You can use the Validate Timestamp filter to validate a
timestamp that has been stored in a message attribute by a previous filter
in a policy. For example, you can extract the value of a wsu:Created
element from a WS-Security token and store it in a created attribute using the
Retrieve from Message filter in the Attributes
category. You can then use the Validate Timestamp filter to
ensure that the created timestamp is not after the current
time.
Similarly, you can use the Retrieve from Message filter to extract the value of the wsu:Expires element and store it in a timestamp message attribute. You can use the Validate Timestamp filter to check that the timestamp is not before the current time.
This ensures that the current time is between the Created time and the Expires time. By taking into account the drift time (to resolve discrepancies between clock times on the machine that generated the timestamp, and the machine running the API Gateway), this ensures that the current time is after the Created time minus the drift time, and before the Expires time plus the drift time. The current time is within the following time frame:
[Created Time - Drift, Expiry Time + Drift]
Important: If you wish to validate the timestamp stored in a WS-Security Username Token or SAML assertion, you can use the WS-Security Username Token Authentication, SAML Authentication, SAML Authorization, or SAML Attribute filters to perform this validation. You can use the Validate Timestamp filter to validate non-standard timestamps, such as those not transmitted in WS-Security tokens or SAML assertions.
The Validate Timestamp filter does not require an entire WS-Utility Timestamp element (unlike the Insert Timestamp filter). Instead, this filter requires a simple date-formatted string.
Complete the following fields to configure the API Gateway to validate a timestamp that has been stored in a message attribute:
Name:
Enter a name for the filter.
Selector Expression to Retrieve Timestamp:
Enter the name of the selector expression that contains the value of the timestamp. Defaults to ${timestamp}. The specified selector is expanded at runtime to the corresponding message attribute value. For more details, see Selecting configuration values at runtime.
Note: You must configure a predecessor of this filter to extract the timestamp from the message and store it in the specified attribute (for example, the Retrieve from Message filter in the Attributes category).
Format of Timestamp:
Enter the format of the timestamp that is contained in the specified message attribute. The default date/time format is yyyy-MM-dd'T'HH:mm:ss.SSS'Z', which can be altered if necessary. For more information on how to use this format, see the Javadoc for the java.text.SimpleDateFormat class.
Timezone:
Select the time zone to use to interpret the time stored in the message attribute selected above. The default option is GMT.
Drift (secs):
Specify the drift time to use when determining whether or not the current time falls within a certain time interval. The drift time can be used to account for differences in the clock times of the machine running the API Gateway and the machine on which the timestamp was generated.
Timestamp must be in the past:
The time in the timestamp must be before the time at which the server validates the timestamp. This is used for validating a timestamp that represents a Created time (the created time must be before the validation time).
Timestamp must be in the future:
The time in the timestamp must be after the time at which the server validates the timestamp. This is used for validating a timestamp that represents an Expires time (the expiry time must be some time in the future relative to the validation time).
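The following Java sketch is an added example, not code from the API Gateway or its documentation. It shows how the Format of Timestamp, Timezone, Drift, and past/future settings combine into the [Created Time - Drift, Expiry Time + Drift] window. The class name, method names, and sample timestamps are constructed for illustration.

```java
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.TimeZone;

// Added illustration; TimestampWindowCheck and its methods are hypothetical names.
public class TimestampWindowCheck {

    // In the default pattern 'Z' is a quoted literal, so the parser takes the zone
    // from the configured Timezone setting, not from the timestamp string itself.
    static long parseMillis(String value, String pattern, String zoneId) throws ParseException {
        SimpleDateFormat fmt = new SimpleDateFormat(pattern);
        fmt.setTimeZone(TimeZone.getTimeZone(zoneId));
        fmt.setLenient(false); // reject impossible dates instead of rolling them over
        return fmt.parse(value).getTime();
    }

    // "Timestamp must be in the past": Created Time - Drift <= current time
    static boolean createdOk(long createdMs, long nowMs, long driftSecs) {
        return createdMs - driftSecs * 1000L <= nowMs;
    }

    // "Timestamp must be in the future": current time <= Expiry Time + Drift
    static boolean expiresOk(long expiresMs, long nowMs, long driftSecs) {
        return nowMs <= expiresMs + driftSecs * 1000L;
    }

    public static void main(String[] args) throws ParseException {
        String pattern = "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'";
        // Constructed sample values; "now" is fixed so that runs are reproducible.
        long now     = parseMillis("2024-05-01T12:00:00.000Z", pattern, "GMT");
        long created = parseMillis("2024-05-01T12:00:20.000Z", pattern, "GMT"); // sender clock 20 s ahead
        long expires = parseMillis("2024-05-01T11:59:50.000Z", pattern, "GMT"); // expired 10 s before now

        System.out.println("created, drift 0 s:  " + createdOk(created, now, 0));
        System.out.println("created, drift 30 s: " + createdOk(created, now, 30));
        System.out.println("expires, drift 0 s:  " + expiresOk(expires, now, 0));
        System.out.println("expires, drift 5 s:  " + expiresOk(expires, now, 5));
        System.out.println("expires, drift 30 s: " + expiresOk(expires, now, 30));

        // The same string read under a different Timezone setting is a different instant.
        long shifted = parseMillis("2024-05-01T12:00:00.000Z", pattern, "America/New_York");
        System.out.println("zone shift in hours: " + (shifted - now) / 3600000L);
    }
}
```

A mismatched Timezone setting moves the whole acceptance window by hours, while each second of Drift extends the window by one second at both ends, so keep Drift no larger than the clock skew you actually need to tolerate.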