Hi Matthew,

> I might be interested in figuring out how to add wsa:messageId into the detection mix...

It already is if it is signed. Does the service already require WS-Addressing? If so, and if you add a "SignedPart" policy like:

<sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>

then the SignatureValue should be different for each Signature, even if they are signing the same Timestamp Created value.

Colm.

On Fri, Mar 7, 2014 at 1:14 AM, matthew weaver <[email protected]> wrote:

> Hi. I have read some good info (
> http://coheigea.blogspot.com/2012/04/security-token-caching-in-apache-cxf-26.html
> ) and dug through CXF code regarding the feature for detecting replayed
> messages. I have run into an issue processing multiple messages of the
> following scenario:
>
> 1) Another web service stack is sending my CXF service messages with a
> wsu:Timestamp/wsu:Created that is only precise to the second as opposed to
> milliseconds.
> 2) Two messages are sent within the same second, i.e. they have the same
> timestamp.
> 3) These messages have 2 digital signatures on them. One on the timestamp and
> the other on a SAML 2.0 assertion.
> 4) The assertion and therefore the assertion signature are legitimately
> identical for the two messages.
> 5) Because the timestamp/timestamp signature and the timestamp/assertion
> signature are the same for the two messages, a replay is detected.
>
> In this scenario, I believe the replay detection functionality is detecting
> false positives. I have two questions:
>
> 1) Is my understanding correct and is this expected behavior? I might be
> interested in figuring out how to add wsa:messageId into the detection
> mix...
> 2) How can I override this behavior? I.e. which interfaces would I
> implement?
>
> Thank you!

--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
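As an added illustration of the fix Colm describes (this is example policy written for this page, not code from the thread or from the CXF project), the WS-SecurityPolicy 1.2 fragment below shows a SignedParts assertion that covers only the Body next to one that also requires WS-Addressing and signs the wsa:MessageID header. With the second form, two messages that share a second-precision Timestamp Created value still produce different SignatureValues, because each message's unique MessageID is part of the signed content. The security binding (symmetric or asymmetric) and the wsp:Policy wrapper are assumed to already exist in the service's policy and are omitted here.

```xml
<!-- Added example policy fragment; not from the original thread. -->
<!-- BEFORE: only the Body is signed. Timestamp is signed via IncludeTimestamp
     in the binding, so two messages with identical Created values (and the
     same signing key) can yield identical signature values. -->
<sp:SignedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <sp:Body/>
</sp:SignedParts>

<!-- AFTER: require WS-Addressing and add the MessageID header to the signed
     parts, so every message signs a per-message unique value. -->
<wsam:Addressing xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata"
                 xmlns:wsp="http://www.w3.org/ns/ws-policy">
  <wsp:Policy>
    <!-- Anonymous/non-anonymous responses: choose whichever the service already uses. -->
    <wsam:AnonymousResponses/>
  </wsp:Policy>
</wsam:Addressing>

<sp:SignedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <sp:Body/>
  <!-- Namespace must match the WS-Addressing version the peer stack sends;
       2005/08 is the W3C Recommendation namespace. No trailing whitespace. -->
  <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>
  <!-- Signing To/Action as well is common practice and further binds the
       signature to this specific message (optional, not required for the fix). -->
  <sp:Header Name="To"     Namespace="http://www.w3.org/2005/08/addressing"/>
  <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>
</sp:SignedParts>
```

A quick check after deploying the change is to capture two requests sent in the same second and compare their ds:SignatureValue elements: with the MessageID header in scope they differ, so the replay cache no longer treats the second legitimate message as a duplicate, while a genuine replay (same MessageID, same signature) is still caught. If the client stack does not emit wsa:MessageID at all, the Addressing assertion will cause those requests to be rejected, which is the right outcome for a service relying on that header for replay protection.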
