Webservices V2 failures - The creation time is ahead of the


Post by Anton » Wed Aug 21, 2013 11:35 pm

I'm getting "The creation time is ahead of the current time" security exceptions. It's very strange and annoying! It worked *once*, and now all of my tests continue to fail. The worst part is that I am issuing the calls *on the same machine* (or another, makes no diff). I can sleep for 5 seconds and it has no effect.
I am doing my testing in Python with a class I borrowed from https://gist.github.com/copitux/5029872. As it worked once, I was assuming the code was ok... If I look in the logs, the logging dates look fine, and of course are not ahead of the created time.
Can anyone help on this?
Thanks!

Code:

ERROR:suds.client:<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:ns0="http://agnitas.org/ws/schemas" xmlns:ns1="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
   <SOAP-ENV:Header>
      <wsse:Security mustUnderstand="true">
         <wsse:UsernameToken>
            <wsse:Username>myusername</wsse:Username>
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">the_password_token</wsse:Password>
            <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">the_nonce</wsse:Nonce>
            <wsu:Created>2013-08-21T22:23:23.649940Z</wsu:Created>
         </wsse:UsernameToken>
      </wsse:Security>
   </SOAP-ENV:Header>
   <ns1:Body>
      <ns0:GetBlacklistItemsRequest/>
   </ns1:Body>
</SOAP-ENV:Envelope>
DEBUG:suds.client:http failed:
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header/><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Client</faultcode><faultstring xml:lang="en">com.sun.xml.wss.impl.WssSoapFaultException: com.sun.xml.wss.impl.callback.TimestampValidationCallback$TimestampValidationException: The creation time is ahead of the current time.; nested exception is com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.impl.WssSoapFaultException: com.sun.xml.wss.impl.callback.TimestampValidationCallback$TimestampValidationException: The creation time is ahead of the current time.</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
Traceback (most recent call last):
  File "test.py", line 114, in <module>
    print client.service.GetBlacklistItems()
  File "/usr/lib/python2.7/dist-packages/suds/client.py", line 542, in __call__
    return client.invoke(args, kwargs)
  File "/usr/lib/python2.7/dist-packages/suds/client.py", line 602, in invoke
    result = self.send(soapenv)
  File "/usr/lib/python2.7/dist-packages/suds/client.py", line 653, in send
    result = self.failed(binding, e)
  File "/usr/lib/python2.7/dist-packages/suds/client.py", line 708, in failed
    r, p = binding.get_fault(reply)
  File "/usr/lib/python2.7/dist-packages/suds/bindings/binding.py", line 265, in get_fault
    raise WebFault(p, faultroot)
suds.WebFault: Server raised fault: 'com.sun.xml.wss.impl.WssSoapFaultException: com.sun.xml.wss.impl.callback.TimestampValidationCallback$TimestampValidationException: The creation time is ahead of the current time.; nested exception is com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.impl.WssSoapFaultException: com.sun.xml.wss.impl.callback.TimestampValidationCallback$TimestampValidationException: The creation time is ahead of the current time.'

And from the WS server logs:

Code:

2013-08-22 00:23:24,715: DEBUG [http-8080-1] org.springframework.ws.server.MessageTracing.received - Received request [<?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns0="http://agnitas.org/ws/schemas" xmlns:ns1="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><SOAP-ENV:Header><wsse:Security mustUnderstand="true"><wsse:UsernameToken><wsse:Username>myusername</wsse:Username><wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">the_password_token</wsse:Password><wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">the_nonce</wsse:Nonce><wsu:Created>2013-08-21T22:23:23.649940Z</wsu:Created></wsse:UsernameToken></wsse:Security></SOAP-ENV:Header><ns1:Body><ns0:GetBlacklistItemsRequest/></ns1:Body></SOAP-ENV:Envelope>]
2013-08-22 00:23:24,723: DEBUG [http-8080-1] org.agnitas.emm.springws.security.SpringDigestPasswordValidationCallbackHandler - Authentication success: org.springframework.security.providers.UsernamePasswordAuthenticationToken@2f0426ee: Principal: org.springframework.security.userdetails.User@bc4300: Username: myusername; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: USER_1; Password: [PROTECTED]; Authenticated: false; Details: null; Not granted any authorities
2013-08-22 00:23:24,725: WARN  [http-8080-1] org.springframework.ws.soap.security.xwss.XwsSecurityInterceptor - Could not validate request: com.sun.xml.wss.impl.WssSoapFaultException: com.sun.xml.wss.impl.callback.TimestampValidationCallback$TimestampValidationException: The creation time is ahead of the current time.; nested exception is com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.impl.WssSoapFaultException: com.sun.xml.wss.impl.callback.TimestampValidationCallback$TimestampValidationException: The creation time is ahead of the current time.
2013-08-22 00:23:24,726: DEBUG [http-8080-1] org.springframework.ws.server.MessageTracing.sent - Sent response [<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header/><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Client</faultcode><faultstring xml:lang="en">com.sun.xml.wss.impl.WssSoapFaultException: com.sun.xml.wss.impl.callback.TimestampValidationCallback$TimestampValidationException: The creation time is ahead of the current time.; nested exception is com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.impl.WssSoapFaultException: com.sun.xml.wss.impl.callback.TimestampValidationCallback$TimestampValidationException: The creation time is ahead of the current time.</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>] for request [<?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns0="http://agnitas.org/ws/schemas" xmlns:ns1="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><SOAP-ENV:Header><wsse:Security mustUnderstand="true"><wsse:UsernameToken><wsse:Username>myusername</wsse:Username><wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">the_password_token</wsse:Password><wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">the_nonce</wsse:Nonce><wsu:Created>2013-08-21T22:23:23.649940Z</wsu:Created></wsse:UsernameToken></wsse:Security></SOAP-ENV:Header><ns1:Body><ns0:GetBlacklistItemsRequest/></ns1:Body></SOAP-ENV:Envelope>]


Re: Webservices V2 failures - The creation time is ahead of

Post by Anton » Thu Aug 22, 2013 1:24 am

Ok, something very strange is going on here... I suppose there is something I haven't configured properly - I have tried this on a couple of different installs...

If I change the Created value to be utc minus about an hour (between 59 and 65 minutes to be exact, outside this it fails with either ahead or too old), then everything works just hunky dory. I guess it's an hour out somehow...

Code:

        UsernameToken.__init__(self, username, password)
        fudged_datetime = datetime.datetime.utcnow() - datetime.timedelta(minutes=59)
        self.setcreated(fudged_datetime.strftime("%Y-%m-%dT%H:%M:%SZ"))
        self.setnonce()

instead of

Code:

        UsernameToken.__init__(self, username, password)
        self.setcreated()
        self.setnonce()

Can someone tell me what I'm doing wrong here? I guess I can just keep with the fudged version but I'd love to know what is going on!
Thanks.


Re: Webservices V2 failures - The creation time is ahead of

Post by maschoff » Tue Sep 17, 2013 8:41 pm

We cannot reproduce your problem.

Some remarks: Client and server both need the correct time for authentication. A difference of up to 5 minutes is accepted. The basis for calculating the PW hash is the current UTC time.

We see 3 potential sources for your problem:

1. The time of your client is wrong or it uses a wrong time zone.
2. The time of your server is wrong or it uses a wrong time zone.
3. The transformation of local time to UTC is wrong.

Hope this helps!
OpenEMM Maintainer
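
Added example (not code from the thread or from OpenEMM): a model of the `wsu:Created` freshness check, showing that a server whose idea of UTC is assumed to be one hour behind accepts only tokens backdated by 59 to 65 minutes, the window reported above. The 5-minute limit is the one stated in the reply; the 1-minute allowance for timestamps lying ahead, the sample clock values and all function names are assumptions.

```python
import base64
import hashlib
from datetime import datetime, timedelta, timezone

FRESHNESS_LIMIT = timedelta(minutes=5)  # "up to 5 minutes is accepted" (from the thread)
MAX_FUTURE_SKEW = timedelta(minutes=1)  # assumption: tolerance for Created lying ahead


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """WS-Security UsernameToken digest: Base64(SHA-1(nonce + created + password)).

    Created is part of the hash, so the string sent in wsu:Created must be
    exactly the string that was hashed.
    """
    sha1 = hashlib.sha1(nonce + created.encode() + password.encode())
    return base64.b64encode(sha1.digest()).decode()


def parse_created(created: str) -> datetime:
    """Parse a wsu:Created value such as 2013-08-21T22:23:23.649940Z as UTC."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in created else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(created, fmt).replace(tzinfo=timezone.utc)


def check_created(created: str, server_now: datetime) -> str:
    """Model of the server-side check, using the server's own idea of UTC now."""
    delta = parse_created(created) - server_now
    if delta > MAX_FUTURE_SKEW:
        return "ahead"
    if delta < -FRESHNESS_LIMIT:
        return "too old"
    return "ok"


def accepted_fudge_minutes(server_offset: timedelta, candidates=range(0, 121)):
    """Return the N for which a client sending 'utcnow() - N minutes' is accepted."""
    # Constructed reference instant, taken from the Created value in the log above.
    true_now = datetime(2013, 8, 21, 22, 23, 23, tzinfo=timezone.utc)
    server_now = true_now + server_offset  # the server's (possibly wrong) UTC
    accepted = []
    for n in candidates:
        created = (true_now - timedelta(minutes=n)).strftime("%Y-%m-%dT%H:%M:%SZ")
        if check_created(created, server_now) == "ok":
            accepted.append(n)
    return accepted
```

Comparing the server's own UTC (for example `date -u` on the host and the time zone the JVM runs with) against a trusted time source shows which of the three listed causes applies; backdating `Created` on the client only hides the offset.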
