IBM Support

PI25681: REMOVE EXPORT PACKAGES OF THE ORG.APACHE.COMMONS.CODEC FROM THE COM.IBM.WS.SECURITY.OIDC.CLIENT.JAR

Fixes are available

PI25681;8.5.5: remove export packages of the org.apache.commons.codec from com.ibm.ws.security.oidc.client.jar
8.5.5.4: WebSphere Application Server V8.5.5 Fix Pack 4
8.0.0.10: WebSphere Application Server V8.0 Fix Pack 10
8.5.5.5: WebSphere Application Server V8.5.5 Fix Pack 5
8.5.5.6: WebSphere Application Server V8.5.5 Fix Pack 6
8.0.0.11: WebSphere Application Server V8.0 Fix Pack 11
8.5.5.7: WebSphere Application Server V8.5.5 Fix Pack 7
8.5.5.8: WebSphere Application Server V8.5.5 Fix Pack 8
8.0.0.12: WebSphere Application Server V8.0 Fix Pack 12
8.5.5.9: WebSphere Application Server V8.5.5 Fix Pack 9
8.5.5.10: WebSphere Application Server V8.5.5 Fix Pack 10
8.5.5.11: WebSphere Application Server V8.5.5 Fix Pack 11
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
8.5.5.12: WebSphere Application Server V8.5.5 Fix Pack 12
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
PI96508: OIDC v1.05; OIDC RP may not connect to token endpoint due to SSL handshake failure
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
8.5.5.15: WebSphere Application Server V8.5.5 Fix Pack 15
PH08804: OIDC v1.1.0; OIDC RP default identifiers are not available when customs are configured
PH13175: OIDC v1.2.0; OIDC RP tokens are not revoked when sessions are evicted from the cache
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
PH29099: OIDC v1.3.1; OIDC RP: ClassNotFoundException for JsonUtil$DupeKeyDisallowingLinkedHashMap
8.5.5.20: WebSphere Application Server V8.5.5.20
8.5.5.18: WebSphere Application Server V8.5.5 Fix Pack 18
8.5.5.19: WebSphere Application Server V8.5.5 Fix Pack 19
PH39666: OIDC v1.3.2; OIDC RP: Initial login might fail when the OIDC stateId contains special characters
8.5.5.16: WebSphere Application Server V8.5.5 Fix Pack 16
8.5.5.21: WebSphere Application Server V8.5.5.21

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • The application cannot load its own version of the
    org.apache.commons.codec.binary.Base64 class that is packaged
    within the application. The new WAS_HOME/plugins/
    com.ibm.ws.security.oidc.client_1.0.0.jar shipped
    with fix pack v8.5.5.3 is loaded instead. This causes the
    application failed with NoSuchMethodError:
    
    java.lang.NoSuchMethodError:
    org/apache/commons/codec/binary/Base64.isBase64(Ljava/lang/Strin
    g;)
    

Local fix

  • Change the classloader mode for the WAR to parent_last.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server                                      *
    ****************************************************************
    * PROBLEM DESCRIPTION: Export packages in                      *
    *                      com.ibm.ws.security.oidc.client_1.0.0.j *
    *                      ar may cause application                *
    *                      initialization failures                 *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack that contains this       *
    *                  APAR.                                       *
    ****************************************************************
    An application that has packaged org.apache.commons packages
    with its application may experience an initializion failure.
    Setting the PARENT_LAST classloader policy can illeviate the
    problem.
    

Problem conclusion

  • In com.ibm.ws.security.oidc.client_1.0.0.jar,
    org.apache.commons packages are exported for use by
    com.ibm.ws.security.openid20.client.jar.  These exports
    may cause applications that package their own version of the
    org.apache.commons.code packages to fail to initialize.
    
    The org.apache.commons.codec, org.apache.commons.codec.binary,
    and org.apache.commons.codec.net packages are removed from
    com.ibm.ws.security.oidc.client_1.0.0.jar.  These packages are
    now bundled in both com.ibm.ws.security.oidc.client_1.0.0.jar
    and com.ibm.ws.security.openid20.client.jar.
    
    The fix for this APAR is currently targeted for inclusion in
    fix pack 8.5.5.4.  Please refer to the Recommended Updates
    page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    
    Keywords: IBMWL3WSS, OIDC
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI25681

  • Reported component name

    WEBSPHERE APP S

  • Reported component ID

    5724J0800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2014-09-12

  • Closed date

    2014-10-15

  • Last modified date

    2015-09-23

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE APP S

  • Fixed component ID

    5724J0800

Applicable component levels

  • R850 PSY

       UP

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.5","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
28 April 2022