[
https://issues.apache.org/jira/browse/RAMPART-357?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Amila Jayasekara updated RAMPART-357:
-------------------------------------
Attachment: rampart_357_trunk.patch
Hi Hasini,
I slightly modified your patch so that it suits to current Rampart Trunk (after
wss4j migration). Please review this.
Thanks
AmilaJ
> Timestamp verification handled at two locations in different ways
> -----------------------------------------------------------------
>
> Key: RAMPART-357
> URL: https://issues.apache.org/jira/browse/RAMPART-357
> Project: Rampart
> Issue Type: Bug
> Reporter: Hasini Gunasinghe
> Attachments: rampart_357.patch, rampart_357_trunk.patch
>
>
> Currently, when verifying timestamp, 'Expired' is verified in WSS4J level if
> timestampStrict enabled.
> 'Created' is verified in PolicyBasedResultsValidator.
> timestampMaxSkew is taken into consideration only when verifying 'Created' in
> timestamp inside PolicyBasedResultsValidator.
> IMO, both 'Expired' and 'Created' should be verified in
> PolicyBasedResultsValidator in a consistent way, taking timestampMaxSkew into
> consideration in both the occasions.
> Hence the proposed solution is like below:
> -Disable timestampStrict in WSConfig by default through Rampart.
> -Verify both 'Expired' and 'Created' in PolicyBasedResultsValidator.
> -Allow to enable verification at WSS4J level through rampart config, if
> someone needs it.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
