Doesn't the timestamp security element in the Security header accomplish this task?
Brian

From: Nathan Clement [mailto:[email protected]]
Sent: Tuesday, March 05, 2013 1:22 AM
To: [email protected]
Subject: Rampart: UsernameToken with stale timestamps

Hi,

I was wondering if there is any code in Rampart (or WSS4J) that rejects stale timestamps in UsernameToken elements? The WS-Security UsernameToken Profile says the following:

It is RECOMMENDED that web service producers provide a timestamp "freshness" limitation, and that any UsernameToken with "stale" timestamps be rejected. As a guideline, a value of five minutes can be used as a minimum to detect, and thus reject, replays.

If there's nothing existing to implement this recommendation, I can write a patch to implement this. I thought this could be done in RampartEngine after the "nonceLifeTimeInSeconds" is checked. I could use the same timeout period and reject any request with a Created timestamp older than this value. Is that the best place to implement this feature?

Thanks,
Nathan
