This is an automated email from the ASF dual-hosted git repository.

robertlazarski pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/axis-axis2-java-rampart.git

commit fef676d1be0faff901b4a659eb8d177bb5f1a6aa
Author: Robert Lazarski <robertlazar...@gmail.com>
AuthorDate: Tue Nov 5 15:03:03 2024 -1000

    RAMPART-420 Allow WS-Security timestamps to be spoofed and BSP checking 
disabled
---
 .../org/apache/rampart/RampartMessageData.java     | 117 +++++++++++++++------
 .../policy/builders/RampartConfigBuilder.java      |   6 --
 .../apache/rampart/policy/model/RampartConfig.java | 104 ++++++++++++------
 .../rampart/policy/builders/kerberosConfig.policy  |   4 +-
 .../main/java/org/apache/rahas/RahasConstants.java |   5 +-
 .../java/org/apache/rahas/client/STSClient.java    |  12 +++
 6 files changed, 175 insertions(+), 73 deletions(-)

diff --git 
a/modules/rampart-core/src/main/java/org/apache/rampart/RampartMessageData.java 
b/modules/rampart-core/src/main/java/org/apache/rampart/RampartMessageData.java
index b19c654d..713ddf87 100644
--- 
a/modules/rampart-core/src/main/java/org/apache/rampart/RampartMessageData.java
+++ 
b/modules/rampart-core/src/main/java/org/apache/rampart/RampartMessageData.java
@@ -52,6 +52,7 @@ import org.apache.wss4j.dom.engine.WSSConfig;
 import org.apache.wss4j.common.derivedKey.ConversationConstants;
 import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.common.util.Loader;
+import org.apache.wss4j.common.util.WSTimeSource;
 import org.apache.wss4j.dom.handler.WSHandlerConstants;
 import org.apache.wss4j.dom.handler.WSHandlerResult;
 import org.apache.wss4j.dom.message.WSSecHeader;
@@ -106,6 +107,37 @@ public class RampartMessageData {
     
     public final static String PARAM_CLIENT_SIDE = "CLIENT_SIDE";
 
+    /**
+     * Key to hold the WSTimeSource
+     */
+    public final static String CUSTOM_WS_TIME_SOURCE = "wsTimeSource";
+
+    /**
+     * Key to hold the BSP compliance
+     */
+    public static final String DISABLE_BSP_ENFORCEMENT = 
"disableBSPEnforcement";
+
+    public static final String TIMESTAMP_STRICT = "timestampStrict";
+
+    public static final String TIMESTAMP_PRECISION_IN_MS = 
"timestampPrecisionInMs";
+
+    public final static String ALLOW_USERNAME_TOKEN_NO_PASSWORD = 
"allowUsernameTokenNoPassword";
+
+    public final static String TIMESTAMP_FUTURE_TTL = "timeStampFutureTTL";
+
+    public final static String UT_TTL = "utTTL";
+
+    public final static String UT_FUTURE_TTL = "utFutureTTL";
+
+    public final static String HANDLE_CUSTOM_PASSWORD_TYPES = 
"handleCustomPasswordTypes";
+
+    public final static String ALLOW_NAMESPACE_QUALIFIED_PASSWORDTYPES = 
"allowNamespaceQualifiedPasswordTypes";
+    public final static String ENCODE_PASSWORDS = "encodePasswords";
+
+    public final static String VALIDATE_SAML_SUBJECT_CONFIRMATION = 
"validateSamlSubjectConfirmation";
+
+    public final static String ALLOW_RSA15_KEY_TRANSPORT_ALGORITHM = 
"allowRSA15KeyTransportAlgorithm";
+
     /**
      * Key to hold the WS-SecConv version
      */
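Review bot: `TIMESTAMP_FUTURE_TTL` is declared here as `"timeStampFutureTTL"`, while this same commit renames `RampartConfig.TIMESTAMP_FUTURE_TTL_LN` and `RahasConstants.TIMESTAMP_FUTURE_TTL` to `"timestampFutureTTL"`, so the MessageContext key, the policy element and the STS client option no longer share one spelling. A caller who sets the lower-case key on the MessageContext gets no override and no error, and a policy file that still uses the old element name presumably falls back to the default of 60 without a warning. I would align the value, `public final static String TIMESTAMP_FUTURE_TTL = "timestampFutureTTL";`, and call out the rename in the release notes. `ENCODE_PASSWORDS` and `VALIDATE_SAML_SUBJECT_CONFIRMATION` are declared but not read by the override block later in this file, and most of the new keys have no Javadoc stating the expected value type (`Boolean` or `Integer`).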
@@ -183,6 +215,12 @@ public class RampartMessageData {
             //Update the UsernameToken validator
             this.config.setValidator(WSConstants.USERNAME_TOKEN, 
RampartUsernameTokenValidator.class);
             
+           // set the Time Source
+            WSTimeSource wsTimeSource = 
(WSTimeSource)msgCtx.getProperty(CUSTOM_WS_TIME_SOURCE);
+            if (wsTimeSource != null) {
+                this.config.setCurrentTime(wsTimeSource);
+            }
+
             // First obtain the axis service as we have to do a null check, 
there can be situations 
             // where Axis Service is null
             AxisService axisService = msgCtx.getAxisService();            
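Review bot: The cast `(WSTimeSource)msgCtx.getProperty(CUSTOM_WS_TIME_SOURCE)` is unchecked, so any other value type throws ClassCastException, and the only catch visible for this block is for AxisFault. A guarded form avoids that: `Object ts = msgCtx.getProperty(CUSTOM_WS_TIME_SOURCE); if (ts instanceof WSTimeSource) { this.config.setCurrentTime((WSTimeSource) ts); }`. Once a custom source is installed, the timestamp freshness and expiry checks made through this WSSConfig trust that clock instead of the system one, so the key's Javadoc should say who is expected to set it and for what purpose. A WARN log when a custom source is active would make the condition visible in operations. Axis2 can resolve MessageContext properties through parent contexts, so it is worth confirming that nothing derived from an incoming message can populate this key; the enclosing method starts and ends outside this hunk.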
@@ -352,42 +390,58 @@ public class RampartMessageData {
                 }
             }
 
-            RequestData requestData = new RequestData();
             // Check whether RampartConfig is present
             if (this.policyData != null && this.policyData.getRampartConfig() 
!= null) {
 
-                boolean timestampPrecisionInMilliseconds = this.policyData
-                        .getRampartConfig().isDefaultTimestampPrecisionInMs();
-                boolean timestampStrict = 
this.policyData.getRampartConfig().isTimeStampStrict();
-
                // set some vars on WSS4J class RequestData via RamparConfig as 
desired in 
                // Jira issues RAMPART-205, RAMPART-361, RAMPART-432, 
RAMPART-435
-                boolean disableBSPEnforcement = 
this.policyData.getRampartConfig().isDisableBSPEnforcement();
-                boolean handleCustomPasswordTypes = 
this.policyData.getRampartConfig().isHandleCustomPasswordTypes();
-                boolean allowNamespaceQualifiedPasswordTypes = 
this.policyData.getRampartConfig().isAllowNamespaceQualifiedPasswordTypes();
-                boolean allowUsernameTokenNoPassword = 
this.policyData.getRampartConfig().isAllowUsernameTokenNoPassword();
-                boolean allowRSA15KeyTransportAlgorithm = 
this.policyData.getRampartConfig().isAllowRSA15KeyTransportAlgorithm();
-                int timeStampFutureTTL = 
this.policyData.getRampartConfig().getTimeStampFutureTTL();
-                int utTTL = this.policyData.getRampartConfig().getUtTTL();
-                int utFutureTTL = 
this.policyData.getRampartConfig().getUtFutureTTL();
-
-                // We do not need earlier logic as now WSS4J returns a new 
instance of WSSConfig, rather
-                // than a singleton instance. Therefore modifying logic as 
follows,
-                requestData.setTimeStampStrict(timestampStrict);
-                
requestData.setPrecisionInMilliSeconds(timestampPrecisionInMilliseconds);
+               // The precedence is MessageContext wins
+
+                Boolean timestampPrecisionInMsInput = 
(Boolean)msgCtx.getProperty(TIMESTAMP_PRECISION_IN_MS);
+                if (timestampPrecisionInMsInput != null) {
+                    
this.policyData.getRampartConfig().setDefaultTimestampPrecisionInMs(timestampPrecisionInMsInput);
+                }
+
+                Boolean timestampStrictInput = 
(Boolean)msgCtx.getProperty(TIMESTAMP_STRICT);
+                if (timestampStrictInput != null) {
+                    
this.policyData.getRampartConfig().setTimeStampStrict(timestampStrictInput);
+                }
+
                // 1.8.0 and later
-                requestData.setDisableBSPEnforcement(disableBSPEnforcement);
-                
requestData.setHandleCustomPasswordTypes(handleCustomPasswordTypes);
-                
requestData.setAllowNamespaceQualifiedPasswordTypes(allowNamespaceQualifiedPasswordTypes);
-                
requestData.setAllowUsernameTokenNoPassword(allowUsernameTokenNoPassword);
-                requestData.setTimeStampFutureTTL(timeStampFutureTTL);
-                requestData.setUtTTL(utTTL);
-                requestData.setUtFutureTTL(utFutureTTL);
-                
requestData.setAllowRSA15KeyTransportAlgorithm(allowRSA15KeyTransportAlgorithm);
 // backward compatibility as true
-            } else {
-                // To handle scenarios where password type is not set by 
default.
-                requestData.setHandleCustomPasswordTypes(true);
-           }
+                Boolean disableBSPEnforcementInput = 
(Boolean)msgCtx.getProperty(DISABLE_BSP_ENFORCEMENT);
+                if (disableBSPEnforcementInput != null) {
+                    
this.policyData.getRampartConfig().setDisableBSPEnforcement(disableBSPEnforcementInput);
+                }
+                Boolean handleCustomPasswordTypesInput = 
(Boolean)msgCtx.getProperty(HANDLE_CUSTOM_PASSWORD_TYPES);
+                if (handleCustomPasswordTypesInput != null) {
+                    
this.policyData.getRampartConfig().setHandleCustomPasswordTypes(handleCustomPasswordTypesInput);
+                }
+                Boolean allowNamespaceQualifiedPasswordTypesInput = 
(Boolean)msgCtx.getProperty(ALLOW_NAMESPACE_QUALIFIED_PASSWORDTYPES);
+                if (allowNamespaceQualifiedPasswordTypesInput != null) {
+                    
this.policyData.getRampartConfig().setAllowNamespaceQualifiedPasswordTypes(allowNamespaceQualifiedPasswordTypesInput);
+                }
+                Boolean allowUsernameTokenNoPasswordInput = 
(Boolean)msgCtx.getProperty(ALLOW_USERNAME_TOKEN_NO_PASSWORD);
+                if (allowUsernameTokenNoPasswordInput != null) {
+                    
this.policyData.getRampartConfig().setAllowUsernameTokenNoPassword(allowUsernameTokenNoPasswordInput);
+                }
+                Boolean allowRSA15KeyTransportAlgorithmInput = 
(Boolean)msgCtx.getProperty(ALLOW_RSA15_KEY_TRANSPORT_ALGORITHM);
+                if (allowRSA15KeyTransportAlgorithmInput != null) {
+                    
this.policyData.getRampartConfig().setAllowRSA15KeyTransportAlgorithm(allowRSA15KeyTransportAlgorithmInput);
+                }
+                Integer timeStampFutureTTLInput = 
(Integer)msgCtx.getProperty(TIMESTAMP_FUTURE_TTL);
+                if (timeStampFutureTTLInput != null) {
+                    
this.policyData.getRampartConfig().setTimeStampFutureTTL(timeStampFutureTTLInput);
+                }
+                Integer utTTLInput = (Integer)msgCtx.getProperty(UT_TTL);
+                if (utTTLInput != null) {
+                    this.policyData.getRampartConfig().setUtTTL(utTTLInput);
+                }
+                Integer utFutureTTLInput = 
(Integer)msgCtx.getProperty(UT_FUTURE_TTL);
+                if (utFutureTTLInput != null) {
+                    
this.policyData.getRampartConfig().setUtFutureTTL(utFutureTTLInput);
+                }
+
+            } 
 
             if (axisService != null) { 
                 this.customClassLoader = axisService.getClassLoader(); 
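Review bot: Each override is written into `this.policyData.getRampartConfig()` rather than kept as a per-message value, so if that RampartConfig instance is shared with the service policy (not visible here, please confirm), one message that sets `disableBSPEnforcement`, `allowUsernameTokenNoPassword` or `allowRSA15KeyTransportAlgorithm` relaxes the check for every later message as well. The casts are also unchecked: `STSClient` in this commit reads the equally named options as `String`, so a caller passing `"true"` here gets a ClassCastException, which `Object v = msgCtx.getProperty(DISABLE_BSP_ENFORCEMENT); if (v instanceof Boolean) { ... }` would avoid. With `requestData` removed, the old `else` branch that called `setHandleCustomPasswordTypes(true)` when no RampartConfig is present is gone, and none of the overrides apply in that case; both changes deserve a comment and a test. A WARN log whenever a relaxing override is applied would let operators see that a message ran with reduced checks. The enclosing method extends beyond this hunk.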
@@ -397,9 +451,6 @@ public class RampartMessageData {
                 this.secHeader = new WSSecHeader(this.document);
                 secHeader.insertSecurityHeader();
             }
-
-            //WSSecurityEngine secEngine = new WSSecurityEngine();
-            //secEngine.processSecurityHeader(this.document, requestData);
             
         } catch (AxisFault e) {
             throw new RampartException("errorInExtractingMsgProps", e);
diff --git 
a/modules/rampart-core/src/main/java/org/apache/rampart/policy/builders/RampartConfigBuilder.java
 
b/modules/rampart-core/src/main/java/org/apache/rampart/policy/builders/RampartConfigBuilder.java
index d2dac421..016ab4a8 100644
--- 
a/modules/rampart-core/src/main/java/org/apache/rampart/policy/builders/RampartConfigBuilder.java
+++ 
b/modules/rampart-core/src/main/java/org/apache/rampart/policy/builders/RampartConfigBuilder.java
@@ -127,12 +127,6 @@ public class RampartConfigBuilder implements 
AssertionBuilder<OMElement> {
                     .build(childElement.getFirstElement()));
         }
 
-        childElement = element.getFirstChildWithName(new QName(
-                RampartConfig.NS, RampartConfig.TS_PRECISION_IN_MS_LN));
-        if (childElement != null) {
-            
rampartConfig.setTimestampPrecisionInMilliseconds(childElement.getText().trim());
-        }
-        
         childElement = element.getFirstChildWithName(new QName(
                 RampartConfig.NS, RampartConfig.TS_TTL_LN));
         if (childElement != null) {
diff --git 
a/modules/rampart-core/src/main/java/org/apache/rampart/policy/model/RampartConfig.java
 
b/modules/rampart-core/src/main/java/org/apache/rampart/policy/model/RampartConfig.java
index 63cfec50..7f2ed3b5 100644
--- 
a/modules/rampart-core/src/main/java/org/apache/rampart/policy/model/RampartConfig.java
+++ 
b/modules/rampart-core/src/main/java/org/apache/rampart/policy/model/RampartConfig.java
@@ -35,7 +35,7 @@ import javax.xml.stream.XMLStreamWriter;
  *  &lt;ramp:encryptionUser&gt;bob&lt;/ramp:encryptionUser&gt;
  *  
&lt;ramp:passwordCallbackClass&gt;org.apache.axis2.security.PWCallback&lt;/ramp:passwordCallbackClass&gt;
  *  
&lt;ramp:policyValidatorCbClass&gt;org.apache.axis2.security.ramp:PolicyValidatorCallbackHandler&lt;/ramp:policyValidatorCbClass&gt;
- *  
&lt;ramp:timestampPrecisionInMilliseconds&gt;true&lt;/timestampPrecisionInMilliseconds&gt;
+ *  &lt;ramp:timestampPrecisionInMs&gt;true&lt;/timestampPrecisionInMs&gt;
  *  &lt;ramp:timestampTTL&gt;300&lt;/ramp:timestampTTL&gt;
  *  &lt;ramp:timestampMaxSkew&gt;0&lt;/ramp:timestampMaxSkew&gt;
  *  
&lt;ramp:tokenStoreClass&gt;org.apache.rahas.StorageImpl&lt;/ramp:tokenStoreClass&gt;
@@ -99,8 +99,6 @@ public class RampartConfig implements Assertion {
     
     public final static String STS_CRYPTO_LN = "stsCrypto";
 
-    public final static String TS_PRECISION_IN_MS_LN = 
"timestampPrecisionInMilliseconds";
-    
     public final static String TS_TTL_LN = "timestampTTL";
 
     public final static String TS_MAX_SKEW_LN = "timestampMaxSkew";
@@ -109,6 +107,8 @@ public class RampartConfig implements Assertion {
 
     public final static String TIMESTAMP_STRICT_LN = "timestampStrict";
 
+    public final static String TIMESTAMP_PRECISION_IN_MS_LN = 
"timestampPrecisionInMs";
+
     public final static String NONCE_LIFE_TIME = "nonceLifeTime";
     
     public final static String OPTIMISE_PARTS = "optimizeParts";
@@ -122,7 +122,7 @@ public class RampartConfig implements Assertion {
 
     public final static String ALLOW_USERNAME_TOKEN_NO_PASSWORD_LN = 
"allowUsernameTokenNoPassword";
 
-    public final static String TIMESTAMP_FUTURE_TTL_LN = "timeStampFutureTTL";
+    public final static String TIMESTAMP_FUTURE_TTL_LN = "timestampFutureTTL";
 
     public final static String UT_TTL_LN = "utTTL";
 
@@ -159,7 +159,8 @@ public class RampartConfig implements Assertion {
     
     private CryptoConfig stsCryptoConfig;
 
-    private String timestampPrecisionInMilliseconds = 
Boolean.toString(DEFAULT_TIMESTAMP_PRECISION_IN_MS);
+    private String timestampPrecisionInMs = 
Boolean.toString(DEFAULT_TIMESTAMP_PRECISION_IN_MS);
+
     private boolean isTimestampPrecisionInMs = 
DEFAULT_TIMESTAMP_PRECISION_IN_MS;
     
     private String timestampTTL = Integer.toString(DEFAULT_TIMESTAMP_TTL);
@@ -184,15 +185,15 @@ public class RampartConfig implements Assertion {
         this.kerberosConfig = kerberosConfig;
     }
     
-    /*To set timeStampStrict in WSS4J RequestData through rampartConfig - 
default value is false*/
-    private boolean timeStampStrict = false;
+    /*To set timestampStrict in WSS4J RequestData through rampartConfig - 
default value is false*/
+    private boolean timestampStrict = false;
 
     /* As of 1.8.0, the following params can also be overridden to set on 
RequestData */
     private boolean disableBSPEnforcement = false;
 
     private boolean allowUsernameTokenNoPassword = false;
 
-    private int timeStampFutureTTL = 60;
+    private int timestampFutureTTL = 60;
 
     private int utTTL = 300;
 
@@ -390,8 +391,8 @@ public class RampartConfig implements Assertion {
             writer.writeEndElement();
         }
 
-        writer.writeStartElement(NS, TS_PRECISION_IN_MS_LN);
-        
writer.writeCharacters(Boolean.toString(isDefaultTimestampPrecisionInMs()));
+        writer.writeStartElement(NS, TIMESTAMP_PRECISION_IN_MS_LN);
+        writer.writeCharacters(Boolean.toString(isTimestampPrecisionInMs()));
         writer.writeEndElement();
 
         if (getTimestampTTL() != null) {
@@ -505,28 +506,25 @@ public class RampartConfig implements Assertion {
         return Constants.TYPE_ASSERTION;
     }
 
-    /**
-     * @deprecated  As of version 1.7.0, replaced by 
isDefaultTimestampPrecisionInMs
-     * @see #isDefaultTimestampPrecisionInMs()
-     * @return Returns "true" or "false".
-     */
-    @Deprecated
-    public String getTimestampPrecisionInMilliseconds() {
-       return timestampPrecisionInMilliseconds;
+    public boolean isTimestampPrecisionInMs() {
+       return this.isTimestampPrecisionInMs;
     }
-
+    
     public boolean isDefaultTimestampPrecisionInMs() {
        return this.isTimestampPrecisionInMs;
     }
-    
-    public void setTimestampPrecisionInMilliseconds(String 
timestampPrecisionInMilliseconds) {
 
-        if (timestampPrecisionInMilliseconds != null) {
-            this.timestampPrecisionInMilliseconds = 
timestampPrecisionInMilliseconds;
-            this.isTimestampPrecisionInMs = 
Boolean.valueOf(timestampPrecisionInMilliseconds);
+    public void setTimestampPrecisionInMs(String timestampPrecisionInMs) {
+
+        if (timestampPrecisionInMs != null) {
+            this.isTimestampPrecisionInMs = 
Boolean.valueOf(timestampPrecisionInMs);
         }
     }
-    
+
+    public void setDefaultTimestampPrecisionInMs(boolean 
isTimestampPrecisionInMs) {
+       this.isTimestampPrecisionInMs = isTimestampPrecisionInMs;
+    }
+
     /**
      * @return Returns the timestampTTL.
      */
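Review bot: `setTimestampPrecisionInMs(String)` has no caller in this commit: the RampartConfigBuilder section only deletes the parsing of the old element, and nothing visible parses `TIMESTAMP_PRECISION_IN_MS_LN`, so a `ramp:timestampPrecisionInMs` element in a policy appears to be ignored and the default stays in force. If that is unintended, the builder needs the equivalent of the removed block with the new constant, `childElement = element.getFirstChildWithName(new QName(RampartConfig.NS, RampartConfig.TIMESTAMP_PRECISION_IN_MS_LN));` followed by the null check and `rampartConfig.setTimestampPrecisionInMs(childElement.getText().trim());`. The setter also no longer assigns the `String` field `timestampPrecisionInMs`, which is now dead, and `isTimestampPrecisionInMs()` duplicates `isDefaultTimestampPrecisionInMs()`; one should delegate to the other and carry `@Deprecated`. Removing the public `getTimestampPrecisionInMilliseconds()` and `setTimestampPrecisionInMilliseconds(String)` is a source-incompatible change that belongs in the release notes.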
@@ -582,13 +580,17 @@ public class RampartConfig implements Assertion {
     }
 
     public boolean isTimeStampStrict() {
-        return timeStampStrict;
+        return timestampStrict;
     }
 
-    public void setTimeStampStrict(String timeStampStrict) {
-        this.timeStampStrict = Boolean.valueOf(timeStampStrict);
+    public void setTimeStampStrict(String timestampStrict) {
+        this.timestampStrict = Boolean.valueOf(timestampStrict);
     }
     
+    public void setTimeStampStrict(boolean timestampStrict) {
+        this.timestampStrict = timestampStrict;
+    }
+
     // The vars below are 1.8.0 and after 
 
     public boolean isDisableBSPEnforcement() {
@@ -599,6 +601,10 @@ public class RampartConfig implements Assertion {
         this.disableBSPEnforcement = Boolean.valueOf(disableBSPEnforcement);
     }
 
+    public void setDisableBSPEnforcement(boolean disableBSPEnforcement) {
+        this.disableBSPEnforcement = disableBSPEnforcement;
+    }
+
     public boolean isAllowUsernameTokenNoPassword() {
         return allowUsernameTokenNoPassword;
     }
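Review bot: The new `setDisableBSPEnforcement(boolean)` has no Javadoc, and neither do the boolean and int overloads added here and in the following hunks (`setTimeStampStrict`, `setAllowUsernameTokenNoPassword`, `setAllowRSA15KeyTransportAlgorithm`, `setHandleCustomPasswordTypes`, `setValidateSamlSubjectConfirmation`, `setEncodePasswords` and the three TTL setters). At least `disableBSPEnforcement` and `allowUsernameTokenNoPassword` default to false in this class and turn a validation off when set, so each setter should state the default and the effect, for example `/** Disables WS-I Basic Security Profile checks for this configuration; default is false (checks enforced). */`. The int TTL setters accept any value, including negatives; the Javadoc should say which range is meaningful, or the setter should reject out-of-range input with IllegalArgumentException.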
@@ -607,12 +613,20 @@ public class RampartConfig implements Assertion {
         this.allowUsernameTokenNoPassword = 
Boolean.valueOf(allowUsernameTokenNoPassword);
     }
 
+    public void setAllowUsernameTokenNoPassword(boolean 
allowUsernameTokenNoPassword) {
+        this.allowUsernameTokenNoPassword = allowUsernameTokenNoPassword;
+    }
+
     public int getTimeStampFutureTTL() {
-        return timeStampFutureTTL;
+        return timestampFutureTTL;
     }
 
-    public void setTimeStampFutureTTL(String timeStampFutureTTL) {
-        this.timeStampFutureTTL = Integer.valueOf(timeStampFutureTTL);
+    public void setTimeStampFutureTTL(String timestampFutureTTL) {
+        this.timestampFutureTTL = Integer.valueOf(timestampFutureTTL);
+    }
+
+    public void setTimeStampFutureTTL(int timestampFutureTTL) {
+        this.timestampFutureTTL = timestampFutureTTL;
     }
 
     public int getUtTTL() {
@@ -623,6 +637,10 @@ public class RampartConfig implements Assertion {
         this.utTTL = Integer.valueOf(utTTL);
     }
 
+    public void setUtTTL(int utTTL) {
+        this.utTTL = utTTL;
+    }
+
     public int getUtFutureTTL() {
         return utFutureTTL;
     }
@@ -631,6 +649,10 @@ public class RampartConfig implements Assertion {
         this.utFutureTTL = Integer.valueOf(utFutureTTL);
     }
 
+    public void setUtFutureTTL(int utFutureTTL) {
+        this.utFutureTTL = utFutureTTL;
+    }
+
     public boolean isHandleCustomPasswordTypes() {
         return handleCustomPasswordTypes;
     }
@@ -639,6 +661,10 @@ public class RampartConfig implements Assertion {
         this.handleCustomPasswordTypes = 
Boolean.valueOf(handleCustomPasswordTypes);
     }
 
+    public void setHandleCustomPasswordTypes(boolean 
handleCustomPasswordTypes) {
+        this.handleCustomPasswordTypes = handleCustomPasswordTypes;
+    }
+
     public boolean isAllowNamespaceQualifiedPasswordTypes() {
         return allowNamespaceQualifiedPasswordTypes;
     }
@@ -647,6 +673,10 @@ public class RampartConfig implements Assertion {
         this.allowNamespaceQualifiedPasswordTypes = 
Boolean.valueOf(allowNamespaceQualifiedPasswordTypes);
     }
 
+    public void setAllowNamespaceQualifiedPasswordTypes(boolean 
allowNamespaceQualifiedPasswordTypes) {
+        this.allowNamespaceQualifiedPasswordTypes = 
allowNamespaceQualifiedPasswordTypes;
+    }
+
     public boolean isEncodePasswords() {
         return encodePasswords;
     }
@@ -655,6 +685,10 @@ public class RampartConfig implements Assertion {
         this.encodePasswords = Boolean.valueOf(encodePasswords);
     }
 
+    public void setEncodePasswords(boolean encodePasswords) {
+        this.encodePasswords = encodePasswords;
+    }
+
     public boolean isValidateSamlSubjectConfirmation() {
         return validateSamlSubjectConfirmation;
     }
@@ -663,6 +697,10 @@ public class RampartConfig implements Assertion {
         this.validateSamlSubjectConfirmation = 
Boolean.valueOf(validateSamlSubjectConfirmation);
     }
 
+    public void setValidateSamlSubjectConfirmation(boolean 
validateSamlSubjectConfirmation) {
+        this.validateSamlSubjectConfirmation = validateSamlSubjectConfirmation;
+    }
+
     public boolean isAllowRSA15KeyTransportAlgorithm() {
         return allowRSA15KeyTransportAlgorithm;
     }
@@ -671,4 +709,8 @@ public class RampartConfig implements Assertion {
         this.allowRSA15KeyTransportAlgorithm = 
Boolean.valueOf(allowRSA15KeyTransportAlgorithm);
     }
 
+    public void setAllowRSA15KeyTransportAlgorithm(boolean 
allowRSA15KeyTransportAlgorithm) {
+        this.allowRSA15KeyTransportAlgorithm = allowRSA15KeyTransportAlgorithm;
+    }
+
 }
diff --git 
a/modules/rampart-core/src/test/resources/org/apache/rampart/policy/builders/kerberosConfig.policy
 
b/modules/rampart-core/src/test/resources/org/apache/rampart/policy/builders/kerberosConfig.policy
index d3ed14b9..d7e8a406 100644
--- 
a/modules/rampart-core/src/test/resources/org/apache/rampart/policy/builders/kerberosConfig.policy
+++ 
b/modules/rampart-core/src/test/resources/org/apache/rampart/policy/builders/kerberosConfig.policy
@@ -2,11 +2,11 @@
     <wsp:ExactlyOne>
         <wsp:All>
             <rampart:RampartConfig 
xmlns:rampart="http://ws.apache.org/rampart/policy";>
-                
<rampart:timestampPrecisionInMilliseconds>true</rampart:timestampPrecisionInMilliseconds>
+                
<rampart:timestampPrecisionInMs>true</rampart:timestampPrecisionInMs>
                 <rampart:timestampTTL>300</rampart:timestampTTL>
                 <rampart:timestampMaxSkew>300</rampart:timestampMaxSkew>
                 <rampart:timestampStrict>false</rampart:timestampStrict>
-                <rampart:timeStampFutureTTL>60</rampart:timeStampFutureTTL>
+                <rampart:timestampFutureTTL>60</rampart:timestampFutureTTL>
                 <rampart:utTTL>300</rampart:utTTL>
                 <rampart:utFutureTTL>60</rampart:utFutureTTL>
                 
<rampart:disableBSPEnforcement>false</rampart:disableBSPEnforcement>
diff --git 
a/modules/rampart-trust/src/main/java/org/apache/rahas/RahasConstants.java 
b/modules/rampart-trust/src/main/java/org/apache/rahas/RahasConstants.java
index 056d0402..7c4debf5 100644
--- a/modules/rampart-trust/src/main/java/org/apache/rahas/RahasConstants.java
+++ b/modules/rampart-trust/src/main/java/org/apache/rahas/RahasConstants.java
@@ -150,7 +150,10 @@ public class RahasConstants {
     public static final String DISABLE_BSP_ENFORCEMENT = 
"disableBSPEnforcement";
     public final static String ALLOW_USERNAME_TOKEN_NO_PASSWORD = 
"allowUsernameTokenNoPassword";
 
-    public final static String TIMESTAMP_FUTURE_TTL = "timeStampFutureTTL";
+    public final static String TIMESTAMP_STRICT_LN = "timestampStrict";
+
+    public final static String TIMESTAMP_PRECISION_IN_MS_LN = 
"timestampPrecisionInMs";
+    public final static String TIMESTAMP_FUTURE_TTL = "timestampFutureTTL";
 
     public final static String UT_TTL = "utTTL";
 
diff --git 
a/modules/rampart-trust/src/main/java/org/apache/rahas/client/STSClient.java 
b/modules/rampart-trust/src/main/java/org/apache/rahas/client/STSClient.java
index 060e2cc8..f8ca8789 100644
--- a/modules/rampart-trust/src/main/java/org/apache/rahas/client/STSClient.java
+++ b/modules/rampart-trust/src/main/java/org/apache/rahas/client/STSClient.java
@@ -541,6 +541,18 @@ public class STSClient {
                         
requestData.setAllowRSA15KeyTransportAlgorithm(allowRSA15KeyTransportAlgorithm);
                    }
 
+                    boolean timestampStrict = false;
+                    if (this.options != null && 
this.options.getProperty(RahasConstants.TIMESTAMP_STRICT_LN) != null) {
+                       timestampStrict = Boolean.valueOf((String) 
this.options.getProperty(RahasConstants.TIMESTAMP_STRICT_LN));
+                        requestData.setTimeStampStrict(timestampStrict);
+                   }
+
+                    boolean timestampPrecisionInMs = false;
+                    if (this.options != null && 
this.options.getProperty(RahasConstants.TIMESTAMP_STRICT_LN) != null) {
+                       timestampPrecisionInMs = Boolean.valueOf((String) 
this.options.getProperty(RahasConstants.TIMESTAMP_PRECISION_IN_MS_LN));
+                        
requestData.setPrecisionInMilliSeconds(timestampPrecisionInMs);
+                   }
+
                     secret = CommonUtil.getDecryptedBytes(this.cbHandler, 
this.crypto, domChild, requestData);
                 } catch (WSSecurityException e) {
                     log.error("Error decrypting encrypted key element", e);
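Review bot: The second `if` tests `RahasConstants.TIMESTAMP_STRICT_LN` but then reads `TIMESTAMP_PRECISION_IN_MS_LN`, which looks like a copy-paste slip. When only `timestampStrict` is set, `Boolean.valueOf((String) null)` yields false and `setPrecisionInMilliSeconds(false)` is applied unasked; when only `timestampPrecisionInMs` is set, it is ignored. The condition should be `if (this.options != null && this.options.getProperty(RahasConstants.TIMESTAMP_PRECISION_IN_MS_LN) != null) {`. The `(String)` casts also throw ClassCastException if a caller supplies a `Boolean`, which is the type `RampartMessageData` expects for the equally named MessageContext keys. The enclosing try block starts outside this hunk.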
