Hi everybody,

We have upgraded to 2.3.3 and we have an issue with the Timestamp action: when the client's clock is set to the future (even by a single second) the timestamp is invalid and the call throws an exception.

The problem is also reported here

https://issues.apache.org/jira/browse/WSS-291

It is my understanding that
- cxf-2.2.6 had wss4j 1.5.8 which is not affected by the bug.
- If we update some we will get rid of that bug. We will update, but not right now.

So I have the following questions
1) Where should I put the timeToLive and futureTimeToLive spring configuration variables? I put them in the WSS4JInInterceptor/property/map/entry and they didn't have any effect.

2) What is the default value of futureTimeToLive before wss4j-1.5.11? The bug report doesn't mention it.

3) Do the timeToLive and futureTimeToLive variables also need to be specified in the client? That would be very bad since we can't control the software of our clients.

Here is the relevant configuration fragment

<simple:inInterceptors>
 <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
  <property name="properties">
   <map>
    <entry key="action" value="UsernameToken Timestamp" />
    <entry key="passwordType" value="PasswordDigest" />
    <entry key="passwordCallbackClass" value="OurHandler" />

    <!-- ===================================================== -->
    <!-- unfortunately these values don't seem to play any role -->
    <entry key="timeToLive" value="3600" />
    <entry key="futureTimeToLive" value="3600" />
    <!-- ===================================================== -->
   </map>
  </property>
 </bean>
</simple:inInterceptors>

And here is the exception

ERROR 2011-12-02 05:57:46,238 TP-Processor7:
org.apache.cxf.binding.soap.SoapFault: The message has expired
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInInterceptor.java:649)
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:278)
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:80)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:255)
        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:113)
        at org.apache.cxf.transport.servlet.ServletDestination.invoke(ServletDestination.java:97)
        at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:461)
        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:188)
        at org.apache.cxf.transport.servlet.AbstractCXFServlet.invoke(AbstractCXFServlet.java:148)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:179)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:103)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:159)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
        at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190)
        at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291)
        at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:774)
        at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:703)
        at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:896)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690)
        at java.lang.Thread.run(Thread.java:662)
Caused by: org.apache.ws.security.WSSecurityException: The message has expired
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.checkTimestamps(WSS4JInInterceptor.java:366)
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:236)
        ... 26 more


Thanks in advance

       .bill
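
How a receiver-side freshness check with separate past and future windows treats a client clock that runs one second ahead, as an added example that is not part of the original post and is not WSS4J or CXF code. The class, method and enum names and the window values are assumptions chosen for illustration.

```java
import java.time.Duration;
import java.time.Instant;

/** Illustrative check only; names and window values are assumptions, not the WSS4J API. */
public class TimestampFreshness {

    enum Verdict { OK, CREATED_IN_FUTURE, TOO_OLD, EXPIRED }

    /**
     * @param created   wsu:Created taken from the message
     * @param expires   wsu:Expires taken from the message, or null if absent
     * @param now       the receiver's own clock
     * @param ttl       how far in the past Created may lie
     * @param futureTtl how far ahead of the receiver's clock Created may lie
     */
    static Verdict check(Instant created, Instant expires, Instant now,
                         Duration ttl, Duration futureTtl) {
        if (created.isAfter(now.plus(futureTtl))) {
            return Verdict.CREATED_IN_FUTURE;   // sender's clock is ahead of the tolerance
        }
        if (created.plus(ttl).isBefore(now)) {
            return Verdict.TOO_OLD;             // outside the replay window
        }
        if (expires != null && expires.isBefore(now)) {
            return Verdict.EXPIRED;             // sender's own expiry has passed
        }
        return Verdict.OK;
    }

    public static void main(String[] args) {
        // Constructed sample values: receiver clock, and a client running one second ahead.
        Instant now = Instant.parse("2011-12-02T05:57:46Z");
        Instant created = now.plusSeconds(1);
        Instant expires = created.plusSeconds(300);
        Duration ttl = Duration.ofSeconds(300);

        // No tolerance for future timestamps: the one-second skew is rejected.
        System.out.println(check(created, expires, now, ttl, Duration.ZERO));
        // A small tolerance absorbs ordinary clock drift.
        System.out.println(check(created, expires, now, ttl, Duration.ofSeconds(60)));
        // A message older than the past window is rejected regardless of the future tolerance.
        System.out.println(check(now.minusSeconds(301), null, now, ttl, Duration.ofSeconds(60)));
    }
}
```

In this sketch both windows are evaluated against the receiver's clock only, and widening either one also lengthens the period during which a captured message would still be accepted.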
