I would like to ask you for your help with the following question:
I have created an AAA policy in order to authenticate a username token with password digest. Authentication is working fine, however I am puzzled concerning the following recommendations from the standard "Web Services Security UsernameToken Profile 1.0":
1. It is RECOMMENDED that web service producers reject any UsernameToken not using both nonce and creation timestamps.
2. It is RECOMMENDED that web service producers provide a timestamp “freshness” limitation, and that any UsernameToken with “stale” timestamps be rejected. As a guideline, a value of five minutes can be used as a minimum to detect, and thus reject, replays.
3. It is RECOMMENDED that used nonces be cached for a period at least as long as the timestamp freshness limitation period, above, and that UsernameToken with nonces that have already been used (and are thus in the cache) be rejected.
Note that the nonce is hashed using the octet sequence of its decoded value while the timestamp
I wonder where in my policy I can define the "timestamp freshness limitation" and nonce cache settings?
Without setting anything, I was able to replay a message more than half an hour old without getting an authentication failure.
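The three recommendations quoted above, written out as an added Python example that is not part of the original post and is not DataPower configuration. The class `UsernameTokenVerifier`, the in-memory password map and nonce cache, and the sample token are assumptions made for illustration; timestamps are assumed to be UTC without fractional seconds.

```python
import base64, hashlib, hmac
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%dT%H:%M:%SZ"  # assumed wsu:Created format (UTC, no fractional seconds)

def password_digest(nonce: bytes, created: str, password: str) -> str:
    # UsernameToken Profile: Base64(SHA-1(nonce + created + password)), nonce as decoded octets.
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()

class UsernameTokenVerifier:
    def __init__(self, passwords, freshness=timedelta(minutes=5)):
        self.passwords = passwords   # username -> password (hypothetical credential store)
        self.freshness = freshness   # five-minute guideline from the quoted text
        self.seen = {}               # (username, nonce) -> time the cache entry may expire

    def verify(self, username, nonce_b64, created, digest_b64, now=None):
        now = now or datetime.now(timezone.utc)
        if not nonce_b64 or not created:                  # recommendation 1
            return "reject: nonce and created required"
        try:
            nonce = base64.b64decode(nonce_b64, validate=True)
            created_at = datetime.strptime(created, FMT).replace(tzinfo=timezone.utc)
        except ValueError:
            return "reject: malformed nonce or created"
        if abs(now - created_at) > self.freshness:        # recommendation 2
            return "reject: stale timestamp"
        expected = password_digest(nonce, created, self.passwords.get(username, ""))
        if username not in self.passwords or not hmac.compare_digest(
                expected.encode(), digest_b64.encode()):
            return "reject: bad credentials"
        # Recommendation 3: keep used nonces at least as long as the token stays fresh.
        self.seen = {k: exp for k, exp in self.seen.items() if exp >= now}
        key = (username, nonce)
        if key in self.seen:
            return "reject: replayed nonce"
        self.seen[key] = max(now, created_at) + self.freshness
        return "accept"

def demo():
    # Constructed sample token; every value here is made up for illustration.
    v = UsernameTokenVerifier({"alice": "s3cret"})
    t0 = datetime(2015, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    nonce, created = b"\x01\x02constructed-nonce", t0.strftime(FMT)
    token = ("alice", base64.b64encode(nonce).decode(), created,
             password_digest(nonce, created, "s3cret"))
    return [v.verify(*token, now=t0 + timedelta(seconds=10)),   # first use
            v.verify(*token, now=t0 + timedelta(minutes=2)),    # replay inside the window
            v.verify(*token, now=t0 + timedelta(minutes=35)),   # replay after half an hour
            v.verify("alice", "", created, token[3], now=t0)]   # token without a nonce
```

The nonce is recorded only after the digest check succeeds, so unauthenticated requests cannot fill the cache, and entries expire once the matching timestamp can no longer pass the freshness check.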