Environment :
- Apache CXF 2.7.8
- Jboss EAP 6
- SoapUI for testing client Side
I tried to implement for simple authentication i.e with password simple text type, it is working but when i tried to implement for password digest type ,then giving me exception:
unwinding now: org.apache.cxf.binding.soap.SoapFault: The message has expired org.apache.ws.security.WSSecurityException: The message has expired
I am giving new nonce value for each request and time within five min diff
WSS4JInInterceptor Bean class defination:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:jaxws="http://cxf.apache.org/jaxws"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd">
<import resource="classpath:META-INF/cxf/cxf.xml" />
<import resource="classpath:META-INF/cxf/cxf-extension-soap.xml" />
<import resource="classpath:META-INF/cxf/cxf-servlet.xml" />
<jaxws:endpoint id="orderProcess" implementor="demo.order.OrderProcessImpl" address="/OrderProcess" >
<jaxws:inInterceptors>
<bean
class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
<constructor-arg>
<map>
<entry key="action" value="UsernameToken"/>
<entry key="passwordType" value="PasswordDigest"/>
<entry key="passwordCallbackRef" value-ref="myPasswordCallback"/>
</map>
</constructor-arg>
</bean>
</jaxws:inInterceptors>
</jaxws:endpoint>
<bean id="myPasswordCallback" class="service.ServerPasswordCallback" />
</beans>
Client xml request Code:
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ord="http://order.demo/"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<soapenv:Header>
<wsse:Security>
<wsse:UsernameToken>
<wsse:Username>joe</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">PE7F51/oyWFVMsiZURuUwjoZVPY=</wsse:Password>
<!--<wsu:Created>2013-12-17T13:12:00.429Z</wsu:Created>-->
<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">efPSkfHXTM6NFDDD1CJHsw==</wsse:Nonce>
<wsu:Created>2013-12-23T12:17:15Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
<soapenv:Body>
<ord:processOrder>
<!--Optional:-->
<arg0>
<!--Optional:-->
<customerID>234</customerID>
<!--Optional:-->
<itemID>0908923</itemID>
<price>23423</price>
<qty>1000</qty>
</arg0>
</ord:processOrder>
</soapenv:Body>
</soapenv:Envelope>
When i tried to call the service i am getting exception as
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<soap:Fault>
<faultcode xmlns:ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">ns1:MessageExpired</faultcode>
<faultstring>The message has expired</faultstring>
</soap:Fault>
</soap:Body>
</soap:Envelope>
Can any one tell me where i am making mistake?
I suspect this is a bug in earlier version of wss4j. If you are parsing the date using SimpleDateFormat, you might want to set the time zone to UTC (Zulu time).
This however has been fixed in 2.0-beta.
http://grepcode.com/file/repo1.maven.org/maven2/org.apache.wss4j/wss4j-ws-security-dom/2.0-beta/org/apache/wss4j/dom/message/token/UsernameToken.java#226
Edit: This is not a bug in wss4j. The specification states that the time zone must be in UTC.