Move TTL validation to the TimestampProcessor
---------------------------------------------
Key: WSS-186
URL: https://issues.apache.org/jira/browse/WSS-186
Project: WSS4J
Issue Type: Improvement
Components: WSS4J Handlers
Affects Versions: 1.5.7
Reporter: Colm O hEigeartaigh
Assignee: Colm O hEigeartaigh
Fix For: 1.6
In WSS4J 1.5.7, the TimestampProcessor only validates the "Expires" element of
the Timestamp if it exists (and only throws an Exception if
WSHandlerConstants.TIMESTAMP_STRICT is set (default to true)). The application
code must then call WSHandler.verifyTimestamp(int TTL) to actually verify the
TTL on the TImestamp. This is a potential security hole, as all validation
should be done when processing the Timestamp.
So I propose to deprecate WSHandler.verifyTimestamp in 1.6, and instead do the
TTL validation in the TimestampProcessor. This involves adding a new variable
to WSSConfig (to specify the TTL).
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
