Fixes are available
8.0.0.4: WebSphere Application Server V8.0 Fix Pack 4
7.0.0.25: WebSphere Application Server V7.0 Fix Pack 25
8.0.0.5: WebSphere Application Server V8.0 Fix Pack 5
7.0.0.27: WebSphere Application Server V7.0 Fix Pack 27
8.0.0.6: WebSphere Application Server V8.0 Fix Pack 6
7.0.0.29: WebSphere Application Server V7.0 Fix Pack 29
8.0.0.7: WebSphere Application Server V8.0 Fix Pack 7
8.0.0.8: WebSphere Application Server V8.0 Fix Pack 8
7.0.0.31: WebSphere Application Server V7.0 Fix Pack 31
7.0.0.27: Java SDK 1.6 SR13 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.33: WebSphere Application Server V7.0 Fix Pack 33
8.0.0.9: WebSphere Application Server V8.0 Fix Pack 9
7.0.0.35: WebSphere Application Server V7.0 Fix Pack 35
8.0.0.10: WebSphere Application Server V8.0 Fix Pack 10
7.0.0.37: WebSphere Application Server V7.0 Fix Pack 37
8.0.0.11: WebSphere Application Server V8.0 Fix Pack 11
7.0.0.39: WebSphere Application Server V7.0 Fix Pack 39
8.0.0.12: WebSphere Application Server V8.0 Fix Pack 12
7.0.0.41: WebSphere Application Server V7.0 Fix Pack 41
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
7.0.0.43: WebSphere Application Server V7.0 Fix Pack 43
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
7.0.0.25: Java SDK 1.6 SR11 Cumulative Fix for WebSphere Application Server
7.0.0.27: Java SDK 1.6 SR12 Cumulative Fix for WebSphere Application Server
7.0.0.29: Java SDK 1.6 SR13 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.31: Java SDK 1.6 SR15 Cumulative Fix for WebSphere Application Server
7.0.0.35: Java SDK 1.6 SR16 FP1 Cumulative Fix for WebSphere Application Server
7.0.0.37: Java SDK 1.6 SR16 FP3 Cumulative Fix for WebSphere Application Server
7.0.0.39: Java SDK 1.6 SR16 FP7 Cumulative Fix for WebSphere Application Server
7.0.0.41: Java SDK 1.6 SR16 FP20 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server
APAR status
Closed as new function.
Error description
When policy export is enabled on a JAX-WS web service that has a SAML policy set attached, the policy assertion contains a CustomToken that is defined in an IBM proprietary namespace http://www.ibm.com/xmlns/prod/websphere/200710/ws-securitypolicy-ext. An IBM proprietary namespace should not be used.
Local fix
Problem summary
****************************************************************
* USERS AFFECTED:  IBM WebSphere Application Server users of   *
*                  WS-Security enabled web services            *
*                  applications using a SAML Policy Set.       *
****************************************************************
* PROBLEM DESCRIPTION: When WebSphere defines a SAML policy    *
*                      assertion on exported WSDL it uses a    *
*                      CustomToken in an IBM namespace.        *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
When policy export is enabled on a JAX-WS web service that has a SAML policy set attached, the SAML token in the policy assertion is contained within a CustomToken. For example:

    <ns9:CustomToken
        xmlns:ns9="http://www.ibm.com/xmlns/prod/websphere/200710/ws-securitypolicy-ext"
        ns2:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Always">
      <wsp:Policy>
        <ns9:WssCustomToken
            localname="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/>
      </wsp:Policy>
    </ns9:CustomToken>

This is not correct. According to OASIS WS-SecurityPolicy 1.2, the SAML token should be defined within an IssuedToken element or a SamlToken element.
Problem conclusion
The WS-Security runtime is changed to create a SamlToken assertion instead of a CustomToken. For example:

    <wsp:Policy wsu:Id="7fecb967-51b4-4ea3-9851-f07eb6dc1651">
      <ns1:SupportingTokens
          xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
        <wsp:Policy>
          <ns1:SamlToken
              ns1:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Always">
            <wsp:Policy>
              <ns1:WssSamlV11Token11/>
            </wsp:Policy>
          </ns1:SamlToken>
        </wsp:Policy>
      </ns1:SupportingTokens>
    </wsp:Policy>

We do not emit policies with IssuedToken elements.

To enable this new behavior, set the following WS-Security custom property in the Inbound, or Inbound and Outbound, custom properties in the WS-Security policy set bindings:

    com.ibm.wsspi.wssecurity.wsdlexport.exportAsSamlToken=true

Without this property the exported WSDL will be unchanged and will emit a CustomToken.

The fix for this APAR is currently targeted for inclusion in fix packs 7.0.0.25 and 8.0.0.4. Please refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
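A check for which assertion form an exported policy uses, useful for confirming that the custom property took effect. This is an added example, not IBM code and not part of this APAR. The function name and both sample documents are constructed, and the wsp namespace URI and the prefix bindings in the samples are assumptions, since the APAR shows only fragments.

```python
import xml.etree.ElementTree as ET

# Namespace URIs quoted in this APAR.
IBM_EXT = "http://www.ibm.com/xmlns/prod/websphere/200710/ws-securitypolicy-ext"
SP12 = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
SAML_PROFILE = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#"
# Assumption: the APAR fragments do not show what the wsp prefix is bound to.
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"


def classify_saml_policy(xml_text):
    """Return 'custom-token', 'saml-token', 'both' or 'none' for policy XML
    taken from WSDL exported by your own server (trusted input)."""
    root = ET.fromstring(xml_text)
    # Old form: CustomToken in the IBM namespace wrapping a WssCustomToken
    # whose localname attribute is a SAML token profile URI.
    custom = any(
        inner.get("localname", "").startswith(SAML_PROFILE)
        for tok in root.iter("{%s}CustomToken" % IBM_EXT)
        for inner in tok.iter("{%s}WssCustomToken" % IBM_EXT)
    )
    # New form: SamlToken assertion in the WS-SecurityPolicy 1.2 namespace.
    standard = next(root.iter("{%s}SamlToken" % SP12), None) is not None
    if custom and standard:
        return "both"
    if custom:
        return "custom-token"
    return "saml-token" if standard else "none"


# Constructed samples modelled on the two fragments in this APAR.
_NS = 'xmlns:wsp="%s" xmlns:sp="%s" xmlns:ibm="%s"' % (WSP, SP12, IBM_EXT)
BEFORE = """<wsp:Policy %s>
  <ibm:CustomToken sp:IncludeToken="%s/IncludeToken/Always">
    <wsp:Policy><ibm:WssCustomToken localname="%sSAMLV2.0"/></wsp:Policy>
  </ibm:CustomToken>
</wsp:Policy>""" % (_NS, SP12, SAML_PROFILE)
AFTER = """<wsp:Policy %s>
  <sp:SupportingTokens><wsp:Policy>
    <sp:SamlToken sp:IncludeToken="%s/IncludeToken/Always">
      <wsp:Policy><sp:WssSamlV11Token11/></wsp:Policy>
    </sp:SamlToken>
  </wsp:Policy></sp:SupportingTokens>
</wsp:Policy>""" % (_NS, SP12)

if __name__ == "__main__":
    print(classify_saml_policy(BEFORE), classify_saml_policy(AFTER))
```

A result of "custom-token" on WSDL exported after the fix pack is applied means the exportAsSamlToken property is not set in the bindings that apply to that service.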
Temporary fix
Comments
APAR Information
APAR number
PM51727
Reported component name
WEBSPHERE APP S
Reported component ID
5724J0800
Reported release
700
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2011-11-07
Closed date
2012-03-08
Last modified date
2012-03-08
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBSPHERE APP S
Fixed component ID
5724J0800
Applicable component levels
R700 PSY
UP
R800 PSY
UP
Document Information
Modified date:
28 October 2021