[
https://issues.apache.org/jira/browse/RAMPART-401?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13613537#comment-13613537
]
Nathan Clement commented on RAMPART-401:
----------------------------------------
I think that this is related to WSS-427.
> Reject stale UsernameToken/Created values
> -----------------------------------------
>
> Key: RAMPART-401
> URL: https://issues.apache.org/jira/browse/RAMPART-401
> Project: Rampart
> Issue Type: Improvement
> Affects Versions: 1.6.2
> Reporter: Nathan Clement
> Attachments: check_username_token_timestamp.patch
>
>
> The WS-Security UsernameToken Profile says the following about the
> UsernameToken/Created element:
> {quote}
> It is RECOMMENDED that web service producers provide a timestamp “freshness”
> limitation, and that any UsernameToken with “stale” timestamps be rejected.
> As a guideline, a value of five minutes can be used as a minimum to detect,
> and thus reject, replays.
> {quote}
> Please add support to Rampart for rejecting stale timestamps in the
> UsernameToken.
> Attached is a patch that implements this feature in the
> PolicyBasedResultsValidator, although I don't know if that's the right place
> for it.
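The freshness check requested above, as an added example that is not part of the issue, the attached patch, or Rampart/WSS4J code. It assumes Java 8+ and that the `wsu:Created` text has already been extracted; the class name, the `Verdict` values and the 60-second future-skew allowance are hypothetical choices, not taken from the issue.

```java
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.time.OffsetDateTime;
import java.time.ZoneOffset;
import java.time.format.DateTimeParseException;
// Added example, not Rampart or WSS4J code; every name below is hypothetical.
public class UsernameTokenFreshness {
    enum Verdict { FRESH, MISSING, MALFORMED, STALE, FROM_FUTURE }
    private final Duration maxAge;      // profile guideline quoted in the issue: five minutes
    private final Duration futureSkew;  // assumption: tolerated sender clock drift
    private final Clock clock;          // injectable so the check can be tested

    UsernameTokenFreshness(Duration maxAge, Duration futureSkew, Clock clock) {
        this.maxAge = maxAge;
        this.futureSkew = futureSkew;
        this.clock = clock;
    }
    // 'created' is the text of wsu:Created, already extracted from the UsernameToken.
    Verdict check(String created) {
        if (created == null || created.trim().isEmpty()) {
            return Verdict.MISSING;   // nothing to check; caller decides whether to reject
        }
        Instant t;
        try {
            // Requires an explicit zone (Z or +hh:mm); a zone-less value is ambiguous.
            t = OffsetDateTime.parse(created.trim()).toInstant();
        } catch (DateTimeParseException e) {
            return Verdict.MALFORMED;
        }
        Instant now = clock.instant();
        if (t.isAfter(now.plus(futureSkew))) {
            return Verdict.FROM_FUTURE; // a post-dated token would otherwise stay "fresh" longer
        }
        return t.isBefore(now.minus(maxAge)) ? Verdict.STALE : Verdict.FRESH;
    }
    public static void main(String[] args) {
        // Constructed clock and timestamps, for illustration only.
        Clock fixed = Clock.fixed(Instant.parse("2013-03-26T10:00:00Z"), ZoneOffset.UTC);
        UsernameTokenFreshness f =
            new UsernameTokenFreshness(Duration.ofMinutes(5), Duration.ofSeconds(60), fixed);
        String[] samples = { "2013-03-26T09:58:30Z", "2013-03-26T19:40:00+10:00",
                             "2013-03-26T10:05:00Z", "2013-03-26T09:58:30", null };
        for (String s : samples) {
            System.out.println(s + " -> " + f.check(s));
        }
    }
}
```

A freshness limit only bounds how long a captured token remains usable; detecting a replay inside that window still needs the nonce cache the UsernameToken Profile describes.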