Time stamp

A time stamp is the value of an object that indicates the system time at some critical point in the history of the object.

A time stamp is included in a message to reduce the vulnerability of an application to replay attacks. In web services, a replay attack occurs when an HTTP request is intercepted and the content is resent to the provider in its original form. Because the receiver rejects only messages whose time stamp has expired, a time stamp limits the window during which a captured message can be replayed; it does not by itself detect a replay that arrives within that window.

Avoid trouble: When you include a time stamp in a message, you must protect its integrity using transport security, such as Secure Sockets Layer (SSL), or message-level security, such as XML digital signature. If you do not protect the integrity of the time stamp, an attacker can capture the message and retransmit the content with a different time stamp, message expiration date, or both.

For both the JAX-RPC and JAX-WS WS-Security run times, if the message does not specify an expiration value, the receiver uses a default message expiration time of 5 minutes, measured from the Created time of the time stamp. If a different expiration is required for a specific client, or you are unsure of the default value of the target service, configure a message expiration time value for the outbound time stamp.

Supported configurations:
  • When the Web Services Security JAX-RPC and JAX-WS run times generate or consume a message, they do not enforce that the integrity of the time stamp is protected.
  • The Web Services Security JAX-RPC and JAX-WS run times do not have a default outbound message expiration value. If you want to include a message expiration value in a message, you must configure it. Although the JAX-WS run time does not have a default outbound message expiration value, you can configure an outbound message expiration value in the default general bindings. This value is acquired by all applications at the level for which the default bindings apply; for example, the value might be acquired at the cell or application level.
  • For the JAX-RPC run time, the time stamp expiration value is specified in the web services deployment descriptor extension. You cannot modify the web services deployment descriptor extension from the administrative console; you can only view it. To modify the deployment descriptor extension, you must use an assembly tool and add or change the time stamp expiration value for a JAX-RPC application.
  • If WS-Security constraints exist to consume a time stamp, the client must send a time stamp.
  • WebSphere® Application Server enforces the IncludeTimestamp policy assertion. However, many service providers require a <wsu:Timestamp> element in the request but do not send one in the response. The response might also have no Security header at all, let alone a time stamp. When the policy contains IncludeTimestamp and the response does not return a time stamp, the following error occurs on the client:
    CWWSS5730E: The required time stamp could not be found.
    To resolve this problem, either configure the service provider to send a time stamp, or configure the client to not require a time stamp by setting the com.ibm.wsspi.wssecurity.consumer.timestampRequired custom property to false in the WS-Security policy bindings. For more information, see Web services security custom properties.

The JAX-WS WS-Security run time complies with the Timestamp Required requirement of the OASIS WS-SecurityPolicy 1.2 specification. If you want to configure an application to not require an inbound time stamp when an outbound time stamp is configured, add the com.ibm.wsspi.wssecurity.consumer.timestampRequired custom property as either an inbound or an inbound/outbound web services security custom property.
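The receiver-side rules described above (the 5-minute default expiration and the replay-with-altered-expiry risk from the "Avoid trouble" note, and the timestampRequired behaviour from this section) modelled end to end. This is an added example, not WebSphere code: it builds a SOAP request carrying a <wsu:Timestamp>, consumes it the way the page says the WS-Security run time does, and runs a captured request back through the consumer with a rewritten wsu:Expires. The HMAC over the canonicalized Timestamp element (MAC_TAG, SHARED_KEY) is a constructed stand-in for an XML Signature reference to the element, the envelope contents are constructed, and the timestamp_required and require_protected parameters are assumptions that model the page's custom property and the run time's non-enforcement of integrity respectively.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
MAC_TAG = "{urn:example}TimestampMAC"  # constructed stand-in for a ds:Signature over #TS-1
for prefix, uri in (("soapenv", SOAP), ("wsse", WSSE), ("wsu", WSU), ("ex", "urn:example")):
    ET.register_namespace(prefix, uri)
DEFAULT_EXPIRATION = timedelta(minutes=5)  # receiver default when the message has no wsu:Expires
SHARED_KEY = b"constructed-demo-key"       # constructed; stands in for the signing key

def fmt_utc(dt):
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def parse_utc(text):
    # wsu:Created and wsu:Expires are xsd:dateTime values in UTC ("Z").
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

def canonical(el):
    # Canonical (C14N 2.0) bytes of one element: what a signature reference would cover.
    return ET.canonicalize(ET.tostring(el, encoding="unicode")).encode()

def build_request(created=None, expires_in=None, protect=True):
    """Sender side. created=None omits the Security header; expires_in=None omits wsu:Expires."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    if created is not None:
        sec = ET.SubElement(header, f"{{{WSSE}}}Security")
        ts = ET.SubElement(sec, f"{{{WSU}}}Timestamp", {f"{{{WSU}}}Id": "TS-1"})
        ET.SubElement(ts, f"{{{WSU}}}Created").text = fmt_utc(created)
        if expires_in is not None:
            ET.SubElement(ts, f"{{{WSU}}}Expires").text = fmt_utc(created + expires_in)
        if protect:  # integrity protection of the Timestamp, as the "Avoid trouble" note requires
            ET.SubElement(sec, MAC_TAG).text = hmac.new(
                SHARED_KEY, canonical(ts), hashlib.sha256).hexdigest()
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    ET.SubElement(body, "{urn:example}getBalance").text = "ACCT-42"
    return ET.tostring(env, encoding="unicode")

def consume(xml_text, now, timestamp_required=True, require_protected=False):
    """Receiver side; returns (accepted, reason). timestamp_required models the
    com.ibm.wsspi.wssecurity.consumer.timestampRequired property. require_protected=False
    mirrors the page: an unsigned Timestamp is taken at face value unless you configure otherwise."""
    env = ET.fromstring(xml_text)
    sec = env.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    ts = None if sec is None else sec.find(f"{{{WSU}}}Timestamp")
    if ts is None:
        if timestamp_required:
            return False, "required Timestamp not found"  # the CWWSS5730E situation
        return True, "accepted without Timestamp"
    mac = sec.find(MAC_TAG)
    if mac is None and require_protected:
        return False, "Timestamp is not integrity protected"
    if mac is not None and not hmac.compare_digest(
            hmac.new(SHARED_KEY, canonical(ts), hashlib.sha256).hexdigest(), mac.text or ""):
        return False, "Timestamp integrity check failed"
    created = parse_utc(ts.findtext(f"{{{WSU}}}Created", ""))
    expires_text = ts.findtext(f"{{{WSU}}}Expires")
    expires = parse_utc(expires_text) if expires_text else created + DEFAULT_EXPIRATION
    if now >= expires:
        return False, "message expired at " + fmt_utc(expires)
    return True, "accepted"

def replay_with_new_expiry(xml_text, new_expires):
    """Attacker side: replay a captured request with wsu:Expires pushed into the future."""
    env = ET.fromstring(xml_text)
    ts = env.find(f".//{{{WSU}}}Timestamp")
    exp = ts.find(f"{{{WSU}}}Expires")
    if exp is None:
        exp = ET.SubElement(ts, f"{{{WSU}}}Expires")
    exp.text = fmt_utc(new_expires)
    return ET.tostring(env, encoding="unicode")

def scenarios():
    """The cases the page describes, as name -> accepted (True/False)."""
    t0 = datetime(2016, 7, 9, 11, 12, tzinfo=timezone.utc)
    m = timedelta(minutes=1)
    no_expires = build_request(t0)             # no wsu:Expires: receiver applies the 5-minute default
    short = build_request(t0, expires_in=m)    # explicit 1-minute expiration, integrity protected
    unsigned = build_request(t0, expires_in=m, protect=False)
    bare = build_request()                     # no Security header at all
    return {
        "default_fresh": consume(no_expires, t0 + 4 * m)[0],
        "default_stale": consume(no_expires, t0 + 6 * m)[0],
        "explicit_stale": consume(short, t0 + 2 * m)[0],
        # captured request with Expires rewritten to t0+60min and replayed at t0+30min
        "replay_unprotected": consume(replay_with_new_expiry(unsigned, t0 + 60 * m), t0 + 30 * m)[0],
        "replay_protected": consume(replay_with_new_expiry(short, t0 + 60 * m), t0 + 30 * m)[0],
        "missing_required": consume(bare, t0)[0],
        "missing_not_required": consume(bare, t0, timestamp_required=False)[0],
    }
```

The two replay cases are the point of the "Avoid trouble" note: the unprotected request is accepted half an hour after it was sent because the receiver trusts the rewritten wsu:Expires, while the same rewrite on the protected request fails the integrity check before the expiration is even evaluated. The missing-time-stamp cases show the two settings of timestampRequired; with the default (True) a response or request without a Security header is rejected, which is the client-side condition behind CWWSS5730E.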

The JAX-WS runtime always puts the timestamp first, but the JAX-RPC runtime does not. If you are using the JAX-RPC WS-Security 1.0 runtime, and want to emit the Timestamp first in the Security header, you must:
  • Set the property com.ibm.wsspi.wssecurity.timestamp.keyword to SecurityFirst.
  • Set the property com.ibm.wsspi.wssecurity.timestamp.dialect to http://www.ibm.com/websphere/webservices/wssecurity/dialect-was. The default value for com.ibm.wsspi.wssecurity.timestamp.dialect is dialect-was, but for the desired function to work, the property must be set explicitly.
These properties are set on the Timestamp generator in the web services deployment descriptor extension. Because they are in the extension, they can be edited only with an assembly tool.




Last updated: July 9, 2016 11:12
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=cord&product=was-nd-mp&topic=cwbs_timestamp
File name: cwbs_timestamp.html