'[jira] [Commented] (WSS-509) SecurityToken::isExpired: add clock skew option'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       webservices-general
Subject:    [jira] [Commented] (WSS-509) SecurityToken::isExpired: add clock skew option
From:       "Willem Salembier (JIRA)" <jira () apache ! org>
Date:       2014-08-28 10:10:57
Message-ID: JIRA.12737346.1409218364535.32050.1409220657951 () arcas
[Download RAW message or body]


    [ https://issues.apache.org/jira/browse/WSS-509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14113629#comment-14113629 \
] 

Willem Salembier commented on WSS-509:
--------------------------------------

I didn't open the issue in the right project. I should move it to the CXF project \
that uses the WSS4J library to check its expiration. You can close this issue. Thanks

> SecurityToken::isExpired: add clock skew option
> -----------------------------------------------
> 
> Key: WSS-509
> URL: https://issues.apache.org/jira/browse/WSS-509
> Project: WSS4J
> Issue Type: Improvement
> Components: WSS4J Core
> Affects Versions: 1.6.16
> Reporter: Willem Salembier
> Assignee: Colm O hEigeartaigh
> Fix For: 1.6.17
> 
> 
> We notice race conditions with some of our clients when CXF verifies if \
> SecurityTokens cached locally are still valid or expired. One reason could be clock \
> desynchronization, another reason is that while the token was still valid at the \
> moment of request construction, it isn't when the SOAP message arrives on the \
> server (1s difference suffices). Is it possible to add a clock skew option to \
> org.apache.cxf.ws.security.tokenstore.SecurityToken.isExpired() cfr whats been done \
> in org.apache.ws.security.validate.SamlAssertionValidator.checkConditions(AssertionWrapper) \
> with the futureTTL property. In SamlAssertionValidator the futureTTl is only used \
> in the validFrom comparison, but in our case it should be considered also in the \
> validTill comparison. A possible workaround is to configure our STS to initialize \
> Lifetime>Expires in the RSTR response to SAMLAssertion > Conditions > NotOnOrAfter \
> - clock skew.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic