WSS4J with Spring WS : (WSSecurityEngine: Invalid timestamp The security semantics of the message have expired)

3
votes

I developped a ws (soap) based on Wss4jSecurityInterceptor's Spring implementation.

The configuration is as follow :

...
securementActions=Timestamp Signature Encrypt
...
securementSignatureParts={Element}{...schemas.xmlsoap.org/soap/envelope/}Body;{Element}...www.w3.org/2005/08/addressing}To;{Element}{...www.w3.org/2005/08/addressing}Action;{Element}{...www.w3.org/2005/08/addressing}MessageID;{Element}{...www.w3.org/2005/08/addressing}RelatesTo;{Element}{...docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp

When i call the ws from a client when the clock is set 2 minutes (or more) latter than server's clock i get the message below :

org.apache.ws.security.WSSecurityException: The message has expired (WSSecurityEngine: Invalid timestamp The security semantics of the message have expired)

I use SoapUI to test the ws. On the response that i get the body block cannot be decrypted on client-side.

Response when clocks are synchronized


    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
       <SOAP-ENV:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
       ...
       </SOAP-ENV:Header>
       <SOAP-ENV:Body wsu:Id="id-148" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
          <SOAP-ENV:Fault>
             <faultcode>SOAP-ENV:Server</faultcode>
             <faultstring xml:lang="en">error label</faultstring>
             <detail>
                <submissionFault xmlns="xxxxxx">
                   <error xmlns="xxxxxxx">
                      <errorCode>error code here</errorCode>
                      <errorDescription>error description here</errorDescription>
                      <errorDetail>errro detail here</errorDetail>
                   </error>
                </submissionFault>
             </detail>
          </SOAP-ENV:Fault>
       </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>

Response when both clocks are not synchronized


    <SOAP-ENV:Envelope xmlns:SOAP-ENV="..." xmlns:xenc=&quot...#">
       <SOAP-ENV:Header xmlns:wsa="...">
       ...
       </SOAP-ENV:Header>
       <SOAP-ENV:Body wsu:Id="id-157" xmlns:wsu="...">
          <xenc:EncryptedData Id="EncDataId-162" Type="...">
             <xenc:EncryptionMethod Algorithm="...#aes256-cbc"/>
             <ds:KeyInfo xmlns:ds="...#">
                <wsse:SecurityTokenReference xmlns:wsse="...">
                   <wsse:Reference URI="#EncKeyId-xxxxxxxxxxxxxhhhhhyyyy"/>
                </wsse:SecurityTokenReference>
             </ds:KeyInfo>
             <xenc:CipherData>
                <xenc:CipherValue>PMam8TSjmX9gHDE7+/fekt575W+qWFC2xcMAXzAlTPfxoQ3ctBG9bUPUAsnMNQm41G9ya0EZaQtV
    zRL59IFW0wrowbJXhUHXvW0YPkAbIUSnnmWreQpHwy5oKA5DQWJ+nZTnyMdXq8ukxDPCP5ALlvGD
    wv685Fs14YmWupzXVBGufcu4XSGFI
    ...
    XhUkjHrOlrBL4PHiZ9imt
    nWLswfcay6friGSfkN2Z0U5oJ3XW034sVCONFBdZVNwia51nNmGTGwsMXJFxXLXCxv/lVP1p3tMq
    StoR11Otn8d/gcc06q+jBJDu5KXTgI5V6fHyW17jvV924AorYA44BiZ6ym5u4dti8fvCSFfj8shg
    /4DhGS16ATWFFfZ+QzTxaGEik1+d/+AbMc031wrO60hm7dIMasOegqD0BKUkEgkBbk0totU4TI55
    C3BHPmv44QPGpoOSmkGAjYYzfbv9GE6HeaUBVXviJqaA1q0BiIIklINMmnry9KU53mi59swqBNKz
    pF6cNDjKFGDNeRW9JLGNJq8dsnqK8nn7zE/sE2PxFGwJ+3qk40TuE6mjhA==</xenc:CipherValue>
             </xenc:CipherData>
          </xenc:EncryptedData>
       </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>

Any idea?

Thanks

3
springtimestampws-securitywss4j
For development purposes, can the timestamp constraint be disabled? Because I tried setTimestampStrict(false) but restriction still exist. - Young Emil

3 Answers

2
votes

This is expected, your server and client clock should be synchronized otherwise the default WSS4J TimestampValidator will throw the exception

"org.apache.ws.security.WSSecurityException: The message has expired (WSSecurityEngine: Invalid timestamp The security semantics of the message have expired)"

2
votes

It is working as expected and spring has allowed a maximum delay of 300 seconds for a request to reach from client to server. If it takes more than this it will throw "The message has expired" exception. It is provided in file Wss4jSecurityInterceptor of Spring. So ideally your server should be between 0 to 300 seconds fast from your client.

0
votes

Maybe the tomcat(or your web-app server) and/or its services has been shut down. Please check them all. I had the same issue today and my tomcat service has been shutdown (I don't know why) then I restarted the service and problem went away forever.