Details
- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Fixed
- 2.3.1
- None
- Environment: Windows XP running a Glassfish 2.1 server. Running a simple web service with ws-timestamp set. Using SOAPUI 3.6.1 to create SOAP request messages to validate against the Glassfish 2.1 server using CXF 2.3.1.
- Moderate
Description
Validation issues during testing:
The timestamp in ws-security can be future dated and will be accepted as valid in a SOAP response message.
The creation date can be greater than the expiration date and be accepted as valid in a SOAP response message.
This is important to resolve replay attacks and to close a security loophole that can be exploited.
Examples of SOAP request messages that return SOAP response messages as valid when in fact they should throw a SOAP fault:
Future dated timestamp, not using the server time to check:
SOAP Request:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1">
<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-1">
<wsu:Created>2011-12-20T17:56:50.444Z</wsu:Created>
<wsu:Expires>2011-12-20T18:35:50.444Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
</soap:Header>
<soap:Body>
<ns2:processOrder xmlns:ns2="http://order.security.ri.hin.hhs.gov/">
<arg0>
<customerID>C001</customerID>
<itemID>I001</itemID>
<price>200.0</price>
<qty>100</qty>
</arg0>
</ns2:processOrder>
</soap:Body>
</soap:Envelope>
SOAP Response:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<ns2:processOrderResponse xmlns:ns2="http://order.security.ri.hin.hhs.gov/">
<return>ORD1234</return>
</ns2:processOrderResponse>
</soap:Body>
</soap:Envelope>
Timestamp where the creation time is greater than the expiration time:
SOAP Request:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1">
<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-1">
<wsu:Created>2011-12-20T17:56:50.444Z</wsu:Created>
<wsu:Expires>2010-12-20T18:35:50.444Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
</soap:Header>
<soap:Body>
<ns2:processOrder xmlns:ns2="http://order.security.ri.hin.hhs.gov/">
<arg0>
<customerID>C001</customerID>
<itemID>I001</itemID>
<price>200.0</price>
<qty>100</qty>
</arg0>
</ns2:processOrder>
</soap:Body>
</soap:Envelope>
SOAP Response:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<ns2:processOrderResponse xmlns:ns2="http://order.security.ri.hin.hhs.gov/">
<return>ORD1234</return>
</ns2:processOrderResponse>
</soap:Body>
</soap:Envelope>
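The following is an added example, not code from CXF or WSS4J, showing the checks a receiver has to apply to the wsu:Timestamp header before it accepts a request like the two above: Created must not lie ahead of the server clock (beyond an allowance for clock skew), Created must not be older than a time-to-live (otherwise a captured message stays replayable), and Expires must come after Created and after the current time. The TTL of five minutes, the skew of sixty seconds, the two server clocks and the stripped-down request body are assumptions for the illustration; the Created and Expires values are the ones from the report. Python is used because the check is independent of the CXF API.

```python
"""Validate the WS-Security <wsu:Timestamp> of a SOAP request.

Added example, not CXF or WSS4J code. It applies the checks the report asks
for: Created must not be in the future (beyond a clock-skew allowance), Expires
must not precede Created, and the timestamp must be neither expired nor older
than a time-to-live. The TTL and skew values are illustrative assumptions.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # production code should use a hardened/defused XML parser

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"


class TimestampFault(ValueError):
    """The Timestamp is invalid; a server would answer with a SOAP fault."""


def parse_utc(text):
    """Parse the xsd:dateTime form used in the report (UTC, trailing Z, optional fraction)."""
    text = text.strip()
    if not text.endswith("Z"):
        raise TimestampFault("expected UTC dateTime with trailing Z: %r" % text)
    body = text[:-1]
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in body else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def validate_timestamp(envelope_xml, now, ttl=timedelta(minutes=5), skew=timedelta(seconds=60)):
    """Return (created, expires) if acceptable at server time `now`, else raise TimestampFault."""
    root = ET.fromstring(envelope_xml)
    ts = root.find(".//{%s}Security/{%s}Timestamp" % (WSSE_NS, WSU_NS))
    if ts is None:
        raise TimestampFault("no wsu:Timestamp inside wsse:Security")
    created_el = ts.find("{%s}Created" % WSU_NS)
    if created_el is None:
        raise TimestampFault("wsu:Created is required")
    created = parse_utc(created_el.text)
    # Check 1: Created must not lie ahead of the server clock (beyond tolerated skew).
    if created > now + skew:
        raise TimestampFault("Created %s is in the future" % created.isoformat())
    # Check 2: stale Created values are replayable; enforce a TTL.
    if created < now - ttl:
        raise TimestampFault("Created %s is older than the TTL" % created.isoformat())
    expires = None
    expires_el = ts.find("{%s}Expires" % WSU_NS)
    if expires_el is not None:
        expires = parse_utc(expires_el.text)
        # Check 3: Expires must come after Created.
        if expires <= created:
            raise TimestampFault("Expires %s is not after Created %s"
                                 % (expires.isoformat(), created.isoformat()))
        # Check 4: the message must not already have expired.
        if expires <= now:
            raise TimestampFault("Timestamp expired at %s" % expires.isoformat())
    return created, expires


def verdict(envelope_xml, now):
    """Return 'accepted' or 'fault: <reason>' for a request evaluated at server time `now`."""
    try:
        validate_timestamp(envelope_xml, now)
        return "accepted"
    except TimestampFault as exc:
        return "fault: %s" % exc


def request_with_timestamp(created, expires):
    """Constructed SOAP request mirroring the report's header (body content omitted)."""
    return (
        '<soap:Envelope xmlns:soap="%s"><soap:Header>'
        '<wsse:Security xmlns:wsse="%s" soap:mustUnderstand="1">'
        '<wsu:Timestamp xmlns:wsu="%s" wsu:Id="Timestamp-1">'
        "<wsu:Created>%s</wsu:Created><wsu:Expires>%s</wsu:Expires>"
        "</wsu:Timestamp></wsse:Security></soap:Header><soap:Body/></soap:Envelope>"
    ) % (SOAP_NS, WSSE_NS, WSU_NS, created, expires)


# The two requests from the report, plus a well-formed one for contrast.
FUTURE_DATED = request_with_timestamp("2011-12-20T17:56:50.444Z", "2011-12-20T18:35:50.444Z")
EXPIRES_BEFORE_CREATED = request_with_timestamp("2011-12-20T17:56:50.444Z", "2010-12-20T18:35:50.444Z")
VALID = request_with_timestamp("2011-12-20T17:56:50.444Z", "2011-12-20T18:35:50.444Z")

# Assumed server clocks: one well before the Created value, one a few seconds after it.
EARLY_SERVER_TIME = datetime(2011, 12, 20, 17, 0, 0, tzinfo=timezone.utc)
LATER_SERVER_TIME = datetime(2011, 12, 20, 17, 57, 0, tzinfo=timezone.utc)


def run_report_cases():
    """Evaluate the report's two requests and a valid one; returns case name -> verdict."""
    return {
        "future_dated": verdict(FUTURE_DATED, EARLY_SERVER_TIME),
        "expires_before_created": verdict(EXPIRES_BEFORE_CREATED, LATER_SERVER_TIME),
        "valid": verdict(VALID, LATER_SERVER_TIME),
    }


if __name__ == "__main__":
    for name, result in run_report_cases().items():
        print("%-24s %s" % (name, result))
```

Run stand-alone, the first two cases produce a fault (one for a future Created, one for an Expires that precedes Created) and only the third is accepted. The TTL check is what actually defeats replay once a captured message's Expires has been pushed far into the future; the skew allowance is needed because client and server clocks are never exactly in step, and it should be kept small.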
Issue Links
- is blocked by WSS-262: WSS4J accepts Timestamps that are "Created" in the future (Closed)