parameter ttl not evaluated
org.apache.rampart.handler.WSDoAllReceiver.processBasic
-----------------------------------------------------------------------------------
Key: RAMPART-50
URL: https://issues.apache.org/jira/browse/RAMPART-50
Project: Rampart
Issue Type: Bug
Components: rampart-core
Affects Versions: 1.1
Reporter: Abdelaziz Samari
In the method processBasic of org.apache.rampart.handler.WSDoAllReceiver,
the following code seems to be buggy:
    /*
     * Perform further checks on the timestamp that was transmitted in the
     * header. In the following implementation the timestamp is valid if it
     * was created after (now-ttl), where ttl is set on server side, not by
     * the client.
     *
     * Note: the method verifyTimestamp(Timestamp) allows custom
     * implementations with other validation algorithms for subclasses.
     */
    // Extract the timestamp action result from the action vector
    actionResult = WSSecurityUtil.fetchActionResult(wsResult,
            WSConstants.TS);
    if (actionResult != null) {
        Timestamp timestamp = actionResult.getTimestamp();
        if (timestamp != null) {
            String ttl = null;
            if ((ttl = (String)
                    getOption(WSHandlerConstants.TTL_TIMESTAMP)) == null) {
                ttl = (String) getProperty(msgContext,
                        WSHandlerConstants.TTL_TIMESTAMP);
            }
            int ttl_i = 0;
            if (ttl != null) {
                try {
                    ttl_i = Integer.parseInt(ttl);
                } catch (NumberFormatException e) {
                    ttl_i = reqData.getTimeToLive();
                }
            }
            if (ttl_i <= 0) {
                ttl_i = reqData.getTimeToLive();
            }
            if (!verifyTimestamp(timestamp, reqData.getTimeToLive())) {
                throw new AxisFault(
                        "WSDoAllReceiver: The timestamp could not be validated");
            }
        }
    }
The parameter ttl is read (getOption resp. getProperty) but not used to call the
method verifyTimestamp.
The correct call is:
    if (!verifyTimestamp(timestamp, ttl_i)) {
        throw new AxisFault(
                "WSDoAllReceiver: The timestamp could not be validated");
    }
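
Added example (not part of the original report and not Rampart or WSS4J code): a stand-alone sketch of the effect described above, where a server-configured TTL shorter than the default is silently ignored and a timestamp outside the intended freshness window is still accepted. The class name, resolveTtl, isFresh, the 300-second default and the sample times are assumptions made for illustration.

```java
import java.time.Duration;
import java.time.Instant;

// Illustration only; all names here are hypothetical, not Rampart/WSS4J API.
public class TtlCheckDemo {
    // Assumed stand-in for the value returned by reqData.getTimeToLive().
    static final int DEFAULT_TTL_SECONDS = 300;

    // Same fallback order as the reported code: use the configured string,
    // fall back to the default when it is missing, non-numeric or <= 0.
    static int resolveTtl(String configured) {
        if (configured == null) {
            return DEFAULT_TTL_SECONDS;
        }
        try {
            int ttl = Integer.parseInt(configured);
            return ttl > 0 ? ttl : DEFAULT_TTL_SECONDS;
        } catch (NumberFormatException e) {
            return DEFAULT_TTL_SECONDS;
        }
    }

    // Valid if created after (now - ttl), as the comment in the report states.
    static boolean isFresh(Instant created, Instant now, int ttlSeconds) {
        return created.isAfter(now.minus(Duration.ofSeconds(ttlSeconds)));
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2007-01-01T12:00:00Z"); // constructed sample
        Instant created = now.minusSeconds(120);              // message is 2 minutes old
        int ttl = resolveTtl("60");                           // server configured 60 s

        // Reported behaviour: the resolved value is dropped, the default is passed.
        boolean acceptedWithDefault = isFresh(created, now, DEFAULT_TTL_SECONDS);
        // Behaviour with the corrected call: the resolved value is passed.
        boolean acceptedWithResolved = isFresh(created, now, ttl);

        System.out.println("resolved ttl (s):           " + ttl);
        System.out.println("accepted using default ttl:  " + acceptedWithDefault);
        System.out.println("accepted using resolved ttl: " + acceptedWithResolved);
    }
}
```

A regression test for the fix can use the same shape: configure a TTL below the default, submit a timestamp older than the configured value but newer than the default, and assert that the receiver rejects it.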