Here is the solution:
I started developing a secure web service in my development computer.
However when I deployed the application (in another server[JBoss]) to
simulate different clients connecting to the web service with different
LOCAL TIME ZONES, things went bad...
Problems with TIMESTAMP validation...
I got error the following error depending on the tested client (either
dotnet or java):
In Microsoft
[dotnet framework 2.0, WSE 3.0]
WSE065: Creation time of the timestamp is in the future. This typically
indicates lack of synchronization between
sender and receiver clocks.
or for java
[Axis 1.4, wss4j 1.5.3]
Exception: WSDoAllReceiver: security processing failed; nested exception is:
org.apache.ws.security.WSSecurityException: An error was discovered
processing the <wsse:Security> header. (WSSecurityEngine: Invalid timestamp
The security semantics of message have expired)
The problems are due that the two clocks in the clients and the server are
not synchonized.
JAVA World: WSS4J - Use the timeToLive parameter in the handler to resolve
this problem [1] [2].
MICROSOFT World: WSE 3.0 - Use the tags timeToleranceInSeconds and
defaultTtlInSeconds in the app.config file of the web service in your
project (illustration follows with the corresponding xml tags) [3]
<configuration>
<microsoft.web.services3>
<security>
<timeToleranceInSeconds value = "3600" />
<defaultTtlInSeconds value = "3600" />
[1] - http://wiki.apache.org/ws/FrontPage/WsFx/wss4jFAQ#time
[2] -
http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/handler/WSHandlerConstants.html#TTL_TIMESTAMP
[3] - http://msdn.microsoft.com/en-us/library/ms824668.aspx
[fyi] -
http://www.google.ch/search?q=Secure+Web+Services+Interoperability+using+X.509+Certificate+Token+Profile+(AXIS+1.4%2C+WSS4J+1.5.3%2C+dotnet+2.0%2C+WSE+3.0+)&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:fr-FR:official&client=firefox-a
Hope this helps!
Jose Ferreiro
On Wed, May 14, 2008 at 1:38 PM, José Ferreiro <> wrote:
> Dear newsgroup,
>
> I successfully developed a server side service using axis 1.4 and wss4j
> 1.5.3.
> I implemented the signature, encryption and timestamp features.
>
> I may manage the local time in the server.
> Nevertheless, I will have clients from different local times (not same
> time as in the server. the local time in the server is GMT+1 ).
>
> How can a java client implement/apply the right timestamp according to the
> server GMT+1 using axis 1.4 and wss4j 1.5.3?
>
> All suggestions are welcome.
>
> Thank you in advance
>
> Jose Ferreiro
>
--
José Ferreiro
EPFL Communication Systems engineer
