[SWS-577] Wss4jSecurityInterceptor ignores Timestamp timeToLive property when creating Timestamp element
Created: 19/Oct/09  Updated: 04/May/12  Resolved: 28/Dec/09

Status: Closed
Project: Spring Web Services
Component/s: Security
Affects Version/s: 1.5.8
Fix Version/s: 1.5.9

Type: Improvement Priority: Major
Reporter: Paul Dotsenko Assignee: Tareq Abedrabbo
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Spring-ws 1.5.8, spring 2.5.6, Wss4jSecurityInterceptor, wss4j 1.5.8, AxiomSoapMessageFactory (payloadCaching = true)


Attachments: Text File Wss4jSecurityInterceptor.java.patch    

 Description   

When securing a SOAP message with a secure timestamp element, Wss4jSecurityInterceptor does not take into account the timeToLive property specified in the configuration, always defaulting to a 5 minutes (300 sec) timeToLive value (the difference between the Created and Expires element values):

<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-4">
<wsu:Created>2009-10-19T16:27:27.069Z</wsu:Created>
<wsu:Expires>2009-10-19T16:42:27.069Z</wsu:Expires>
</wsu:Timestamp>

The difference between the Created and Expires values should reflect the timeToLive number of seconds specified as a config property of Wss4jSecurityInterceptor.

A fix that worked for me was to add "requestData.setTimeToLive(timeToLive);" to Wss4jSecurityInterceptor.initializeRequestData(MessageContext messageContext) method:

private RequestData initializeRequestData(MessageContext messageContext) {
    RequestData requestData = new RequestData();
    requestData.setMsgContext(messageContext);

    // set timeToLive from property
    requestData.setTimeToLive(timeToLive);
    // reads securementUsername first from the context then from the
    // property
    String contextUsername = (String) messageContext.getProperty(SECUREMENT_USER_PROPERTY_NAME);
    if (StringUtils.hasLength(contextUsername)) {
        requestData.setUsername(contextUsername);
    }
    else {
        requestData.setUsername(securementUsername);
    }

    return requestData;
}

I will attach a patch file as well.
Thanks,
Paul
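
Added example (not part of the original issue, the attached patch, or the Spring-WS code base): a small check that computes Expires minus Created from an emitted wsu:Timestamp and compares it with the lifetime you configured, which is a quick way to confirm that an outbound timeToLive setting is actually being applied. The function names, the 1-second tolerance and the configured value of 60 seconds are assumptions; the sample element is the one quoted in the description above.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# Timestamp element as quoted in the issue description.
SAMPLE = """<wsu:Timestamp xmlns:wsu="%s" wsu:Id="Timestamp-4">
<wsu:Created>2009-10-19T16:27:27.069Z</wsu:Created>
<wsu:Expires>2009-10-19T16:42:27.069Z</wsu:Expires>
</wsu:Timestamp>""" % WSU_NS


def _parse_utc(text):
    """Parse a UTC xsd:dateTime ('Z' suffix), with or without fractional seconds."""
    text = text.strip()
    if not text.endswith("Z"):
        raise ValueError("expected UTC xsd:dateTime ending in 'Z': %r" % text)
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in text else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)


def timestamp_lifetime_seconds(xml_text):
    """Return Expires - Created in seconds for the first wsu:Timestamp found."""
    # Meant for messages captured from your own service; for untrusted XML
    # use a hardened parser (for example defusedxml) instead of ElementTree.
    root = ET.fromstring(xml_text)
    ts = next(root.iter("{%s}Timestamp" % WSU_NS), None)
    if ts is None:
        raise ValueError("no wsu:Timestamp element found")
    created = ts.findtext("{%s}Created" % WSU_NS)
    expires = ts.findtext("{%s}Expires" % WSU_NS)
    if created is None or expires is None:
        raise ValueError("wsu:Timestamp lacks Created or Expires")
    return (_parse_utc(expires) - _parse_utc(created)).total_seconds()


def check_lifetime(xml_text, configured_ttl, tolerance=1.0):
    """Return (ok, actual); ok is True when the emitted lifetime matches the config."""
    actual = timestamp_lifetime_seconds(xml_text)
    return abs(actual - configured_ttl) <= tolerance, actual


if __name__ == "__main__":
    # configured_ttl=60 is an assumed setting, used only for illustration.
    ok, actual = check_lifetime(SAMPLE, configured_ttl=60)
    print("lifetime=%ss matches_config=%s" % (actual, ok))
```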



 Comments   
Comment by Paul Dotsenko [ 19/Oct/09 ]

Proposed fix patch file.

Comment by Tareq Abedrabbo [ 28/Dec/09 ]

The timeToLive property works only on incoming messages. I added a setSecurementTimeToLive that should be what you need. I also added a setValidationTimeToLive for consistency - it has the same effect as setTimeToLive - and deprecated setTimeToLive. Hope this works for you.

Comment by Paul Dotsenko [ 28/Dec/09 ]

Thanks Tareq, this works for me.

Comment by Arjen Poutsma [ 04/May/12 ]

Closing old issues
