IBM Support

PM26939: JAX-WS WS-Security is rejecting SAML 2.0 tokens referenced by SecurityTokenReference/Reference

APAR status

  • Closed as program error.

Error description

  • JAX-WS WS-Security is rejecting SAML 2.0 tokens referenced by
    SecurityTokenReference/Reference.
    
    The following is an example of a SecurityTokenReference to a SAML
    2.0 token that is not working:
    
    <wsse:SecurityTokenReference
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        wsu:Id="cc089ca5-a5ad-4f43-baa7-40a0448bbec5">
        <wsse:Reference URI="#83e63758-25d7-4b9f-a0ff-7bc10d04a5e7"></wsse:Reference>
    </wsse:SecurityTokenReference>
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server V7.0 users *
    *                  of WS-Security enabled JAX-WS applications  *
    *                  and SAML 2.0                                *
    ****************************************************************
    * PROBLEM DESCRIPTION: JAX-WS WS-Security is rejecting SAML    *
    *                      2.0 tokens referenced by                *
    *                      SecurityTokenReference/Reference        *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack that includes this APAR. *
    ****************************************************************
    JAX-WS WS-Security is rejecting SAML 2.0 tokens referenced by
    SecurityTokenReference/Reference.
    
    According to the SAML specification, SAML 1.1 tokens can only
    be referenced by SecurityTokenReference/KeyIdentifier, but SAML
    2.0 tokens can additionally be referenced by
    SecurityTokenReference/Reference.
    
    The following is an example of a SecurityTokenReference to a SAML
    2.0 token that JAX-WS WS-Security is rejecting:
    
    <wsse:SecurityTokenReference
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        wsu:Id="cc089ca5-a5ad-4f43-baa7-40a0448bbec5">
        <wsse:Reference URI="#83e63758-25d7-4b9f-a0ff-7bc10d04a5e7">
        </wsse:Reference>
    </wsse:SecurityTokenReference>
    

Problem conclusion

  • The WS-Security runtime treats references to SAML 1.1 and
    SAML 2.0 tokens the same, so only
    SecurityTokenReference/KeyIdentifier is allowed for either.
    
    The WS-Security runtime is updated to allow a SAML 2.0 token to be
    referenced with SecurityTokenReference/Reference.
    
    The fix for this APAR is currently targeted for inclusion in
    fix pack 7.0.0.17.  Please refer to the Recommended Updates
    page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
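The per-version rule stated in the problem summary and conclusion (SAML 1.1 tokens reachable only through SecurityTokenReference/KeyIdentifier, SAML 2.0 tokens through KeyIdentifier or Reference) is easy to get wrong in the direction this APAR describes, where a single rule is applied to both token versions. The following Python script is an added illustration and is not IBM's or WebSphere's code: it resolves each SecurityTokenReference in a constructed wsse:Security header to the SAML assertion it points at, decides the token version from the assertion's namespace, and accepts or rejects the reference under either the pre-fix rule table or the corrected one. The SAML 2.0 ids and the STR are taken from the APAR's own example; the SAML 1.1 assertion id "_saml11-token" and the extra STR ids are made up for the sample.

```python
import xml.etree.ElementTree as ET

# Namespaces (standard URIs; the wsu one appears in the APAR's own example).
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SAML11 = "urn:oasis:names:tc:SAML:1.0:assertion"  # SAML 1.0 and 1.1 share this namespace
SAML20 = "urn:oasis:names:tc:SAML:2.0:assertion"

# Reference styles accepted per SAML version, as the APAR text states them.
FIXED_RULES = {"1.1": {"KeyIdentifier"}, "2.0": {"KeyIdentifier", "Reference"}}
# The pre-fix runtime applied the SAML 1.1 rule to both versions.
PRE_FIX_RULES = {"1.1": {"KeyIdentifier"}, "2.0": {"KeyIdentifier"}}


def index_assertions(security):
    """Map assertion id -> (version, element) for each SAML assertion in the header.
    SAML 1.1 carries its id in AssertionID, SAML 2.0 in ID."""
    idx = {}
    for el in security.iter():
        if el.tag == "{%s}Assertion" % SAML11:
            idx[el.get("AssertionID")] = ("1.1", el)
        elif el.tag == "{%s}Assertion" % SAML20:
            idx[el.get("ID")] = ("2.0", el)
    return idx


def resolve_str(security, str_el, rules=FIXED_RULES):
    """Resolve one SecurityTokenReference to (version, assertion) or raise ValueError."""
    ref = str_el.find("{%s}Reference" % WSSE)
    kid = str_el.find("{%s}KeyIdentifier" % WSSE)
    if ref is not None:
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            raise ValueError("only same-document (#id) references are handled here")
        style, token_id = "Reference", uri[1:]
    elif kid is not None:
        style, token_id = "KeyIdentifier", (kid.text or "").strip()
    else:
        raise ValueError("SecurityTokenReference has neither Reference nor KeyIdentifier")
    idx = index_assertions(security)
    if token_id not in idx:
        raise ValueError("no SAML assertion with id %r in the Security header" % token_id)
    version, assertion = idx[token_id]
    if style not in rules[version]:
        raise ValueError("SAML %s token may not be referenced by SecurityTokenReference/%s"
                         % (version, style))
    return version, assertion


def check_all(xml_text, rules=FIXED_RULES):
    """Return {STR wsu:Id: 'accepted (SAML x)' | 'rejected: reason'} for every STR in the header."""
    security = ET.fromstring(xml_text.strip())
    results = {}
    for str_el in security.findall("{%s}SecurityTokenReference" % WSSE):
        str_id = str_el.get("{%s}Id" % WSU)
        try:
            version, _ = resolve_str(security, str_el, rules)
            results[str_id] = "accepted (SAML %s)" % version
        except ValueError as exc:
            results[str_id] = "rejected: %s" % exc
    return results


# Constructed sample header: the APAR's own STR and SAML 2.0 id, plus a SAML 1.1
# assertion (made-up id "_saml11-token") referenced both ways.
SAMPLE = """
<wsse:Security xmlns:wsse="%s" xmlns:wsu="%s" xmlns:saml="%s" xmlns:saml2="%s">
  <saml2:Assertion ID="83e63758-25d7-4b9f-a0ff-7bc10d04a5e7" Version="2.0"/>
  <saml:Assertion AssertionID="_saml11-token" MajorVersion="1" MinorVersion="1"/>
  <wsse:SecurityTokenReference wsu:Id="cc089ca5-a5ad-4f43-baa7-40a0448bbec5">
    <wsse:Reference URI="#83e63758-25d7-4b9f-a0ff-7bc10d04a5e7"/>
  </wsse:SecurityTokenReference>
  <wsse:SecurityTokenReference wsu:Id="str-kid-11">
    <wsse:KeyIdentifier>_saml11-token</wsse:KeyIdentifier>
  </wsse:SecurityTokenReference>
  <wsse:SecurityTokenReference wsu:Id="str-ref-11">
    <wsse:Reference URI="#_saml11-token"/>
  </wsse:SecurityTokenReference>
</wsse:Security>
""" % (WSSE, WSU, SAML11, SAML20)

if __name__ == "__main__":
    for label, rules in (("pre-fix", PRE_FIX_RULES), ("fixed", FIXED_RULES)):
        for str_id, outcome in check_all(SAMPLE, rules).items():
            print("%-8s %-40s %s" % (label, str_id, outcome))
```

Run as a script it prints one line per STR under each rule table: with PRE_FIX_RULES the APAR's SAML 2.0 Reference is rejected exactly as the error description reports, while with FIXED_RULES it is accepted and only the SAML 1.1 token referenced through Reference is still refused, which is the behaviour the problem summary calls for. Deciding the token version from the resolved assertion rather than from the STR itself is the point of the check: the STR alone does not say which profile rule applies.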
    

Temporary fix

Comments

APAR Information

  • APAR number

    PM26939

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    700

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2010-11-17

  • Closed date

    2011-01-17

  • Last modified date

    2011-01-17

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R700 PSY

       UP



Document information

More support for: WebSphere Application Server
General

Software version: 7.0

Reference #: PM26939

Modified date: 17 January 2011