  1. Spring Web Services
  2. SWS-577

Wss4jSecurityInterceptor ignores Timestamp timeToLive property when creating Timestamp element

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.5.8
    • Fix Version/s: 1.5.9
    • Component/s: Security
    • Labels:
      None
    • Environment:
      Spring-ws 1.5.8, spring 2.5.6, Wss4jSecurityInterceptor, wss4j 1.5.8, AxiomSoapMessageFactory (payloadCaching = true)

      Description

      When securing a SOAP message with a secure timestamp element, Wss4jSecurityInterceptor does not take into account the timeToLive property specified in the configuration, always defaulting to a 5 minute (300 sec) timeToLive value (the difference between the Created and Expires element values):

      <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-4">
          <wsu:Created>2009-10-19T16:27:27.069Z</wsu:Created>
          <wsu:Expires>2009-10-19T16:42:27.069Z</wsu:Expires>
      </wsu:Timestamp>

      The difference between the Created and Expires values should reflect the timeToLive number of seconds specified as a config property of Wss4jSecurityInterceptor.

      A fix that worked for me was to add "requestData.setTimeToLive(timeToLive);" to the Wss4jSecurityInterceptor.initializeRequestData(MessageContext messageContext) method:

      private RequestData initializeRequestData(MessageContext messageContext) {
          RequestData requestData = new RequestData();
          requestData.setMsgContext(messageContext);

          // set timeToLive from property
          requestData.setTimeToLive(timeToLive);
          // reads securementUsername first from the context then from the
          // property
          String contextUsername = (String) messageContext.getProperty(SECUREMENT_USER_PROPERTY_NAME);
          if (StringUtils.hasLength(contextUsername)) {
              requestData.setUsername(contextUsername);
          } else {
              requestData.setUsername(securementUsername);
          }
          return requestData;
      }

      I will attach a patch file as well.
      Thanks,
      Paul
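
      A regression check for the behaviour reported above, as an added example that is not part of the original issue or of the Spring-WS code base: it parses the wsu:Timestamp of a secured message and compares Expires minus Created with the configured timeToLive. The class and helper names and the 60-second configured value are assumptions; the sample element is the one quoted in the description.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.time.Instant;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class TimestampTtlCheck {  // hypothetical class name
    static final String WSU_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";

    /** Returns Expires minus Created, in seconds, for the first wsu:Timestamp in the XML. */
    static long lifetimeSeconds(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // Refuse DOCTYPE declarations so the check itself is not exposed to XXE.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        NodeList stamps = doc.getElementsByTagNameNS(WSU_NS, "Timestamp");
        if (stamps.getLength() == 0) {
            throw new IllegalArgumentException("no wsu:Timestamp element found");
        }
        Element ts = (Element) stamps.item(0);
        Instant created = Instant.parse(text(ts, "Created"));
        Instant expires = Instant.parse(text(ts, "Expires"));
        return Duration.between(created, expires).getSeconds();
    }

    private static String text(Element parent, String localName) {
        NodeList nodes = parent.getElementsByTagNameNS(WSU_NS, localName);
        if (nodes.getLength() == 0) {
            throw new IllegalArgumentException("wsu:Timestamp has no wsu:" + localName);
        }
        return nodes.item(0).getTextContent().trim();
    }

    public static void main(String[] args) throws Exception {
        int configuredTtl = 60; // assumed value of the interceptor's timeToLive property
        String sample = // Timestamp element as quoted in the issue description
            "<wsu:Timestamp xmlns:wsu=\"" + WSU_NS + "\" wsu:Id=\"Timestamp-4\">"
            + "<wsu:Created>2009-10-19T16:27:27.069Z</wsu:Created>"
            + "<wsu:Expires>2009-10-19T16:42:27.069Z</wsu:Expires></wsu:Timestamp>";
        long actual = lifetimeSeconds(sample);
        System.out.println("lifetime=" + actual + "s, configured=" + configuredTtl + "s, "
            + (actual == configuredTtl ? "OK" : "MISMATCH"));
    }
}
```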


          People

          • Assignee:
            tareq Tareq Abedrabbo
            Reporter:
            pdotsenko Paul Dotsenko