[SWS-577] Wss4jSecurityInterceptor ignores Timestamp timeToLive property when creating Timestamp element
Created: 19/Oct/09  Updated: 04/May/12  Resolved: 28/Dec/09

Status: Closed
Project: Spring Web Services
Component/s: Security
Affects Version/s: 1.5.8
Fix Version/s: 1.5.9

Type: Improvement Priority: Major
Reporter: Paul Dotsenko Assignee: Tareq Abedrabbo
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Spring-ws 1.5.8, spring 2.5.6, Wss4jSecurityInterceptor, wss4j 1.5.8, AxiomSoapMessageFactory (payloadCaching = true)

Attachments: Text File Wss4jSecurityInterceptor.java.patch    


When securing a SOAP message with a secure timestamp element, Wss4jSecurityInterceptor does not take into account the timeToLive property specified in configuration, always defaulting to a timeToLive value of 5 minutes (300 sec), which is the difference between the Created and Expires element values:

<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-4">

The difference between the Created and Expires values should reflect the timeToLive number of seconds specified as a config property of Wss4jSecurityInterceptor.

A fix that worked for me was to add "requestData.setTimeToLive(timeToLive);" to Wss4jSecurityInterceptor.initializeRequestData(MessageContext messageContext) method:

private RequestData initializeRequestData(MessageContext messageContext) {
    RequestData requestData = new RequestData();

    // set timeToLive from property
    requestData.setTimeToLive(timeToLive);

    // reads securementUsername first from the context then from the
    // property
    String contextUsername = (String) messageContext.getProperty(SECUREMENT_USER_PROPERTY_NAME);
    if (StringUtils.hasLength(contextUsername)) {
        requestData.setUsername(contextUsername);
    } else {
        requestData.setUsername(securementUsername);
    }

    return requestData;
}

I will attach a patch file as well.

Comment by Paul Dotsenko [ 19/Oct/09 ]

Proposed fix patch file.

Comment by Tareq Abedrabbo [ 28/Dec/09 ]

The timeToLive property works only on incoming messages. I added a setSecurementTimeToLive that should be what you need. I also added a setValidationTimeToLive for consistency - it has the same effect as setTimeToLive - and deprecated setTimeToLive. Hope this works for you.
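
Added example (not part of the issue, the attached patch, or Spring-WS): a Python check that reads the wsu:Timestamp from an outbound SOAP envelope and compares Expires minus Created with the time-to-live configured for securement. The envelope, its dates and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")

# Constructed sample envelope (not captured traffic); only the header matters.
ENVELOPE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
 <soapenv:Header>
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
   <wsu:Timestamp xmlns:wsu="{wsu}" wsu:Id="Timestamp-4">
    <wsu:Created>{created}</wsu:Created>
    <wsu:Expires>{expires}</wsu:Expires>
   </wsu:Timestamp>
  </wsse:Security>
 </soapenv:Header>
 <soapenv:Body/>
</soapenv:Envelope>"""

def make_envelope(created, expires):
    """Build a constructed test envelope with the given timestamp values."""
    return ENVELOPE.format(wsu=WSU, created=created, expires=expires)

def _parse_utc(text):
    """Parse a UTC xsd:dateTime such as 2009-10-19T14:00:00.000Z."""
    text = text.strip()
    if not text.endswith("Z"):
        raise ValueError("expected a UTC timestamp ending in Z: %r" % text)
    body = text[:-1]
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in body else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)

def timestamp_ttl_seconds(envelope_xml):
    """Return Expires - Created, in whole seconds, of the first wsu:Timestamp."""
    # For untrusted captures, parse with a hardened parser such as defusedxml.
    root = ET.fromstring(envelope_xml)
    ts = root.find(".//{%s}Timestamp" % WSU)
    if ts is None:
        raise ValueError("no wsu:Timestamp in message")
    created = ts.findtext("{%s}Created" % WSU)
    expires = ts.findtext("{%s}Expires" % WSU)
    if created is None or expires is None:
        raise ValueError("wsu:Timestamp lacks Created or Expires")
    return int((_parse_utc(expires) - _parse_utc(created)).total_seconds())

def check_ttl(envelope_xml, configured_ttl):
    """Return (matches, actual_ttl) for the configured securement TTL."""
    actual = timestamp_ttl_seconds(envelope_xml)
    return actual == configured_ttl, actual
```

With a configured value of 60 seconds, a message carrying the 300-second default described in the report fails the check, and one stamped with a 60-second window passes.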

Comment by Paul Dotsenko [ 28/Dec/09 ]

Thanks Tareq, this works for me.

Comment by Arjen Poutsma [ 04/May/12 ]

Closing old issues

Generated at Sun Oct 20 18:57:00 UTC 2019 using Jira 7.13.8#713008-sha1:1606a5c1e7006e1ab135aac81f7a9566b2dbc3a6.