IBM Support

PI60820: CWWSS5634E WHEN USING RELATIVE URI

APAR status

  • Closed as program error.

Error description

  • The following error occurs when attempting to sign a message
    that contains a relative namespace:
    
    [3/30/16 10:30:01:776 IDT] 00000097 SignatureGene E
    CWWSS5634E:
    Signing the message produced the following exception:
    java.lang.RuntimeException: Found a relative URI:
    xmlns:h='helloNamespace'
    

Local fix

  • n/a
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server users of   *
    *                  WS-Security enabled JAX-WS applications     *
    *                  and digital signature                       *
    ****************************************************************
    * PROBLEM DESCRIPTION: CWWSS5634E when JAX-WS WS-Security      *
    *                      encounters a relative URI during        *
    *                      canonicalization of a message part      *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack that contains this       *
    *                  APAR.                                       *
    ****************************************************************
    When JAX-WS WS-Security encounters a relative URI during
    canonicalization of a message part, an error like the
    following will occur:
    [3/30/16 10:30:01:776 IDT] 00000097 SignatureGene E
    CWWSS5634E:
    Signing the message produced the following exception:
    java.lang.RuntimeException: Found a relative URI:
    xmlns:h='helloNamespace'
    Here is an example of a SOAP message that will produce the
    error message shown above:
    <soapenv:Envelope
        xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
      <soapenv:Body>
        <h:sayHello xmlns:h="helloNamespace">
          <name>x</name>
        </h:sayHello>
      </soapenv:Body>
    </soapenv:Envelope>
    This error occurs both when generating a signature for a
    message that contains a relative namespace and when consuming
    such a message.
    

Problem conclusion

  • The JAX-WS WS-Security runtime disallows relative namespaces
    because W3C Canonical XML implies that a relative namespace
    could be a security exposure.  It suggests converting a
    relative namespace to an absolute namespace, but gives no
    guidance on how to do this.  Since there is no standard
    method, interoperability between disparate runtimes would not
    be possible.
    
    The preferred fix for this issue is to change the relative
    namespace to an absolute namespace in the WSDL (for example,
    using http://helloNamespace instead of helloNamespace).
    However, there are conditions where this is not possible, such
    as when the WSDL is not under the control of the administrator.
    
    A new WS-Security custom property is added called:
    
    com.ibm.wsspi.wssecurity.dsig.relativeNamespaceAllowed
    
    The values for this property are true and false.  The default
    value is false.  Set this property to true if you want to
    allow the use of relative namespaces.
    
    This custom property is set in the WS-Security policy
    set bindings in the Inbound, Outbound, or Inbound and Outbound
    custom properties.
    
    (bindings) > WS-Security > Custom properties
    
    The property must be set to true for each path on which you
    want the application to allow relative namespaces.  For
    instance, if you only want to allow relative namespaces when
    consuming a message, set the property only in the Inbound
    section.  To allow them only when generating, set it in the
    Outbound section.  If you want to allow a relative namespace
    for both consuming and generating, set the new property to
    true in the 'Inbound and Outbound' section.
    
    The fix for this APAR is currently targeted for inclusion in
    fix pack 7.0.0.43, 8.0.0.13 and 8.5.5.10.  Please refer to the
    Recommended Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    
    Keywords: IBMWL3WSS, WSSEC
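
A pre-deployment check for the condition described above, as an added example that is not part of the APAR or IBM's code: it scans a WSDL, XSD or captured SOAP message for namespace names that have no URI scheme, which are the ones the signature canonicalization rejects. The function names are assumptions of this example, and SAMPLE_SOAP is the message quoted in the problem summary.

```python
import io
import re
import xml.etree.ElementTree as ET

# RFC 3986: an absolute URI starts with a scheme followed by ":".
_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")

# Sample input: the SOAP message quoted in the APAR text.
SAMPLE_SOAP = """<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<h:sayHello xmlns:h="helloNamespace">
<name>x</name>
</h:sayHello>
</soapenv:Body>
</soapenv:Envelope>"""


def is_relative(uri):
    """True for a non-empty namespace name that has no URI scheme."""
    # xmlns="" only undeclares the default namespace; it is not a relative URI.
    return bool(uri) and _SCHEME.match(uri) is None


def find_relative_namespaces(xml_text):
    """Return sorted (kind, name, uri) findings for relative namespace names.

    Meant for WSDL/XSD/SOAP samples you control, not for untrusted input.
    """
    findings = set()
    source = io.BytesIO(xml_text.encode("utf-8"))
    for event, payload in ET.iterparse(source, events=("start-ns", "start")):
        if event == "start-ns":
            prefix, uri = payload
            if is_relative(uri):
                findings.add(("xmlns", prefix or "(default)", uri))
        else:
            # WSDL and XSD state the namespace that ends up on the wire here.
            target = payload.get("targetNamespace")
            if target is not None and is_relative(target):
                findings.add(("targetNamespace", payload.tag, target))
    return sorted(findings)


if __name__ == "__main__":
    for kind, name, uri in find_relative_namespaces(SAMPLE_SOAP):
        print(f"{kind} {name}: relative namespace '{uri}'")
```

An empty result means the document declares only absolute namespace names, so the signing path should not hit CWWSS5634E for this reason.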
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI60820

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-04-14

  • Closed date

    2016-04-25

  • Last modified date

    2016-04-25

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R700 PSY

       UP

  • R800 PSY

       UP

  • R850 PSY

       UP



Document information

More support for: WebSphere Application Server
General

Software version: 850

Reference #: PI60820

Modified date: 25 April 2016