OpenEMM Technical Support Forum

The purpose of these forums is to get and give free technical support for OpenEMM. Spammers and their posts will be removed without prior warning.
https://iframe.agnitas.de/

Webservices V2 failures - The creation time is ahead of the

https://iframe.agnitas.de/viewtopic.php?t=2607

Page 1 of 1

Webservices V2 failures - The creation time is ahead of the

Posted: Wed Aug 21, 2013 11:35 pm
by Anton
I'm getting "The creation time is ahead of the current time" security exceptions. It's very strange and annoying! It worked *once*, and now all of my tests continue to fail. The worst part is that I am issuing the calls *on the same machine* (or another, makes no diff). I can sleep for 5 seconds and it has no effect.
I am doing my testing in Python with a class I borrowed from https://gist.github.com/copitux/5029872. As it worked once, I was assuming the code was ok... If I look in the logs, the logging dates look fine, and of course are not ahead of the created time.
Can anyone help on this?
Thanks!

Code: Select all

ERROR:suds.client:<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:ns0="http://agnitas.org/ws/schemas" xmlns:ns1="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
   <SOAP-ENV:Header>
      <wsse:Security mustUnderstand="true">
         <wsse:UsernameToken>
            <wsse:Username>myusername</wsse:Username>
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">the_password_token</wsse:Password>
            <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">the_nonce</wsse:Nonce>
            <wsu:Created>2013-08-21T22:23:23.649940Z</wsu:Created>
         </wsse:UsernameToken>
      </wsse:Security>
   </SOAP-ENV:Header>
   <ns1:Body>
      <ns0:GetBlacklistItemsRequest/>
   </ns1:Body>
</SOAP-ENV:Envelope>
DEBUG:suds.client:http failed:
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header/><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Client</faultcode><faultstring xml:lang="en">com.sun.xml.wss.impl.WssSoapFaultException: com.sun.xml.wss.impl.callback.TimestampValidationCallback$TimestampValidationException: The creation time is ahead of the current time.; nested exception is com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.impl.WssSoapFaultException: com.sun.xml.wss.impl.callback.TimestampValidationCallback$TimestampValidationException: The creation time is ahead of the current time.</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
Traceback (most recent call last):
  File "test.py", line 114, in <module>
    print client.service.GetBlacklistItems()
  File "/usr/lib/python2.7/dist-packages/suds/client.py", line 542, in __call__
    return client.invoke(args, kwargs)
  File "/usr/lib/python2.7/dist-packages/suds/client.py", line 602, in invoke
    result = self.send(soapenv)
  File "/usr/lib/python2.7/dist-packages/suds/client.py", line 653, in send
    result = self.failed(binding, e)
  File "/usr/lib/python2.7/dist-packages/suds/client.py", line 708, in failed
    r, p = binding.get_fault(reply)
  File "/usr/lib/python2.7/dist-packages/suds/bindings/binding.py", line 265, in get_fault
    raise WebFault(p, faultroot)
suds.WebFault: Server raised fault: 'com.sun.xml.wss.impl.WssSoapFaultException: com.sun.xml.wss.impl.callback.TimestampValidationCallback$TimestampValidationException: The creation time is ahead of the current time.; nested exception is com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.impl.WssSoapFaultException: com.sun.xml.wss.impl.callback.TimestampValidationCallback$TimestampValidationException: The creation time is ahead of the current time.'
And from the WS server logs:

Code: Select all

2013-08-22 00:23:24,715: DEBUG [http-8080-1] org.springframework.ws.server.MessageTracing.received - Received request [<?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns0="http://agnitas.org/ws/schemas" xmlns:ns1="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><SOAP-ENV:Header><wsse:Security mustUnderstand="true"><wsse:UsernameToken><wsse:Username>myusername</wsse:Username><wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">the_password_token</wsse:Password><wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">the_nonce</wsse:Nonce><wsu:Created>2013-08-21T22:23:23.649940Z</wsu:Created></wsse:UsernameToken></wsse:Security></SOAP-ENV:Header><ns1:Body><ns0:GetBlacklistItemsRequest/></ns1:Body></SOAP-ENV:Envelope>]
2013-08-22 00:23:24,723: DEBUG [http-8080-1] org.agnitas.emm.springws.security.SpringDigestPasswordValidationCallbackHandler - Authentication success: org.springframework.security.providers.UsernamePasswordAuthenticationToken@2f0426ee: Principal: org.springframework.security.userdetails.User@bc4300: Username: myusername; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: USER_1; Password: [PROTECTED]; Authenticated: false; Details: null; Not granted any authorities
2013-08-22 00:23:24,725: WARN  [http-8080-1] org.springframework.ws.soap.security.xwss.XwsSecurityInterceptor - Could not validate request: com.sun.xml.wss.impl.WssSoapFaultException: com.sun.xml.wss.impl.callback.TimestampValidationCallback$TimestampValidationException: The creation time is ahead of the current time.; nested exception is com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.impl.WssSoapFaultException: com.sun.xml.wss.impl.callback.TimestampValidationCallback$TimestampValidationException: The creation time is ahead of the current time.
2013-08-22 00:23:24,726: DEBUG [http-8080-1] org.springframework.ws.server.MessageTracing.sent - Sent response [<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header/><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Client</faultcode><faultstring xml:lang="en">com.sun.xml.wss.impl.WssSoapFaultException: com.sun.xml.wss.impl.callback.TimestampValidationCallback$TimestampValidationException: The creation time is ahead of the current time.; nested exception is com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.impl.WssSoapFaultException: com.sun.xml.wss.impl.callback.TimestampValidationCallback$TimestampValidationException: The creation time is ahead of the current time.</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>] for request [<?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns0="http://agnitas.org/ws/schemas" xmlns:ns1="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><SOAP-ENV:Header><wsse:Security mustUnderstand="true"><wsse:UsernameToken><wsse:Username>myusername</wsse:Username><wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">the_password_token</wsse:Password><wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">the_nonce</wsse:Nonce><wsu:Created>2013-08-21T22:23:23.649940Z</wsu:Created></wsse:UsernameToken></wsse:Security></SOAP-ENV:Header><ns1:Body><ns0:GetBlacklistItemsRequest/></ns1:Body></SOAP-ENV:Envelope>]

Re: Webservices V2 failures - The creation time is ahead of

Posted: Thu Aug 22, 2013 1:24 am
by Anton
Ok, something very strange is going on here... I suppose there is something I haven't configured properly - I have tried this on a couple of different installs...

If I change the Created value to be utc minus about an hour (between 59 and 65 minutes to be exact, outside this it fails with either ahead or too old), then everything works just hunky dory. I guess it's an hour out somehow...

Code: Select all

        UsernameToken.__init__(self, username, password)
        fudged_datetime = datetime.datetime.utcnow() - datetime.timedelta(minutes=59)
        self.setcreated(fudged_datetime.strftime("%Y-%m-%dT%H:%M:%SZ"))
        self.setnonce()
instead of

Code: Select all

        UsernameToken.__init__(self, username, password)
        self.setcreated()
        self.setnonce()
Can someone tell me what I'm doing wrong here? I guess I can just keep with the fudged version but I'd love to know what is going on!
Thanks.

Re: Webservices V2 failures - The creation time is ahead of

Posted: Tue Sep 17, 2013 8:41 pm
by maschoff
We can not reproduce your problem.

Some remarks: Client and server both need the correct time for authentification. A difference of up to 5 minutes is accepted. The basis for calculating the PW hash is the current UTC time.

We see 3 potential sources for your problem:

1. The time of your client is wrong or it uses a wrong time zone.
2. The time of your cserver is wrong or it uses a wrong time zone.
3. The transformation of local time to UTC is wrong.

Hope this helps!
All times are UTC+01:00
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited