
List:       xmlrpc-user
Subject:    [jira] [Created] (WSS-509) SecurityToken::isExpired: add clock skew option
From:       "Willem Salembier (JIRA)" <jira () apache ! org>
Date:       2014-08-28 9:33:58
Message-ID: JIRA.12737346.1409218364535.31775.1409218438667 () arcas

Willem Salembier created WSS-509:
------------------------------------

             Summary: SecurityToken::isExpired: add clock skew option
                 Key: WSS-509
                 URL: https://issues.apache.org/jira/browse/WSS-509
             Project: WSS4J
          Issue Type: Improvement
          Components: WSS4J Core
    Affects Versions: 1.6.16
            Reporter: Willem Salembier
            Assignee: Colm O hEigeartaigh
             Fix For: 1.6.17


We notice race conditions with some of our clients when CXF verifies if SecurityTokens cached locally are still valid or expired. One reason could be clock desynchronization; another reason is that while the token was still valid at the moment of request construction, it isn't when the SOAP message arrives on the server (1s difference suffices).

Is it possible to add a clock skew option to org.apache.cxf.ws.security.tokenstore.SecurityToken.isExpired(), cf. what's been done in org.apache.ws.security.validate.SamlAssertionValidator.checkConditions(AssertionWrapper) with the futureTTL property? In SamlAssertionValidator the futureTTL is only used in the validFrom comparison, but in our case it should be considered also in the validTill comparison.

A possible workaround is to configure our STS to initialize Lifetime > Expires in the RSTR response to SAMLAssertion > Conditions > NotOnOrAfter - clock skew.




--
This message was sent by Atlassian JIRA
(v6.2#6252)
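
Added example, not part of the original message and not CXF or WSS4J code: a sketch of the two comparisons discussed above, with a receiver-side check that applies the skew to both the validFrom and validTill bounds, and a client-side cache check that retires a token one skew interval early, as the STS workaround does. The class, the method names and the sample times are hypothetical.

```java
import java.time.Duration;
import java.time.Instant;

// Hypothetical sketch: not CXF's SecurityToken nor WSS4J's SamlAssertionValidator.
public class SkewTolerantExpiry {

    // Validity window of a token, e.g. SAML Conditions NotBefore / NotOnOrAfter.
    record Window(Instant notBefore, Instant notOnOrAfter) {}

    // Receiver side: the window is widened by the skew on BOTH bounds.
    static boolean isValidAtReceiver(Window w, Instant now, Duration skew) {
        requireNonNegative(skew);
        boolean notYetValid = now.plus(skew).isBefore(w.notBefore());
        // NotOnOrAfter is exclusive: the token is expired once now - skew >= bound.
        boolean expired = !now.minus(skew).isBefore(w.notOnOrAfter());
        return !notYetValid && !expired;
    }

    // Client cache: stop reusing the token one skew interval before it expires,
    // so that it is still valid when the message reaches the server.
    static boolean isExpiredForReuse(Window w, Instant now, Duration skew) {
        requireNonNegative(skew);
        return !now.plus(skew).isBefore(w.notOnOrAfter());
    }

    private static void requireNonNegative(Duration skew) {
        if (skew.isNegative()) {
            throw new IllegalArgumentException("clock skew must not be negative");
        }
    }

    public static void main(String[] args) {
        // Constructed sample values: a five-minute token and a 5 s skew.
        Instant issued = Instant.parse("2014-08-28T09:00:00Z");
        Window w = new Window(issued, issued.plusSeconds(300));
        Duration skew = Duration.ofSeconds(5);
        Instant arrival = issued.plusSeconds(301); // 1 s after NotOnOrAfter

        System.out.println("strict check at arrival:    "
                + isValidAtReceiver(w, arrival, Duration.ZERO));
        System.out.println("skewed check at arrival:    "
                + isValidAtReceiver(w, arrival, skew));
        System.out.println("reuse cached token at 296s: "
                + !isExpiredForReuse(w, issued.plusSeconds(296), skew));
        System.out.println("far past expiry, skewed:    "
                + isValidAtReceiver(w, issued.plusSeconds(306), skew));
    }
}
```

The receiver-side skew lengthens the period in which an expired token is still accepted, so it should stay small; the client-side check shortens reuse and does not widen acceptance.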
