[ https://issues.apache.org/jira/browse/CXF-3208?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh reassigned CXF-3208:
----------------------------------------

    Assignee: Colm O hEigeartaigh

> Timestamp validation in ws-security
> -----------------------------------
>
>                 Key: CXF-3208
>                 URL: https://issues.apache.org/jira/browse/CXF-3208
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.3.1
>         Environment: Windows XP running Glassfish 2.1 server. Running a simple web service with ws-timestamp set. Using SOAPUI 3.6.1 to create SOAP request messages to validate with the Glassfish 2.1 server using CXF 2.3.1.
>            Reporter: David Morris
>            Assignee: Colm O hEigeartaigh
>
> Validation issues during testing:
>
> The timestamp in ws-security can be future dated and will be accepted as valid in a SOAP response message.
>
> The creation date can be greater than the expiration date and be accepted as valid in a SOAP response message.
>
> This is important to resolve re-play attacks, to resolve a security loophole that can be exploited.
>
> Examples of SOAP request messages that return SOAP response messages as valid when in fact they should throw a SOAP fault:
>
> Future dated timestamp, not using the server time to check:
>
> SOAP Request:
>
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
>   <soap:Header>
>     <wsse:Security
>         xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>         soap:mustUnderstand="1">
>       <wsu:Timestamp
>           xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>           wsu:Id="Timestamp-1">
>         <wsu:Created>2011-12-20T17:56:50.444Z</wsu:Created>
>         <wsu:Expires>2011-12-20T18:35:50.444Z</wsu:Expires>
>       </wsu:Timestamp>
>     </wsse:Security>
>   </soap:Header>
>   <soap:Body>
>     <ns2:processOrder xmlns:ns2="http://order.security.ri.hin.hhs.gov/">
>       <arg0>
>         <customerID>C001</customerID>
>         <itemID>I001</itemID>
>         <price>200.0</price>
>         <qty>100</qty>
>       </arg0>
>     </ns2:processOrder>
>   </soap:Body>
> </soap:Envelope>
>
> SOAP Response:
>
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
>   <soap:Body>
>     <ns2:processOrderResponse
>         xmlns:ns2="http://order.security.ri.hin.hhs.gov/">
>       <return>ORD1234</return>
>     </ns2:processOrderResponse>
>   </soap:Body>
> </soap:Envelope>
>
> Timestamp where the creation time is greater than the expiration time:
>
> SOAP Request:
>
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
>   <soap:Header>
>     <wsse:Security
>         xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>         soap:mustUnderstand="1">
>       <wsu:Timestamp
>           xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>           wsu:Id="Timestamp-1">
>         <wsu:Created>2011-12-20T17:56:50.444Z</wsu:Created>
>         <wsu:Expires>2010-12-20T18:35:50.444Z</wsu:Expires>
>       </wsu:Timestamp>
>     </wsse:Security>
>   </soap:Header>
>   <soap:Body>
>     <ns2:processOrder xmlns:ns2="http://order.security.ri.hin.hhs.gov/">
>       <arg0>
>         <customerID>C001</customerID>
>         <itemID>I001</itemID>
>         <price>200.0</price>
>         <qty>100</qty>
>       </arg0>
>     </ns2:processOrder>
>   </soap:Body>
> </soap:Envelope>
>
> SOAP Response:
>
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
>   <soap:Body>
>     <ns2:processOrderResponse
>         xmlns:ns2="http://order.security.ri.hin.hhs.gov/">
>       <return>ORD1234</return>
>     </ns2:processOrderResponse>
>   </soap:Body>
> </soap:Envelope>

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
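As an added example, not code from CXF or WSS4J, the three checks the report asks the server to apply to a wsu:Timestamp (Created not in the future, Created before Expires, Expires not already passed), run against headers built from the report's own Created/Expires values. The `envelope` helper, the 60-second clock-skew allowance and the injected server clock `now` are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"


def envelope(created, expires):
    """Constructed sample: the report's security header around an empty body."""
    return (f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Header>'
            f'<wsse:Security xmlns:wsse="{WSSE}" soap:mustUnderstand="1">'
            f'<wsu:Timestamp xmlns:wsu="{WSU}" wsu:Id="Timestamp-1">'
            f'<wsu:Created>{created}</wsu:Created><wsu:Expires>{expires}</wsu:Expires>'
            '</wsu:Timestamp></wsse:Security></soap:Header><soap:Body/></soap:Envelope>')


def parse_utc(text):
    """Parse the xsd:dateTime form used in the report (millisecond fraction, trailing Z)."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def validate_timestamp(xml_text, now, skew=timedelta(seconds=60)):
    """Return (ok, reason). `now` is the server clock, passed in so tests are deterministic."""
    root = ET.fromstring(xml_text)
    created_el = root.find(f".//{{{WSU}}}Created")
    expires_el = root.find(f".//{{{WSU}}}Expires")
    if created_el is None:
        return False, "missing Created"
    created = parse_utc(created_el.text)
    # Check 1: a Created beyond the server clock (plus skew allowance) is future dated.
    if created > now + skew:
        return False, "Created is in the future"
    if expires_el is not None:
        expires = parse_utc(expires_el.text)
        # Check 2: the window must be well-formed, Expires strictly after Created.
        if expires <= created:
            return False, "Expires is not after Created"
        # Check 3: an already-expired window is stale and may be a replay.
        if expires < now - skew:
            return False, "timestamp has expired"
    return True, "ok"


if __name__ == "__main__":
    clock = datetime(2011, 12, 20, 17, 0, 0, tzinfo=timezone.utc)
    print(validate_timestamp(envelope("2011-12-20T17:56:50.444Z", "2011-12-20T18:35:50.444Z"), clock))
    print(validate_timestamp(envelope("2011-12-20T17:56:50.444Z", "2010-12-20T18:35:50.444Z"), clock))
```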