A time stamp is the value of an object that
indicates the system time at some critical point in the history of
the object.
A time stamp is included in a message to reduce the vulnerability
of an application to replay attacks. In Web services, a replay attack
occurs when an HTTP request is intercepted and the content is resent
to the provider in its original form.
Avoid trouble: When you include a time stamp in a message,
you must protect its integrity using transport security, such as secure
sockets layer (SSL) or message-level security, such as XML digital
signature. If you do not protect the integrity of the time stamp,
it is possible to capture the message and retransmit the content with
a different time stamp, message expiration date, or both.
For the JAX-RPC run time, 5 minutes is the default message expiration
time that is used for the receiver if a value is not specified in
the message. If a different expiration is required for a specific
client or you are unsure of the target service default value, configure
a message expiration time value for the outbound time stamp.
Supported configurations:
- When the Web Services Security JAX-RPC run time generates or consumes
a message, it does not enforce that the integrity of the time stamp
is protected.
- The Web Services Security JAX-RPC run time does not have a default
outbound message expiration value. If you want to include a message
expiration value in a message, you must configure it.
- The time stamp expiration value is specified in the Web services
deployment descriptor extension. You cannot modify the Web services
deployment descriptor extension from the administrative console; you
can only view it. To modify the deployment descriptor extension, you
must use an assembly tool and add or change the time stamp expiration
value for a JAX-RPC application.
- If WS-Security constraints exist to consume a timestamp,
the client must send a timestamp.
- WebSphere® Application Server supports
the Created and Expires attributes. The freshness of the message,
which indicates whether the message complies with predefined time
constraints, is checked only if the Expires attribute is present in
the message.
- WebSphere Application Server does
not support the Received attribute, which is defined in the addendum.
Instead, WebSphere Application Server uses
the TimestampTraceReceived attribute, which is defined in the OASIS
specification.
The JAX-WS WS-Security runtime is updated
to comply with the Timestamp Required requirement of the OASIS WS-SecurityPolicy
1.2 specification. If you want to configure an application so that it does not
require an inbound time stamp when an outbound time stamp is configured,
you can add the com.ibm.wsspi.wssecurity.consumer.timestampRequired
custom property as either an inbound or an inbound/outbound web services
security custom property.
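The consumer-side behaviour described above (a Timestamp that is required only when a consume constraint says so, freshness judged from Expires, and the 5-minute receiver default when no expiration is in the message) is illustrated by this added Python example. It is not WebSphere code; the function names build_security_header and check_timestamp and the sample times are constructed for the example, while the wsu and wsse namespace URIs are the OASIS WS-Security 1.0 ones.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

# Namespace URIs from the OASIS WS-Security 1.0 utility and secext schemas.
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
FMT = "%Y-%m-%dT%H:%M:%SZ"
DEFAULT_EXPIRES = timedelta(minutes=5)  # JAX-RPC receiver default named in the text


def utc(*parts):
    """Helper for constructing UTC instants in examples and tests."""
    return datetime(*parts, tzinfo=timezone.utc)


def build_security_header(created, expires_in=None):
    """Outbound wsse:Security with the Timestamp as its first child.
    Expires is written only when an expiration is configured, mirroring the
    'no default outbound expiration' behaviour of the JAX-RPC runtime."""
    sec = ET.Element(f"{{{WSSE}}}Security")
    ts = ET.SubElement(sec, f"{{{WSU}}}Timestamp")
    ET.SubElement(ts, f"{{{WSU}}}Created").text = created.strftime(FMT)
    if expires_in is not None:
        ET.SubElement(ts, f"{{{WSU}}}Expires").text = (created + expires_in).strftime(FMT)
    return ET.tostring(sec, encoding="unicode")


def check_timestamp(security_xml, now, timestamp_required=True,
                    default_expires=DEFAULT_EXPIRES):
    """Consumer-side check; returns (accepted, reason).
    A missing Timestamp fails only when the consume constraint requires one
    (what timestampRequired toggles). Without an Expires element the receiver
    falls back to Created + default_expires; pass default_expires=None to
    skip the freshness check entirely when Expires is absent."""
    ts = ET.fromstring(security_xml).find(f"{{{WSU}}}Timestamp")
    if ts is None:
        return (not timestamp_required, "no Timestamp in Security header")
    created_el = ts.find(f"{{{WSU}}}Created")
    if created_el is None:
        return (False, "Timestamp has no Created")
    created = datetime.strptime(created_el.text, FMT).replace(tzinfo=timezone.utc)
    expires_el = ts.find(f"{{{WSU}}}Expires")
    if expires_el is not None:
        expires = datetime.strptime(expires_el.text, FMT).replace(tzinfo=timezone.utc)
    elif default_expires is None:
        return (True, "no Expires, freshness not checked")
    else:
        expires = created + default_expires
    if now >= expires:
        return (False, "message expired at " + expires.strftime(FMT))
    return (True, "fresh")
```

Note that this check says nothing about integrity: unless the Timestamp is covered by a signature or carried over SSL, as the page warns, the Created and Expires values it reads could have been rewritten in transit.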
![[Updated in April 2012]](../../delta.gif)
The JAX-WS runtime always puts the timestamp first,
but the JAX-RPC runtime does not. If you are using the JAX-RPC WS-Security
1.0 runtime, and want to emit the Timestamp first in the Security
header, you must:
- Set the property com.ibm.wsspi.wssecurity.timestamp.keyword to SecurityFirst.
- Set the property com.ibm.wsspi.wssecurity.timestamp.dialect to http://www.ibm.com/websphere/webservices/wssecurity/dialect-was.
The default value for com.ibm.wsspi.wssecurity.timestamp.dialect is
dialect-was, but for the desired function to work, the property must
be set explicitly.
These properties are set on the Timestamp generator in the Web services
deployment descriptor extension. Because they are in the extension, they can
only be edited with an assembly tool.