Getting 'A replay attack has been detected' error in when the request is rehit with WS-SecurityPolicy in place in JBossWS-CXF

Solution Unverified - Updated -

Issue

  • We are using JBoss EAP 6.1.0 and jbossws-cxf (i.e. CXF 2.6.6). We are also using wsse authentication, configured in cxf.xml. When the request does not contain <nonce> and <created> tags in the security header, our application flows, but when these are added to the header we get the error below:
An invalid security token was provided (An error happened processing a Username Token "{0}")
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInInterceptor.java:765) [cxf-rt-ws-security-2.6.6-redhat-3.jar:2.6.6-redhat-3]
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:334) [cxf-rt-ws-security-2.6.6-redhat-3.jar:2.6.6-redhat-3]
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:96) [cxf-rt-ws-security-2.6.6-redhat-3.jar:2.6.6-redhat-3]
  • We have an EAR, and we are configuring the jboss-deployment-structure.xml in the WAR.
  • After placing the jboss-deployment-structure.xml in the top-level deployment and adding the annotation @EndpointProperty on the service, it works, i.e. the service gets executed with <nonce> and <created> tags, but when it is rehit again we get the "A replay attack has been detected" error. If we change some value in the nonce then it works again.
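The behaviour described in the report (the first request with a given <nonce> and <created> is accepted, the identical request is rejected, a request with a fresh nonce is accepted again) is what UsernameToken nonce replay protection is meant to produce. The model below is an added illustration of that validation flow and is not CXF or WSS4J code; the credential store, the 5-minute window, the sample nonces and the timestamps are constructed for the example, and the digest form follows the UsernameToken Profile (Base64(SHA-1(nonce + created + password))).

```python
# Added illustration (not CXF/WSS4J code): a minimal model of how a
# WS-Security UsernameToken carrying <nonce> and <created> is validated,
# and why re-sending the identical token is rejected as a replay.
import base64
import hashlib
import os
from datetime import datetime, timedelta, timezone

# Constructed sample credential store for the example.
PASSWORDS = {"alice": "s3cret"}

TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"


class StaleToken(Exception):
    """<created> lies outside the accepted clock-skew / time-to-live window."""


class ReplayDetected(Exception):
    """The same nonce was already accepted inside the time-to-live window."""


def _digest(nonce_b64: str, created: str, password: str) -> str:
    # UsernameToken Profile: Base64(SHA-1(nonce || created || password)),
    # where the nonce contributes its raw bytes, not its Base64 text.
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def build_token(username: str, password: str, now: datetime, nonce: bytes = None) -> dict:
    """Client side: produce the UsernameToken fields for one request."""
    nonce_b64 = base64.b64encode(nonce or os.urandom(16)).decode()
    created = now.strftime(TS_FORMAT[:-1])[:-3] + "Z"  # millisecond precision
    return {
        "Username": username,
        "Nonce": nonce_b64,
        "Created": created,
        "Password": _digest(nonce_b64, created, password),
    }


class UsernameTokenValidator:
    """Server side: digest check plus a nonce replay cache with a TTL."""

    def __init__(self, ttl_seconds: int = 300):
        self.ttl = timedelta(seconds=ttl_seconds)
        self._seen = {}  # nonce -> time after which the entry can be evicted

    def validate(self, token: dict, now: datetime) -> str:
        created = datetime.strptime(token["Created"], TS_FORMAT).replace(tzinfo=timezone.utc)

        # 1. Reject tokens created too far in the past or future; this bounds
        #    how long a nonce has to be remembered.
        if abs(now - created) > self.ttl:
            raise StaleToken(token["Created"])

        # 2. Verify the digest before touching the cache, so an unauthenticated
        #    sender cannot fill the replay cache with junk nonces.
        password = PASSWORDS.get(token["Username"])
        if password is None or _digest(token["Nonce"], token["Created"], password) != token["Password"]:
            raise ValueError("invalid password digest")

        # 3. Evict expired nonces, then refuse any nonce that is still cached.
        self._seen = {n: exp for n, exp in self._seen.items() if exp > now}
        if token["Nonce"] in self._seen:
            raise ReplayDetected(token["Nonce"])
        self._seen[token["Nonce"]] = created + self.ttl
        return token["Username"]


def demo() -> list:
    """Reproduce the sequence from the report with fixed nonces and clock."""
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    validator = UsernameTokenValidator()
    first = build_token("alice", "s3cret", now, nonce=b"0123456789abcdef")
    outcomes = [validator.validate(first, now)]                 # accepted
    try:
        validator.validate(first, now + timedelta(seconds=1))   # same nonce again
    except ReplayDetected:
        outcomes.append("replay")
    fresh = build_token("alice", "s3cret", now, nonce=b"fedcba9876543210")
    outcomes.append(validator.validate(fresh, now))             # new nonce accepted
    return outcomes


if __name__ == "__main__":
    print(demo())
```

A real deployment keys the cache on the nonce (and usually the username) and sizes its TTL to the accepted <created> window, exactly as step 1 and step 3 do together: once a token is too old to pass the timestamp check, its nonce no longer needs to be remembered.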

Environment

  • Red Hat JBoss Enterprise Application Platform (EAP)
    • 6.1.0
  • JBossWS-CXF
