Hi,

We usually add a timestamp and sign the timestamp as well. This will
ensure that this message cannot be replayed after the expiration of
the timestamp.

Thanks,
Ruchith

On 8/28/06, Jones, Alan R <[EMAIL PROTECTED]> wrote:
I am trying to make sure that Rampart is failing my spoofed SOAP
messages legitimately.

I configure my client dynamically to use Signature for OutflowSecurity
action; I run the test app, and via TCPMON I see the SOAP message was
correctly set for the service. All runs fine.  I then copy and paste the
SOAP message from TCPMON and resend it to the service from another
method in test app. I expect it to fail, to verify security is working
correctly.

My question, in order to make sure my process is legit, is:

How does the security engine fail it? The signature value in the SOAP
security header is exactly the same every time I send the message,
whether I send it normally from the client or I copy and paste and
resend to create a failure condition. Again, it does fail it as desired
but I am not sure it is failing for the right reason. There is no
timestamp, all data going across in the SOAP header (actual or spoofed)
is exactly the same. So how does it know that the copied/pasted/spoofed
SOAP is a false message?



Thanks,

Alan J



---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




--
www.ruchith.org
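The mechanism Ruchith describes, as an added example that is not part of the thread and not Rampart's code: a receiver that only checks the signature accepts a replayed message because the replay is byte-for-byte the original (Alan's observation), while a receiver that requires a wsu:Timestamp covered by the signature rejects the replay once Expires has passed and rejects any attempt to rewrite Expires, because that breaks the signature. XML Signature is replaced here by an HMAC over a canonical string so the example runs offline; the signed content (Body plus Timestamp) and the receiver's checks are the point. The clock-skew allowance and the `seen` cache, which catches a replay inside the validity window, are additions beyond what the thread states.

```python
# Added example, not Rampart's code: replay protection by signing a WS-Security style Timestamp.
# HMAC-SHA256 over a canonical string stands in for XML-DSig so the example runs offline.
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

SHARED_KEY = b"example-shared-key-not-a-real-secret"  # constructed for the example

def _iso(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def _canonical(body, timestamp):
    # Stand-in for canonicalization + SignedInfo. The Timestamp MUST be inside the
    # signed content; otherwise an attacker can simply rewrite Expires on a capture.
    return json.dumps({"Body": body, "Timestamp": timestamp}, sort_keys=True).encode()

def sign_message(body, now, ttl_seconds=300, key=SHARED_KEY):
    """Timestamp (Created/Expires) covered by the signature, as Ruchith suggests."""
    timestamp = {"Created": _iso(now), "Expires": _iso(now + timedelta(seconds=ttl_seconds))}
    sig = hmac.new(key, _canonical(body, timestamp), hashlib.sha256).hexdigest()
    return {"Body": body, "Security": {"Timestamp": timestamp, "Signature": sig}}

def sign_message_no_timestamp(body, key=SHARED_KEY):
    """Alan's setup: Signature action only. Same body -> same signature every time."""
    sig = hmac.new(key, _canonical(body, None), hashlib.sha256).hexdigest()
    return {"Body": body, "Security": {"Timestamp": None, "Signature": sig}}

class Receiver:
    def __init__(self, key=SHARED_KEY, max_skew_seconds=60, require_timestamp=True):
        self.key = key
        self.max_skew = timedelta(seconds=max_skew_seconds)  # tolerance for clock drift
        self.require_timestamp = require_timestamp
        self.seen = set()  # added: catches a replay that arrives before Expires

    def verify(self, msg, now):
        sec = msg["Security"]
        timestamp = sec["Timestamp"]
        expected = hmac.new(self.key, _canonical(msg["Body"], timestamp),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sec["Signature"]):
            return (False, "signature invalid")
        if timestamp is None:
            if self.require_timestamp:
                return (False, "timestamp missing")
            return (True, "signature valid (no timestamp: replayable)")
        created, expires = _parse(timestamp["Created"]), _parse(timestamp["Expires"])
        if created > now + self.max_skew:
            return (False, "timestamp created in the future")
        if now > expires + self.max_skew:
            return (False, "timestamp expired")
        if sec["Signature"] in self.seen:
            return (False, "replay inside validity window")
        self.seen.add(sec["Signature"])
        return (True, "ok")

def demo():
    """Constructed scenario; the body is a made-up request, the clock is fixed."""
    t0 = datetime(2006, 8, 28, 12, 0, 0, tzinfo=timezone.utc)
    body = "<getQuote>IBM</getQuote>"
    results = {}
    # 1. Signature only: the replay is indistinguishable from the original.
    rx = Receiver(require_timestamp=False)
    m = sign_message_no_timestamp(body)
    results["no_ts_original"] = rx.verify(m, t0)[0]
    results["no_ts_replay_next_day"] = rx.verify(m, t0 + timedelta(days=1))[0]
    # 2. Signed timestamp: accepted fresh, rejected once Expires (+ skew) has passed.
    rx = Receiver()
    m = sign_message(body, t0, ttl_seconds=300)
    results["ts_original"] = rx.verify(m, t0 + timedelta(seconds=5))
    results["ts_replay_after_expiry"] = rx.verify(m, t0 + timedelta(minutes=10))
    # 3. Attacker edits Expires on the captured message: signature no longer matches.
    forged = json.loads(json.dumps(m))
    forged["Security"]["Timestamp"]["Expires"] = _iso(t0 + timedelta(days=1))
    results["ts_tampered"] = rx.verify(forged, t0 + timedelta(minutes=10))
    # 4. Replay inside the window: only the seen cache stops it.
    results["ts_replay_in_window"] = rx.verify(m, t0 + timedelta(seconds=30))
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Without the Timestamp the receiver has nothing that distinguishes the capture from the original, so a rejection in that setup is coming from somewhere other than the security check. The Timestamp only bounds the replay window to its time-to-live plus the skew allowance; a replay that arrives before Expires still verifies unless the receiver also remembers what it has already accepted.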
