IBM Support

PM51727: THE SAML TOKEN SHOULD NOT BE DEFINED WITHIN A CUSTOMTOKEN ELEMENT USING AN IBM PROPRIETARY NAMESPACE

Fixes are available

8.0.0.4: WebSphere Application Server V8.0 Fix Pack 4
7.0.0.25: WebSphere Application Server V7.0 Fix Pack 25
8.0.0.5: WebSphere Application Server V8.0 Fix Pack 5
7.0.0.27: WebSphere Application Server V7.0 Fix Pack 27
8.0.0.6: WebSphere Application Server V8.0 Fix Pack 6
7.0.0.29: WebSphere Application Server V7.0 Fix Pack 29
8.0.0.7: WebSphere Application Server V8.0 Fix Pack 7
8.0.0.8: WebSphere Application Server V8.0 Fix Pack 8
7.0.0.31: WebSphere Application Server V7.0 Fix Pack 31
7.0.0.27: Java SDK 1.6 SR13 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.33: WebSphere Application Server V7.0 Fix Pack 33
8.0.0.9: WebSphere Application Server V8.0 Fix Pack 9
7.0.0.35: WebSphere Application Server V7.0 Fix Pack 35
8.0.0.10: WebSphere Application Server V8.0 Fix Pack 10
7.0.0.37: WebSphere Application Server V7.0 Fix Pack 37
8.0.0.11: WebSphere Application Server V8.0 Fix Pack 11
7.0.0.39: WebSphere Application Server V7.0 Fix Pack 39
8.0.0.12: WebSphere Application Server V8.0 Fix Pack 12
7.0.0.41: WebSphere Application Server V7.0 Fix Pack 41
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
7.0.0.43: WebSphere Application Server V7.0 Fix Pack 43
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
7.0.0.25: Java SDK 1.6 SR11 Cumulative Fix for WebSphere Application Server
7.0.0.27: Java SDK 1.6 SR12 Cumulative Fix for WebSphere Application Server
7.0.0.29: Java SDK 1.6 SR13 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.31: Java SDK 1.6 SR15 Cumulative Fix for WebSphere Application Server
7.0.0.35: Java SDK 1.6 SR16 FP1 Cumulative Fix for WebSphere Application Server
7.0.0.37: Java SDK 1.6 SR16 FP3 Cumulative Fix for WebSphere Application Server
7.0.0.39: Java SDK 1.6 SR16 FP7 Cumulative Fix for WebSphere Application Server
7.0.0.41: Java SDK 1.6 SR16 FP20 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as new function.

Error description

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server users of   *
    *                  WS-Security enabled web services            *
    *                  applications using a SAML Policy Set.       *
    ****************************************************************
    * PROBLEM DESCRIPTION: When WebSphere defines a SAML policy    *
    *                      assertion on exported WSDL it uses a    *
    *                      CustomToken in an IBM namespace.        *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    When policy export is enabled on a JAX-WS web service that has
    a SAML policy set attached, the SAML token in the policy
    assertion is contained within a CustomToken.  For example:
    <ns9:CustomToken xmlns:ns9="
    http://www.ibm.com/xmlns/prod/websphere/200710/ws-
    securitypolicy
    -ext"
    ns2:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-secur
    itypolicy/200702/IncludeToken/Always">
    <wsp:Policy>
    <ns9:WssCustomToken
    localname="http://docs.oasis-open.org/wss/oasis-wss-saml-token-
    p
    rofile-1.1#SAMLV2.0"/>
    </wsp:Policy>
    </ns9:CustomToken>
    This is not correct.  According to OASIS WS-SecurityPolicy
    1.2, the SAML token should be defined within an IssuedToken
    element or an SamlToken element.
    

Problem conclusion

  • The WS-Security runtime is changed to create a SamlToken
    assertion instead of a CustomToken. For example:
    
    <wsp:Policy wsu:Id="7fecb967-51b4-4ea3-9851-f07eb6dc1651">
      <ns1:SupportingTokens
    xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/20
    0702">
        <wsp:Policy>
          <ns1:SamlToken
    ns1:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypo
    licy/200702/IncludeToken/Always">
            <wsp:Policy>
              <ns1:WssSamlV11Token11/>
            </wsp:Policy>
          </ns1:SamlToken>
        </wsp:Policy>
      </ns1:SupportingTokens>
    </wsp:Policy>
    
    We do not emit policies with IssuedToken elements.
    
    To enable this new behavior, set the following WS-Security
    custom property in the Inbound, or Inbound and Oubound custom
    properties in the WS-Security policy set bindings:
    
    com.ibm.wsspi.wssecurity.wsdlexport.exportAsSamlToken=true
    
    Without this property the exported wsdl will be unchanged and
    will emit a CustomToken.
    
    The fix for this APAR is currently targeted for inclusion in
    fix packs 7.0.0.25 and 8.0.0.4.  Please refer to the
    Recommended Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PM51727

  • Reported component name

    WEBSPHERE APP S

  • Reported component ID

    5724J0800

  • Reported release

    700

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2011-11-07

  • Closed date

    2012-03-08

  • Last modified date

    2012-03-08

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE APP S

  • Fixed component ID

    5724J0800

Applicable component levels

  • R700 PSY

       UP

  • R800 PSY

       UP



Document information

More support for: WebSphere Application Server
General

Software version: 7.0

Reference #: PM51727

Modified date: 08 March 2012