Reputation: 67
Since yesterday, I've been trying to integrate security into my SOAP web services (with Apache CXF) via WS-Security. For this I have the following configuration:

--my endpoint and its interceptors configuration:
@ComponentScan(basePackages ={""})
public class MyConfig extends SpringBootServletInitializer{

    @Bean
    public IServicesWeb momoService() {
        return new MomoServices();
    }

    @Bean(name = Bus.DEFAULT_BUS_ID)
    public SpringBus springBus() {
        return new SpringBus();
    }

    @Bean
    public ServletRegistrationBean cxfServlet() {
        ServletRegistrationBean servlet = new ServletRegistrationBean(new CXFServlet(), "/services/*");
        return servlet;
    }

    @Bean
    public Endpoint endpoint() {
        EndpointImpl endpoint = new EndpointImpl(springBus(), momoService());
        // Inbound: require a UsernameToken on every request
        Map<String, Object> inProps = new HashMap<String, Object>();
        inProps.put("action", "UsernameToken");
        inProps.put("passwordType", "PasswordText");
        inProps.put("passwordCallbackClass", "");
        endpoint.getInInterceptors().add(new WSS4JInInterceptor(inProps));
        // Outbound: add a UsernameToken for user "abc" to every response
        Map<String, Object> outProps = new HashMap<String, Object>();
        outProps.put("action", "UsernameToken");
        outProps.put("user", "abc");
        outProps.put("passwordType", "PasswordText");
        outProps.put("passwordCallbackClass", "");
        endpoint.getOutInterceptors().add(new WSS4JOutInterceptor(outProps));
        return endpoint;
    }
}
--my PasswordCallBack class handler:
public class WsPwdCallBack implements CallbackHandler{
    protected final Log logger = LogFactory.getLog(getClass());
    // Known users and their passwords
    private Map<String, String> passwords = new HashMap<String, String>();

    public WsPwdCallBack() {
        passwords.put("abc", "abc");
        passwords.put("xyz", "xyz");
    }

    public void handle(Callback[] callbacks) throws IOException,
            UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
            String pass = passwords.get(pc.getIdentifier());
            if (pass != null) {
                // Hand the stored password to WSS4J, which compares it with the token
                pc.setPassword(pass);
                return;
            }
        }
    }
}
--finally my soap request from soapUI:
<soapenv:Envelope xmlns:soapenv="" xmlns:web="" xmlns:wsu="">
<wsse:Security xmlns:wsse="" xmlns:wsu="" soapenv:mustUnderstand="1">
<wsse:UsernameToken wsu:Id="UsernameToken-87b7b0c5-31fe-4a01-b333-f9ca564ded57">
<wsse:Password Type="">TlPGdyb/NOoeA2KMO0n6DbmA0AA=</wsse:Password>
<wsse:Nonce EncodingType="">FCG+tTtuZXguO8nUQUQeIQ==</wsse:Nonce>
From SOAPUI when I execute this request, I receive the following error:
<soap:Envelope xmlns:soap="">
<faultcode xmlns:ns1="">ns1:SecurityError</faultcode>
<faultstring>A security error was encountered when verifying the message</faultstring>
So I went to look at the WildFly logs, where I have deployed the .ear archive of my app, and there I saw this exception:
Caused by: org.apache.wss4j.common.ext.WSSecurityException: The message has expired
Please help me fix it; I am very new to WS-Security. I don't know how I can resolve this exception.
Upvotes: 0
Views: 5486
Reputation: 1900
WSS4J enforces a time limit of 5 minutes by default on the Creation timestamp of a UsernameToken. So in SOAP UI you'll need to recreate the UsernameToken snippet if more than 5 minutes have elapsed since you last created it. Alternatively, you can configure WSS4J to allow a longer time limit for expiry.
Upvotes: 1
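
The time limit described in the answer, as an added example that is not code from either post: it sets the WSS4J `utTimeToLive` and `utFutureTimeToLive` properties (in seconds) on the inbound map and uses a simplified model of the freshness check to show which `Created` values pass. The class name `UsernameTokenTtlExample`, the callback class name `com.example.WsPwdCallBack`, the `isFresh` helper and the timestamps are assumptions made for illustration; a longer limit also lengthens the period in which a captured token can be replayed, so regenerating the token in SoapUI is the safer fix.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.HashMap;
import java.util.Map;

public class UsernameTokenTtlExample {

    // Inbound WSS4J properties as in the question, plus the two UsernameToken
    // time limits (seconds; the WSS4J defaults are 300 and 60).
    static Map<String, Object> inboundProps(int ttlSeconds, int futureTtlSeconds) {
        Map<String, Object> inProps = new HashMap<>();
        inProps.put("action", "UsernameToken");
        inProps.put("passwordType", "PasswordText");
        // Hypothetical class name; the question's own value is not shown.
        inProps.put("passwordCallbackClass", "com.example.WsPwdCallBack");
        inProps.put("utTimeToLive", String.valueOf(ttlSeconds));
        inProps.put("utFutureTimeToLive", String.valueOf(futureTtlSeconds));
        return inProps; // pass to new WSS4JInInterceptor(inProps)
    }

    // Simplified model of the check (an assumption, not WSS4J source): reject a
    // Created value older than the TTL or further ahead than the allowed skew.
    static boolean isFresh(Instant created, Instant now, int ttlSeconds, int futureTtlSeconds) {
        if (created.isAfter(now.plusSeconds(futureTtlSeconds))) {
            return false; // created too far in the future
        }
        return !created.plusSeconds(ttlSeconds).isBefore(now); // false once expired
    }

    public static void main(String[] args) {
        // Constructed timestamps, not taken from the question's request.
        Instant now = Instant.parse("2024-01-01T12:00:00Z");
        Instant reused = now.minus(Duration.ofMinutes(6)); // token pasted into SoapUI earlier
        Instant ahead = now.plus(Duration.ofMinutes(2));   // client clock running fast

        System.out.println("props: " + inboundProps(600, 60));
        System.out.println("6 min old, ttl 300s: " + isFresh(reused, now, 300, 60));
        System.out.println("6 min old, ttl 600s: " + isFresh(reused, now, 600, 60));
        System.out.println("2 min ahead, skew 60s: " + isFresh(ahead, now, 300, 60));
        System.out.println("2 min ahead, skew 180s: " + isFresh(ahead, now, 300, 180));
    }
}
```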