IBM Support

PI07877: ADD SAML APIS TO ADD ATTRIBUTES AND RE-SIGN THE TOKEN

Fixes are available

8.5.5.2: WebSphere Application Server V8.5.5 Fix Pack 2
7.0.0.33: WebSphere Application Server V7.0 Fix Pack 33
8.0.0.9: WebSphere Application Server V8.0 Fix Pack 9
8.5.5.3: WebSphere Application Server V8.5.5 Fix Pack 3
7.0.0.35: WebSphere Application Server V7.0 Fix Pack 35
8.5.5.4: WebSphere Application Server V8.5.5 Fix Pack 4
8.0.0.10: WebSphere Application Server V8.0 Fix Pack 10
7.0.0.37: WebSphere Application Server V7.0 Fix Pack 37
8.5.5.5: WebSphere Application Server V8.5.5 Fix Pack 5
8.5.5.6: WebSphere Application Server V8.5.5 Fix Pack 6
8.0.0.11: WebSphere Application Server V8.0 Fix Pack 11
8.5.5.7: WebSphere Application Server V8.5.5 Fix Pack 7
7.0.0.39: WebSphere Application Server V7.0 Fix Pack 39
8.5.5.8: WebSphere Application Server V8.5.5 Fix Pack 8
8.0.0.12: WebSphere Application Server V8.0 Fix Pack 12
8.5.5.9: WebSphere Application Server V8.5.5 Fix Pack 9
7.0.0.41: WebSphere Application Server V7.0 Fix Pack 41
8.5.5.10: WebSphere Application Server V8.5.5 Fix Pack 10
8.5.5.11: WebSphere Application Server V8.5.5 Fix Pack 11
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
7.0.0.43: WebSphere Application Server V7.0 Fix Pack 43
8.5.5.12: WebSphere Application Server V8.5.5 Fix Pack 12
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.35: Java SDK 1.6 SR16 FP1 Cumulative Fix for WebSphere Application Server
7.0.0.37: Java SDK 1.6 SR16 FP3 Cumulative Fix for WebSphere Application Server
7.0.0.39: Java SDK 1.6 SR16 FP7 Cumulative Fix for WebSphere Application Server
7.0.0.41: Java SDK 1.6 SR16 FP20 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14


APAR status

  • Closed as new function.

Error description

  • Add SAML APIs to add attributes and re-sign the token
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server users of   *
    *                  WS-Security SAML APIs                       *
    ****************************************************************
    * PROBLEM DESCRIPTION: After a SAMLToken object has been       *
    *                      created, attributes cannot be added     *
    *                      to or deleted from the object or the    *
    *                      token re-signed.                        *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack that contains this       *
    *                  APAR.                                       *
    ****************************************************************
    After a WS-Security SAMLToken object has been created, SAML
    attributes cannot be added to or deleted from the object.
    There are use cases where the ability to do this is necessary.
    After SAML attributes are added to or deleted from a SAMLToken
    object, any digital signature contained within the token will
    become invalid so the ability to re-sign the token must also
    be included in order to properly support the modification of
    attributes.
    

Problem conclusion

  • SAMLToken APIs are added to add and delete SAML attributes from a
    SAMLToken object.  SAMLTokenFactory APIs are added to add or
    update the digital signature on a SAMLToken object.
    
    The following methods are added to the
    com.ibm.websphere.wssecurity.wssapi.token.SAMLTokenFactory
    interface:
    
    public abstract SAMLToken newSAMLToken(SAMLToken aSAMLToken,
    RequesterConfig request, ProviderConfig providerConfig )
    throws WSSException;
    public abstract SAMLToken newSAMLToken(SAMLToken aSAMLToken);
    public static KeyInformationConfig
    newKeyInformationConfig(String alias, String keyPass, String
    keyName) throws WSSException;
    
    
    The following methods are added to the
    com.ibm.websphere.wssecurity.wssapi.token.SAMLToken interface:
    
    public void addSAMLAttribute(SAMLAttribute attr) throws
    Exception;
    public void addSAMLAttribute(List<SAMLAttribute> attrList)
    throws Exception;
    public void deleteSAMLAttribute(SAMLAttribute attr) throws
    Exception;
    
    
    The details of the methods added to the
    com.ibm.websphere.wssecurity.wssapi.token.SAMLTokenFactory
    interface are:
    
    ---------------
    public abstract SAMLToken newSAMLToken( SAMLToken aSAMLToken,
    RequesterConfig request, ProviderConfig providerConfig )
    throws WSSException;
    
    Create a SAMLToken object based on the input SAMLToken and new
    signature data.  The new token is a clone of the original
    token with the signature element removed and a new signature
    added based on the input credentials.
    
    Since you are in essence re-issuing the token with your new
    signature, the issuer name that is in the ProviderConfig
    object will be set on the new SAML token.  The issuer name
    will default to the value in SamlIssuerConfig.properties.  You
    can override that value with the
    ProviderConfig.setIssuerURI(String) method.  If you want to
    maintain the value in the original token, you must query the
    value from the original token with
    SAMLToken.getSAMLIssuerName() then set it on the
    ProviderConfig.
    
    Time-based attributes such as IssueInstant, NotBefore, and
    NotOnOrAfter will not be modified from the values in the
    original token.
    
    This method can be used to re-sign a signed token after
    modifying attributes using SAMLToken.addSAMLAttribute and
    SAMLToken.deleteSAMLAttribute.  This method cannot be used with
    an encrypted SAMLToken.
    
    This method requires the
    SecurityPermission("wssapi.SAMLTokenFactory.newSAMLToken")
    Java Security permission.
    
    Parameters:
      aSAMLToken - contains the original SAMLToken to be re-signed
      request - contains data that describes what kind of
    assertion should be created.
      providerConfig - describes issuer, like Signing KeyInfo and
    Encryption KeyInfo.
    Returns:
      A SAMLToken that can be used to initiate service requests.
    
    ---------------
    public abstract SAMLToken newSAMLToken( SAMLToken aSAMLToken);
    
    Create a SAMLToken object that is a clone of the input
    SAMLToken object.
    
    Parameters:
      aSAMLToken - SAMLToken to copy
    Returns:
      A SAMLToken that can be used to initiate service requests.
    
    ---------------
    public static KeyInformationConfig newKeyInformationConfig(
    String alias, String keyPass, String keyName) throws
    WSSException;
    
    Create a KeyInformationConfig that encapsulates KeyInformation
    configuration attributes.
    
    Parameters:
      alias - is a String that represents the alias of the key
      keyPass - is a String that represents the password for the key
      keyName - is a String that represents the name for the key
    Returns:
      A default embedded KeyInformationConfig that encapsulates
    the following attributes: the alias, keyPass, and keyName.
    
    ===============
    The details of the methods added to the
    com.ibm.websphere.wssecurity.wssapi.token.SAMLToken interface
    are:
    
    ---------------
    public void addSAMLAttribute(SAMLAttribute attr) throws
    Exception;
    
    Adds a SAMLAttribute to the SAML token.  If more than one
    AttributeStatement exists in the SAML token, the new attribute
    will be added to the first AttributeStatement in the XML.
    Since adding attributes to a token will invalidate a digital
    signature, if a digital signature is present in the XML, it
    will be removed.
    
    Encrypted Assertions and encrypted attributes are not supported.
    
    If you want the SAML token to contain a digital signature,
    after the token has been modified, create a new SAMLToken
    using SAMLTokenFactory.newSAMLToken(SAMLToken,
    RequesterConfig, ProviderConfig).
    
    This method requires the
    SecurityPermission("wssapi.SAMLToken.getSAMLAttributes") Java
    Security permission.
    
    Parameters:
      attr - is the SAMLAttribute to add to the token
    
    ---------------
    public void addSAMLAttribute(List<SAMLAttribute> attrList)
    throws Exception;
    
    Adds a list of SAMLAttributes to the SAML token.  If more than
    one AttributeStatement exists in the SAML token, the new
    attributes will be added to the first AttributeStatement in
    the XML.  Since adding attributes to a token will invalidate a
    digital signature, if a digital signature is present in the
    XML, it will be removed.
    
    Encrypted Assertions and encrypted attributes are not supported.
    
    If you want the SAML token to contain a digital signature,
    after the token has been modified, create a new SAMLToken
    using SAMLTokenFactory.newSAMLToken(SAMLToken,
    RequesterConfig, ProviderConfig).
    
    This method requires the
    SecurityPermission("wssapi.SAMLToken.getSAMLAttributes") Java
    Security permission.
    
    
    Parameters:
      attrList - is the List of SAMLAttributes to add to the token
    
    ---------------
    public void deleteSAMLAttribute(SAMLAttribute attr) throws
    Exception;
    
    Delete a SAMLAttribute that matches the input from a SAML
    token.  For a SAML 2.0 token, the Name, FriendlyName,
    and NameFormat will be matched.  For a SAML 1.1 token, the
    AttributeName and AttributeNamespace will be matched; all
    other fields will be ignored.  All matching SAMLAttributes
    will be deleted.  Since deleting an attribute from a token
    will invalidate a digital signature, if a digital signature is
    present in the XML, it will be removed.
    
    Encrypted Assertions and encrypted attributes are not supported.
    
    If you want the SAML token to contain a digital signature,
    after the token has been modified, create a new SAMLToken
    using SAMLTokenFactory.newSAMLToken(SAMLToken,
    RequesterConfig, ProviderConfig).
    
    This method requires the
    SecurityPermission("wssapi.SAMLToken.getSAMLAttributes") Java
    Security permission.
    
    Parameters:
      attr - is the SAMLAttribute to delete from the token
    
    
    ===============
    Sample code of re-signing a SAMLToken using the
    com.ibm.websphere.wssecurity.wssapi.token.SAMLToken interface:
    
    import com.ibm.websphere.wssecurity.wssapi.token.SAMLToken;
    import com.ibm.websphere.wssecurity.wssapi.token.SAMLTokenFactory;
    // Package names for the four config classes below are assumed;
    // check the WebSphere API documentation for your release.
    import com.ibm.wsspi.wssecurity.saml.config.ProviderConfig;
    import com.ibm.wsspi.wssecurity.saml.config.RequesterConfig;
    import com.ibm.wsspi.wssecurity.core.config.KeyInformationConfig;
    import com.ibm.wsspi.wssecurity.core.config.KeyStoreConfig;
    
    // originalSamlToken is the SAMLToken (obtained elsewhere) whose
    // attributes were modified with addSAMLAttribute or
    // deleteSAMLAttribute and which therefore needs a new signature.
    SAMLTokenFactory samlFactory =
     SAMLTokenFactory.getInstance(SAMLTokenFactory.WssSamlV20Token11);
    
    // 1. Create RequesterConfig object (bearer or sender-vouches).
    RequesterConfig reqData =
     samlFactory.newBearerTokenGenerateConfig();
    // -or-
    // RequesterConfig reqData =
    //  samlFactory.newSenderVouchesTokenGenerateConfig();
    
    // 2. Create ProviderConfig object which will specify the key
    // store and key for SAML signing. The object will initialize
    // with the settings from the SAMLIssuerConfig.properties
    // file.
    ProviderConfig samlIssuerCfg =
     samlFactory.newDefaultProviderConfig();
    
    // 3. (Optional) If you want to use keystore and/or key
    // properties other than what are set in the
    // SAMLIssuerConfig.properties file, reset the keystore
    // and key information in the ProviderConfig object.
    KeyStoreConfig ksc = samlFactory.newKeyStoreConfig("jks",
     "$WAS_HOME/profiles/$PROFILE/etc/ws-security/samples/dsig-sender.ks",
     "client");
    samlIssuerCfg.setKeyStoreConfig(ksc);
    KeyInformationConfig kic =
     samlFactory.newKeyInformationConfig("soaprequester", "client",
     "SOAPRequester");
    samlIssuerCfg.setKeyInformationConfig(kic);
    
    // 4. (Optional) If you want to use issuer name/format values
    // other than the ones specified in
    // SamlIssuerConfig.properties, do the following:
    samlIssuerCfg.setIssuerURI("myIssuerURI");
    
    // Only supported on SAML 2.0 tokens:
    samlIssuerCfg.setIssuerFormat("myIssuerFormat");
    
    // 5. (Optional) If you want to ensure that the original
    // issuer is maintained on the token and that issuer does
    // not match what is in SamlIssuerConfig.properties,
    // do the following (this overrides the value set in step 4):
    samlIssuerCfg.setIssuerURI(originalSamlToken.getSAMLIssuerName());
    
    // Create a new SAML token that is a clone of the original,
    // but with a new signature.
    SAMLToken resignedSamlToken =
     samlFactory.newSAMLToken(originalSamlToken, reqData, samlIssuerCfg);
    
    
    The fix for this APAR is currently targeted for inclusion in
    fix packs 7.0.0.33, 8.0.0.9, and 8.5.5.2.  Please refer to the
    Recommended Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
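    The complete modify-then-re-sign flow that the method descriptions above spell out, as an added example that is not code from the APAR or from IBM: it edits a clone so the caller's signed token is never stripped of its signature in place, carries the original issuer across the re-issue, and checks the result. Assumed, because the APAR does not state them: the package names of ProviderConfig and RequesterConfig, the SAMLAttribute constructor argument order, the SAMLAttribute.getName() and getStringAttributeValue() accessors, and the "role" attribute name, which is a constructed sample value.

```java
import java.util.Arrays;
import java.util.List;

import com.ibm.websphere.wssecurity.wssapi.token.SAMLAttribute;
import com.ibm.websphere.wssecurity.wssapi.token.SAMLToken;
import com.ibm.websphere.wssecurity.wssapi.token.SAMLTokenFactory;
import com.ibm.wsspi.wssecurity.saml.config.ProviderConfig;   // package assumed
import com.ibm.wsspi.wssecurity.saml.config.RequesterConfig;  // package assumed

public final class SamlRoleResigner {

    static final String BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic";

    /** Returns a re-signed clone of original whose "role" attribute holds exactly roles. */
    public static SAMLToken replaceRoleAndResign(SAMLToken original, String[] roles)
            throws Exception {
        SAMLTokenFactory factory =
            SAMLTokenFactory.getInstance(SAMLTokenFactory.WssSamlV20Token11);

        // Edit a clone: addSAMLAttribute/deleteSAMLAttribute remove the signature
        // in place, so the caller's original token stays intact and verifiable.
        SAMLToken working = factory.newSAMLToken(original);

        // SAMLAttribute argument order assumed:
        // (name, stringValues, xmlValues, namespace, nameFormat, friendlyName).
        // For SAML 2.0, deleteSAMLAttribute matches on Name, FriendlyName and
        // NameFormat only, so the old values need not be known. "role" is a sample name.
        working.deleteSAMLAttribute(new SAMLAttribute("role", null, null, null, BASIC, null));
        working.addSAMLAttribute(new SAMLAttribute("role", roles, null, null, BASIC, null));

        RequesterConfig reqData = factory.newBearerTokenGenerateConfig();
        ProviderConfig issuerCfg = factory.newDefaultProviderConfig();
        // newSAMLToken re-issues under the ProviderConfig issuer (defaulting to
        // SamlIssuerConfig.properties); copy the original issuer name across.
        issuerCfg.setIssuerURI(original.getSAMLIssuerName());

        SAMLToken resigned = factory.newSAMLToken(working, reqData, issuerCfg);
        if (!original.getSAMLIssuerName().equals(resigned.getSAMLIssuerName())) {
            throw new IllegalStateException("issuer changed during re-sign");
        }
        return resigned;
    }

    /** Post-condition check: the token carries a "role" attribute with exactly expected. */
    public static boolean hasRoles(SAMLToken token, String[] expected) throws Exception {
        // Requires SecurityPermission("wssapi.SAMLToken.getSAMLAttributes").
        List<SAMLAttribute> attrs = token.getSAMLAttributes();  // accessor names assumed
        for (SAMLAttribute a : attrs) {
            if ("role".equals(a.getName()) && Arrays.equals(expected, a.getStringAttributeValue())) {
                return true;
            }
        }
        return false;
    }
}
```

    The code path must run with the wssapi.SAMLTokenFactory.newSAMLToken and wssapi.SAMLToken.getSAMLAttributes Java 2 Security permissions granted, and it does not apply to encrypted assertions or attributes, which these APIs do not support.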
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI07877

  • Reported component name

    WEBSPHERE APP S

  • Reported component ID

    5724J0800

  • Reported release

    700

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2013-12-12

  • Closed date

    2014-01-15

  • Last modified date

    2014-01-15

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE APP S

  • Fixed component ID

    5724J0800

Applicable component levels

  • R700 PSY

       UP

  • R800 PSY

       UP

  • R850 PSY

       UP



Document information


Software version: 7.0

Reference #: PI07877

Modified date: 15 January 2014