Timestamp validation in ws-security
-----------------------------------

                 Key: CXF-3208
                 URL: https://issues.apache.org/jira/browse/CXF-3208
             Project: CXF
          Issue Type: Bug
          Components: WS-* Components
    Affects Versions: 2.3.1
         Environment: Windows XP running Glassfish 2.1 server. Running a simple web service with ws-timestamp set. Using SOAPUI 3.6.1 to create SOAP request messages to validate with the Glassfish 2.1 server using CXF 2.3.1.
            Reporter: David Morris
Validation issues during testing:

The timestamp in ws-security can be future dated and will be accepted as valid in a SOAP response message. The creation date can be greater than the expiration date and be accepted as valid in a SOAP response message. This is important to resolve replay attacks and a security loophole that can be exploited.

Examples of SOAP request messages that return SOAP response messages as valid when in fact they should throw a SOAP fault:

Future dated timestamp, not using the server time to check:

SOAP Request:

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1">
      <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-1">
        <wsu:Created>2011-12-20T17:56:50.444Z</wsu:Created>
        <wsu:Expires>2011-12-20T18:35:50.444Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <ns2:processOrder xmlns:ns2="http://order.security.ri.hin.hhs.gov/">
      <arg0>
        <customerID>C001</customerID>
        <itemID>I001</itemID>
        <price>200.0</price>
        <qty>100</qty>
      </arg0>
    </ns2:processOrder>
  </soap:Body>
</soap:Envelope>

SOAP Response:

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ns2:processOrderResponse xmlns:ns2="http://order.security.ri.hin.hhs.gov/">
      <return>ORD1234</return>
    </ns2:processOrderResponse>
  </soap:Body>
</soap:Envelope>

Timestamp where the creation time is greater than the expiration time:

SOAP Request:

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1">
      <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-1">
        <wsu:Created>2011-12-20T17:56:50.444Z</wsu:Created>
        <wsu:Expires>2010-12-20T18:35:50.444Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <ns2:processOrder xmlns:ns2="http://order.security.ri.hin.hhs.gov/">
      <arg0>
        <customerID>C001</customerID>
        <itemID>I001</itemID>
        <price>200.0</price>
        <qty>100</qty>
      </arg0>
    </ns2:processOrder>
  </soap:Body>
</soap:Envelope>

SOAP Response:

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ns2:processOrderResponse xmlns:ns2="http://order.security.ri.hin.hhs.gov/">
      <return>ORD1234</return>
    </ns2:processOrderResponse>
  </soap:Body>
</soap:Envelope>

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
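The checks the report says are missing, written out as an added example (not CXF or WSS4J code): a receiver-side validator for the wsu:Timestamp element that rejects a Created value ahead of the server clock, a Created later than Expires, an Expires already in the past, and a Created older than a replay window. The envelopes are constructed to match the two requests in the report; the server clock is passed in explicitly so the same message can be shown failing or passing depending on the receiver's time, which is the point of the first example. The 300 s time-to-live and 60 s future-skew tolerance are assumed values, not CXF defaults.

```python
"""Receiver-side validation of a WS-Security <wsu:Timestamp>.

Added example; it is not the CXF/WSS4J implementation. Checks, in order:
  1. Created must not be later than the receiver's clock (plus skew tolerance)
  2. Created must not be later than Expires
  3. Expires must not be earlier than the receiver's clock
  4. Created must not be older than a replay window (time-to-live)
"""
import datetime as dt
import re
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# xsd:dateTime with optional fraction and optional zone ("Z" or +HH:MM)
_DT = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.(\d{1,9}))?(Z|[+-]\d{2}:\d{2})?$"
)


def parse_xsd_datetime(text):
    """Parse xsd:dateTime into an aware UTC datetime; a missing zone is treated as UTC."""
    m = _DT.match(text.strip())
    if not m:
        raise ValueError("malformed xsd:dateTime: %r" % text)
    y, mo, d, h, mi, s, frac, tz = m.groups()
    micro = int((frac or "0").ljust(6, "0")[:6])
    local = dt.datetime(int(y), int(mo), int(d), int(h), int(mi), int(s), micro,
                        tzinfo=dt.timezone.utc)
    if tz is None or tz == "Z":
        return local
    sign = 1 if tz[0] == "+" else -1
    offset = sign * dt.timedelta(hours=int(tz[1:3]), minutes=int(tz[4:6]))
    return local - offset  # local wall time minus its offset is UTC


def validate_timestamp(envelope_xml, now, ttl_seconds=300, future_skew_seconds=60):
    """Return (ok, reason) for the wsu:Timestamp in a SOAP envelope.

    now               -- the receiver's own clock (aware UTC datetime); never the sender's
    ttl_seconds       -- how old a Created may be before the message is treated as a replay (assumed)
    future_skew_seconds -- tolerance for sender clock drift ahead of the receiver (assumed)
    """
    root = ET.fromstring(envelope_xml)
    ts = root.find(".//{%s}Security/{%s}Timestamp" % (WSSE, WSU))
    if ts is None:
        return False, "no wsu:Timestamp in wsse:Security header"
    created_el = ts.find("{%s}Created" % WSU)
    expires_el = ts.find("{%s}Expires" % WSU)
    if created_el is None or not created_el.text:
        return False, "wsu:Created missing"
    created = parse_xsd_datetime(created_el.text)
    expires = parse_xsd_datetime(expires_el.text) if expires_el is not None else None

    if created > now + dt.timedelta(seconds=future_skew_seconds):
        return False, "Created is in the future"
    if expires is not None and expires < created:
        return False, "Created is later than Expires"
    if expires is not None and expires < now:
        return False, "timestamp has expired"
    if now - created > dt.timedelta(seconds=ttl_seconds):
        return False, "Created is too old (replay window exceeded)"
    return True, "ok"


def build_envelope(created, expires):
    """Constructed request with the same shape as the ones in the report."""
    return (
        '<soap:Envelope xmlns:soap="%s"><soap:Header>'
        '<wsse:Security xmlns:wsse="%s" soap:mustUnderstand="1">'
        '<wsu:Timestamp xmlns:wsu="%s" wsu:Id="Timestamp-1">'
        '<wsu:Created>%s</wsu:Created><wsu:Expires>%s</wsu:Expires>'
        '</wsu:Timestamp></wsse:Security></soap:Header>'
        '<soap:Body><ns2:processOrder xmlns:ns2="http://order.security.ri.hin.hhs.gov/">'
        '<arg0><customerID>C001</customerID><itemID>I001</itemID>'
        '<price>200.0</price><qty>100</qty></arg0></ns2:processOrder></soap:Body>'
        '</soap:Envelope>' % (SOAP, WSSE, WSU, created, expires)
    )


# The two requests from the report (constructed copies).
FUTURE_DATED = build_envelope("2011-12-20T17:56:50.444Z", "2011-12-20T18:35:50.444Z")
REVERSED = build_envelope("2011-12-20T17:56:50.444Z", "2010-12-20T18:35:50.444Z")

# Assumed receiver clocks: one before the Created value, one ten seconds after it.
EARLY_CLOCK = dt.datetime(2011, 12, 20, 17, 0, 0, tzinfo=dt.timezone.utc)
LATER_CLOCK = dt.datetime(2011, 12, 20, 17, 57, 0, tzinfo=dt.timezone.utc)

if __name__ == "__main__":
    for name, env, clock in (("future-dated", FUTURE_DATED, EARLY_CLOCK),
                             ("same message, later clock", FUTURE_DATED, LATER_CLOCK),
                             ("created > expires", REVERSED, LATER_CLOCK)):
        print(name, validate_timestamp(env, clock))
```

Checking the order matters: the reversed-interval case is reported before expiry, because an Expires in the past is the symptom and Created exceeding Expires is the malformed input; a receiver that only checks expiry would still accept a Created far in the future with a far-future Expires, which is the first case in the report.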