Author: coheigea
Date: Fri Dec 24 10:52:34 2010
New Revision: 1052480
URL: http://svn.apache.org/viewvc?rev=1052480&view=rev
Log:
[WSS-262] - A fix for the issue of Timestamps that are in the future being accepted.
Modified:
webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/handler/WSHandler.java
webservices/wss4j/branches/1_5_x-fixes/test/wssec/TestWSSecurityTimestamp.java
Modified:
webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/handler/WSHandler.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/handler/WSHandler.java?rev=1052480&r1=1052479&r2=1052480&view=diff
==============================================================================
---
webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/handler/WSHandler.java
(original)
+++
webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/handler/WSHandler.java
Fri Dec 24 10:52:34 2010
@@ -1408,6 +1408,13 @@ public abstract class WSHandler {
// Calculate the time that is allowed for the message to travel
Calendar validCreation = Calendar.getInstance();
+ Calendar cre = timestamp.getCreated();
+ if (cre != null && cre.after(validCreation)) {
+ if (doDebug) {
+ log.debug("Validation of Timestamp: The message was created in
the future!");
+ }
+ return false;
+ }
long currentTime = validCreation.getTime().getTime();
currentTime -= timeToLive * 1000;
validCreation.setTime(new Date(currentTime));
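Review bot: The new check `cre.after(validCreation)` compares Created against the receiver's clock with zero tolerance, so a sender whose clock runs even slightly ahead is now rejected outright. Consider a small, configurable future window instead, e.g. `Calendar latest = Calendar.getInstance(); latest.add(Calendar.SECOND, futureSkewSeconds);` followed by `cre.after(latest)` (`futureSkewSeconds` is a placeholder name, not an existing option). Both this check and the later too-old check are skipped when `cre` is null, so a Timestamp without a Created element is bounded by neither; whether that case is handled elsewhere cannot be seen here, because the method starts and ends outside the hunk. The rejection is also logged only under `doDebug`, which makes future-dated timestamps hard to spot in production logs.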
@@ -1427,7 +1434,6 @@ public abstract class WSHandler {
// Validate the time it took the message to travel
// if (timestamp.getCreated().before(validCreation) ||
// !timestamp.getCreated().equals(validCreation)) {
- Calendar cre = timestamp.getCreated();
if (cre != null && !cre.after(validCreation)) {
if (doDebug) {
log.debug("Validation of Timestamp: The message was created
too long ago");
Modified:
webservices/wss4j/branches/1_5_x-fixes/test/wssec/TestWSSecurityTimestamp.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/branches/1_5_x-fixes/test/wssec/TestWSSecurityTimestamp.java?rev=1052480&r1=1052479&r2=1052480&view=diff
==============================================================================
---
webservices/wss4j/branches/1_5_x-fixes/test/wssec/TestWSSecurityTimestamp.java
(original)
+++
webservices/wss4j/branches/1_5_x-fixes/test/wssec/TestWSSecurityTimestamp.java
Fri Dec 24 10:52:34 2010
@@ -33,15 +33,19 @@ import org.apache.ws.security.WSConstant
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.util.WSSecurityUtil;
+import org.apache.ws.security.util.XmlSchemaDateFormat;
import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.handler.WSHandler;
import org.apache.ws.security.message.WSSecHeader;
import org.apache.ws.security.message.WSSecTimestamp;
import org.apache.ws.security.message.token.Timestamp;
import org.w3c.dom.Document;
+import org.w3c.dom.Element;
import java.io.ByteArrayInputStream;
import java.io.InputStream;
+import java.text.DateFormat;
+import java.util.Date;
import java.util.Vector;
/**
@@ -258,7 +262,59 @@ public class TestWSSecurityTimestamp ext
}
}
+ /**
+ * This is a test for processing an Timestamp where the "Created" element
is in the future.
+ * This Timestamp should be rejected.
+ */
+ public void testFutureCreated() throws Exception {
+
+ Document doc = unsignedEnvelope.getAsDocument();
+ WSSecHeader secHeader = new WSSecHeader();
+ secHeader.insertSecurityHeader(doc);
+
+ Element timestampElement =
+ doc.createElementNS(
+ WSConstants.WSU_NS, WSConstants.WSU_PREFIX + ":" +
WSConstants.TIMESTAMP_TOKEN_LN
+ );
+
+ DateFormat zulu = new XmlSchemaDateFormat();
+ Element elementCreated =
+ doc.createElementNS(
+ WSConstants.WSU_NS, WSConstants.WSU_PREFIX + ":" +
WSConstants.CREATED_LN
+ );
+ Date createdDate = new Date();
+ long currentTime = createdDate.getTime() + 300000;
+ createdDate.setTime(currentTime);
+
elementCreated.appendChild(doc.createTextNode(zulu.format(createdDate)));
+ timestampElement.appendChild(elementCreated);
+ secHeader.getSecurityHeader().appendChild(timestampElement);
+
+ if (LOG.isDebugEnabled()) {
+ String outputString =
+
org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(doc);
+ LOG.debug(outputString);
+ }
+
+ //
+ // Do some processing
+ //
+ Vector wsResult = verify(doc);
+ WSSecurityEngineResult actionResult =
+ WSSecurityUtil.fetchActionResult(wsResult, WSConstants.TS);
+ assertTrue(actionResult != null);
+
+ Timestamp receivedTimestamp =
+ (Timestamp)actionResult.get(WSSecurityEngineResult.TAG_TIMESTAMP);
+ assertTrue(receivedTimestamp != null);
+
+ MyHandler myHandler = new MyHandler();
+ if (myHandler.publicVerifyTimestamp(receivedTimestamp, 300)) {
+ fail("The timestamp validation should have failed");
+ }
+ }
+
+
/**
* Verifies the soap envelope
*
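Review bot: testFutureCreated only covers a Created value a full 300000 ms ahead of the clock, so nothing pins the behaviour near the boundary (a Created a second or two ahead, or exactly "now"), and a later change to the comparison could go unnoticed. The test also asserts that `verify(doc)` returns a Timestamp result before the handler is called, which suggests the engine-level processing still accepts the future-dated token and only `publicVerifyTimestamp` rejects it; a comment saying so would help callers that do not go through WSHandler. The final check reads more directly as `assertFalse("The timestamp validation should have failed", myHandler.publicVerifyTimestamp(receivedTimestamp, 300));`.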