Tuesday, August 18, 2009

WSSecurityEngine: Invalid timestamp The security semantics of message have expired

Each message sent by the client carries a WS-Security Timestamp header with Created and Expires elements. The sending handler sets Expires to Created plus timeToLive (300 seconds, i.e. five minutes, by default), and the receiving handler rejects a message whose Expires value already lies in the past according to the server's own clock; the fault in the title is what WSS4J raises in that case. The short window limits replay attacks (an attacker who captures a valid message and resends it later), so the clocks on both sides have to agree to well within that window.

Handler definition on the receiving (server) side:

<handler name="WSSecurity" type="java:org.apache.ws.axis.security.WSDoAllReceiver">
<parameter name="action" value="UsernameToken Timestamp"/>
</handler>


How WSS4J handles timestamps
WSS4J supports several timestamp options. If you use the Timestamp action without any further configuration, WSS4J applies the following defaults:

•All timestamps use millisecond precision.
•The default time difference between Created and Expires is set to 300 seconds (5 minutes).
•The handler performs strict timestamp handling, i.e. throws an exception if verification of the timestamp fails.
Use the following handler parameters to change these settings. Each one goes into the handler definition as a parameter element, next to the action parameter shown above:
timeToLive specifies a different time difference between Created and Expires. The value is an integer number of seconds.
precisionInMilliseconds switches off millisecond precision. Set the value to false or 0 to generate timestamps without milliseconds.
timestampStrict switches off strict timestamp handling. Set the value to false or 0 to switch off strict handling. According to the WSS specification it is optional to report a fault if timestamp verification fails; with strict handling off, a failed check is recorded but does not fault the message, so only disable it if something downstream acts on the result.
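
The following Python is an added worked example, not WSS4J's code and not part of the original post. It builds the Timestamp header a sender with the Timestamp action produces (Expires = Created + timeToLive, with or without milliseconds) and applies the receiver-side rule described above, modeled on WSS4J's behaviour rather than copied from it: a message whose Expires lies before the server's clock is rejected, as an exception when strict handling is on. The simulate helper shifts the server's clock relative to the client's so you can see the failure mode directly: a server running more than timeToLive ahead rejects every fresh message with the fault from the title, while a server running behind accepts everything and silently widens the replay window. The namespace URIs are the standard WS-Security 1.0 ones; the reference instant T0, the TimestampExpired class and the helper names are this example's own.

```python
# Added example: sender-side Timestamp builder and a receiver-side check
# modeled on what WSS4J enforces for the Timestamp action. Not WSS4J's code.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU_NS = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd")

# The fault text from the post's title (WSS4J's "invalidTimestamp" message).
EXPIRED_MSG = "The security semantics of message have expired"

# Constructed reference instant (UTC) used by the demo below.
T0 = datetime(2009, 8, 18, 14, 0, 0, tzinfo=timezone.utc)


class TimestampExpired(Exception):
    """Stand-in for the exception a strict receiver throws."""


def fmt_xsd_datetime(dt, precision_ms=True):
    """UTC xsd:dateTime as WSS4J writes it: trailing Z, with milliseconds
    unless precisionInMilliseconds is switched off."""
    base = dt.strftime("%Y-%m-%dT%H:%M:%S")
    if precision_ms:
        base += ".%03d" % (dt.microsecond // 1000)
    return base + "Z"


def parse_xsd_datetime(text):
    """Parse 'YYYY-MM-DDTHH:MM:SS[.fff]Z' into an aware UTC datetime.
    The Z is mandatory: the values travel in UTC, so the hosts' local
    time zones never appear on the wire."""
    if text is None or not text.endswith("Z"):
        raise ValueError("timestamp not in UTC: %r" % (text,))
    body = text[:-1]
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in body else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def build_request(created, time_to_live=300, precision_ms=True):
    """Sender side: the header a client with action 'Timestamp' emits.
    Expires = Created + timeToLive (300 s by default)."""
    expires = created + timedelta(seconds=time_to_live)
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Header>'
        f'<wsse:Security xmlns:wsse="{WSSE_NS}">'
        f'<wsu:Timestamp xmlns:wsu="{WSU_NS}" wsu:Id="Timestamp-1">'
        f'<wsu:Created>{fmt_xsd_datetime(created, precision_ms)}</wsu:Created>'
        f'<wsu:Expires>{fmt_xsd_datetime(expires, precision_ms)}</wsu:Expires>'
        f'</wsu:Timestamp></wsse:Security></soapenv:Header>'
        f'<soapenv:Body/></soapenv:Envelope>'
    )


def verify_timestamp(envelope, server_now, strict=True):
    """Receiver side: a message whose Expires lies before the server's own
    clock is rejected. strict=True raises (timestampStrict=true); otherwise
    the verdict is returned so the caller can decide, as the spec permits."""
    root = ET.fromstring(envelope)
    ts = root.find(f".//{{{WSU_NS}}}Timestamp")
    if ts is None:
        raise ValueError("no wsu:Timestamp in the Security header")
    created = parse_xsd_datetime(ts.findtext(f"{{{WSU_NS}}}Created"))
    expires_text = ts.findtext(f"{{{WSU_NS}}}Expires")
    expires = parse_xsd_datetime(expires_text) if expires_text else None
    if expires is not None and expires < server_now:
        if strict:
            raise TimestampExpired(EXPIRED_MSG)
        return False, EXPIRED_MSG
    age = (server_now - created).total_seconds()
    return True, f"accepted; message is {age:+.0f}s old by the server's clock"


def simulate(server_skew_seconds, client_now=T0, strict=False, **kw):
    """The client stamps a fresh message at client_now; the server's clock
    is off by server_skew_seconds (positive = server ahead). Extra keyword
    arguments (time_to_live, precision_ms) go to the sender."""
    envelope = build_request(client_now, **kw)
    server_now = client_now + timedelta(seconds=server_skew_seconds)
    return verify_timestamp(envelope, server_now, strict=strict)


def strict_fault(server_skew_seconds):
    """Fault text a strict receiver raises for this skew, or None."""
    try:
        simulate(server_skew_seconds, strict=True)
    except TimestampExpired as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for skew in (0, -3600, 299, 301):
        print(f"server clock {skew:+d}s relative to client:", simulate(skew))
    print("strict receiver at +301s ->", strict_fault(301))
```

Run it as-is and the +301s case reproduces the fault from the title while the -3600s case sails through; raising time_to_live (for example simulate(301, time_to_live=600)) makes the skewed server accept again, which is why bumping timeToLive is a tempting but wrong fix: it papers over the clock problem by lengthening the replay window for every client.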

Check the system clock on the server and make sure it agrees with the client's. The timestamps are exchanged in UTC (the xsd:dateTime values end in Z), so what has to match is the UTC time on both machines, to within a few seconds, not the local time they display. If the server's clock runs ahead of the client's by more than timeToLive, every fresh message arrives already expired and you get the fault above; if it runs behind, messages are accepted for longer than intended. Keeping both hosts on NTP is the reliable fix. A wrong time zone setting can still cause this on Windows and on Solaris x86, because both keep the hardware clock in local time and derive UTC from the configured zone, which is why the settings below matter.

If both client and server are in the US Eastern zone, for example, set the time zone as follows.

For Windows Server: (GMT-05:00) Eastern Time (US & Canada)
Go to Start --> Control Panel --> Date and Time and change the time zone.

Changing the time zone in Solaris 10 (x86)
Edit (or create) the file /etc/TIMEZONE:
vi /etc/TIMEZONE

Change the value of TZ to the zone you want, e.g.
TZ=US/Eastern

For the full list of zone names, see /usr/share/lib/zoneinfo.

Then tell the hardware clock which zone it is keeping local time in:
# rtc -z US/Eastern
# rtc -c

Reboot the system for the time zone change to take effect.

You can check the Eastern Time (US & Canada) offset and abbreviation at
http://www.timeanddate.com/library/abbreviations/timezones/na/edt.html

1 comment:

  1. I'm not a developer; I always use the free online timestamp generator to create the Unix timestamp.
