Announcement Announcement Module
Collapse
No announcement yet.
XWSSecurityException: The creation time is older than currenttime - timestamp Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • XWSSecurityException: The creation time is older than currenttime - timestamp

    Code:
    2009-02-15 00:58:33,322 WARN [org.springframework.ws.soap.security.xwss.XwsSecurityInterceptor] - Could not validate request: com.sun.xml.wss.impl.WssSoapFaultException: The creation time is older than  currenttime - timestamp-freshness-limit - max-clock-skew; nested exception is com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.impl.WssSoapFaultException: The creation time is older than  currenttime - timestamp-freshness-limit - max-clock-skew
    
    
    2009-02-15 00:58:33,322 DEBUG [org.springframework.ws.soap.server.endpoint.interceptor.SoapEnvelopeLoggingInterceptor] - Fault: <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header/><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Client</faultcode><faultstring xml:lang="en">com.sun.xml.wss.impl.WssSoapFaultException: The creation time is older than  currenttime - timestamp-freshness-limit - max-clock-skew; nested exception is com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.impl.WssSoapFaultException: The creation time is older than  currenttime - timestamp-freshness-limit - max-clock-skew</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
    Could some explain the error above? What is the root cause of this error. The same code works fine in Windows Environment. But when I tested the same in Linux Ubuntu 8.04.02 JDK 1.6.07_b6 environment, I got the above said error. Please help me out. I am using Spring WS 1.5.5, Spring framework 2.5.6, spring security 2.0.4 and tomcat 6.0.18.

    The following is my webservices request using usernametoken and password digest configured in SOAP UI.
    Code:
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:sch="http://eis/services/knowledgeTest/schema" xmlns:sch1="http://eis/services/common/schema">
       <soapenv:Header/>
       <soapenv:Body>
          <sch:knowledgeTestSearchRequest>
             <sch:searchRequest>
                <sch1:clientId>103</sch1:clientId>
                <sch1:region>T</sch1:region>
                <sch:firstName>Fred</sch:firstName>
                <sch:middleName></sch:middleName>
                <sch:lastName>Smith</sch:lastName>
                <sch:dateOfBirth>2009-14-02</sch:dateOfBirth>
                <sch:citizenFlag>Y</sch:citizenFlag>
                <sch:ssn>222222222</sch:ssn>
                <sch:alienNumber>?</sch:alienNumber>
                <!--1 or more repetitions:-->
                <sch:testType>DIE</sch:testType>
             </sch:searchRequest>
          </sch:knowledgeTestSearchRequest>
       </soapenv:Body>
    </soapenv:Envelope>
    securityPolicy.xml

    Code:
    <xwss:SecurityConfiguration dumpMessages="false" xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
        <xwss:RequireUsernameToken passwordDigestRequired="true" nonceRequired="true"/>
    </xwss:SecurityConfiguration>
    We have to give this to testing on Monday and I am kind of desperate. I tested the service using SOAP UI to send the request to the server both in Windows and LINUX.
    Last edited by vbose; Mar 9th, 2009, 12:09 PM. Reason: adding security policy file

  • #2
    Make sure that the system clocks on the your client and test machines are synchronized.
    And please, use the code tags for future posting. It makes reading your posts much easier for people who are willing to help.

    Comment


    • #3
      Thanks so much Tareq. Next time, I will post the code using <code> tags. However, I have a question. In production, the request comes from a .NET client and they could be in a different timezone. So do we enforce the rule of making client and server clock time to be synchronized.

      Comment


      • #4
        Alternatively, you may also increase the maxClockSkew to a higher number from the default 300 seconds to by pass this error. In this case, the client also has to issue a Timestamp in the soap header where it clearly states the created time and the expiry time for the request.

        See the example below: In this example, the maxClockSkew is set to 1 hour.

        Code:
        <xwss:SecurityConfiguration dumpMessages="false" xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
            <xwss:RequireUsernameToken passwordDigestRequired="true" nonceRequired="true"/>
            <xwss:RequireTimestamp maxClockSkew="3600"/> 
        </xwss:SecurityConfiguration>
        An example of timestamp in the soap header is given below.

        Code:
        <wsu:Timestamp wsu:Id="Timestamp-22800595" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        	<wsu:Created>2009-03-09T17:01:37Z</wsu:Created>
        	<wsu:Expires>2009-03-09T18:01:37Z</wsu:Expires>
        </wsu:Timestamp>
        Last edited by vbose; Mar 9th, 2009, 01:55 PM.

        Comment

        Working...
        X