
I developed a ws (SOAP) based on Spring's Wss4jSecurityInterceptor implementation.

The configuration is as follows:

...
securementActions=Timestamp Signature Encrypt
...
securementSignatureParts={Element}{...schemas.xmlsoap.org/soap/envelope/}Body;{Element}...www.w3.org/2005/08/addressing}To;{Element}{...www.w3.org/2005/08/addressing}Action;{Element}{...www.w3.org/2005/08/addressing}MessageID;{Element}{...www.w3.org/2005/08/addressing}RelatesTo;{Element}{...docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp

When I call the ws from a client whose clock is set 2 minutes (or more) later than the server's clock, I get the message below:

org.apache.ws.security.WSSecurityException: The message has expired (WSSecurityEngine: Invalid timestamp The security semantics of the message have expired)

I use SoapUI to test the ws. In the response I get, the body block cannot be decrypted on the client side.

Response when clocks are synchronized


    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
       <SOAP-ENV:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
       ...
       </SOAP-ENV:Header>
       <SOAP-ENV:Body wsu:Id="id-148" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
          <SOAP-ENV:Fault>
             <faultcode>SOAP-ENV:Server</faultcode>
             <faultstring xml:lang="en">error label</faultstring>
             <detail>
                <submissionFault xmlns="xxxxxx">
                   <error xmlns="xxxxxxx">
                      <errorCode>error code here</errorCode>
                      <errorDescription>error description here</errorDescription>
                      <errorDetail>errro detail here</errorDetail>
                   </error>
                </submissionFault>
             </detail>
          </SOAP-ENV:Fault>
       </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>

Response when the clocks are not synchronized


    <SOAP-ENV:Envelope xmlns:SOAP-ENV="..." xmlns:xenc="...#">
       <SOAP-ENV:Header xmlns:wsa="...">
       ...
       </SOAP-ENV:Header>
       <SOAP-ENV:Body wsu:Id="id-157" xmlns:wsu="...">
          <xenc:EncryptedData Id="EncDataId-162" Type="...">
             <xenc:EncryptionMethod Algorithm="...#aes256-cbc"/>
             <ds:KeyInfo xmlns:ds="...#">
                <wsse:SecurityTokenReference xmlns:wsse="...">
                   <wsse:Reference URI="#EncKeyId-xxxxxxxxxxxxxhhhhhyyyy"/>
                </wsse:SecurityTokenReference>
             </ds:KeyInfo>
             <xenc:CipherData>
                <xenc:CipherValue>PMam8TSjmX9gHDE7+/fekt575W+qWFC2xcMAXzAlTPfxoQ3ctBG9bUPUAsnMNQm41G9ya0EZaQtV
    zRL59IFW0wrowbJXhUHXvW0YPkAbIUSnnmWreQpHwy5oKA5DQWJ+nZTnyMdXq8ukxDPCP5ALlvGD
    wv685Fs14YmWupzXVBGufcu4XSGFI
    ...
    XhUkjHrOlrBL4PHiZ9imt
    nWLswfcay6friGSfkN2Z0U5oJ3XW034sVCONFBdZVNwia51nNmGTGwsMXJFxXLXCxv/lVP1p3tMq
    StoR11Otn8d/gcc06q+jBJDu5KXTgI5V6fHyW17jvV924AorYA44BiZ6ym5u4dti8fvCSFfj8shg
    /4DhGS16ATWFFfZ+QzTxaGEik1+d/+AbMc031wrO60hm7dIMasOegqD0BKUkEgkBbk0totU4TI55
    C3BHPmv44QPGpoOSmkGAjYYzfbv9GE6HeaUBVXviJqaA1q0BiIIklINMmnry9KU53mi59swqBNKz
    pF6cNDjKFGDNeRW9JLGNJq8dsnqK8nn7zE/sE2PxFGwJ+3qk40TuE6mjhA==</xenc:CipherValue>
             </xenc:CipherData>
          </xenc:EncryptedData>
       </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>

Any idea?

Thanks

Gustavo Bobeff
  • For development purposes, can the timestamp constraint be disabled? Because I tried `setTimestampStrict(false)` but the restriction still exists. – Young Emil Apr 19 '20 at 18:42

3 Answers

This is expected; your server and client clocks should be synchronized, otherwise the default WSS4J TimestampValidator will throw the exception

"org.apache.ws.security.WSSecurityException: The message has expired (WSSecurityEngine: Invalid timestamp The security semantics of the message have expired)"

RoundPi
  • For development purposes, can the timestamp constraint be disabled? Because I tried `new Wss4jSecurityInterceptor().setTimestampStrict(false)` but the restriction still exists. – Young Emil Apr 19 '20 at 18:47

It is working as expected, and Spring has allowed a maximum delay of 300 seconds for a request to reach the server from the client. If it takes more than this, it will throw the "The message has expired" exception. It is provided in the Wss4jSecurityInterceptor file of Spring. So ideally your server should be between 0 and 300 seconds fast relative to your client.
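As an added illustration (not code from the question, the answers, or WSS4J itself), the script below mirrors the timestamp checks that produce the "The message has expired" fault: a wsu:Timestamp is rejected when its Created time is more than an assumed 60 seconds in the future (the client clock ahead, as in the question) or older than the 300 second time-to-live the answer mentions, or when its Expires has passed. The wsu:Timestamp element is constructed inline; the 60 second future tolerance and the 300 second time-to-live are assumed defaults, and `build_timestamp`/`check_message` are hypothetical helper names.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

WSU = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}"
# Assumed defaults: 300 s time-to-live (as stated in the answer) and a 60 s
# tolerance for a Created time lying in the future (client clock ahead).
TTL_SECONDS = 300
FUTURE_TTL_SECONDS = 60
# Constructed server clock used by the scenarios below.
SERVER_NOW = datetime(2020, 4, 19, 18, 42, 0, tzinfo=timezone.utc)


def _parse_utc(text):
    # wsu:Created / wsu:Expires are xsd:dateTime in UTC, e.g. 2020-04-19T18:42:00.000Z
    return datetime.fromisoformat(text.strip().replace("Z", "+00:00"))


def parse_wsu_timestamp(xml_text):
    """Return (created, expires) from a wsu:Timestamp element; expires may be None."""
    root = ET.fromstring(xml_text)
    ts = root if root.tag == WSU + "Timestamp" else root.find(".//" + WSU + "Timestamp")
    if ts is None:
        raise ValueError("no wsu:Timestamp in message")
    expires_text = ts.findtext(WSU + "Expires")
    return _parse_utc(ts.findtext(WSU + "Created")), (_parse_utc(expires_text) if expires_text else None)


def validate_timestamp(created, expires, now, ttl=TTL_SECONDS, future_ttl=FUTURE_TTL_SECONDS):
    """Three checks; each failure maps to the single 'message has expired' fault,
    so the reason string is what a server-side log should record."""
    if created > now + timedelta(seconds=future_ttl):
        return False, "Created is more than %ds in the future (client clock ahead)" % future_ttl
    if created + timedelta(seconds=ttl) <= now:
        return False, "Created is older than the %ds time-to-live (client clock behind)" % ttl
    if expires is not None and expires <= now:
        return False, "Expires has already passed"
    return True, "timestamp accepted"


def check_message(xml_text, now):
    return validate_timestamp(*parse_wsu_timestamp(xml_text), now)


def build_timestamp(client_now, ttl=TTL_SECONDS):
    """Constructed wsu:Timestamp as a client such as SoapUI would emit it."""
    fmt = "%Y-%m-%dT%H:%M:%S.000Z"
    return ('<wsu:Timestamp xmlns:wsu="%s" wsu:Id="TS-1"><wsu:Created>%s</wsu:Created>'
            '<wsu:Expires>%s</wsu:Expires></wsu:Timestamp>'
            % (WSU[1:-1], client_now.strftime(fmt), (client_now + timedelta(seconds=ttl)).strftime(fmt)))


def skew_results(server_now=SERVER_NOW, skews=(0, 30, 120, -120, -360)):
    """Map each client clock offset (seconds ahead of the server) to accepted/rejected."""
    return {s: check_message(build_timestamp(server_now + timedelta(seconds=s)), server_now)[0] for s in skews}


if __name__ == "__main__":
    for skew, ok in skew_results().items():
        print("client clock %+4ds -> %s" % (skew, "accepted" if ok else "rejected"))
```

A client 2 minutes ahead (+120 s) is rejected even though its message is "fresh", which is the scenario in the question; a client 2 minutes behind is still within the time-to-live and passes.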


Maybe Tomcat (or your web-app server) and/or its services have been shut down. Please check them all. I had the same issue today and my Tomcat service had been shut down (I don't know why); then I restarted the service and the problem went away forever.

StarCrafter