler). Should this be more descriptive for future dated timestamps? (i.e.
'The timestamp cannot be future dated') The WSHandler verifies that it is a
valid timestamp and within the valid time range(boolean).
> Timestamp in WS-Security validation
> -----------------------------------
>
> Key: CXF-3337
> URL: https://issues.apache.org/jira/browse/CXF-3337
> Project: CXF
> Issue Type: Improvement
> Components: WS-* Components
> Affects Versions: 2.3.2
> Environment: Windows XP/Java 1.6.0_21
> Reporter: David Morris
> Fix For: 2.3.2
>
> Attachments: screenshot-1.jpg
>
> Original Estimate: 24h
> Remaining Estimate: 24h
>
> Couple issues discovered during testing of the timestamp:
> 1.) ZULU time must be used for timestamp comparisions. Cannot make the
> assumption that the web services client is in the same time zone as the
> server. Changed the following code:
> org.apache.ws.security.handler.WSHandler
> protected boolean verifyTimestamp(Timestamp timestamp, int
> timeToLive) method
> ...
> // Calculate the time that is allowed for the message to travel
> Calendar validCreation = Calendar.getInstance();
> //added the following line
> validCreation.setTimeZone(TimeZone.getTimeZone("GMT")); //ZULU
> Time
> 2.) Need to check for future dated timestamps. During our validation using
> SOAPUI, the timestamps in the request can future dated by the validation
> team. Changed the following code in
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.java:
> protected void checkTimestamps(SoapMessage msg, RequestData reqData,
> Vector wsResult)
> throws WSSecurityException {
> /*
> * Perform further checks on the timestamp that was transmitted in
> * the header. In the following implementation the timestamp is
> * valid if it was created after (now-ttl), where ttl is set on
> * server side, not by the client. Note: the method
> * verifyTimestamp(Timestamp) allows custom implementations with
> * other validation algorithms for subclasses.
> */
> // Extract the timestamp action result from the action vector
> Vector timestampResults = new Vector();
> timestampResults =
> WSSecurityUtil.fetchAllActionResults(wsResult, WSConstants.TS,
> timestampResults);
> if (!timestampResults.isEmpty()) {
> for (int i = 0; i < timestampResults.size(); i++) {
> WSSecurityEngineResult result =
> (WSSecurityEngineResult) timestampResults.get(i);
> Timestamp timestamp =
> (Timestamp)result.get(WSSecurityEngineResult.TAG_TIMESTAMP);
> if (timestamp != null) {
>
> //message expired
> if(!verifyTimestamp(timestamp,
> decodeTimeToLive(reqData))) {
> LOG.warning("The timestamp could not be validated");
> throw new
> WSSecurityException(WSSecurityException.MESSAGE_EXPIRED);
> }
>
> //createdDate future dated
> Calendar validCreation = Calendar.getInstance();
> validCreation.setTimeZone(TimeZone.getTimeZone("GMT"));
> //ZULU Time
> Calendar createdDate = timestamp.getCreated();
>
> if (createdDate.after(validCreation)) {
> LOG.warning("The timestamp createdDate is
> future dated");
> throw new WSSecurityException("The timestamp
> createdDate cannot be future dated");
> }
> }
> msg.put(TIMESTAMP_RESULT, result);
> }
> }
> }
>
--
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
