IBM Support

PM62535: WS-SECURITY GENERICISSUEDTOKENCONSUMELOGINMODULE CANNOT CONSUME A TOKEN WITHOUT VALIDATING IT

Fixes are available

7.0.0.25: WebSphere Application Server V7.0 Fix Pack 25
8.0.0.5: WebSphere Application Server V8.0 Fix Pack 5
7.0.0.27: WebSphere Application Server V7.0 Fix Pack 27
8.5.0.2: WebSphere Application Server V8.5 Fix Pack 2
8.0.0.6: WebSphere Application Server V8.0 Fix Pack 6
7.0.0.29: WebSphere Application Server V7.0 Fix Pack 29
8.0.0.7: WebSphere Application Server V8.0 Fix Pack 7
8.0.0.8: WebSphere Application Server V8.0 Fix Pack 8
7.0.0.31: WebSphere Application Server V7.0 Fix Pack 31
7.0.0.27: Java SDK 1.6 SR13 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.33: WebSphere Application Server V7.0 Fix Pack 33
8.0.0.9: WebSphere Application Server V8.0 Fix Pack 9
7.0.0.35: WebSphere Application Server V7.0 Fix Pack 35
8.0.0.10: WebSphere Application Server V8.0 Fix Pack 10
7.0.0.37: WebSphere Application Server V7.0 Fix Pack 37
8.0.0.11: WebSphere Application Server V8.0 Fix Pack 11
7.0.0.39: WebSphere Application Server V7.0 Fix Pack 39
8.0.0.12: WebSphere Application Server V8.0 Fix Pack 12
7.0.0.41: WebSphere Application Server V7.0 Fix Pack 41
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
7.0.0.43: WebSphere Application Server V7.0 Fix Pack 43
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
7.0.0.25: Java SDK 1.6 SR11 Cumulative Fix for WebSphere Application Server
7.0.0.27: Java SDK 1.6 SR12 Cumulative Fix for WebSphere Application Server
7.0.0.29: Java SDK 1.6 SR13 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.31: Java SDK 1.6 SR15 Cumulative Fix for WebSphere Application Server
7.0.0.35: Java SDK 1.6 SR16 FP1 Cumulative Fix for WebSphere Application Server
7.0.0.37: Java SDK 1.6 SR16 FP3 Cumulative Fix for WebSphere Application Server
7.0.0.39: Java SDK 1.6 SR16 FP7 Cumulative Fix for WebSphere Application Server
7.0.0.41: Java SDK 1.6 SR16 FP20 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • When a token is configured to be consumed using the
    GenericIssuedTokenConsumeLoginModule, there is no way to
    configure the consumer to not pass the token to an STS.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server users of   *
    *                  WS-Security enabled JAX-WS applications     *
    ****************************************************************
    * PROBLEM DESCRIPTION: GenericIssuedTokenConsumeLoginModule    *
    *                      cannot consume a token without          *
    *                      sending it to an STS for exchange or    *
    *                      validation                              *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack that contains this       *
    *                  APAR.                                       *
    ****************************************************************
    When a token is configured to be consumed using the
    GenericIssuedTokenConsumeLoginModule in the WS-Security policy
    bindings, there is no way to configure the consumer to not pass
    the token to an STS for token validation or exchange. The
    GenericIssuedTokenConsumeLoginModule should be able to consume
    tokens without sending them to the STS.
    

Problem conclusion

  • The WS-Security GenericIssuedTokenConsumeLoginModule code is
    updated so that it can consume a token without sending it to
    the STS for validation or exchange.
    
    Two new custom properties are added that can be used with the
    GenericIssuedTokenConsumeLoginModule and can be specified
    using any callback handler class:
    
    passTroughToken
    alwaysGeneric
    
    ================
    passThroughToken
    
    This key is valid for use by both
    GenericIssuedTokenConsumeLoginModule and
    GenericIssuedTokenGenerateLoginModule.  It can be specified on
    any of the built-in callback handlers.
    
    When this key is used for the consumer, it is used to direct
    if the inbound token should be sent to the STS or not.  The
    default behavior is to always send the inbound token to the
    STS for validation and/or exchange (depending on other config
    settings).  When this property is set to true, the inbound
    token will not be sent to the STS at all, in effect, 'passing
    through' the consumer.  Also, when this property is set to
    true and a built-in token type is used (UsernameToken,
    Kerberos Token, SAML
    token, etc), the token will be parsed and available on the
    WS-Security context for later processing by a caller
    configuration JAAS login module.
    
    When this key is used for the generator, it is used to direct
    if the outbound token should be obtained from the STS or not.
    The default behavior is to always obtain the token from the
    STS.  When this property is set to true, the inbound token
    will be obtained in this order:
    
    1) From the sharedState from a stacked JAAS login module
    2) From the com.ibm.wsspi.wssecurity.token.tokenHolder list
    on the message context
    3) From the inbound SecurityTokens
    
    Refer to the following constants in
    com.ibm.wsspi.wssecurity.core.Constants for more information:
    
    com.ibm.wsspi.wssecurity.token.tokenHolder
    com.ibm.wsspi.wssecurity.token.enableCaptureTokenContext
    com.ibm.wsspi.wssecurity.token.enableCaptureTokenInboundMsg
    
    =============
    alwaysGeneric
    
    This key is used by the GenericIssuedTokenConsumeLoginModule
    and can be set using any of the built-in callback handlers.
    When passThroughToken is set to true, if this property is also
    set to true, the login module will always create a
    GenericSecurityToken instead of a built-in token type that
    corresponds to the valueType that is configured for the token.
    
    The default value for this property is false.
    
    ==========================================
    com.ibm.wsspi.wssecurity.token.tokenHolder
    
    This key is used to place a token or an list of tokens on the
    message context for use by token generators and/or token
    consumers.  It is important that, if using a list, that each
    token in the list have a different value type.  If there is
    more than one token with the same value type, the token
    retrieved will be indeterminate.
    
    There is no default for this property.  The value can be a
    SecurityToken object or an instance of a Map or List of
    SecurityToken objects.
    
    ========================================================
    com.ibm.wsspi.wssecurity.token.enableCaptureTokenContext
    
    This is the key used to specify that a token consumer and/or
    token generator that is enabled to do so should attempt to
    obtain its token from the tokenHolder on the message context.
    
    This property is false unless it is set to true and is set in
    the token generator/consumer callback handler custom properties
    
    ===========================================================
    com.ibm.wsspi.wssecurity.token.enableCaptureTokenInboundMsg
    
    This is the key used to specify that a token consumer and/or
    token generator that is enabled to do so should attempt to
    obtain its token from the set of SecurityTokens in the inbound
    message.  If there is more than one token in the inbound
    message that matches the value type of the token generator,
    then the token selected will be indeterminate.
    
    This property is false unless it is set to true and is set in
    the token generator/consumer callback handler custom properties.
    
    
    The fix for this APAR is currently targeted for inclusion in
    fix packs 7.0.0.25, 8.0.0.5, 8.5.0.1.  Please refer to the
    Recommended Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PM62535

  • Reported component name

    WEBSPHERE APP S

  • Reported component ID

    5724J0800

  • Reported release

    700

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2012-04-16

  • Closed date

    2012-07-10

  • Last modified date

    2012-07-13

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE APP S

  • Fixed component ID

    5724J0800

Applicable component levels

  • R700 PSY

       UP

  • R800 PSY

       UP

  • R850 PSY

       UP



Document information

More support for: WebSphere Application Server
General

Software version: 7.0

Reference #: PM62535

Modified date: 13 July 2012