Timestamp verification handled at two locations in different ways
-----------------------------------------------------------------
Key: RAMPART-357
URL: https://issues.apache.org/jira/browse/RAMPART-357
Project: Rampart
Issue Type: Bug
Reporter: Hasini Gunasinghe
Currently, when verifying timestamp, 'Expired' is verified in WSS4J level if
timestampStrict enabled.
'Created' is verified in PolicyBasedResultsValidator.
timestampMaxSkew is taken into consideration only when verifying 'Created' in
timestamp inside PolicyBasedResultsValidator.
IMO, both 'Expired' and 'Created' should be verified in
PolicyBasedResultsValidator in a consistent way, taking timestampMaxSkew into
consideration in both the occasions.
Hence the proposed solution is like below:
-Disable timestampStrict in WSConfig by default through Rampart.
-Verify both 'Expired' and 'Created' in PolicyBasedResultsValidator.
-Allow to enable verification at WSS4J level through rampart config, if someone
needs it.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
