IBM Support

PI09544: The SAML Web SSO TAI decodes the original URL before sending the redirect.

Fixes are available

7.0.0.33: WebSphere Application Server V7.0 Fix Pack 33
8.0.0.9: WebSphere Application Server V8.0 Fix Pack 9
8.5.5.3: WebSphere Application Server V8.5.5 Fix Pack 3
7.0.0.35: WebSphere Application Server V7.0 Fix Pack 35
8.5.5.4: WebSphere Application Server V8.5.5 Fix Pack 4
8.0.0.10: WebSphere Application Server V8.0 Fix Pack 10
7.0.0.37: WebSphere Application Server V7.0 Fix Pack 37
8.5.5.5: WebSphere Application Server V8.5.5 Fix Pack 5
8.5.5.6: WebSphere Application Server V8.5.5 Fix Pack 6
8.0.0.11: WebSphere Application Server V8.0 Fix Pack 11
8.5.5.7: WebSphere Application Server V8.5.5 Fix Pack 7
7.0.0.39: WebSphere Application Server V7.0 Fix Pack 39
8.5.5.8: WebSphere Application Server V8.5.5 Fix Pack 8
8.0.0.12: WebSphere Application Server V8.0 Fix Pack 12
8.5.5.9: WebSphere Application Server V8.5.5 Fix Pack 9
7.0.0.41: WebSphere Application Server V7.0 Fix Pack 41
8.5.5.10: WebSphere Application Server V8.5.5 Fix Pack 10
8.5.5.11: WebSphere Application Server V8.5.5 Fix Pack 11
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
7.0.0.43: WebSphere Application Server V7.0 Fix Pack 43
8.5.5.12: WebSphere Application Server V8.5.5 Fix Pack 12
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.35: Java SDK 1.6 SR16 FP1 Cumulative Fix for WebSphere Application Server
7.0.0.37: Java SDK 1.6 SR16 FP3 Cumulative Fix for WebSphere Application Server
7.0.0.39: Java SDK 1.6 SR16 FP7 Cumulative Fix for WebSphere Application Server
7.0.0.41: Java SDK 1.6 SR16 FP20 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • When SAML Web SSO is enabled and SAML TAI is invoked, a cookie
    is set to store original request URL.  After authentication,
    this original URL is decoded before it's sent as a redirect.
    This could cause problems if the original URL contains encoded
    characters such as a line break or the original encoding is
    not UTF-8.
    
    For example, following exception could appear in WAS log files:
    
    servlet E com.ibm.ws.webcontainer.servlet.ServletWrapper
    service SRVE0068E: Uncaught exception created in one of the
    service methods of the servlet
    IBMWebSphereSamlACSListenerServlet in application
    WebSphereSamlSP. Exception created :
    javax.servlet.ServletException: Invalid LF not followed by
    whitespace at
    com.ibm.ws.security.web.saml.sp.IBMWebSphereSamlACSListenerServl
    et.handleRedirect(IBMWebSphereSamlACSListenerServlet.java:76)
    at
    com.ibm.ws.security.web.saml.sp.IBMWebSphereSamlACSListenerServl
    et.doPost(IBMWebSphereSamlACSListenerServlet.java:58) at
    javax.servlet.http.HttpServlet.service(HttpServlet.java:738)  ??
    ...
    

Local fix

  • modify requests so that they do not cause this issue
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server SAML Web Single Sign On.             *
    ****************************************************************
    * PROBLEM DESCRIPTION: The SAML Web SSO TAI decodes the        *
    *                      original URL before sending the         *
    *                      redirect.                               *
    ****************************************************************
    * RECOMMENDATION:  Apply a fix pack that contains this APAR    *
    *                  and set the security custom property.       *
    ****************************************************************
    When SAML Web SSO is enabled and SAML TAI is invoked, a cookie
    is set to store original request URL.  After authentication,
    this original URL is decoded before it is sent as a redirect.
    This could cause problems if the original URL encoding is not
    UTF-8 or it contains encoded characters such as a line break.
    

Problem conclusion

  • The following security custom property is introduced to
    provide an option for customer to disable the URL decoding:
    
    com.ibm.ws.security.web.saml.disableDecodeURL
    
    This property defaults to "false".  When this property is set
    to "true", the original URL for redirect is used, without
    decoding the URL.
    
    To add this new custom property with
    administrative console, click Security > Global security >
    Custom properties.  Click New to add a new custom property and
    its associated value.
    
    When a fix pack containing this APAR is installed, the fix
    will not be active until the installed SAML ACS application,
    WebSphereSamlSP.ear, is updated from the
    (WAS_HOME)/installableApps directory.
    
    The fix for this APAR is currently targeted for inclusion in
    fix pack 7.0.0.33, 8.0.0.9, and 8.5.5.3.  Please refer to the
    Recommended Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    
    Keywords: IBMWL3WSS, SAMLWSSO
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI09544

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    700

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2014-01-14

  • Closed date

    2014-03-25

  • Last modified date

    2015-09-09

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R700 PSY

       UP

  • R800 PSY

       UP

  • R850 PSY

       UP



Document information

More support for: WebSphere Application Server
General

Software version: 7.0

Reference #: PI09544

Modified date: 09 September 2015