You can use the Validate Timestamp filter to validate a
timestamp that has been stored in a message attribute by a previous filter
in a policy.
For example, you can extract the value of a wsu:Created element
from a WS-Security token and store it in a created attribute using the
Retrieve from Message filter in the Attributes
category. You can then use the Validate Timestamp filter
to ensure that the created timestamp is not after
the current time.
Similarly, you can use the Retrieve from Message filter
to extract the value of the wsu:Expires element and store
it in a timestamp message attribute. You can use the Validate
Timestamp filter to check that the timestamp is not
before the current time.
Together, these two checks ensure that the current time is between the Created time
and the Expires time. The drift time resolves discrepancies between the clock
on the machine that generated the timestamp and the clock on the machine running
the Enterprise Gateway. When the drift time is taken into account, the
current time must be after the Created time minus the drift time, and
before the Expires time plus the drift time. The current time is
within the following timeframe:
[Created Time - Drift, Expiry Time + Drift]
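The following Python sketch is an added example, not Enterprise Gateway code. It mirrors the two policy steps described above: it extracts the Created and Expires date strings, then checks the current time against the drift-adjusted timeframe. The function names, the sample message, the 30-second drift and the extra check that Expires does not precede Created are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# Constructed sample input, not taken from a real message.
SAMPLE = f"""<wsu:Timestamp xmlns:wsu="{WSU}">
  <wsu:Created>2024-05-01T12:00:00Z</wsu:Created>
  <wsu:Expires>2024-05-01T12:05:00Z</wsu:Expires>
</wsu:Timestamp>"""


def parse_utc(text):
    """Parse an ISO 8601 date string; refuse values that carry no time zone."""
    dt = datetime.fromisoformat(text.strip().replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError(f"timestamp has no time zone: {text!r}")
    return dt.astimezone(timezone.utc)


def extract(xml_text):
    """Pull the Created and Expires strings out of the element (hypothetical helper)."""
    root = ET.fromstring(xml_text)
    values = [root.findtext(f"{{{WSU}}}{name}") for name in ("Created", "Expires")]
    if None in values:
        raise ValueError("Created or Expires element is missing")
    return tuple(parse_utc(v) for v in values)


def check_window(created, expires, now, drift):
    """Accept only if now is inside [created - drift, expires + drift]."""
    if expires < created:
        return "invalid: Expires precedes Created"
    if now < created - drift:
        return "rejected: Created is after the current time"
    if now > expires + drift:
        return "rejected: Expires is before the current time"
    return "ok"


if __name__ == "__main__":
    created, expires = extract(SAMPLE)
    drift = timedelta(seconds=30)
    for offset in (-31, -30, 0, 330, 331):  # seconds relative to Created
        now = created + timedelta(seconds=offset)
        print(offset, check_window(created, expires, now, drift))
```

The drift extends the acceptance period at both ends, so a larger value also lengthens the time during which a captured message still passes the check.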
Important Note:
If you wish to validate the timestamp stored in a WS-Security Username Token or
SAML assertion, you can use the WS-Security Username Token Authentication,
SAML Authentication, SAML Authorization, or
SAML Attribute filters to perform this validation. You can use
the Validate Timestamp filter to validate non-standard timestamps,
such as those not transmitted in WS-Security tokens or SAML assertions.
The Validate Timestamp filter does not require an entire WS-Utility
Timestamp element (unlike the Insert Timestamp filter). Instead, this
filter requires a simple date-formatted string.