Hi,
I was wondering if there is any code in Rampart (or WSS4J) that rejects stale
timestamps in UsernameToken elements? The WS-Security UsernameToken Profile
says the following:
It is RECOMMENDED that web service producers provide a timestamp “freshness”
limitation, and that any UsernameToken with “stale” timestamps be rejected. As
a guideline, a value of five minutes can be used as a minimum to detect, and
thus reject, replays.
If there's nothing existing to implement this recommendation, I can write a
patch to implement this. I thought this could be done in RampartEngine after
the "nonceLifeTimeInSeconds" is checked. I could use the same timeout period
and reject any request with a Created timestamp older than this value. Is that
the best place to implement this feature?
Thanks,
Nathan
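As an added, standalone illustration of the freshness check being asked about (this is example code written here, not Rampart or WSS4J code, and it does not touch RampartEngine), the following parses the wsu:Created element of a UsernameToken and rejects it when it is older than a configurable window or implausibly far in the future. The 300-second window, the 60-second clock-skew allowance, the function names and the sample token are all assumptions for the example:

```python
# Added example, not Rampart/WSS4J code: reject UsernameTokens whose
# wsu:Created timestamp is stale (or unreasonably in the future).
# The window sizes, names and the sample token below are assumptions.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

# Standard WS-Security 1.0 namespaces for the secext and utility schemas.
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

MAX_AGE_SECONDS = 300   # assumed freshness window (the profile's five-minute guideline)
MAX_SKEW_SECONDS = 60   # assumed tolerance for client clocks that run slightly ahead


def parse_created(value):
    """Parse an xsd:dateTime as used in wsu:Created and normalise it to UTC.

    Raises ValueError for malformed input or a timestamp with no timezone,
    since an unanchored time cannot be compared safely against server time.
    """
    text = value.strip()
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"   # fromisoformat on older Pythons lacks 'Z' support
    created = datetime.fromisoformat(text)
    if created.tzinfo is None:
        raise ValueError("Created must carry a timezone designator")
    return created.astimezone(timezone.utc)


def check_freshness(created, now, max_age=MAX_AGE_SECONDS, max_skew=MAX_SKEW_SECONDS):
    """Return (accepted, reason) for a Created timestamp relative to `now`."""
    age = (now - created).total_seconds()
    if age > max_age:
        return (False, "stale")      # older than the window: treat as a possible replay
    if age < -max_skew:
        return (False, "future")     # further ahead than clock skew explains
    return (True, "ok")


def validate_username_token(xml_text, now, max_age=MAX_AGE_SECONDS, max_skew=MAX_SKEW_SECONDS):
    """Locate the UsernameToken, extract wsu:Created and apply the freshness check."""
    root = ET.fromstring(xml_text)
    token_tag = "{%s}UsernameToken" % WSSE_NS
    token = root if root.tag == token_tag else root.find(".//" + token_tag)
    if token is None:
        return (False, "no UsernameToken")
    created_el = token.find("{%s}Created" % WSU_NS)
    if created_el is None or not (created_el.text or "").strip():
        # The profile makes Created optional, but a freshness policy cannot
        # be enforced without it, so a policy that requires freshness rejects.
        return (False, "missing Created")
    try:
        created = parse_created(created_el.text)
    except ValueError:
        return (False, "malformed Created")
    return check_freshness(created, now, max_age, max_skew)


# Constructed sample token for the example (not captured from any real service).
SAMPLE_TOKEN = (
    '<wsse:UsernameToken xmlns:wsse="%s" xmlns:wsu="%s">'
    '<wsse:Username>alice</wsse:Username>'
    '<wsse:Nonce>dGVzdG5vbmNl</wsse:Nonce>'
    '<wsu:Created>2024-03-01T12:00:00Z</wsu:Created>'
    '</wsse:UsernameToken>' % (WSSE_NS, WSU_NS)
)

if __name__ == "__main__":
    server_now = datetime(2024, 3, 1, 12, 2, 0, tzinfo=timezone.utc)
    print(validate_username_token(SAMPLE_TOKEN, server_now))
```

The window only bounds how long a server must remember seen nonces; a token replayed inside the window is still caught only by the nonce check, so the two belong together, which is why placing the check next to the existing nonce lifetime handling is a natural fit. Rejecting far-future timestamps matters too, because otherwise a client could send a Created value that never becomes stale.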