IBM Support

PI32262: AUTHENTICATIONCACHE ENTRIES WITH SAML TOKENS GETTING LARGE AND CAUSING OUTOFMEMORY

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • When using a provider application that exposes web services
    that requires SAML tokens for authentication, an Out Of Memory
    condition may occur.  The AuthenticationCache contains SAML
    tokens that have retained the JAXBContext object causing
    extraordinarily large SAML token objects in the
    AuthenticationCache.
    

Local fix

  • N/A
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server            *
    *                  administrators of WS-Security enabled       *
    *                  JAX-WS web services and SAML                *
    ****************************************************************
    * PROBLEM DESCRIPTION: When there is an SAML caller token in   *
    *                      JAX-WS WS-Security, a memory leak may   *
    *                      occur.                                  *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack that contains this       *
    *                  APAR.                                       *
    ****************************************************************
    In JAX-WS WS-Security, when there is an SAML token in a caller
    configuration, a memory leak may occur.
    This issue also exists for LTPA tokens and was fixed under
    APAR PM84740.
    

Problem conclusion

  • When WS-Security has a caller configuration for a token, both
    the identity obtained from the token and the token itself are
    put on the runAs subject.  The token is also put in the
    authentication cache.
    
    When a token consumer retrieves its token from a SOAP message,
    a copy of the token is made that is detached from the SOAP
    message so that a reference to the SOAP message does not
    follow the token around.  When the SAML token consumer
    performs this copy, the SOAP message does not detach from the
    copy.  Because of this, when the SAML token copy is put in the
    authentication cache, an object the size of the original SOAP
    message is put in the cache instead of an object the size of
    the SAML token.
    
    The WS-Security runtime is updated:
    
    Before the runtime puts the SAML token in the authentication
    cache, a different method is used to make a copy of the SAML
    token that successfully detaches the SOAP message.
    
    The fix for this APAR is currently targeted for inclusion in
    fix packs 7.0.0.39, 8.0.0.11 and 8.5.5.6.  Please refer to the
    Recommended Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    
    Keywords: IBMWL3WSS, WSSEC, SAMLWSSEC
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI32262

  • Reported component name

    WEBSPHERE APP S

  • Reported component ID

    5724J0800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2015-01-06

  • Closed date

    2015-01-29

  • Last modified date

    2015-09-24

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE APP S

  • Fixed component ID

    5724J0800

Applicable component levels

  • R700 PSY

       UP

  • R800 PSY

       UP

  • R850 PSY

       UP



Document information

More support for: WebSphere Application Server
General

Software version: 850

Reference #: PI32262

Modified date: 24 September 2015