[
https://issues.apache.org/jira/browse/RAMPART-357?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13207647#comment-13207647
]
Hasini Gunasinghe commented on RAMPART-357:
-------------------------------------------
Hi AmilaJ,
Thanks for modifying it to suit the latest trunk. I did some minor changes and
attaching the updated version.
Thanks,
Hasini.
> Timestamp verification handled at two locations in different ways
> -----------------------------------------------------------------
>
> Key: RAMPART-357
> URL: https://issues.apache.org/jira/browse/RAMPART-357
> Project: Rampart
> Issue Type: Bug
> Reporter: Hasini Gunasinghe
> Attachments: rampart_357.patch, rampart_357_trunk.patch,
> rampart_patch_trunk_v2.patch
>
>
> Currently, when verifying timestamp, 'Expired' is verified in WSS4J level if
> timestampStrict enabled.
> 'Created' is verified in PolicyBasedResultsValidator.
> timestampMaxSkew is taken into consideration only when verifying 'Created' in
> timestamp inside PolicyBasedResultsValidator.
> IMO, both 'Expired' and 'Created' should be verified in
> PolicyBasedResultsValidator in a consistent way, taking timestampMaxSkew into
> consideration in both the occasions.
> Hence the proposed solution is like below:
> -Disable timestampStrict in WSConfig by default through Rampart.
> -Verify both 'Expired' and 'Created' in PolicyBasedResultsValidator.
> -Allow to enable verification at WSS4J level through rampart config, if
> someone needs it.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscr...@axis.apache.org
For additional commands, e-mail: java-dev-h...@axis.apache.org
