IBM Support

PI09988: LOGINEXCEPTION ERROR MAY OCCUR IN WSSTOKENPROPAGATIONINBOUNDLOGINMODULE

Fixes are available

7.0.0.33: WebSphere Application Server V7.0 Fix Pack 33
8.0.0.9: WebSphere Application Server V8.0 Fix Pack 9
8.5.5.3: WebSphere Application Server V8.5.5 Fix Pack 3
7.0.0.35: WebSphere Application Server V7.0 Fix Pack 35
8.5.5.4: WebSphere Application Server V8.5.5 Fix Pack 4
8.0.0.10: WebSphere Application Server V8.0 Fix Pack 10
7.0.0.37: WebSphere Application Server V7.0 Fix Pack 37
8.5.5.5: WebSphere Application Server V8.5.5 Fix Pack 5
8.5.5.6: WebSphere Application Server V8.5.5 Fix Pack 6
8.0.0.11: WebSphere Application Server V8.0 Fix Pack 11
8.5.5.7: WebSphere Application Server V8.5.5 Fix Pack 7
7.0.0.39: WebSphere Application Server V7.0 Fix Pack 39
8.5.5.8: WebSphere Application Server V8.5.5 Fix Pack 8
8.0.0.12: WebSphere Application Server V8.0 Fix Pack 12
8.5.5.9: WebSphere Application Server V8.5.5 Fix Pack 9
7.0.0.41: WebSphere Application Server V7.0 Fix Pack 41
8.5.5.10: WebSphere Application Server V8.5.5 Fix Pack 10
8.5.5.11: WebSphere Application Server V8.5.5 Fix Pack 11
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
7.0.0.43: WebSphere Application Server V7.0 Fix Pack 43
8.5.5.12: WebSphere Application Server V8.5.5 Fix Pack 12
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.35: Java SDK 1.6 SR16 FP1 Cumulative Fix for WebSphere Application Server
7.0.0.37: Java SDK 1.6 SR16 FP3 Cumulative Fix for WebSphere Application Server
7.0.0.39: Java SDK 1.6 SR16 FP7 Cumulative Fix for WebSphere Application Server
7.0.0.41: Java SDK 1.6 SR16 FP20 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • An error in wssTokenPropagationInboundLoginModule.commit on
    the application server may cause an invocation to the IBM
    FileNet Content Manager Content Management Interoperability
    Services (CMIS) and Content Platform Engine (CPE) to fail.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server users of   *
    *                  IBM FileNet Content Manager                 *
    ****************************************************************
    * PROBLEM DESCRIPTION: A LoginException error may occur in     *
    *                      the                                     *
    *                      wssTokenPropagationLoginModule.commit   *
    *                      method                                  *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack that includes this       *
    *                  APAR.                                       *
    ****************************************************************
    When the IBM FileNet Content Manager Content Management
    Interoperability Services (CMIS) and Content Platform Engine
    (CPE) are used with WebSphere Applicstion Server, and a
    service call is made to the CPE, the call may fail.  On the
    CPE, an error like this can be observed in the ffdc logs on the
    application server profile where the CPE resides:
    [1/28/14 10:30:04:159 EST]     FFDC
    Exception:javax.security.auth.login.LoginException
    SourceId:com.ibm.ws.security.auth.JaasLoginHelper.jaas_login
    ProbeId:256
    Reporter:com.ibm.ws.security.auth.JaasLoginHelper@df5398dd
    javax.security.auth.login.LoginException:
    javax.security.auth.login.LoginException
    at
    com.ibm.ws.wssecurity.platform.websphere.wssapi.token.impl.wssTo
    kenPropagationInboundLoginModule.commit(wssTokenPropagationInbou
    ndLoginModule.java:224)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    ...
    When WS-Security trace is enabled, the following can be
    observed in trace.log on the application server profile where
    the CPE resides:
    [1/28/14 10:30:04:133 EST] 0000072e wssTokenPropa 3   Restore
    authentication token:
    security.wssecurity_http://www.ibm.com/websphere/appserver/token
    type#LTPAv2
    [1/28/14 10:30:04:139 EST] 0000072e LTPATokenImpl 3   Fail to
    deserialize Token.
    com.ibm.ws.wssecurity.wssapi.token.impl.SecurityTokenImpl.readEx
    ternal(SecurityTokenImpl.java:278)
    ...
    

Problem conclusion

  • The wssTokenPropagationLoginModule JAAS login module is used
    to transfer WS-Security tokens from a propagation token
    in a request header to the security Subject on the current
    thread of execution.  When an error occurs while either
    extracting the WS-Security tokens or putting them on the
    Subject, the login module with exit with a LoginException
    which will make the request fail.
    
    The WS-Security tokens that exist in the propagation token may
    or may not be needed by the target service.  If the service is
    a web service, but the service is not protected by
    WS-Security, the tokens are not needed.  Even if the service
    is protected by WS-Security, the tokens may not be needed.  If
    the target service is not a web service, like FileNet CPE, the
    tokens are not needed.  An exception that occurs while
    transferring tokens that are not required by a service should
    not make the request fail.
    
    The wssTokenPropagationLoginModule JAAS login module is
    updated to not exit with a LoginException if there are issues
    with either extracting WS-Security tokens from a propagation
    token or when putting the tokens on the Subject on the thread
    of execution.  If the WS-Security tokens are later required by
    the WS-Security runtime, an error will occur there.
    
    The fix for this APAR is currently targeted for inclusion in
    fix packs 7.0.0.33, 8.0.0.9, and 8.5.5.3.  Please refer to the
    Recommended Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI09988

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2014-01-20

  • Closed date

    2014-01-30

  • Last modified date

    2014-01-30

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R700 PSY

       UP

  • R800 PSY

       UP

  • R850 PSY

       UP



Document information

More support for: WebSphere Application Server
General

Software version: 850

Reference #: PI09988

Modified date: 30 January 2014