We use one of the older versions of apache axis2 for our web services framework. We are using rampart 1.2 as part of that.
I am trying to use password digest with ‘nonce’ and ‘timestamp’ mechanism for authentication. We’re getting rampart to do the verification.
I’ve got the authentication verification mechanism working fine (inc. password callbacks, etc.)
The issue I’m having concerns getting rampart to recognise a ‘replay attack’; basically, the functionality of the rampart module associated with recognising these seems to be inactive.
I can send the same security header to my axis2 service any number of times (even sending a security header I generated yesterday) and it authenticates fine and completes the webservice request.
I can't speak to the ReplayDetection feature, but there used to be a timeToLive element in the parameter/action section that would allow you to specify how long security credentials were good - something like "<timeToLive>10</timeToLive>" - in conjunction with a parameter/action/items: Timestamp. That would prevent such attacks after "timeToLive" seconds have passed. Not the same, but a start.
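For readers who want to see what the two pieces mentioned above actually check, here is an added example (not Axis2's or Rampart's own code, and not something either poster wrote) of the logic a replay-aware inflow handler performs on a UsernameToken with PasswordDigest. The `timeToLive` idea from the answer corresponds to step 1 (reject a Created timestamp older than the window); real replay detection additionally needs step 3, a cache of nonces already accepted inside that window, which is what lets "the same security header sent any number of times" be refused. The class name `UsernameTokenReplayGuard`, the `Result` enum and the sample password and timestamps are all constructed for the illustration; it assumes the server can obtain the user's clear-text password, as a Rampart password callback does.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.time.format.DateTimeParseException;
import java.util.Base64;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;

/**
 * Hypothetical replay guard for a WS-Security UsernameToken using PasswordDigest
 * (added example, not Rampart code). Three checks, in this order:
 *   1. the Created timestamp lies inside a time-to-live window (the answer's timeToLive),
 *   2. the digest equals Base64(SHA-1(nonce + created + password)),
 *   3. the nonce has not already been accepted inside that window.
 */
public class UsernameTokenReplayGuard {

    public enum Result { OK, BAD_TIMESTAMP, FUTURE, EXPIRED, BAD_DIGEST, REPLAYED }

    private final Duration timeToLive;
    private final Duration clockSkew;
    /** Accepted nonce (Base64) -> instant after which it can safely be forgotten. */
    private final Map<String, Instant> seenNonces = new HashMap<>();

    public UsernameTokenReplayGuard(Duration timeToLive, Duration clockSkew) {
        this.timeToLive = timeToLive;
        this.clockSkew = clockSkew;
    }

    /** Password_Digest = Base64(SHA-1(nonce + created + password)) from the UsernameToken Profile. */
    public static String computeDigest(byte[] nonce, String created, String password) {
        try {
            MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
            sha1.update(nonce);
            sha1.update(created.getBytes(StandardCharsets.UTF_8));
            sha1.update(password.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(sha1.digest());
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-1 is available in every JRE", e);
        }
    }

    /**
     * @param nonceB64  text of the Nonce element (Base64)
     * @param created   text of the Created element (xsd:dateTime in UTC, e.g. 2024-01-01T12:00:00Z)
     * @param digestB64 text of the Password element typed as PasswordDigest
     * @param password  clear-text password for the user, as a password callback would return it
     * @param now       receiver's current time, passed in so the check is deterministic
     */
    public synchronized Result verify(String nonceB64, String created, String digestB64,
                                      String password, Instant now) {
        Instant createdAt;
        try {
            createdAt = Instant.parse(created);
        } catch (DateTimeParseException e) {
            return Result.BAD_TIMESTAMP;
        }
        // 1. freshness: too old, or too far in the future for the allowed skew, is rejected
        if (createdAt.isAfter(now.plus(clockSkew))) return Result.FUTURE;
        if (createdAt.plus(timeToLive).isBefore(now)) return Result.EXPIRED;

        // 2. digest: recompute over the exact Created string the client sent; constant-time compare
        byte[] nonce = Base64.getDecoder().decode(nonceB64);
        byte[] expected = computeDigest(nonce, created, password).getBytes(StandardCharsets.US_ASCII);
        if (!MessageDigest.isEqual(expected, digestB64.getBytes(StandardCharsets.US_ASCII))) {
            return Result.BAD_DIGEST;
        }

        // 3. replay: remember each accepted nonce for as long as step 1 could still accept it
        evictExpired(now);
        Instant forgetAfter = createdAt.plus(timeToLive).plus(clockSkew);
        if (seenNonces.putIfAbsent(nonceB64, forgetAfter) != null) return Result.REPLAYED;
        return Result.OK;
    }

    /** Keeps the cache bounded: anything step 1 would now reject no longer needs remembering. */
    private void evictExpired(Instant now) {
        for (Iterator<Map.Entry<String, Instant>> it = seenNonces.entrySet().iterator(); it.hasNext();) {
            if (it.next().getValue().isBefore(now)) it.remove();
        }
    }

    /** Fresh token, the same token replayed, and a token created yesterday (all constructed values). */
    public static void main(String[] args) {
        UsernameTokenReplayGuard guard =
                new UsernameTokenReplayGuard(Duration.ofSeconds(10), Duration.ofSeconds(2));
        String password = "s3cret";                       // constructed sample credential
        byte[] nonce = new byte[16];
        new SecureRandom().nextBytes(nonce);
        String nonceB64 = Base64.getEncoder().encodeToString(nonce);
        Instant now = Instant.parse("2024-01-01T12:00:05Z");

        String created = "2024-01-01T12:00:00Z";
        String digest = computeDigest(nonce, created, password);
        System.out.println("first use: " + guard.verify(nonceB64, created, digest, password, now)); // OK
        System.out.println("replayed:  " + guard.verify(nonceB64, created, digest, password, now)); // REPLAYED

        String oldCreated = "2023-12-31T12:00:00Z";       // "a security header I generated yesterday"
        String oldDigest = computeDigest(nonce, oldCreated, password);
        System.out.println("yesterday: " + guard.verify(nonceB64, oldCreated, oldDigest, password, now)); // EXPIRED
    }
}
```

The ordering matters: freshness is checked before the digest so that a stale header is refused without touching the password store, and the nonce is recorded only after the digest verifies so that garbage nonces cannot fill the cache. Because the cache is per JVM, a service deployed on several nodes needs a shared store (or sticky routing) for step 3 to hold across the cluster; the time-to-live check alone, which is all the answer's `timeToLive` setting gives you, still leaves a replay window of that many seconds.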
subject: Apache axis2 and Rampart not preventing 'replay attacks'