Apache CXF：消息已过期

Question

环境：

1. Apache CXF 2.7.8
2. Jboss EAP 6
3. SoapUI 用于测试客户端

我尝试实现简单身份验证，即使用密码简单文本类型，它正在工作，但是当我尝试实现密码摘要类型时，给了我异常：

现在展开：org.apache.cxf.binding.soap.SoapFault：消息有 expired org.apache.ws.security.WSSecurityException：消息有 过期了

我在 5 分钟内为每个请求和时间赋予新的 nonce 值

WSS4JInInterceptor Bean 类定义：

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:jaxws="http://cxf.apache.org/jaxws"
    xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd">

    <import resource="classpath:META-INF/cxf/cxf.xml" /> 
    <import resource="classpath:META-INF/cxf/cxf-extension-soap.xml" />
    <import resource="classpath:META-INF/cxf/cxf-servlet.xml" /> 

    <jaxws:endpoint id="orderProcess" implementor="demo.order.OrderProcessImpl" address="/OrderProcess" >

      <jaxws:inInterceptors>
         <bean
            class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
            <constructor-arg>
                <map>
                  <entry key="action" value="UsernameToken"/>
                  <entry key="passwordType" value="PasswordDigest"/>
                  <entry key="passwordCallbackRef" value-ref="myPasswordCallback"/>
               </map> 
            </constructor-arg>
         </bean>
      </jaxws:inInterceptors>
      </jaxws:endpoint>
      <bean id="myPasswordCallback" class="service.ServerPasswordCallback" />  
</beans>

客户端xml请求代码：

  <soapenv:Envelope 
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" 
xmlns:ord="http://order.demo/" 
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
 <soapenv:Header>
<wsse:Security>
           <wsse:UsernameToken>
                                <wsse:Username>joe</wsse:Username>
                                <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">PE7F51/oyWFVMsiZURuUwjoZVPY=</wsse:Password>
                         <!--<wsu:Created>2013-12-17T13:12:00.429Z</wsu:Created>-->
                           <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">efPSkfHXTM6NFDDD1CJHsw==</wsse:Nonce>
                              <wsu:Created>2013-12-23T12:17:15Z</wsu:Created>
               </wsse:UsernameToken>


</wsse:Security>
</soapenv:Header>
   <soapenv:Body>
      <ord:processOrder>
         <!--Optional:-->
         <arg0>
            <!--Optional:-->
            <customerID>234</customerID>
            <!--Optional:-->
            <itemID>0908923</itemID>
            <price>23423</price>
            <qty>1000</qty>
         </arg0>
      </ord:processOrder>
   </soapenv:Body>
</soapenv:Envelope>

当我尝试调用该服务时，我收到异常

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
   <soap:Body>
      <soap:Fault>
         <faultcode xmlns:ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">ns1:MessageExpired</faultcode>
         <faultstring>The message has expired</faultstring>
      </soap:Fault>
   </soap:Body>
</soap:Envelope>

谁能告诉我哪里出错了？

Answer 1

我怀疑这是 wss4j 早期版本中的错误。如果您使用 SimpleDateFormat 解析日期，您可能需要将时区设置为 UTC（祖鲁时间）。

sdf.setTimeZone("UTC");

不过，这个问题已在 2.0 测试版中得到修复。

http://grepcode.com/file/repo1.maven.org/maven2/org.apache.wss4j/wss4j-ws-security-dom/2.0-beta/org/apache/wss4j/dom/message/token/UsernameToken.java#226

编辑：这不是 wss4j 中的错误。规范规定时区必须是 UTC。