Validate timestamp

Overview

You can use the Validate Timestamp filter to validate a timestamp that has been stored in a message attribute by a previous filter in a policy. For example, you can extract the value of a wsu:Created element from a WS-Security token and store it in a created attribute using the Retrieve from Message filter in the Attributes category. You can then use the Validate Timestamp filter to ensure that the created timestamp is not after the current time.

Similarly, you can use the Retrieve from Message filter to extract the value of the wsu:Expires element and store it in a timestamp message attribute. You can use the Validate Timestamp filter to check that the timestamp is not before the current time.

This ensures that the current time is between the Created time and the Expires time. By taking into account the drift time (to resolve discrepancies between clock times on the machine that generated the timestamp, and the machine running the API Gateway), this ensures that the current time is after the Created time minus the drift time, and before the Expires time plus the drift time. The current time is within the following time frame:

[Created Time - Drift, Expiry Time + Drift]

[Important] Important

If you wish to validate the timestamp stored in a WS-Security Username Token or SAML assertion, you can use the WS-Security Username Token Authentication, SAML Authentication, SAML Authorization, or SAML Attribute filters to perform this validation. You can use the Validate Timestamp filter to validate non-standard timestamps, such as those not transmitted in WS-Security tokens or SAML assertions.

The Validate Timestamp filter does not require an entire WS-Utility Timestamp element (unlike the Insert Timestamp filter). Instead, this filter requires a simple date-formatted string.

Configuration

Complete the following fields to configure the API Gateway to validate a timestamp that has been stored in a message attribute:

Name:

Enter a name for the filter.

Selector Expression to Retrieve Timestamp:

Enter the name of the selector expression that contains the value of the timestamp. Defaults to ${timestamp}. The specified selector is expanded at runtime to the corresponding message attribute value. For more details, see Selecting configuration values at runtime.

[Note] Note

You must configure a predecessor of this filter to extract the timestamp from the message and store it in the specified attribute (for example, the Retrieve from Message filter in the Attributes filter.

Format of Timestamp:

Enter the format of the timestamp that is contained in the specified message attribute. The default date/time format is yyyy-MM-dd'T'HH:mm:ss.SSS'Z', which can be altered if necessary. For more information on how to use this format, see the Javadoc for the java.text.SimpleDateFormat class.

Timezone:

Select the time zone to use to interpret the time stored in the message attribute selected above. The default option is GMT.

Drift (secs):

Specify the drift time to use when determining whether or not the current time falls within a certain time interval. The drift time can be used to account for differences in the clock times of the machine running the API Gateway and the machine on which the timestamp was generated.

Timestamp must be in the past:

The time in the timestamp must be before the time at which the server validates the timestamp. This is used for validating a timestamp that represents a Created time (the created time must be before the validation time).

Timestamp must be in the future:

The time in the timestamp must be after the time at which the server validates the timestamp. This is used for validating a timestamp that represents an Expires time (the expiry time must be some time in the future relative to the validation time).