wsit
  1. wsit
  2. WSIT-1615

Timestamp Validation error in Samoa Timezone

    Details

    • Type: Bug Bug
    • Status: Resolved
    • Priority: Major Major
    • Resolution: Duplicate
    • Affects Version/s: 2.1
    • Fix Version/s: None
    • Component/s: security
    • Labels:
      None
    • Environment:

      Netbeans 7.1.1, Glassfish 3.1.2, JDK 7 update 3, Windows 7 x64, Metro 2.1

      Description

      Samoa swapped sides of the international dateline in late 2011 and are currently UTC +13

      Our web services are secured with Username Authentication with Symmetric Key using Development Defaults.

      Attempting to run the our application in the Samoa time zone gives the exceptions noted below. The errors do not occur if the timezone is set to UTC +12

      > Error after changing timezone to Samoa and running application without restarting Glassfish...

      Mar 21, 2012 11:07:48 PM com.sun.xml.wss.impl.misc.DefaultCallbackHandler validateCreationTime
      SEVERE: WSS1515: The creation time is older than currenttime - timestamp-freshness-limit - max-clock-skew"
      Mar 21, 2012 11:07:48 PM com.sun.xml.wss.impl.misc.DefaultCallbackHandler validateCreationTime
      SEVERE: Creation time:Wed Mar 21 09:07:47 WSDT 2012
      Mar 21, 2012 11:07:48 PM com.sun.xml.wss.impl.misc.DefaultCallbackHandler validateCreationTime
      SEVERE: Current time:Wed Mar 21 09:57:48 WSDT 2012
      Mar 21, 2012 11:07:48 PM com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl validateTimestamp
      SEVERE: WSS0229: Exception occured in validating Timestamp
      com.sun.xml.wss.impl.callback.TimestampValidationCallback$TimestampValidationException: The creation time is older than currenttime - timestamp-freshness-limit - max-clock-skew
      at com.sun.xml.wss.impl.misc.DefaultCallbackHandler.validateCreationTime(DefaultCallbackHandler.java:1555)
      at com.sun.xml.wss.impl.misc.DefaultCallbackHandler$DefaultTimestampValidator.validate(DefaultCallbackHandler.java:1519)
      at com.sun.xml.wss.impl.callback.TimestampValidationCallback.getResult(TimestampValidationCallback.java:75)
      at com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl.validateTimestamp(DefaultSecurityEnvironmentImpl.java:1432)
      at com.sun.xml.ws.security.opt.impl.incoming.TimestampHeader.validate(TimestampHeader.java:109)
      at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.handleSecurityHeader(SecurityRecipient.java:334)
      at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.cacheHeaders(SecurityRecipient.java:275)
      at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.validateMessage(SecurityRecipient.java:225)
      at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.verifyInboundMessage(SecurityTubeBase.java:449)
      at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processClientResponsePacket(SecurityClientTube.java:434)
      at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processResponse(SecurityClientTube.java:362)
      at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:651)
      at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:600)
      at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:585)
      at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:482)
      at com.sun.xml.ws.client.Stub.process(Stub.java:323)
      at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:161)
      at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:113)
      at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:93)
      at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:144)
      at $Proxy43.checkConnection(Unknown Source)
      at org.sola.services.boundary.wsclients.SearchClientImpl.checkConnection(SearchClientImpl.java:80)
      at org.sola.services.boundary.wsclients.WSManager.initWebServices(WSManager.java:110)
      at org.sola.clients.beans.security.SecurityBean.authenticate(SecurityBean.java:124)
      at org.sola.clients.beans.security.SecurityBean.authenticate(SecurityBean.java:104)
      at org.sola.clients.swing.ui.security.LoginPanel$1.doTask(LoginPanel.java:100)
      at org.sola.clients.swing.ui.security.LoginPanel$1.doTask(LoginPanel.java:90)
      at org.sola.clients.swing.common.tasks.SolaTask$1.doInBackground(SolaTask.java:153)
      at javax.swing.SwingWorker$1.call(SwingWorker.java:296)
      at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
      at java.util.concurrent.FutureTask.run(FutureTask.java:166)
      at javax.swing.SwingWorker.run(SwingWorker.java:335)
      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
      at java.lang.Thread.run(Thread.java:722)

      javax.xml.ws.WebServiceException: com.sun.xml.wss.impl.WssSoapFaultException: The creation time is older than currenttime - timestamp-freshness-limit - max-clock-skew

      > Error after changing timezone to Samoa and restarting Glassfish before running the application...

      SEVERE: WSITPVD0035: Error in Verifying Security in Inbound Message.
      com.sun.xml.wss.impl.WssSoapFaultException: Invalid Security Header
      at com.sun.xml.ws.security.opt.impl.util.SOAPUtil.newSOAPFaultException(SOAPUtil.java:159)
      at com.sun.xml.wss.impl.misc.WSITProviderSecurityEnvironment.validateCreationTime(WSITProviderSecurityEnvironment.java:2636)
      at com.sun.xml.wss.impl.misc.WSITProviderSecurityEnvironment.validateTimestamp(WSITProviderSecurityEnvironment.java:2496)
      at com.sun.xml.ws.security.opt.impl.incoming.TimestampHeader.validate(TimestampHeader.java:109)
      at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.handleSecurityHeader(SecurityRecipient.java:350)
      at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.cacheHeaders(SecurityRecipient.java:291)
      at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.validateMessage(SecurityRecipient.java:241)
      at com.sun.xml.wss.provider.wsit.WSITServerAuthContext.verifyInboundMessage(WSITServerAuthContext.java:588)
      at com.sun.xml.wss.provider.wsit.WSITServerAuthContext.validateRequest(WSITServerAuthContext.java:361)
      at com.sun.xml.wss.provider.wsit.WSITServerAuthContext.validateRequest(WSITServerAuthContext.java:264)
      at com.sun.enterprise.security.webservices.CommonServerSecurityPipe.processRequest(CommonServerSecurityPipe.java:173)
      at com.sun.enterprise.security.webservices.CommonServerSecurityPipe.process(CommonServerSecurityPipe.java:144)
      at com.sun.xml.ws.api.pipe.helper.PipeAdapter.processRequest(PipeAdapter.java:119)
      at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:961)
      at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:910)
      at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:873)
      at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:775)
      at com.sun.xml.ws.server.WSEndpointImpl$2.process(WSEndpointImpl.java:386)
      at com.sun.xml.ws.transport.http.HttpAdapter$HttpToolkit.handle(HttpAdapter.java:640)
      at com.sun.xml.ws.transport.http.HttpAdapter.handle(HttpAdapter.java:263)
      at com.sun.xml.ws.transport.http.servlet.ServletAdapter.handle(ServletAdapter.java:163)
      at org.glassfish.webservices.JAXWSServlet.doPost(JAXWSServlet.java:145)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:688)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:770)
      at org.apache.catalina.core.StandardWrapper.service(StandardWrapper.java:1542)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:281)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
      at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:655)
      at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:595)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:161)
      at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:331)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:231)
      at com.sun.enterprise.v3.services.impl.ContainerMapper$AdapterCallable.call(ContainerMapper.java:317)
      at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:195)
      at com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:849)
      at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:746)
      at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:1045)
      at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:228)
      at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:137)
      at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:104)
      at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:90)
      at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:79)
      at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:54)
      at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:59)
      at com.sun.grizzly.ContextTask.run(ContextTask.java:71)
      at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:532)
      at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:513)
      at java.lang.Thread.run(Thread.java:722)

        Activity

        Hide
        armcd5712 added a comment -

        Samoa ended daylight savings on March 31st 2012 and the issue reported above is no longer occuring. Samoa start daylight savings again on September 30th 2012. Testing our application with the clock set forward to October 2012 does not replicate the original issue. The issue is likely to be related to the shift in the international date line on 29th December 2011. The error can be replicated if the clock is set to a date prior to March 31st 2012.

        Show
        armcd5712 added a comment - Samoa ended daylight savings on March 31st 2012 and the issue reported above is no longer occuring. Samoa start daylight savings again on September 30th 2012. Testing our application with the clock set forward to October 2012 does not replicate the original issue. The issue is likely to be related to the shift in the international date line on 29th December 2011. The error can be replicated if the clock is set to a date prior to March 31st 2012.
        Hide
        Nithya Ramakrishnan added a comment -

        A similar issue (Timezone related) was fixed in Metro 2.2. Can you please try with the final Metro 2.2 build? Else, you could try with the latest Metro trunk and let us know if your issue still exists?

        Show
        Nithya Ramakrishnan added a comment - A similar issue (Timezone related) was fixed in Metro 2.2. Can you please try with the final Metro 2.2 build? Else, you could try with the latest Metro trunk and let us know if your issue still exists?
        Hide
        armcd5712 added a comment -

        Looks like the EAR for our application doesn't actually package the metro jars and uses the ones installed with Glassfish 3.1.2 (i.e. version 2.2). I have packaged the latest Metro build (2.3-b10) into our EAR, but cannot deploy the EAR into Glassfish. I get the following error.

        java.lang.IllegalArgumentException: Servlet [CoordinatorPortTypePortImpl] and Servlet [ParticipantPortTypePortImpl] have the same url pattern: [/WSAT10Service]

        Show
        armcd5712 added a comment - Looks like the EAR for our application doesn't actually package the metro jars and uses the ones installed with Glassfish 3.1.2 (i.e. version 2.2). I have packaged the latest Metro build (2.3-b10) into our EAR, but cannot deploy the EAR into Glassfish. I get the following error. java.lang.IllegalArgumentException: Servlet [CoordinatorPortTypePortImpl] and Servlet [ParticipantPortTypePortImpl] have the same url pattern: [/WSAT10Service]
        Hide
        kumarjayanti added a comment -

        You are not supposed to bundle metro jars into an EAR. Instead you can update the metro jars present in 3.1.2 build of glassfish. The metro jars are located in glassfish/modules

        Show
        kumarjayanti added a comment - You are not supposed to bundle metro jars into an EAR. Instead you can update the metro jars present in 3.1.2 build of glassfish. The metro jars are located in glassfish/modules
        Hide
        armcd5712 added a comment -

        Thanks for the clarification. So the actual steps I need to follow are...?

        Show
        armcd5712 added a comment - Thanks for the clarification. So the actual steps I need to follow are...?
        Hide
        Nithya Ramakrishnan added a comment -

        Steps:

        Take the latest 3.1.2 GF build.
        Build Metro 2.2
        Replace the webservices-osgi.jar in GF-home/modules with the built webservices-osgi.jar in metro/bundles/webservices-osgi
        Restart GF
        Test the scenario again

        HTH
        Nithya

        Show
        Nithya Ramakrishnan added a comment - Steps: Take the latest 3.1.2 GF build. Build Metro 2.2 Replace the webservices-osgi.jar in GF-home/modules with the built webservices-osgi.jar in metro/bundles/webservices-osgi Restart GF Test the scenario again HTH Nithya
        Hide
        armcd5712 added a comment -

        Thanks - that did help. I did replicate the issue using a build of the latest wsit trunk with the clock set prior to 31st March 2012. The issue does not occur using the current date (as noted above). The priority of this bug can be reduced.

        Show
        armcd5712 added a comment - Thanks - that did help. I did replicate the issue using a build of the latest wsit trunk with the clock set prior to 31st March 2012. The issue does not occur using the current date (as noted above). The priority of this bug can be reduced.
        Hide
        Nithya Ramakrishnan added a comment -

        This is a duplicate of wsit-1585 and has been fixed in the metro trunk.
        Fix would be available in metro 2.2.1

        Show
        Nithya Ramakrishnan added a comment - This is a duplicate of wsit-1585 and has been fixed in the metro trunk. Fix would be available in metro 2.2.1

          People

          • Assignee:
            Nithya Ramakrishnan
            Reporter:
            armcd5712
          • Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: