Is there any way to make wss4j not add the Timestamp element from ws-security in the SOAP header?

What I have now is this:

    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Header>
    <ns3:Security xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:ns2="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:ns3="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:ns4="http://www.w3.org/2005/08/addressing" xmlns:ns5="http://www.rsa.com/names/2009/12/std-ext/WS-Trust1.4/advice" xmlns:ns6="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns7="http://www.w3.org/2000/09/xmldsig#" xmlns:ns8="http://www.rsa.com/names/2009/12/std-ext/SAML2.0" xmlns:ns9="urn:oasis:names:tc:SAML:2.0:conditions:delegation" soap:mustUnderstand="1">

    <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-1"><wsu:Created>2015-11-18T16:32:21.705Z</wsu:Created><wsu:Expires>2015-11-18T16:37:21.705Z</wsu:Expires></wsu:Timestamp>

    <ns2:Timestamp xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:ns2="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:ns3="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:ns4="http://www.w3.org/2005/08/addressing" xmlns:ns5="http://www.rsa.com/names/2009/12/std-ext/WS-Trust1.4/advice" xmlns:ns6="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns7="http://www.w3.org/2000/09/xmldsig#" xmlns:ns8="http://www.rsa.com/names/2009/12/std-ext/SAML2.0" xmlns:ns9="urn:oasis:names:tc:SAML:2.0:conditions:delegation" ns2:Id="_32c97089-04ac-49b0-8758-3d176d110ec7"><ns2:Created>2015-11-18T16:32:19.373Z</ns2:Created><ns2:Expires>2015-11-18T16:42:19.373Z</ns2:Expires></ns2:Timestamp>

    ..........Truncated

The <wsu:Timestamp> element is being added by wss4j. The <ns2:Timestamp> element is added by a custom timestamp handler.

How do I prevent wss4j from adding the timestamp element so that there is only 1 timestamp (the one added by the custom timestamp handler) in the SOAP header?

Any help would be appreciated!

DThomas

1 Answer

I'm not really familiar with CXF, but I have used WSS4J with Spring and I guess it is quite similar.

The following snippet can be found on http://cxf.apache.org/docs/ws-security.html:

    outProps.put(WSHandlerConstants.ACTION,
        WSHandlerConstants.TIMESTAMP + " " +
        WSHandlerConstants.SIGNATURE + " " +
        WSHandlerConstants.ENCRYPT);

This defines three "securement" actions that you want WSS4J to do, separated by a blank character. You probably have something similar in your config; if you want to get rid of the Timestamp header generated by WSS4J, just remove the WSHandlerConstants.TIMESTAMP.

mfred
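
An added example, not part of the answer or of the CXF documentation: it drops the Timestamp action from an existing action list and then checks a serialized envelope for how many Timestamp elements it carries, matching on the WS-Security utility namespace so that both the `wsu:` and `ns2:` forms from the question are counted. The class and method names are hypothetical, and the `ACTION` and `TIMESTAMP` constants inline the string values of `WSHandlerConstants.ACTION` and `WSHandlerConstants.TIMESTAMP` so the code compiles with the JDK alone.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import java.util.stream.Collectors;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

public class SingleTimestampCheck {
    // Assumption: string values of WSHandlerConstants.ACTION / TIMESTAMP, inlined here.
    static final String ACTION = "action";
    static final String TIMESTAMP = "Timestamp";
    static final String WSU_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";

    // Return a copy of the interceptor properties with the Timestamp action removed.
    static Map<String, Object> withoutTimestamp(Map<String, Object> outProps) {
        Map<String, Object> copy = new HashMap<>(outProps);
        String actions = String.valueOf(copy.getOrDefault(ACTION, ""));
        copy.put(ACTION, Arrays.stream(actions.trim().split("\\s+"))
            .filter(a -> !a.equals(TIMESTAMP))
            .collect(Collectors.joining(" ")));
        return copy;
    }

    // Count Timestamp elements by namespace, so the prefix (wsu, ns2, ...) does not matter.
    static int countTimestamps(String soapXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Refuse DOCTYPE declarations when parsing captured messages.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(soapXml.getBytes(StandardCharsets.UTF_8)));
        return doc.getElementsByTagNameNS(WSU_NS, "Timestamp").getLength();
    }

    public static void main(String[] args) throws Exception {
        Map<String, Object> outProps = new HashMap<>();
        outProps.put(ACTION, "Timestamp Signature Encrypt");
        System.out.println(withoutTimestamp(outProps).get(ACTION));

        // Constructed sample: a header holding only the custom handler's timestamp.
        String envelope = "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">"
            + "<soap:Header><ns2:Timestamp xmlns:ns2=\"" + WSU_NS + "\">"
            + "<ns2:Created>2015-11-18T16:32:19.373Z</ns2:Created></ns2:Timestamp>"
            + "</soap:Header><soap:Body/></soap:Envelope>";
        System.out.println(countTimestamps(envelope));
    }
}
```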