Fixes are available
APAR status
Closed as program error.
Error description
When an LTPA Propagation token is consumed in JAX-WS WS-Security, if the Subject from the token already exists in the auth cache, you may end up with more than one copy of the WSCredentialImpl object in the credentials. This can happen for all credential objects.
Local fix
Working on it
Problem summary
****************************************************************
* USERS AFFECTED: Administrators of IBM WebSphere              *
* Application Server V7.0 and WS-Security                      *
* enabled JAX-WS applications and LTPA                         *
* Propagation tokens                                           *
****************************************************************
* PROBLEM DESCRIPTION: When using LTPA Propagation tokens,     *
* JAX-WS WS-Security may duplicate                             *
* credentials on the Subject                                   *
****************************************************************
* RECOMMENDATION: Install a fix pack that contains this        *
* APAR.                                                        *
****************************************************************

When an LTPA Propagation token is received by JAX-WS WS-Security, if the Subject for the Principal in the token already exists in the authcache, most of the credential objects that exist on the Subject will be replicated. The Subject with the extra credentials will appear in the authcache. When this happens, you will see something like this when the Subject is printed in a trace:

Subject:
Principal: IBMRealm/user1
Public Credential: com.ibm.ws.security.auth.WSCredentialImpl@75107510
Public Credential: com.ibm.ws.security.auth.WSCredentialImpl@32563256
Private Credential:com.ibm.ws.security.token.SingleSignonTokenImpl@607d607d
Private Credential:com.ibm.ws.security.token.AuthenticationTokenImpl@50ec50ec
Private Credential:com.ibm.ws.security.token.AuthorizationTokenImpl@531b531b
Private Credential:com.ibm.ws.wssecurity.wssapi.token.impl.LTPAPropagationTokenImpl:ltpa_20
Private Credential:com.ibm.ws.security.token.SingleSignonTokenImpl@26dc26dc
Private Credential:com.ibm.ws.security.token.AuthenticationTokenImpl@690e690e
Private Credential:com.ibm.ws.security.token.AuthorizationTokenImpl@64746474

This issue does not happen on v8.0 and above, nor does it happen with the JAX-RPC runtime.
Problem conclusion
When the JAX-WS runtime receives an LTPA Propagation token, after deserializing the propagation token, it adds the credentials from that deserialized token to the current Subject. When the current subject is obtained from the authcache, it should be checking to see if the credentials are already there before adding them. The WS-Security runtime is updated to not add any credentials from an inbound LTPA Propagation token to a Subject if a matching credential already exists. A matching credential means that the type and contents of the credential are the same, not just the object type or the object instance are the same. The fix for this APAR is currently targeted for inclusion in fix pack 7.0.0.43. Please refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
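The following Java example, added here and not IBM's own WS-Security code, illustrates the merge behaviour the conclusion describes using the standard javax.security.auth.Subject API. A Subject keeps its credentials in java.util.Set instances, so a credential class that does not override equals() is stored twice when a second object with identical contents is added; that is the "naive" merge below. The "deduplicated" merge checks for a matching credential, same class and same contents rather than same object instance, before adding. The TokenCredential class, the CredentialMerger helper, and the sample values ("ltpa_20", "IBMRealm/user1") are hypothetical stand-ins constructed for this illustration.

```java
import javax.security.auth.Subject;
import java.util.Arrays;
import java.util.Set;

// Hypothetical stand-in for a credential class that does NOT override equals()/hashCode(),
// so a java.util.Set will hold two instances even when their contents are identical.
final class TokenCredential {
    final String tokenType;   // e.g. "ltpa_20" (constructed sample value)
    final String principal;   // e.g. "IBMRealm/user1" (constructed sample value)
    final byte[] tokenBytes;  // opaque token contents (constructed sample value)

    TokenCredential(String tokenType, String principal, byte[] tokenBytes) {
        this.tokenType = tokenType;
        this.principal = principal;
        this.tokenBytes = tokenBytes.clone();
    }

    @Override public String toString() {
        return getClass().getSimpleName() + ":" + tokenType + "@" + Integer.toHexString(hashCode());
    }
}

// Hypothetical helper; not part of WebSphere.
final class CredentialMerger {

    /** True only when both objects have the same class AND the same contents. */
    static boolean sameTypeAndContents(Object a, Object b) {
        if (a == b) return true;
        if (a == null || b == null || a.getClass() != b.getClass()) return false;
        if (a instanceof TokenCredential) {
            TokenCredential x = (TokenCredential) a, y = (TokenCredential) b;
            return x.tokenType.equals(y.tokenType)
                && x.principal.equals(y.principal)
                && Arrays.equals(x.tokenBytes, y.tokenBytes);
        }
        return a.equals(b); // for classes that implement a content-based equals()
    }

    /** Adds cred to the set only if no matching credential is already present. */
    static boolean addIfAbsent(Set<Object> credentials, Object cred) {
        for (Object existing : credentials) {
            if (sameTypeAndContents(existing, cred)) return false; // already there, skip
        }
        return credentials.add(cred);
    }

    /** Pre-fix style: copy every credential from the deserialized token onto the cached Subject. */
    static void mergeNaive(Subject cached, Subject fromToken) {
        cached.getPublicCredentials().addAll(fromToken.getPublicCredentials());
        cached.getPrivateCredentials().addAll(fromToken.getPrivateCredentials());
    }

    /** Post-fix style: add a credential only when no matching one exists on the Subject. */
    static void mergeDeduplicated(Subject cached, Subject fromToken) {
        for (Object c : fromToken.getPublicCredentials()) addIfAbsent(cached.getPublicCredentials(), c);
        for (Object c : fromToken.getPrivateCredentials()) addIfAbsent(cached.getPrivateCredentials(), c);
    }

    // Builds a Subject that already holds one credential for the user, as the authcache would.
    static Subject cachedSubject() {
        Subject s = new Subject();
        s.getPrivateCredentials().add(
            new TokenCredential("ltpa_20", "IBMRealm/user1", new byte[] {1, 2, 3, 4}));
        return s;
    }

    public static void main(String[] args) {
        // The deserialized propagation token yields a distinct object with identical contents.
        Subject fromToken = new Subject();
        fromToken.getPrivateCredentials().add(
            new TokenCredential("ltpa_20", "IBMRealm/user1", new byte[] {1, 2, 3, 4}));

        Subject naive = cachedSubject();
        mergeNaive(naive, fromToken);
        System.out.println("naive merge: " + naive.getPrivateCredentials().size()
            + " private credential(s) " + naive.getPrivateCredentials());

        Subject deduplicated = cachedSubject();
        mergeDeduplicated(deduplicated, fromToken);
        System.out.println("deduplicated merge: " + deduplicated.getPrivateCredentials().size()
            + " private credential(s) " + deduplicated.getPrivateCredentials());
    }
}
```

Running main prints two private credentials for the naive merge (two TokenCredential objects with different identity hashes, the pattern visible in the trace above) and one for the deduplicated merge. The design point is that the check cannot rely on Set semantics or on a.getClass() == b.getClass() alone; it has to compare the credential's contents, which is what the conclusion means by "type and contents".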
Temporary fix
Comments
APAR Information
APAR number
PI72422
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
700
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-11-16
Closed date
2016-12-14
Last modified date
2016-12-14
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
R700 PSY
UP
Business Unit: Cloud & Data Platform (BU053)
Product: WebSphere Application Server (SSEQTP)
Platform: Platform Independent (PF025)
Version: 7.0
Line of Business: Automation (LOB45)
Document Information
Modified date:
19 October 2021