IBM Support

PI76017: JAX-WS WS-Security Error CWWSS5634E with relative URI

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • The following is reported in the logs when WS-Security
    attempts to process a message that contains a relative
    namespace:
    
    [2/3/17 14:58:06:874 UTC] 000000be WSSecurityGen E
    CWWSS5514E: An exception while processing WS-Security message:
    com.ibm.wsspi.wssecurity.core.SoapSecurityException:
    CWWSS5634E: Signing the message produced the following
    exception: Found a relative URI: xmlns:ns4='abc/schemas':
    java.lang.RuntimeException: Found a relative URI:
    xmlns:ns4='abc/schemas'
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server and WS-Security enabled JAX-WS       *
    *                  applications and digital signature          *
    ****************************************************************
    * PROBLEM DESCRIPTION: CWWSS5634E when JAX-WS WS-Security      *
    *                      encounters a relative URI during        *
    *                      canonicalization of a message part      *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack that contains this       *
    *                  APAR.                                       *
    ****************************************************************
    When JAX-WS WS-Security encounters a relative URI during
    canonicalization of a message part, an error like the
    following may occur:
    [2/3/17 14:58:06:874 UTC] 000000be WSSecurityGen E
    CWWSS5514E: An exception while processing WS-Security message:
    com.ibm.wsspi.wssecurity.core.SoapSecurityException:
    CWWSS5634E: Signing the message produced the following
    exception: Found a relative URI: xmlns:ns4='abc/schemas':
    java.lang.RuntimeException: Found a relative URI:
    xmlns:ns4='abc/schemas'
    

Problem conclusion

  • The JAX-WS WS-Security runtime disallows relative namespaces
    because W3C Canonical XML implies that a relative namespace
    could be a security exposure.  It suggests converting a
    relative namespace to an absolute namespace, but gives no
    guidance on how to do this.  Since there is no standard
    method, interoperability between disparate runtimes would not
    be possible.
    
    The preferred fix to this issue is to change the relative
    namespace to an absolute namespace in the wsdl (for example,
    using http://helloNamespace instead of helloNamespace).
    However, there are conditions where this is not possible such
    as when the wsdl is not under the control of the administrator.
    
    When the followng WS-Security custom property is set to
    true, the WS-Security runtime will allow a relative namespace:
    
    com.ibm.wsspi.wssecurity.dsig.relativeNamespaceAllowed
    
    This custom property is set in the WS-Security policy
    set bindings in the Inbound, Outbound, or Inbound and Outbound
    custom properties.
    
    (bindings) > WS-Security > Custom properties
    
    The property must be set to true for each path that you want
    to allow relative namespaces for the application.  For
    instance, if you only want to allow relative namespaces when
    consuming a message, only set the property in the Inbound
    section.  For only generating, set it in Outbound.  If
    you want to allow a relative namespace for both consuming
    and generating, set the new property to true in the 'Inbound
    and Outbound' section.
    
    The fix for this APAR is currently targeted for inclusion in
    fix pack 7.0.0.45, 8.0.0.14, 8.5.5.12 and 9.0.0.4.  Please
    refer to the Recommended Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI76017

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2017-02-03

  • Closed date

    2017-05-04

  • Last modified date

    2017-05-04

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R700 PSY

       UP

  • R800 PSY

       UP

  • R850 PSY

       UP

  • R900 PSY

       UP



Document information

More support for: WebSphere Application Server
General

Software version: 850

Reference #: PI76017

Modified date: 04 May 2017