Author: coheigea
Date: Wed Jun 1 11:37:16 2011
New Revision: 1130107
URL: http://svn.apache.org/viewvc?rev=1130107&view=rev
Log:
[WSS-291] - Default to allowing future created timestamps up to 60s
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSSConfig.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/handler/WSHandler.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/handler/WSHandlerConstants.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/Timestamp.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/TimestampValidator.java
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/TimestampTest.java
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSSConfig.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSSConfig.java?rev=1130107&r1=1130106&r2=1130107&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSSConfig.java
(original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSSConfig.java
Wed Jun 1 11:37:16 2011
@@ -236,10 +236,9 @@ public class WSSConfig {
/**
* The time in seconds in the future within which the Created time of an
incoming
- * Timestamp is valid. The default is 0 seconds, meaning that no
future-dated
- * timestamps are allowed.
+ * Timestamp is valid. The default is 60 seconds.
*/
- protected int timeStampFutureTTL = 0;
+ protected int timeStampFutureTTL = 60;
/**
* This variable controls whether types other than PasswordDigest or
PasswordText
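Review bot: The rewritten Javadoc on `timeStampFutureTTL` states the new 60s default but not what widening the window costs, which is the information someone tuning this field needs. Since a Created value up to this many seconds ahead of the receiver's clock is now accepted, a captured message presumably stays inside the separate TTL check for that much longer than before (the TTL comparison itself is outside this diff, so the exact overlap should be confirmed). I would extend the comment with `* This is a clock-skew allowance only: it lengthens the period during which a captured message still passes the TTL check, so clocks should remain synchronized. Set it to 0 to reject every future-dated Timestamp.`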
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/handler/WSHandler.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/handler/WSHandler.java?rev=1130107&r1=1130106&r2=1130107&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/handler/WSHandler.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/handler/WSHandler.java
Wed Jun 1 11:37:16 2011
@@ -594,18 +594,19 @@ public abstract class WSHandler {
protected int decodeFutureTimeToLive(RequestData reqData) {
String ttl =
getString(WSHandlerConstants.TTL_FUTURE_TIMESTAMP,
reqData.getMsgContext());
+ int defaultFutureTimeToLive = 60;
if (ttl != null) {
try {
int ttlI = Integer.parseInt(ttl);
if (ttlI < 0) {
- return 0;
+ return defaultFutureTimeToLive;
}
return ttlI;
} catch (NumberFormatException e) {
- return 0;
+ return defaultFutureTimeToLive;
}
}
- return 0;
+ return defaultFutureTimeToLive;
}
protected boolean decodeBSPCompliance(RequestData reqData)
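Review bot: A misconfigured `futureTimeToLive` now fails open: both the `if (ttlI < 0)` branch and the `NumberFormatException` branch return `defaultFutureTimeToLive` (60), so a deployer who writes `-1` or a mistyped value intending "no future-dated timestamps" silently gets the permissive default instead of the strict 0 those branches returned before. Only the `ttl == null` case is an absence of configuration; an explicit but invalid value is better treated conservatively. I would keep `return defaultFutureTimeToLive;` for the null case and change the two invalid-value branches to `return 0;`, logging a warning that names the rejected value if WSHandler has a logger available (not visible in this hunk).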
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/handler/WSHandlerConstants.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/handler/WSHandlerConstants.java?rev=1130107&r1=1130106&r2=1130107&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/handler/WSHandlerConstants.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/handler/WSHandlerConstants.java
Wed Jun 1 11:37:16 2011
@@ -649,11 +649,9 @@ public class WSHandlerConstants {
/**
* This configuration tag specifies the time in seconds in the future
within which
- * the Created time of an incoming Timestamp is valid. WSS4J rejects by
default any
- * timestamp which is "Created" in the future, and so there could
potentially be
- * problems in a scenario where a client's clock is slightly askew. The
default
- * value for this parameter is "0", meaning that no future-created
Timestamps are
- * allowed.
+ * the Created time of an incoming Timestamp is valid. The default value
is "60",
+ * to avoid problems where clocks are slightly askew. To reject all
future-created
+ * Timestamps, set this value to "0".
*/
public static final String TTL_FUTURE_TIMESTAMP = "futureTimeToLive";
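Review bot: The new Javadoc for `TTL_FUTURE_TIMESTAMP` describes the default and the "0" setting but says nothing about how an unusable value is treated, and in this same commit `WSHandler.decodeFutureTimeToLive` maps a negative or non-numeric string to 60 rather than 0. Anyone setting this property would want that spelled out next to the tag. I would add `* A negative or non-numeric value is treated as if the property were unset, i.e. the default of 60 seconds applies.` and, if the handler is later changed to fail closed, update this sentence with it.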
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/Timestamp.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/Timestamp.java?rev=1130107&r1=1130106&r2=1130107&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/Timestamp.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/Timestamp.java
Wed Jun 1 11:37:16 2011
@@ -105,7 +105,15 @@ public class Timestamp {
}
} else if
(WSConstants.EXPIRES_LN.equals(currentChild.getLocalName()) &&
WSConstants.WSU_NS.equals(currentChild.getNamespaceURI())) {
- if (strExpires == null) {
+ if (strExpires != null || (bspCompliant && strCreated ==
null)) {
+ //
+ // Created must appear before Expires and we can't
have multiple Expires
+ // elements
+ //
+ throw new WSSecurityException(
+ WSSecurityException.INVALID_SECURITY,
"invalidTimestamp"
+ );
+ } else {
String valueType =
currentChildElement.getAttribute("ValueType");
if (bspCompliant && valueType != null &&
!"".equals(valueType)) {
// We can't have a ValueType attribute as per the
BSP spec
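Review bot: The comment on the moved check, `// Created must appear before Expires and we can't have multiple Expires elements`, understates what the condition `strExpires != null || (bspCompliant && strCreated == null)` actually rejects: in BSP mode it also rejects an Expires with no Created at all, while in non-BSP mode only the duplicate Expires is refused and an Expires-only Timestamp is still parsed. Since the branch is now the first thing a reader sees for Expires, I would make the comment say that: `// Reject a repeated Expires; under BSP also reject Expires unless a Created has already been seen (Created must precede Expires)`. The enclosing parsing loop starts before this hunk.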
@@ -114,14 +122,6 @@ public class Timestamp {
);
}
strExpires =
((Text)currentChildElement.getFirstChild()).getData();
- } else if (strExpires != null || (bspCompliant &&
strCreated == null)) {
- //
- // Created must appear before Expires, and we can't
have multiple
- // Expires elements
- //
- throw new WSSecurityException(
- WSSecurityException.INVALID_SECURITY,
"invalidTimestamp"
- );
}
} else {
if (bspCompliant) {
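Review bot: After the restructuring, `strExpires = ((Text)currentChildElement.getFirstChild()).getData();` is the only path left once the duplicate/ordering check passes, and it dereferences the first child without a guard: an empty `<wsu:Expires/>` yields a null first child and a comment or element child fails the cast, so such malformed input surfaces as a NullPointerException or ClassCastException instead of the `invalidTimestamp` WSSecurityException the new check raises for the other malformed shapes. I would guard it: `Node first = currentChildElement.getFirstChild();` / `if (!(first instanceof Text)) { throw new WSSecurityException(WSSecurityException.INVALID_SECURITY, "invalidTimestamp"); }` / `strExpires = ((Text) first).getData();`, assuming `org.w3c.dom.Node` is imported alongside `Text` (imports are outside this diff). The Created branch above the hunk presumably has the same pattern and would deserve the same treatment.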
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/TimestampValidator.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/TimestampValidator.java?rev=1130107&r1=1130106&r2=1130107&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/TimestampValidator.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/TimestampValidator.java
Wed Jun 1 11:37:16 2011
@@ -48,7 +48,7 @@ public class TimestampValidator implemen
WSSConfig wssConfig = data.getWssConfig();
boolean timeStampStrict = true;
int timeStampTTL = 300;
- int futureTimeToLive = 0;
+ int futureTimeToLive = 60;
if (wssConfig != null) {
timeStampStrict = wssConfig.isTimeStampStrict();
timeStampTTL = wssConfig.getTimeStampTTL();
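Review bot: The fallback `int futureTimeToLive = 60;` is the third place in this commit that spells out the new default literally, alongside `timeStampFutureTTL = 60` in WSSConfig and `defaultFutureTimeToLive = 60` in WSHandler, so the next adjustment to the default can easily leave the three out of step. I would declare it once, e.g. `public static final int DEFAULT_TIMESTAMP_FUTURE_TTL = 60;` in WSSConfig, and write `int futureTimeToLive = WSSConfig.DEFAULT_TIMESTAMP_FUTURE_TTL;` here and the equivalent in WSHandler. The validate method this fallback belongs to continues past the end of the hunk.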
Modified:
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/TimestampTest.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/TimestampTest.java?rev=1130107&r1=1130106&r2=1130107&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/TimestampTest.java
(original)
+++
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/TimestampTest.java
Wed Jun 1 11:37:16 2011
@@ -175,9 +175,57 @@ public class TimestampTest extends org.j
/**
+ * This is a test for processing an Timestamp where the "Created" element
is in the (near)
+ * future. It should be accepted by default when it is created 30 seconds
in the future,
+ * and then rejected once we configure "0 seconds" for future-time-to-live.
+ */
+ @org.junit.Test
+ public void testNearFutureCreated() throws Exception {
+
+ Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+ WSSecHeader secHeader = new WSSecHeader();
+ secHeader.insertSecurityHeader(doc);
+
+ Element timestampElement =
+ doc.createElementNS(
+ WSConstants.WSU_NS, WSConstants.WSU_PREFIX + ":" +
WSConstants.TIMESTAMP_TOKEN_LN
+ );
+
+ DateFormat zulu = new XmlSchemaDateFormat();
+ Element elementCreated =
+ doc.createElementNS(
+ WSConstants.WSU_NS, WSConstants.WSU_PREFIX + ":" +
WSConstants.CREATED_LN
+ );
+ Date createdDate = new Date();
+ long currentTime = createdDate.getTime() + 30000;
+ createdDate.setTime(currentTime);
+
elementCreated.appendChild(doc.createTextNode(zulu.format(createdDate)));
+ timestampElement.appendChild(elementCreated);
+
+ secHeader.getSecurityHeader().appendChild(timestampElement);
+
+ if (LOG.isDebugEnabled()) {
+ String outputString =
+
org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(doc);
+ LOG.debug(outputString);
+ }
+ //
+ // Do some processing
+ //
+ WSSConfig config = WSSConfig.getNewInstance();
+ verify(doc, config);
+ try {
+ config.setTimeStampFutureTTL(0);
+ verify(doc, config);
+ fail("The timestamp validation should have failed");
+ } catch (WSSecurityException ex) {
+ assertTrue(ex.getErrorCode() ==
WSSecurityException.MESSAGE_EXPIRED);
+ }
+ }
+
+ /**
* This is a test for processing an Timestamp where the "Created" element
is in the future.
- * This Timestamp should be rejected by default, and then accepted once
the future
- * time-to-live configuration is enabled.
+ * A Timestamp that is 120 seconds in the future should be rejected by
default.
*/
@org.junit.Test
public void testFutureCreated() throws Exception {
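Review bot: `testNearFutureCreated` pins 30s-ahead as accepted and `testFutureCreated` now pins 120s-ahead as rejected, but nothing exercises the edge of the 60s window, so an off-by-one or inverted comparison in the validator (outside this diff) would pass both tests unnoticed. I would add a case that straddles the configured limit while staying well clear of the exact boundary, since the test reads the real wall clock via `new Date()`: a Created 90s ahead, expected to fail with `config.setTimeStampFutureTTL(60)` and to pass with `config.setTimeStampFutureTTL(120)`. The body of `testFutureCreated` continues past the end of this hunk.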
@@ -197,7 +245,7 @@ public class TimestampTest extends org.j
WSConstants.WSU_NS, WSConstants.WSU_PREFIX + ":" +
WSConstants.CREATED_LN
);
Date createdDate = new Date();
- long currentTime = createdDate.getTime() + 30000;
+ long currentTime = createdDate.getTime() + 120000;
createdDate.setTime(currentTime);
elementCreated.appendChild(doc.createTextNode(zulu.format(createdDate)));
timestampElement.appendChild(elementCreated);
@@ -219,8 +267,6 @@ public class TimestampTest extends org.j
} catch (WSSecurityException ex) {
assertTrue(ex.getErrorCode() ==
WSSecurityException.MESSAGE_EXPIRED);
}
- config.setTimeStampFutureTTL(60);
- verify(doc, config);
}