How to configure Timestamp created/expires in Rampart

2.8k views Asked by At

I'm using Rampart as my WS-Security module over Axis2.

My policy XML file is below:

<wsp:Policy wsu:Id="UsernameToken"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">

<wsp:ExactlyOne>
    <wsp:All>
        <sp:TransportBinding
            xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <wsp:Policy>>
                <sp:IncludeTimestamp />
            </wsp:Policy>
        </sp:TransportBinding>
        <sp:SupportingTokens
            xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
            <wsp:Policy>
                <sp:UsernameToken
                    sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient" />
            </wsp:Policy>
        </sp:SupportingTokens>
    </wsp:All>
</wsp:ExactlyOne>

<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
    <ramp:passwordType>PasswordText</ramp:passwordType>
</ramp:RampartConfig>

It's working OK as shown in the below SOAP call:

  <soapenv:Header>
     <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
        <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-1">
           <wsu:Created>2013-12-24T12:55:39.089Z</wsu:Created>
           <wsu:Expires>2013-12-24T13:00:39.089Z</wsu:Expires>
        </wsu:Timestamp>
        <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-2">
           <wsse:Username>username</wsse:Username>
           <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password>
        </wsse:UsernameToken>
     </wsse:Security>
  </soapenv:Header>

What I would like to do is configure the Created value so it is not necessarily bound to the server time, and also configure the duration between Created and Expires.

How can I do that?

2

There are 2 answers

0
SiN On BEST ANSWER

Ok so I'm answering my own question.

It seems like there is no point in setting different timestamps as, per standards, the Timestamp should be sent in UTC format.

As for the TTL, this can be configured from the policy.xml file:

<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
  <ramp:timestampTTL>600</ramp:timestampTTL>
  <ramp:timestampMaxSkew>600</ramp:timestampMaxSkew>
<ramp:RampartConfig>

I will keep the thread open for a day or two to see if anyone else would like to present a different opinion.

0
user3750342 On

Right now we have an issue concerning the duration between created and expires dates. It seems like the message is received on server after it expires, this is because server and client clocks have big differences (I mean more than 2 or 5 seconds) between each other. A workaround is to increase

<ramp:timestampTTL>600</ramp:timestampTTL>
<ramp:timestampMaxSkew>600</ramp:timestampMaxSkew>

This can be done by using rampartConfig.setTimestampTTL and rampartConfig.setTimestampmaxSkew methods on the client side.