IBM Support

PI72422: JAX-WS WS-SECURITY DUPLICATES CREDENTIALS ON SUBJECT IN AUTHCACHE WITH LTPA PROPAGATION TOKEN

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • When an LTPA Propagation token is consumed in JAX-WS
    WS-Security, if the Subject from the token already exists in
    the auth cache, you may end up with more than one copy of the
    WSCredentialImpl object in the credentials.  This can happen
    for all credential objects.
    

Local fix

  • Working on it
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  Administrators of IBM WebSphere             *
    *                  Application Server V7.0 and WS-Security     *
    *                  enabled JAX-WS applications and LTPA        *
    *                  Propagation tokens                          *
    ****************************************************************
    * PROBLEM DESCRIPTION: When using LTPA Propagation tokens,     *
    *                      JAX-WS WS-Security may duplicate        *
    *                      credentials on the Subject              *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack that contains this       *
    *                  APAR.                                       *
    ****************************************************************
    When an LTPA Propagation token is received by JAX-WS
    WS-Security, if the Subject for the Principal in the token
    already exists in the authcache, most of the credential
    objects that exist on the Subject will be replicated.  The
    Subject with the extra credentials will appear in the
    authcache.
    When this happens, you will see something like this when the
    Subject is printed in a trace:
    Subject:
    Principal: IBMRealm/user1
    Public Credential:
    com.ibm.ws.security.auth.WSCredentialImpl@75107510
    Public Credential:
    com.ibm.ws.security.auth.WSCredentialImpl@32563256
    Private
    Credential:com.ibm.ws.security.token.SingleSignonTokenImpl@607d6
    07d
    Private
    Credential:com.ibm.ws.security.token.AuthenticationTokenImpl@50e
    c50ec
    Private
    Credential:com.ibm.ws.security.token.AuthorizationTokenImpl@531b
    531b
    Private
    Credential:com.ibm.ws.wssecurity.wssapi.token.impl.LTPAPropagati
    onTokenImpl:ltpa_20
    Private
    Credential:com.ibm.ws.security.token.SingleSignonTokenImpl@26dc2
    6dc
    Private
    Credential:com.ibm.ws.security.token.AuthenticationTokenImpl@690
    e690e
    Private
    Credential:com.ibm.ws.security.token.AuthorizationTokenImpl@6474
    6474
    This issue does not happen on v80 and above, nor does it
    happen with the JAX-RPC runtime.
    

Problem conclusion

  • When the JAX-WS runtime receives an LTPA Propagation token,
    after deserializing the propagation token, it adds the
    credentials from that deserialized token to the current
    Subject.  When the current subject is obtained from the
    authcache, it should be checking to see if the credentials are
    already there before adding them.
    
    The WS-Security runtime is updated to not add any credentials
    from an inbound LTPA Propagation token to a Subject if a
    matching credential already exists.  A matching credential
    means that the type and contents of the credential are the
    same, not just the object type or the object instance are the
    same.
    
    The fix for this APAR is currently targeted for inclusion in
    fix pack 7.0.0.43.  Please refer to the Recommended Updates
    page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI72422

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    700

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-11-16

  • Closed date

    2016-12-14

  • Last modified date

    2016-12-14

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R700 PSY

       UP



Document information

More support for: WebSphere Application Server
General

Software version: 7.0

Reference #: PI72422

Modified date: 14 December 2016