I think you would need to patch the WSS4JInInterceptor to change the throw exception to just a log message.
That said, I want to update the WSS4JInInterceptor to make each of those checks it does a separate method so a subclass could override the behavior for each check. It would definitely help some of the security-policy stuff I'm working on. Dan On Monday 22 September 2008 1:50:13 pm Vincent Beretti wrote: > Hi,I use ws-security with UsernameToken and Timestamp. Some of our clients > have problems with time synchronizing and some require the Timestamp on > request. So I'd like to do optional timestamp validation. > As I've seen in docs, ws-security on cxf is based > WSS4J. In org.apache.ws.security.handler.WSHandlerConstants, there is > a timestampStrict option configuration. > I quote the meaning of this property : > "Strict Timestamp handling: throw an exception if a Timestamp contains an > Expires element and the semantics of the request are expired, i.e. the > current time at the receiver is past the expires time. " > In the source code of WSS4JInInterceptor, I see that only timeToLive is > passed for timestamp verification. > Could it be possible to had timestampStrict handling in WSS4JInInterceptor, > to only log a warning message if the timestamp is expired ? > Thanks, > Vincent Beretti. -- Daniel Kulp [EMAIL PROTECTED] http://www.dankulp.com/blog
