Hi. I have read some good info (http://coheigea.blogspot.com/2012/04/security-token-caching-in-apache-cxf-26.html) and dug through CXF code regarding the feature for detecting replayed messages. I have run into an issue processing multiple messages in the following scenario:

1) Another web service stack is sending my CXF service messages with a wsu:Timestamp/wsu:Created that is only precise to the second, as opposed to milliseconds.
2) Two messages are sent within the same second, i.e. they have the same timestamp.
3) These messages have 2 digital signatures on them: one on the timestamp and the other on a SAML 2.0 assertion.
4) The assertion, and therefore the assertion signature, are legitimately identical for the two messages.
5) Because the timestamp/timestamp signature and the timestamp/assertion signature are the same for the two messages, a replay is detected.

In this scenario, I believe the replay detection functionality is detecting false positives. I have two questions:

1) Is my understanding correct, and is this expected behavior? I might be interested in figuring out how to add wsa:MessageID into the detection mix...
2) How can I override this behavior? I.e. which interfaces would I implement?

Thank you!
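The collision described in the post, modelled as an added example. This is not CXF or WSS4J code: the replay-cache key (wsu:Created text combined with the two SignatureValues) is an assumption that mirrors the post's description, and the wsa:MessageID extension is the poster's own idea, modelled here hypothetically. The sample messages are constructed.

```python
"""Toy model of a timestamp+signature replay cache.

Assumption (not CXF/WSS4J source): the cache key is derived from the
wsu:Created text plus the SignatureValue of each signature on the message.
The MessageID variant is a hypothetical extension suggested in the post.
"""
from dataclasses import dataclass
from typing import Optional
import hashlib


@dataclass(frozen=True)
class InboundMessage:
    created: str                    # wsu:Created, as received (second precision)
    timestamp_sig: str              # SignatureValue over the Timestamp
    assertion_sig: str              # SignatureValue over the SAML 2.0 assertion
    message_id: Optional[str] = None  # wsa:MessageID, if present
    message_id_signed: bool = False   # is the MessageID header covered by a signature?


class ReplayCache:
    """Remembers a digest of each accepted message and rejects repeats."""

    def __init__(self, include_message_id: bool = False) -> None:
        self._seen: set = set()
        self.include_message_id = include_message_id

    def key(self, msg: InboundMessage) -> str:
        parts = [msg.created, msg.timestamp_sig, msg.assertion_sig]
        # Only a *signed* MessageID may widen the key: an unsigned one could be
        # rewritten by whoever replays the message, defeating the check.
        if self.include_message_id and msg.message_id and msg.message_id_signed:
            parts.append(msg.message_id)
        return hashlib.sha256("\n".join(parts).encode("utf-8")).hexdigest()

    def check_and_record(self, msg: InboundMessage) -> bool:
        """Return True if accepted, False if judged a replay."""
        k = self.key(msg)
        if k in self._seen:
            return False
        self._seen.add(k)
        return True


# Constructed sample: two honest messages in the same second.  The Timestamp
# and assertion are byte-identical, so a deterministic signature scheme (e.g.
# RSA PKCS#1 v1.5) with the same key yields identical SignatureValues.
CREATED = "2012-05-14T10:22:31Z"
TS_SIG = "MEUCIQDkXc...constructed...=="
SAML_SIG = "MEQCIB8Qm...constructed...=="


def demo_collision() -> tuple:
    """Baseline key: the second message is flagged as a replay (false positive)."""
    cache = ReplayCache()
    first = InboundMessage(CREATED, TS_SIG, SAML_SIG)
    second = InboundMessage(CREATED, TS_SIG, SAML_SIG)
    return cache.check_and_record(first), cache.check_and_record(second)


def demo_with_message_id(signed: bool) -> tuple:
    """Hypothetical extension: distinct MessageIDs separate the two messages,
    but only when the MessageID header is itself signed."""
    cache = ReplayCache(include_message_id=True)
    first = InboundMessage(CREATED, TS_SIG, SAML_SIG,
                           "urn:uuid:constructed-0001", signed)
    second = InboundMessage(CREATED, TS_SIG, SAML_SIG,
                            "urn:uuid:constructed-0002", signed)
    return cache.check_and_record(first), cache.check_and_record(second)


if __name__ == "__main__":
    print("baseline:           ", demo_collision())             # (True, False)
    print("signed MessageID:   ", demo_with_message_id(True))   # (True, True)
    print("unsigned MessageID: ", demo_with_message_id(False))  # (True, False)
```

The unsigned case is the caveat worth keeping in mind when widening the key: a MessageID that is not under a signature adds no replay protection, because the header could be altered on a resent copy, so the model deliberately ignores it and falls back to the narrower key.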
