Replay Attack Prevention
========================

The client adds a signed timestamp header, with its creation time element populated, to the security header. At the server end, a message is rejected if its creation time is outside the window, or if it matches a message already received in that time window.

An enhancement to the above model would be to use the expiration time element of the timestamp header to let the client state how long the message is valid. The server honors the client's requirement if it is within the server's policy on the period for buffering message information to detect replay attacks (or any other relevant parameter). If honored, identical messages will be rejected up until the expiration time of the message.

Implementation Specifics:
========================

- The window for the current implementation defaults to (current time - 5 minutes) to (current time + 5 minutes).
- TimestampHeader: class to generate and parse the timestamp header element. The timestamp header has created, expires and nonce elements.

Client side
===========

- Add methods in WSSecuritySOAPEnvelopeBuilder to add the timestamp header and return the relevant info required for signing it.
- X509WSSignedSOAPEnvelopeBuilder: add functionality to sign the timestamp header together with the message body.
- When support for IDU Encryption has been added, set handlers such that after encryption the flow goes through the X509SignHandler (currently the handler signs only if GSI_SECURE_MSG is set to SIGNATURE).

Server side
===========

- ExpiredNonceValueSweeper: deletes any map entry whose timestamp is older than the current time.
- ReplayAttackFilter HashMap: nonce value (key) -> expiration time. API to do the following (it is invoked by the WSSecurityEngine):
  - Extract creation time from timestamp header
  - set window: (currentTime - 5 mins) to (currentTime + 5 mins)
  - if (creation time outside of window) reject message
  - if (nonce in Map) get corresponding expiration time; if (expiration time >= current time, i.e. the earlier message is still valid) reject message
  - store (nonce, current window outer bound as expiration). This store happens if (message is in window) and (either (nonce exists in Map, but has expired) or (nonce does not exist in Map)).
- In the deployment descriptor, on a per-service level, the property "replayAttackFilter" can be configured to true or false. If false, then in the case of Secure Message the message is not rejected if the timestamp header is not set. By default (or if the property is set to true), the message will be rejected in that scenario and a WSSecurityFault will be thrown.
- Global property "replayFilterSweeperInterval" determines the frequency of the sweeper that deletes expired nonce values. Defaults to 7 mins.
- If the message is outside the window, a WSSecurityFault with id "MessageExpired" is thrown. If the received message is a duplicate (i.e. a valid message still exists in the window), then a WSSecurityFault with id "Failure" and a message indicating that it is a duplicate is thrown.

Issues
======

- Namespace "http://schemas.xmlsoap.org/ws/2002/04/utility" is added for all cases, i.e. both for Secure Conversation and Secure Message, as a hack to prevent verification of messages that have both secure mechanisms applied.
- The server-side window is not configurable and is fixed at 5 mins.
- Consider an extension to support the client choosing the expiration time, pluggable enough to resort to the default if an expiration is set, or some such.
- When IDU Encryption is in place, is Encrypt/Sign better than Sign/Encrypt?
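The server-side filter and sweeper described above, as an added Python illustration (not the project's own Java code): the nonce-to-expiration map, the creation-time window, the duplicate test, the store rule, and the client-chosen expiration from the "enhancement" paragraph honored only when it stays within the server's window. The fault ids and the 5-minute window are taken from the notes; the class and method names and the handling of an already-passed client expiration are assumptions.

```python
from datetime import datetime, timedelta, timezone


class WSSecurityFault(Exception):
    """Fault carrying the id from the notes: "MessageExpired" or "Failure"."""

    def __init__(self, fault_id, message):
        super().__init__(f"{fault_id}: {message}")
        self.fault_id = fault_id


class ReplayAttackFilter:
    """Nonce -> expiration time map plus the window check from the server-side notes."""

    def __init__(self, window=timedelta(minutes=5)):
        self.window = window
        self.seen = {}  # nonce -> expiration time (timezone-aware datetime)

    def check(self, created, nonce, now, expires=None):
        """Accept or reject one message; returns the stored expiration on acceptance."""
        lower, upper = now - self.window, now + self.window
        # 1. creation time must lie inside (now - 5 min, now + 5 min)
        if created < lower or created > upper:
            raise WSSecurityFault("MessageExpired", "creation time outside the replay window")
        # 2. a nonce whose earlier message is still valid is a duplicate
        prev = self.seen.get(nonce)
        if prev is not None and prev >= now:
            raise WSSecurityFault("Failure", "duplicate message: nonce still valid")
        # 3. client-supplied Expires (assumed extension): honored only if it is still in the
        #    future and does not exceed the server's own outer bound; otherwise fall back
        if expires is not None and expires <= now:
            raise WSSecurityFault("MessageExpired", "message expired by its Expires element")
        stored = upper if expires is None or expires > upper else expires
        # 4. remember the nonce until that expiration so identical messages are rejected
        self.seen[nonce] = stored
        return stored

    def sweep(self, now):
        """ExpiredNonceValueSweeper: drop entries whose expiration has passed; returns count."""
        expired = [n for n, exp in self.seen.items() if exp < now]
        for n in expired:
            del self.seen[n]
        return len(expired)
```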