Results 1 to 4 of 4

Thread: XWSSecurityException: The creation time is older than currenttime - timestamp

  1. Feb 15th, 2009, 12:23 AM #1
    vbose
    vbose is offline Senior Member
    Join Date
    Apr 2005
    Posts
    112

    Default XWSSecurityException: The creation time is older than currenttime - timestamp

    Code:
    2009-02-15 00:58:33,322 WARN [org.springframework.ws.soap.security.xwss.XwsSecurityInterceptor] - Could not validate request: com.sun.xml.wss.impl.WssSoapFaultException: The creation time is older than  currenttime - timestamp-freshness-limit - max-clock-skew; nested exception is com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.impl.WssSoapFaultException: The creation time is older than  currenttime - timestamp-freshness-limit - max-clock-skew


2009-02-15 00:58:33,322 DEBUG [org.springframework.ws.soap.server.endpoint.interceptor.SoapEnvelopeLoggingInterceptor] - Fault: <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header/><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Client</faultcode><faultstring xml:lang="en">com.sun.xml.wss.impl.WssSoapFaultException: The creation time is older than  currenttime - timestamp-freshness-limit - max-clock-skew; nested exception is com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.impl.WssSoapFaultException: The creation time is older than  currenttime - timestamp-freshness-limit - max-clock-skew</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
    Could some explain the error above? What is the root cause of this error. The same code works fine in Windows Environment. But when I tested the same in Linux Ubuntu 8.04.02 JDK 1.6.07_b6 environment, I got the above said error. Please help me out. I am using Spring WS 1.5.5, Spring framework 2.5.6, spring security 2.0.4 and tomcat 6.0.18.

    The following is my webservices request using usernametoken and password digest configured in SOAP UI.
    Code:
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:sch="http://eis/services/knowledgeTest/schema" xmlns:sch1="http://eis/services/common/schema">
   <soapenv:Header/>
   <soapenv:Body>
      <sch:knowledgeTestSearchRequest>
         <sch:searchRequest>
            <sch1:clientId>103</sch1:clientId>
            <sch1:region>T</sch1:region>
            <sch:firstName>Fred</sch:firstName>
            <sch:middleName></sch:middleName>
            <sch:lastName>Smith</sch:lastName>
            <sch:dateOfBirth>2009-14-02</sch:dateOfBirth>
            <sch:citizenFlag>Y</sch:citizenFlag>
            <sch:ssn>222222222</sch:ssn>
            <sch:alienNumber>?</sch:alienNumber>
            <!--1 or more repetitions:-->
            <sch:testType>DIE</sch:testType>
         </sch:searchRequest>
      </sch:knowledgeTestSearchRequest>
   </soapenv:Body>
</soapenv:Envelope>
    securityPolicy.xml

    Code:
    <xwss:SecurityConfiguration dumpMessages="false" xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
    <xwss:RequireUsernameToken passwordDigestRequired="true" nonceRequired="true"/>
</xwss:SecurityConfiguration>
    We have to give this to testing on Monday and I am kind of desperate. I tested the service using SOAP UI to send the request to the server both in Windows and LINUX.
    Last edited by vbose; Mar 9th, 2009 at 12:09 PM. Reason: adding security policy file
    Reply With Quote Reply With Quote
  2. Feb 15th, 2009, 01:24 AM #2
    tareq
    tareq is offline Senior Member
    Join Date
    Aug 2004
    Posts
    278

    Default

    Make sure that the system clocks on the your client and test machines are synchronized.
    And please, use the code tags for future posting. It makes reading your posts much easier for people who are willing to help.
    Tareq Abedrabbo

    My Twitter
    My Blog
    Reply With Quote Reply With Quote
  3. Feb 15th, 2009, 08:00 AM #3
    vbose
    vbose is offline Senior Member
    Join Date
    Apr 2005
    Posts
    112

    Default

    Thanks so much Tareq. Next time, I will post the code using <code> tags. However, I have a question. In production, the request comes from a .NET client and they could be in a different timezone. So do we enforce the rule of making client and server clock time to be synchronized.
    Reply With Quote Reply With Quote
  4. Mar 9th, 2009, 12:07 PM #4
    vbose
    vbose is offline Senior Member
    Join Date
    Apr 2005
    Posts
    112

    Default

    Alternatively, you may also increase the maxClockSkew to a higher number from the default 300 seconds to by pass this error. In this case, the client also has to issue a Timestamp in the soap header where it clearly states the created time and the expiry time for the request.

    See the example below: In this example, the maxClockSkew is set to 1 hour.

    Code:
    <xwss:SecurityConfiguration dumpMessages="false" xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
    <xwss:RequireUsernameToken passwordDigestRequired="true" nonceRequired="true"/>
    <xwss:RequireTimestamp maxClockSkew="3600"/> 
</xwss:SecurityConfiguration>
    An example of timestamp in the soap header is given below.

    Code:
    <wsu:Timestamp wsu:Id="Timestamp-22800595" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
	<wsu:Created>2009-03-09T17:01:37Z</wsu:Created>
	<wsu:Expires>2009-03-09T18:01:37Z</wsu:Expires>
</wsu:Timestamp>
    Last edited by vbose; Mar 9th, 2009 at 01:55 PM.
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules