Fixes are available
7.0.0.33: WebSphere Application Server V7.0 Fix Pack 33
8.0.0.9: WebSphere Application Server V8.0 Fix Pack 9
8.5.5.3: WebSphere Application Server V8.5.5 Fix Pack 3
7.0.0.35: WebSphere Application Server V7.0 Fix Pack 35
8.5.5.4: WebSphere Application Server V8.5.5 Fix Pack 4
8.0.0.10: WebSphere Application Server V8.0 Fix Pack 10
7.0.0.37: WebSphere Application Server V7.0 Fix Pack 37
8.5.5.5: WebSphere Application Server V8.5.5 Fix Pack 5
8.5.5.6: WebSphere Application Server V8.5.5 Fix Pack 6
8.0.0.11: WebSphere Application Server V8.0 Fix Pack 11
8.5.5.7: WebSphere Application Server V8.5.5 Fix Pack 7
7.0.0.39: WebSphere Application Server V7.0 Fix Pack 39
8.5.5.8: WebSphere Application Server V8.5.5 Fix Pack 8
8.0.0.12: WebSphere Application Server V8.0 Fix Pack 12
8.5.5.9: WebSphere Application Server V8.5.5 Fix Pack 9
7.0.0.41: WebSphere Application Server V7.0 Fix Pack 41
8.5.5.10: WebSphere Application Server V8.5.5 Fix Pack 10
8.5.5.11: WebSphere Application Server V8.5.5 Fix Pack 11
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
7.0.0.43: WebSphere Application Server V7.0 Fix Pack 43
8.5.5.12: WebSphere Application Server V8.5.5 Fix Pack 12
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.35: Java SDK 1.6 SR16 FP1 Cumulative Fix for WebSphere Application Server
7.0.0.37: Java SDK 1.6 SR16 FP3 Cumulative Fix for WebSphere Application Server
7.0.0.39: Java SDK 1.6 SR16 FP7 Cumulative Fix for WebSphere Application Server
7.0.0.41: Java SDK 1.6 SR16 FP20 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
8.5.5.15: WebSphere Application Server V8.5.5 Fix Pack 15
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
8.5.5.20: WebSphere Application Server V8.5.5.20
8.5.5.18: WebSphere Application Server V8.5.5 Fix Pack 18
8.5.5.19: WebSphere Application Server V8.5.5 Fix Pack 19
8.5.5.16: WebSphere Application Server V8.5.5 Fix Pack 16
8.5.5.21: WebSphere Application Server V8.5.5.21
APAR status
Closed as program error.
Error description
When SAML Web SSO is enabled and the SAML TAI is invoked, a cookie is set to store the original request URL. After authentication, this original URL is decoded before it is sent as a redirect. This can cause problems if the original URL contains encoded characters such as a line break, or if the original encoding is not UTF-8. For example, the following exception could appear in the WAS log files:

servlet E com.ibm.ws.webcontainer.servlet.ServletWrapper service SRVE0068E: Uncaught exception created in one of the service methods of the servlet IBMWebSphereSamlACSListenerServlet in application WebSphereSamlSP. Exception created : javax.servlet.ServletException: Invalid LF not followed by whitespace
at com.ibm.ws.security.web.saml.sp.IBMWebSphereSamlACSListenerServlet.handleRedirect(IBMWebSphereSamlACSListenerServlet.java:76)
at com.ibm.ws.security.web.saml.sp.IBMWebSphereSamlACSListenerServlet.doPost(IBMWebSphereSamlACSListenerServlet.java:58)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:738)
...
Local fix
Modify requests so that they do not cause this issue.
Problem summary
USERS AFFECTED: All users of IBM WebSphere Application Server SAML Web Single Sign On.
PROBLEM DESCRIPTION: The SAML Web SSO TAI decodes the original URL before sending the redirect.
RECOMMENDATION: Apply a fix pack that contains this APAR and set the security custom property.

When SAML Web SSO is enabled and the SAML TAI is invoked, a cookie is set to store the original request URL. After authentication, this original URL is decoded before it is sent as a redirect. This can cause problems if the original URL encoding is not UTF-8, or if it contains encoded characters such as a line break.
Problem conclusion
The following security custom property is introduced to give customers an option to disable the URL decoding:

com.ibm.ws.security.web.saml.disableDecodeURL

This property defaults to "false". When it is set to "true", the original URL is used for the redirect without being decoded.

To add this custom property with the administrative console, click Security > Global security > Custom properties. Click New to add the new custom property and its associated value.

When a fix pack containing this APAR is installed, the fix will not be active until the installed SAML ACS application, WebSphereSamlSP.ear, is updated from the (WAS_HOME)/installableApps directory.

The fix for this APAR is currently targeted for inclusion in fix packs 7.0.0.33, 8.0.0.9, and 8.5.5.3. Please refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Keywords: IBMWL3WSS, SAMLWSSO
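The following is an added illustration, not IBM's code, of the failure mode in the error description and of the effect of the disableDecodeURL property from the conclusion: a stored original URL is modelled as a percent-encoded string (the cookie format, the example.com URLs and the sample values are constructed assumptions), and a header-value check shows why decoding before the redirect turns an encoded line break or non-UTF-8 bytes into a Location value that a servlet container must reject.

```python
from typing import List, Optional
from urllib.parse import unquote

# Constructed sample cookie values, each a percent-encoded original request URL
# of the kind the SAML TAI stores before the IdP round trip (format assumed).
COOKIE_UTF8 = "https://app.example.com/acct?name=caf%C3%A9"
COOKIE_LATIN1 = "https://app.example.com/acct?name=caf%E9"  # %E9 is Latin-1, not valid UTF-8
COOKIE_LF = "https://app.example.com/acct?x=1%0D%0Ay=2"    # encoded line break in the query


def redirect_target(original_url: str, disable_decode_url: bool) -> str:
    """Return the Location value the ACS servlet would redirect to.

    disable_decode_url=False models the behaviour the APAR describes (decode
    before redirect); True models com.ibm.ws.security.web.saml.disableDecodeURL
    set to "true", where the stored URL is sent unchanged."""
    if disable_decode_url:
        return original_url
    # unquote() decodes as UTF-8 and replaces undecodable bytes with U+FFFD,
    # so an original URL in another encoding is silently altered here.
    return unquote(original_url)


def header_value_problems(value: str) -> List[str]:
    """Reasons a string must not be emitted as an HTTP Location header value."""
    problems = []
    if "\r" in value or "\n" in value:
        problems.append("contains CR or LF")  # the condition behind the logged "Invalid LF"
    if any(ord(ch) < 0x20 and ch not in "\r\n" for ch in value):
        problems.append("contains other control characters")
    if "\ufffd" in value:
        problems.append("non-UTF-8 bytes were replaced during decoding")
    return problems


def safe_redirect(original_url: str, disable_decode_url: bool) -> Optional[str]:
    """Redirect target if it passes the header checks, else None (caller rejects)."""
    target = redirect_target(original_url, disable_decode_url)
    return target if not header_value_problems(target) else None


if __name__ == "__main__":
    for cookie in (COOKIE_UTF8, COOKIE_LATIN1, COOKIE_LF):
        for flag in (False, True):
            print(f"disableDecodeURL={flag!s:5} {cookie!r:50} -> {safe_redirect(cookie, flag)!r}")
```

With the property left at its default, both the Latin-1 and the line-break samples are rejected; with it set to "true" the encoded URL passes through intact and the browser, not the server, handles the decoding.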
Temporary fix
Comments
APAR Information
APAR number
PI09544
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
700
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2014-01-14
Closed date
2014-03-25
Last modified date
2015-09-09
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
R700 PSY
UP
R800 PSY
UP
R850 PSY
UP
Document Information
Modified date:
28 April 2022