Posted to java-user@axis.apache.org by Darren Clarke <da...@mfuse.com> on 2009/11/02 15:28:07 UTC

[Axis2] WS-Security Header Timestamp issue since clock change

Hello

Sorry in advance if this is addressed to the wrong list - it's Axis2 related, but could be a WSS4J or Rampart issue.

We have a web service developed with Axis2 v1.5, using Rampart v1.4 for WS-Security.  The service is configured such that each request requires a WS-Security Header that contains a UsernameToken and Timestamp.

So, an example request looks like this (uninteresting bits replaced with ... for brevity):

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" ... >

        <soapenv:Header>
            <wsse:Security xmlns:wsse="..." xmlns:wsu="..." soapenv:mustUnderstand="1">
                <wsu:Timestamp wsu:Id="Timestamp-31497800">
                    <wsu:Created>2009-11-02T14:00:00Z</wsu:Created>
                    <wsu:Expires>2009-11-02T15:00:00Z</wsu:Expires>
                </wsu:Timestamp>

                <wsse:UsernameToken wsu:Id="UsernameToken-10697954">
                    <wsse:Username>...</wsse:Username>
                    <wsse:Password Type="...#PasswordText">...</wsse:Password>
                </wsse:UsernameToken>
            </wsse:Security>
        </soapenv:Header>

        <soapenv:Body>.... </soapenv:Body>

    </soapenv:Envelope>

Up until recently, this worked without a hitch.  However, it stopped working last weekend when the clocks went back (I'm in London, the local time used to be GMT +1h, i.e. UTC+01:00, it's now UTC).

So, whilst we were in British Summer Time (i.e. UTC +1h), everything was OK.  If the current time was 14:30, I could send a request such as that above with Created=14:00 and Expires=15:00 and it would work.

However, since the clocks have changed (BST is now over and the local time is UTC+0h), it doesn't work anymore.  Now, if the current time is 14:30 and I send the request with Created=14:00 and Expires=15:00, I get an error in Tomcat's STDOUT:

    [ERROR] WSDoAllReceiver: The timestamp could not be validated
    org.apache.axis2.AxisFault: WSDoAllReceiver: The timestamp could not be validated
        at org.apache.rampart.handler.WSDoAllReceiver.processBasic(WSDoAllReceiver.java:334)
        at org.apache.rampart.handler.WSDoAllReceiver.processMessage(WSDoAllReceiver.java:86)
        at org.apache.rampart.handler.WSDoAllHandler.invoke(WSDoAllHandler.java:72)
        at org.apache.axis2.engine.Phase.invoke(Phase.java:318)
        at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:251)
        at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:160)
        at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:167)
        at org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:142)
        ...

Instead, I have to add an hour to each of the timestamps (even though they're specified as Z, i.e. UTC).  So, if the current time is 14:30 and I send the request with Created=15:00 and Expires=16:00, it works.

I got concerned about timezones on different machines, clock sync, etc., so in the end I decided to run everything locally.  I've restarted the machine since the clocks changed, Java agrees that the local timezone is GMT+00:00 and yet with the client and the server both on the same machine, I still get the error unless I force the timestamps to an hour in the future.

Note that I do not have a problem with a smaller window, i.e. if the current time is 14:30 and I send the request with Created=14:29 and Expires=14:34 (i.e. a five-minute instead of one-hour timespan), it works.

Any ideas on what's causing this?

Thanks very much
Darren Clarke
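The four cases described in the message above, run through a receiver-side freshness check; this is an added example, not part of the original post and not Rampart or WSS4J code. It assumes the receiver rejects a Created value older than a 300-second time-to-live and does not reject a Created value in the future; the class and method names and the October date are constructed for illustration.

```java
import java.time.Duration;
import java.time.Instant;
import java.time.ZoneId;
import java.time.ZonedDateTime;

public class TimestampFreshnessCheck {

    // Assumption: maximum accepted age of Created (value assumed, not taken from the post).
    static final Duration TIME_TO_LIVE = Duration.ofSeconds(300);
    static final ZoneId LONDON = ZoneId.of("Europe/London");

    /** Returns null when the timestamp is accepted, otherwise the reason for rejection. */
    static String validate(String created, String expires, Instant now) {
        // The trailing "Z" makes both values UTC instants; the JVM default zone plays no part.
        Instant c = Instant.parse(created);
        Instant e = Instant.parse(expires);
        if (!e.isAfter(now)) {
            return "Expires has passed";
        }
        if (!c.isAfter(now.minus(TIME_TO_LIVE))) {
            return "Created is older than the time-to-live";
        }
        return null;
    }

    /** Converts a London wall-clock time to the UTC instant the receiver compares against. */
    static Instant londonWallClock(int year, int month, int day, int hour, int minute) {
        return ZonedDateTime.of(year, month, day, hour, minute, 0, 0, LONDON).toInstant();
    }

    static void report(String label, String created, String expires, Instant now) {
        String reason = validate(created, expires, now);
        System.out.printf("%-22s now=%s Created=%s -> %s%n", label, now, created,
                reason == null ? "accepted" : "rejected (" + reason + ")");
    }

    public static void main(String[] args) {
        // Constructed inputs: wall clock 14:30 in London, before and after the clock change.
        Instant duringBst = londonWallClock(2009, 10, 20, 14, 30); // 13:30 UTC
        Instant afterBst = londonWallClock(2009, 11, 2, 14, 30);   // 14:30 UTC

        report("BST, one-hour window", "2009-10-20T14:00:00Z", "2009-10-20T15:00:00Z", duringBst);
        report("GMT, one-hour window", "2009-11-02T14:00:00Z", "2009-11-02T15:00:00Z", afterBst);
        report("GMT, shifted +1h", "2009-11-02T15:00:00Z", "2009-11-02T16:00:00Z", afterBst);
        report("GMT, five-minute window", "2009-11-02T14:29:00Z", "2009-11-02T14:34:00Z", afterBst);
    }
}
```

Under those assumptions only the second case is rejected, which matches the behaviour reported for all four cases.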