A time stamp is the value of an object that
indicates the system time at some critical point in the history of
the object.
A time stamp is included in a message to reduce the vulnerability
of an application to replay attacks. In web services, a replay attack
occurs when an HTTP request is intercepted and the content is resent
to the provider in its original form.
Avoid trouble: When you include a time stamp in a message,
you must protect its integrity using transport security, such as secure
sockets layer (SSL) or message-level security, such as XML digital
signature. If you do not protect the integrity of the time stamp,
it is possible to capture the message and retransmit the content with
a different time stamp, message expiration date, or both.
For both the JAX-RPC and JAX-WS WS-Security run times, 5 minutes
is the default message expiration time that is used for the receiver
if a value is not specified in the message. If a different expiration
is required for a specific client or you are unsure of the target
service default value, configure a message expiration time value for
the outbound time stamp.
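The receiver-side behaviour described above (a Created/Expires pair, a 5-minute default applied when the message carries no Expires) and the "Avoid trouble" note about integrity protection can be shown together. The following is an added example, not code from the WebSphere run time or from IBM: it parses a constructed SOAP envelope, checks freshness with the 5-minute default, and, standing in for an XML digital signature, verifies an HMAC over the serialized Timestamp element so that a retransmitted message with an altered Expires is rejected. The key `SHARED_KEY`, the 30-second clock-skew allowance, the helper names and the sample envelope are all assumptions made for the example.

```python
import hmac
import hashlib
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
for prefix, uri in (("wsu", WSU), ("wsse", WSSE), ("soapenv", SOAP)):
    ET.register_namespace(prefix, uri)

# Receiver default from the text: 5 minutes when the message carries no wsu:Expires.
DEFAULT_EXPIRATION = timedelta(minutes=5)
# Hypothetical shared secret; a real deployment would use XML Signature with a key pair.
SHARED_KEY = b"demo-key-not-a-real-secret"


def build_message(created, expires=None):
    """Constructed sample SOAP envelope with a wsu:Timestamp (not a captured message)."""
    exp = f"<wsu:Expires>{expires}</wsu:Expires>" if expires else ""
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
        "<soapenv:Header><wsse:Security>"
        f'<wsu:Timestamp wsu:Id="TS-1"><wsu:Created>{created}</wsu:Created>{exp}</wsu:Timestamp>'
        "</wsse:Security></soapenv:Header>"
        '<soapenv:Body><ping xmlns="urn:example"/></soapenv:Body></soapenv:Envelope>'
    )


def _parse_utc(text):
    # wsu:Created / wsu:Expires are xsd:dateTime values; normalise the trailing Z for fromisoformat.
    return datetime.fromisoformat(text.strip().replace("Z", "+00:00")).astimezone(timezone.utc)


def timestamp_element(message):
    """Locate wsse:Security/wsu:Timestamp; a consumer that requires a time stamp rejects its absence."""
    root = ET.fromstring(message)
    ts = root.find(f".//{{{WSSE}}}Security/{{{WSU}}}Timestamp")
    if ts is None:
        raise ValueError("Timestamp required but not present in wsse:Security header")
    return ts


def extract_times(message):
    ts = timestamp_element(message)
    created = ts.find(f"{{{WSU}}}Created")
    if created is None:
        raise ValueError("wsu:Timestamp has no wsu:Created")
    expires = ts.find(f"{{{WSU}}}Expires")
    return _parse_utc(created.text), (None if expires is None else _parse_utc(expires.text))


def check_freshness(message, now, default_expiration=DEFAULT_EXPIRATION,
                    clock_skew=timedelta(seconds=30)):
    """Apply the receiver's expiration rule; clock_skew is an assumed tolerance, not from the text."""
    created, expires = extract_times(message)
    if created > now + clock_skew:
        return "rejected: Created is in the future"
    if expires is None:
        expires = created + default_expiration  # no Expires sent: the receiver default applies
    if now > expires + clock_skew:
        return "rejected: message expired"
    return "accepted"


def sign_timestamp(message, key=SHARED_KEY):
    """Stand-in for XML Signature: HMAC-SHA256 over the serialized wsu:Timestamp element."""
    ts_bytes = ET.tostring(timestamp_element(message))
    return hmac.new(key, ts_bytes, hashlib.sha256).hexdigest()


def verify_timestamp(message, tag, now, key=SHARED_KEY):
    """Integrity first, then freshness: an altered Expires must fail before the date is trusted."""
    if not hmac.compare_digest(sign_timestamp(message, key), tag):
        return "rejected: timestamp integrity check failed"
    return check_freshness(message, now)


if __name__ == "__main__":
    now = datetime(2024, 5, 1, 12, 3, tzinfo=timezone.utc)
    msg = build_message("2024-05-01T12:00:00Z", "2024-05-01T12:05:00Z")
    tag = sign_timestamp(msg)
    print("original:", verify_timestamp(msg, tag, now))
    replayed = msg.replace("12:05:00Z", "12:30:00Z")  # Expires pushed out, tag unchanged
    print("altered expiry:", verify_timestamp(replayed, tag, now))
    print("no Expires at +4 min:", check_freshness(build_message("2024-05-01T12:00:00Z"),
                                                    now + timedelta(minutes=1)))
```

The order in `verify_timestamp` is the point of the "Avoid trouble" note: without the integrity check, the altered envelope with a later Expires would pass `check_freshness` alone, which is exactly the retransmission the text warns about. The run times do not enforce that the Timestamp is covered by a signature, so the binding must include it explicitly.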
Supported configurations:
- When the Web Services Security JAX-RPC and JAX-WS run times generate
or consume a message, they do not enforce that the integrity of the
time stamp is protected.
- The Web Services Security JAX-RPC and JAX-WS run times do not
have a default outbound message expiration value. If you want to include
a message expiration value in a message, you must configure it. Although
the JAX-WS run time does not have a default outbound message expiration
value, you can configure an outbound message expiration value in the
default general bindings. This value is acquired by all applications
at the level for which the default bindings apply. For example, the
value might be acquired at the cell or application level.
- For the JAX-RPC run time, the time stamp expiration value is specified
in the web services deployment descriptor extension. You cannot modify
the web services deployment descriptor extension from the administrative
console; you can only view it. To modify the deployment descriptor
extension, you must use an assembly tool and add or change the time
stamp expiration value for a JAX-RPC application.
- If WS-Security constraints exist to consume
a timestamp, the client must send a timestamp.
The JAX-WS WS-Security run time complies with the Timestamp Required requirement
of the OASIS WS-SecurityPolicy 1.2 specification. If you want to configure
an application to not require an inbound time stamp when an outbound time
stamp is configured, add the com.ibm.wsspi.wssecurity.consumer.timestampRequired custom property
as either an inbound or an inbound/outbound web services security
custom property.