Error in WS-Secured header validation(WSS4j) with UsernameToken TimeStamp for different time zone

Question

I have built a web service(top down based) in Apache CXF (2.7.11) with WSS4J with UsernameToken Timestamp feature. When I test the same with SOAP UI the server & client code seems to work fine.

But there is a client code who sends the data in IST (Indian Standard Time) timezone in WS Security header; for that, client receives the error The message has expired (WSSecurityEngine: Invalid timestamp The security semantics of the message have expired) is being thrown. Investigating I found the timezone used by WSS4J is UTC. Making the timestampStrict false in WSS4JInterceptor also did not work. Any help would be appreciated.

<jaxws:inInterceptors>                  
     <bean class="org.apache.cxf.interceptor.LoggingInInterceptor" />
     <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
        <property name="properties">
              <map>
                     <entry key="action" value="UsernameToken Timestamp" />
                     <entry key="timestampStrict" value="false"/>
                     <entry key="user" value="test_user" />
                     <entry key="passwordType" value="PasswordText" />
                     <entry>
                            <key>
                                   <value>passwordCallbackRef</value>
                            </key>
                            <ref bean="passwordCallback" />
                     </entry>
              </map>
        </property>
     </bean>
</jaxws:inInterceptors>

Answer 1

It is invalid to send a Timestamp in any time other than UTC time as per the SOAP Message Security profile: "All references MUST be in UTC time.".

Colm.