Nathan Clement created RAMPART-401:
--------------------------------------
Summary: Reject stale UsernameToken/Created values
Key: RAMPART-401
URL: https://issues.apache.org/jira/browse/RAMPART-401
Project: Rampart
Issue Type: Improvement
Affects Versions: 1.6.2
Reporter: Nathan Clement
Attachments: check_username_token_timestamp.patch

The WS-Security UsernameToken Profile says the following about the
UsernameToken/Created element:
{quote}
It is RECOMMENDED that web service producers provide a timestamp “freshness”
limitation, and that any UsernameToken with “stale” timestamps be rejected. As
a guideline, a value of five minutes can be used as a minimum to detect, and
thus reject, replays.
{quote}
Please add support to Rampart for rejecting stale timestamps in the
UsernameToken.
Attached is a patch that implements this feature in the
PolicyBasedResultsValidator, although I don't know if that's the right place
for it.
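
The freshness check requested above, as an added example that is neither the attached patch nor Rampart/WSS4J code. It uses only the JDK's java.time; the class name, the Result enum and the 60-second FUTURE_SKEW allowance are assumptions made for illustration, and the sample values are constructed.

```java
import java.time.Duration;
import java.time.Instant;
import java.time.OffsetDateTime;
import java.time.format.DateTimeParseException;

public class UsernameTokenFreshness {

    enum Result { FRESH, STALE, FUTURE, MISSING, MALFORMED }

    // Five minutes is the guideline value quoted from the UsernameToken Profile.
    static final Duration MAX_AGE = Duration.ofMinutes(5);
    // Assumed allowance for clock drift between sender and receiver.
    static final Duration FUTURE_SKEW = Duration.ofSeconds(60);

    /** Classifies the text of a Created element relative to the receiver's clock. */
    static Result check(String created, Instant now) {
        if (created == null || created.trim().isEmpty()) {
            return Result.MISSING;        // no timestamp: freshness cannot be established
        }
        Instant ts;
        try {
            // xsd:dateTime with an explicit zone ("Z" or +hh:mm); a value
            // without a zone is ambiguous and is treated as malformed.
            ts = OffsetDateTime.parse(created.trim()).toInstant();
        } catch (DateTimeParseException e) {
            return Result.MALFORMED;
        }
        if (ts.isAfter(now.plus(FUTURE_SKEW))) {
            return Result.FUTURE;         // a post-dated token would otherwise stay "fresh"
        }
        if (ts.isBefore(now.minus(MAX_AGE))) {
            return Result.STALE;          // outside the freshness window: possible replay
        }
        return Result.FRESH;
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2013-05-01T12:00:00Z");  // constructed receiver time
        String[] samples = {                                   // constructed Created values
            "2013-05-01T11:58:30Z",       // 90 seconds old
            "2013-05-01T11:54:59.500Z",   // just over five minutes old
            "2013-05-01T22:00:00+10:00",  // same instant as now, other offset
            "2013-05-01T12:30:00Z",       // 30 minutes ahead of the receiver
            "2013-05-01T12:00:00",        // no zone designator
            ""                            // empty element
        };
        for (String s : samples) {
            System.out.println("\"" + s + "\" -> " + check(s, now));
        }
    }
}
```

A validator would reject every result other than FRESH. Comparing instants rather than strings keeps the check correct when the sender uses a non-UTC offset.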