1
votes

We use one of the older versions of apache axis2 for our web services framework. We are using rampart 1.2 as part of that.

I am trying to use password digest with ‘nonce’ and ‘timestamp’ mechanism for authentication. We’re getting rampart to do the verification. I’ve got the authentication verification mechanism working fine (inc. password callbacks, etc.).

The issue I’m having concerns getting rampart to recognise a ‘replay attack’; basically, the functionality of the rampart module associated with recognising these seems to be inactive. I can send the same security header to my axis2 service any number of times (even sending a security header I generated yesterday) and it authenticates fine and completes the web service request.

My best guess is that I’m missing a config setting somewhere for the rampart module that enables the functionality to detect replay attacks. I’ve tried both the config suggestions given in the links below (in the services.xml file) and neither seems to work:

Is anyone able to help or give me some idea of what I'm missing and where (I'd imagine it's config-setting related)?

I've got the module declaration for rampart in my axis2.xml file: <module ref="rampart"/>

And I have what I believe to be the rampart config settings in my services.xml file after all my operations are declared:

<parameter name="InflowSecurity">
  <action>
    <items>UsernameToken Timestamp</items>
    <passwordCallbackClass>com.myCompany.service.dummy.MyAuthenticator</passwordCallbackClass>
  </action>
</parameter>

<rampart:rampartconfig xmlns:rampart="http://ws.apache.org/rampart/policy">
  <rampart:timestampprecisioninmilliseconds>true</rampart:timestampprecisioninmilliseconds>
  <rampart:timestampttl>300</rampart:timestampttl>
  <rampart:timestampmaxskew>300</rampart:timestampmaxskew>
  <rampart:timestampstrict>false</rampart:timestampstrict>
  <rampart:ReplayDetection>1000</rampart:ReplayDetection>
</rampart:rampartconfig>

1 Answer

1
votes

If you are using rampart-1.2, you will have to implement the replay detection in your service. The incoming Timestamp information is available in the Security header processing results, included in the message context properties under the key "org.apache.ws.security.handler.WSHandlerConstants.RECV_RESULTS". This is a Vector, and the first item of this is an "org.apache.ws.security.handler.WSHandlerResult" instance (wsResult in the next code snippet).

Then you can obtain the timestamp information as shown below:

import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.message.token.Timestamp;
import org.apache.ws.security.util.WSSecurityUtil;

// wsResult is the WSHandlerResult taken from the RECV_RESULTS vector;
// fetchActionResult() expects its Vector of engine results, not the handler result itself
WSSecurityEngineResult actionResult =
        WSSecurityUtil.fetchActionResult(wsResult.getResults(), WSConstants.TS);

if (actionResult != null) {
    Timestamp timestamp = actionResult.getTimestamp();
    // Your validation (TTL check, nonce replay check) goes here...
}

As suggested by the blog post you referenced you can try upgrading to rampart-1.6.2 and using the policy based configuration.
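As an added example (not code from the answer or from the Rampart project), here is a minimal service-side replay check along the lines the answer describes, written against the WSS4J 1.5 API that Rampart 1.2 bundles. The class name, the in-memory nonce cache and the 300-second window (taken from the timestampttl value in the question) are assumptions; the service skeleton would call `ReplayGuard.check(MessageContext.getCurrentMessageContext())` before doing any work.

```java
import java.util.Iterator;
import java.util.Map;
import java.util.Vector;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.axis2.context.MessageContext;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSUsernameTokenPrincipal;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;
import org.apache.ws.security.util.WSSecurityUtil;

/** Hypothetical replay check, called from the service skeleton after Rampart has run. */
public class ReplayGuard {
    // Reject a Created time older than this; mirrors timestampttl=300 from the question
    private static final long TTL_MILLIS = 300L * 1000L;
    // nonce -> expiry (ms); per-JVM only, a clustered service needs a shared store instead (assumption)
    private static final Map<String, Long> seenNonces = new ConcurrentHashMap<String, Long>();

    public static void check(MessageContext msgCtx) throws Exception {
        Vector results = (Vector) msgCtx.getProperty(WSHandlerConstants.RECV_RESULTS);
        if (results == null || results.isEmpty()) {
            throw new Exception("Security header was not processed by Rampart");
        }
        Vector engineResults = ((WSHandlerResult) results.get(0)).getResults();
        WSSecurityEngineResult tsResult = WSSecurityUtil.fetchActionResult(engineResults, WSConstants.TS);
        WSSecurityEngineResult utResult = WSSecurityUtil.fetchActionResult(engineResults, WSConstants.UT);
        if (tsResult == null || utResult == null) {
            throw new Exception("Timestamp and UsernameToken are both required");
        }
        // 1. Freshness: the Timestamp's Created must lie within the TTL window
        long now = System.currentTimeMillis();
        long created = tsResult.getTimestamp().getCreated().getTimeInMillis();
        if (now - created > TTL_MILLIS) {
            throw new Exception("Timestamp Created is older than the TTL");
        }
        // 2. Uniqueness: the nonce must not have been accepted while it could still be fresh
        String nonce = ((WSUsernameTokenPrincipal) utResult.getPrincipal()).getNonce();
        if (nonce == null) throw new Exception("UsernameToken carries no nonce");
        // Forget nonces whose messages would now fail the freshness check, then record this one
        for (Iterator<Long> it = seenNonces.values().iterator(); it.hasNext();) {
            if (it.next() < now) {
                it.remove();
            }
        }
        if (seenNonces.putIfAbsent(nonce, created + TTL_MILLIS) != null) {
            throw new Exception("Replay detected: nonce already used");
        }
    }
}
```

Because a nonce is only remembered for as long as its Timestamp stays within the TTL, the cache cannot grow without bound, and a header "generated yesterday" is rejected by the freshness check even if its nonce was never seen.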