[
https://issues.apache.org/jira/browse/WSS-186?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Colm O hEigeartaigh closed WSS-186.
-----------------------------------
> Move TTL validation to the TimestampProcessor
> ---------------------------------------------
>
> Key: WSS-186
> URL: https://issues.apache.org/jira/browse/WSS-186
> Project: WSS4J
> Issue Type: Improvement
> Components: WSS4J Handlers
> Affects Versions: 1.5.7
> Reporter: Colm O hEigeartaigh
> Assignee: Colm O hEigeartaigh
> Fix For: 1.6
>
>
> In WSS4J 1.5.7, the TimestampProcessor only validates the "Expires" element
> of the Timestamp if it exists (and only throws an Exception if
> WSHandlerConstants.TIMESTAMP_STRICT is set (default to true)). The
> application code must then call WSHandler.verifyTimestamp(int TTL) to
> actually verify the TTL on the TImestamp. This is a potential security hole,
> as all validation should be done when processing the Timestamp.
> So I propose to deprecate WSHandler.verifyTimestamp in 1.6, and instead do
> the TTL validation in the TimestampProcessor. This involves adding a new
> variable to WSSConfig (to specify the TTL).
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
