
Timestamp in WS-Security validation


Details

    Type: Improvement
    Status: Closed
    Priority: Major
    Resolution: Fixed
    Affects Version/s: 2.3.2
    Fix Version/s: 2.3.3
    Component/s: WS-* Components
    Labels: None
    Environment: Windows XP/Java 1.6.0_21
    Estimated Complexity: Moderate

    Description

      A couple of issues were discovered during testing of the timestamp:

      1.) ZULU time must be used for timestamp comparisons. It cannot be assumed that the web services client is in the same time zone as the server. Changed the following code:

      org.apache.ws.security.handler.WSHandler
      protected boolean verifyTimestamp(Timestamp timestamp, int timeToLive) method
      ...
      // Calculate the time that is allowed for the message to travel
      Calendar validCreation = Calendar.getInstance();
      // added the following line
      validCreation.setTimeZone(TimeZone.getTimeZone("GMT")); // ZULU Time

      2.) Need to check for future-dated timestamps. During our validation using SOAPUI, the timestamps in the request can be future dated by the validation team. Changed the following code in org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.java:

      protected void checkTimestamps(SoapMessage msg, RequestData reqData, Vector wsResult)
          throws WSSecurityException {
          /*
           * Perform further checks on the timestamp that was transmitted in
           * the header. In the following implementation the timestamp is
           * valid if it was created after (now-ttl), where ttl is set on
           * server side, not by the client. Note: the method
           * verifyTimestamp(Timestamp) allows custom implementations with
           * other validation algorithms for subclasses.
           */
          // Extract the timestamp action result from the action vector
          Vector timestampResults = new Vector();
          timestampResults =
              WSSecurityUtil.fetchAllActionResults(wsResult, WSConstants.TS, timestampResults);

          if (!timestampResults.isEmpty()) {
              for (int i = 0; i < timestampResults.size(); i++) {
                  WSSecurityEngineResult result =
                      (WSSecurityEngineResult) timestampResults.get(i);
                  Timestamp timestamp = (Timestamp) result.get(WSSecurityEngineResult.TAG_TIMESTAMP);
                  if (timestamp != null) {

                      // message expired
                      if (!verifyTimestamp(timestamp, decodeTimeToLive(reqData))) {
                          LOG.warning("The timestamp could not be validated");
                          throw new WSSecurityException(WSSecurityException.MESSAGE_EXPIRED);
                      }

                      // createdDate future dated
                      Calendar validCreation = Calendar.getInstance();
                      validCreation.setTimeZone(TimeZone.getTimeZone("GMT")); // ZULU Time

                      Calendar createdDate = timestamp.getCreated();
                      if (createdDate.after(validCreation)) {
                          LOG.warning("The timestamp createdDate is future dated");
                          throw new WSSecurityException("The timestamp createdDate cannot be future dated");
                      }
                  }
                  msg.put(TIMESTAMP_RESULT, result);
              }
          }
      }
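      The two checks described in this issue (reject a Created value older than the server-side TTL, and reject a Created value that lies in the future) can be seen in isolation in the following stand-alone validator. This is an added example written for this page; it is not CXF or WSS4J code, and the class name TimestampValidator, the Verdict enum and the allowedSkew tolerance are assumptions of the example. It uses java.time (Java 8 or later rather than the Java 1.6 environment listed above) because Instant is an absolute point on the UTC timeline, so the client's time zone cannot influence the comparison.

```java
import java.time.Duration;
import java.time.Instant;
import java.time.format.DateTimeParseException;

/**
 * Hypothetical stand-alone validator for a WS-Security wsu:Timestamp
 * (added example; not WSS4J or CXF code). Created must not be older than the
 * server-side TTL and must not lie in the future; Expires, if present, is
 * honoured as well. All comparisons are done on Instant values, i.e. in UTC.
 */
public final class TimestampValidator {

    /** Reason a timestamp was rejected; OK means it was accepted. */
    public enum Verdict { OK, MISSING_CREATED, MALFORMED, EXPIRED, FUTURE_DATED, EXPIRES_PASSED }

    private final Duration timeToLive;   // server-side TTL, never taken from the client
    private final Duration allowedSkew;  // tolerance for honest clock drift on the client

    public TimestampValidator(Duration timeToLive, Duration allowedSkew) {
        this.timeToLive = timeToLive;
        this.allowedSkew = allowedSkew;
    }

    /**
     * @param created xsd:dateTime text of wsu:Created, e.g. "2011-02-03T10:15:30Z"
     * @param expires xsd:dateTime text of wsu:Expires, or null if absent
     * @param now     the server's current time, injected so the check is deterministic
     */
    public Verdict validate(String created, String expires, Instant now) {
        if (created == null) {
            return Verdict.MISSING_CREATED;
        }
        Instant createdAt;
        Instant expiresAt = null;
        try {
            // Instant.parse expects the ISO-8601 instant form ending in 'Z' (Zulu time).
            createdAt = Instant.parse(created);
            if (expires != null) {
                expiresAt = Instant.parse(expires);
            }
        } catch (DateTimeParseException e) {
            return Verdict.MALFORMED;
        }

        // 1) Created must not be older than (now - ttl): the message has expired.
        if (createdAt.isBefore(now.minus(timeToLive))) {
            return Verdict.EXPIRED;
        }
        // 2) Created must not be later than (now + skew): a future-dated Created
        //    would otherwise keep the message "fresh" beyond the TTL.
        if (createdAt.isAfter(now.plus(allowedSkew))) {
            return Verdict.FUTURE_DATED;
        }
        // 3) If the client supplied Expires, it must still be in the future.
        if (expiresAt != null && !now.isBefore(expiresAt.plus(allowedSkew))) {
            return Verdict.EXPIRES_PASSED;
        }
        return Verdict.OK;
    }

    public static void main(String[] args) {
        // Constructed sample: 5 minute TTL, 1 minute skew, fixed server clock.
        TimestampValidator v = new TimestampValidator(Duration.ofSeconds(300), Duration.ofSeconds(60));
        Instant now = Instant.parse("2011-02-03T10:15:30Z");

        System.out.println(v.validate("2011-02-03T10:14:00Z", "2011-02-03T10:19:00Z", now));
        System.out.println(v.validate("2011-02-03T10:05:00Z", null, now));
        System.out.println(v.validate("2011-02-03T11:00:00Z", null, now));
        System.out.println(v.validate("2011-02-03T10:13:00Z", "2011-02-03T10:14:00Z", now));
        System.out.println(v.validate("2011-02-03 10:14:00", null, now));
    }
}
```

      The five calls in main exercise, in order, an accepted timestamp, one created earlier than now minus the TTL, one created well in the future, one whose Expires has already passed, and one that does not parse at all. The order of the checks matters: the future-dated check has to run even when the TTL check passes, because a Created value ahead of the server clock trivially satisfies "created after (now - ttl)".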

      People

        Assignee: coheigea (Colm O hEigeartaigh)
        Reporter: davemorris (David Morris)
        Votes: 0
        Watchers: 1


      Time Tracking

        Original Estimate: 24h
        Remaining Estimate: 24h
        Time Spent: Not Specified