I'm going to relax the default for accepted Timestamps created in the
future from 0 to 60 seconds:

https://issues.apache.org/jira/browse/WSS-291

In the meantime, you can relax the default in configuration via the
following jaxws property:

"ws-security.timestamp.futureTimeToLive"

http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#TIMESTAMP_FUTURE_TTL

Colm.

On Fri, May 27, 2011 at 11:52 PM, mmeiners <meiners.micha...@mayo.edu> wrote:
> Trying to set up CXF / WS-Security on client and server, but am getting the
> following error:
> org.apache.ws.security.WSSecurityException: The message has expired (WSSecurityEngine: Invalid timestamp The security semantics of the message have expired)
>        at org.apache.ws.security.validate.TimestampValidator.validate(TimestampValidator.java:73)
>        at org.apache.ws.security.processor.TimestampProcessor.handleToken(TimestampProcessor.java:62)
>        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
>        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:260)
>        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:1)
>        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
>        at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:736)
>        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1563)
>        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1448)
>        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1356)
>        at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
>        at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:614)
>        at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
>        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
>        at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:484)
>        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:414)
>        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:317)
>        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:269)
>        at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
>        at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:124)
>        at $Proxy57.setupListQuery(Unknown Source)
>        at info.minnesotapartnership.chn.service.client.BaseQueryServiceImpl.queryForLists(BaseQueryServiceImpl.java:104)
>        at info.minnesotapartnership.chn.service.client.SearchServiceImpl.getInteractionSummary(SearchServiceImpl.java:82)
>        at info.minnesotapartnership.chn.service.client.SearchServiceImpl.getInteractionSummary(SearchServiceImpl.java:75)
>        at info.minnesotapartnership.chn.editui.SearchController$_closure2.doCall(SearchController.groovy:68)
>        at info.minnesotapartnership.chn.editui.SearchController$_closure2.doCall(SearchController.groovy)
>        at java.lang.Thread.run(Thread.java:619)
>
>
> In the TimestampValidator class, here are the variables:
> timeStamp = <wsu:Timestamp wsu:Id="TS-281"><wsu:Created>2011-05-27T22:22:51.526Z</wsu:Created><wsu:Expires>2011-05-27T22:27:51.526Z</wsu:Expires></wsu:Timestamp>
> date now           = Fri May 27 17:21:45 CDT 2011
> timeStamp expires  = Fri May 27 17:27:51 CDT 2011
> timeStamp expired? = false
> timeStampTTL     = 300
> futureTimeToLive = 0
> timeStampStrict  = true
>
> Since the futureTimeToLive variable defaults to 0 seconds, how does this
> code ever allow CXF services on two different physical servers to
> communicate???  If one server is off by even a few milliseconds compared to
> the other, the "message has expired" error appears.  If the client is ahead,
> the server throws the Exception.  If the server is ahead, the client throws
> the exception.  Shouldn't the default value for this be 300 like the
> timeStampTTL?   Otherwise I'm not sure how you would get this to work unless
> the services are on the same server.  If I wanted to change this variable in
> a properties/xml file, how/where would I do this?
>
>
> --
> View this message in context: 
> http://cxf.547215.n5.nabble.com/Message-has-expired-error-due-to-default-timeStampFutureTTL-setting-of-0-seconds-tp4433619p4433619.html
> Sent from the cxf-issues mailing list archive at Nabble.com.
>



-- 
Colm O hEigeartaigh

http://coheigea.blogspot.com/
Talend - http://www.talend.com
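
An added illustration, not part of the original thread and not WSS4J's own code: a simplified Java model of the "created in the future" check, run against the Timestamp values quoted in the report above. The class, enum and method names are hypothetical; only the property name and the timestamp values come from the thread.

```java
import java.time.Duration;
import java.time.Instant;

// Simplified model of a wsu:Timestamp freshness check; not WSS4J's own code.
public class TimestampSkewCheck {

    enum Result { ACCEPTED, CREATED_IN_FUTURE, EXPIRED }

    // created/expires come from the message; now is the receiver's clock.
    // futureTtlSeconds plays the role of ws-security.timestamp.futureTimeToLive.
    static Result check(Instant created, Instant expires, Instant now,
                        long ttlSeconds, long futureTtlSeconds) {
        if (created.isAfter(now.plusSeconds(futureTtlSeconds))) {
            return Result.CREATED_IN_FUTURE;   // sender clock ahead by more than allowed
        }
        if (expires != null && expires.isBefore(now)) {
            return Result.EXPIRED;             // sender-declared expiry has passed
        }
        if (created.plusSeconds(ttlSeconds).isBefore(now)) {
            return Result.EXPIRED;             // older than the receiver's own TTL
        }
        return Result.ACCEPTED;
    }

    public static void main(String[] args) {
        // Values from the report above; "now" is 17:21:45 CDT converted to UTC.
        Instant created = Instant.parse("2011-05-27T22:22:51.526Z");
        Instant expires = Instant.parse("2011-05-27T22:27:51.526Z");
        Instant now     = Instant.parse("2011-05-27T22:21:45Z");
        long ttl = 300;

        System.out.println("sender ahead by "
                + Duration.between(now, created).toMillis() + " ms");
        for (long futureTtl : new long[] {0, 60, 300}) {
            System.out.println("futureTimeToLive=" + futureTtl + " -> "
                    + check(created, expires, now, ttl, futureTtl));
        }
        // Constructed case: the same message seen 600 s later is rejected as
        // expired regardless of how generous the future allowance is.
        Instant later = now.plusSeconds(600);
        System.out.println("seen 600 s later -> "
                + check(created, expires, later, ttl, 300));
    }
}
```

With the values as quoted in the report, the sender's clock is roughly 66 seconds ahead of the receiver's, so this model rejects the message at allowances of 0 and 60 seconds and accepts it at 300. Widening the future allowance also widens the window in which a captured message is still accepted, so it is best sized to the clock skew actually observed between the hosts.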
