IBM Support

PM62535: WS-SECURITY GENERICISSUEDTOKENCONSUMELOGINMODULE CANNOT CONSUME A TOKEN WITHOUT VALIDATING IT

Fixes are available

7.0.0.25: WebSphere Application Server V7.0 Fix Pack 25
8.0.0.5: WebSphere Application Server V8.0 Fix Pack 5
7.0.0.27: WebSphere Application Server V7.0 Fix Pack 27
8.5.0.2: WebSphere Application Server V8.5 Fix Pack 2
8.0.0.6: WebSphere Application Server V8.0 Fix Pack 6
7.0.0.29: WebSphere Application Server V7.0 Fix Pack 29
8.0.0.7: WebSphere Application Server V8.0 Fix Pack 7
8.0.0.8: WebSphere Application Server V8.0 Fix Pack 8
7.0.0.31: WebSphere Application Server V7.0 Fix Pack 31
7.0.0.27: Java SDK 1.6 SR13 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.33: WebSphere Application Server V7.0 Fix Pack 33
8.0.0.9: WebSphere Application Server V8.0 Fix Pack 9
7.0.0.35: WebSphere Application Server V7.0 Fix Pack 35
8.0.0.10: WebSphere Application Server V8.0 Fix Pack 10
7.0.0.37: WebSphere Application Server V7.0 Fix Pack 37
8.0.0.11: WebSphere Application Server V8.0 Fix Pack 11
7.0.0.39: WebSphere Application Server V7.0 Fix Pack 39
8.0.0.12: WebSphere Application Server V8.0 Fix Pack 12
7.0.0.41: WebSphere Application Server V7.0 Fix Pack 41
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
7.0.0.43: WebSphere Application Server V7.0 Fix Pack 43
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
7.0.0.25: Java SDK 1.6 SR11 Cumulative Fix for WebSphere Application Server
7.0.0.27: Java SDK 1.6 SR12 Cumulative Fix for WebSphere Application Server
7.0.0.29: Java SDK 1.6 SR13 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.31: Java SDK 1.6 SR15 Cumulative Fix for WebSphere Application Server
7.0.0.35: Java SDK 1.6 SR16 FP1 Cumulative Fix for WebSphere Application Server
7.0.0.37: Java SDK 1.6 SR16 FP3 Cumulative Fix for WebSphere Application Server
7.0.0.39: Java SDK 1.6 SR16 FP7 Cumulative Fix for WebSphere Application Server
7.0.0.41: Java SDK 1.6 SR16 FP20 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server


APAR status

  • Closed as program error.

Error description

  • When a token is configured to be consumed using the
    GenericIssuedTokenConsumeLoginModule, there is no way to
    configure the consumer to not pass the token to an STS.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server users of   *
    *                  WS-Security enabled JAX-WS applications     *
    ****************************************************************
    * PROBLEM DESCRIPTION: GenericIssuedTokenConsumeLoginModule    *
    *                      cannot consume a token without          *
    *                      sending it to an STS for exchange or    *
    *                      validation                              *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack that contains this       *
    *                  APAR.                                       *
    ****************************************************************
    When a token is configured to be consumed using the
    GenericIssuedTokenConsumeLoginModule in the WS-Security policy
    bindings, there is no way to configure the consumer to not pass
    the token to an STS for token validation or exchange. The
    GenericIssuedTokenConsumeLoginModule should be able to consume
    tokens without sending them to the STS.
    

Problem conclusion

  • The WS-Security GenericIssuedTokenConsumeLoginModule code is
    updated so that it can consume a token without sending it to
    the STS for validation or exchange.
    
    Two new custom properties are added that can be used with the
    GenericIssuedTokenConsumeLoginModule and can be specified
    using any callback handler class:
    
    passThroughToken
    alwaysGeneric
    
    ================
    passThroughToken
    
    This key is valid for use by both
    GenericIssuedTokenConsumeLoginModule and
    GenericIssuedTokenGenerateLoginModule.  It can be specified on
    any of the built-in callback handlers.
    
    When this key is used for the consumer, it controls whether
    the inbound token is sent to the STS.  The default behavior
    is to always send the inbound token to the STS for validation
    and/or exchange (depending on other config settings).  When
    this property is set to true, the inbound token will not be
    sent to the STS at all, in effect 'passing through' the
    consumer.  Also, when this property is set to true and a
    built-in token type is used (UsernameToken, Kerberos Token,
    SAML token, etc.), the token will be parsed and made available
    on the WS-Security context for later processing by a caller
    configuration JAAS login module.
    
    When this key is used for the generator, it controls whether
    the outbound token is obtained from the STS.  The default
    behavior is to always obtain the token from the STS.  When
    this property is set to true, the outbound token will instead
    be obtained from the following sources, in this order:
    
    1) From the sharedState from a stacked JAAS login module
    2) From the com.ibm.wsspi.wssecurity.token.tokenHolder list
    on the message context
    3) From the inbound SecurityTokens
    
    Refer to the following constants in
    com.ibm.wsspi.wssecurity.core.Constants for more information:
    
    com.ibm.wsspi.wssecurity.token.tokenHolder
    com.ibm.wsspi.wssecurity.token.enableCaptureTokenContext
    com.ibm.wsspi.wssecurity.token.enableCaptureTokenInboundMsg
    
    =============
    alwaysGeneric
    
    This key is used by the GenericIssuedTokenConsumeLoginModule
    and can be set using any of the built-in callback handlers.
    When passThroughToken is set to true, if this property is also
    set to true, the login module will always create a
    GenericSecurityToken instead of a built-in token type that
    corresponds to the valueType that is configured for the token.
    
    The default value for this property is false.
    
    ==========================================
    com.ibm.wsspi.wssecurity.token.tokenHolder
    
    This key is used to place a token or a list of tokens on the
    message context for use by token generators and/or token
    consumers.  If a list is used, each token in the list must
    have a different value type.  If there is more than one token
    with the same value type, the token retrieved will be
    indeterminate.
    
    There is no default for this property.  The value can be a
    SecurityToken object or an instance of a Map or List of
    SecurityToken objects.
    
    ========================================================
    com.ibm.wsspi.wssecurity.token.enableCaptureTokenContext
    
    This is the key used to specify that a token consumer and/or
    token generator that is enabled to do so should attempt to
    obtain its token from the tokenHolder on the message context.
    
    This property defaults to false and takes effect only when it
    is set to true in the token generator/consumer callback handler
    custom properties.
    
    ===========================================================
    com.ibm.wsspi.wssecurity.token.enableCaptureTokenInboundMsg
    
    This is the key used to specify that a token consumer and/or
    token generator that is enabled to do so should attempt to
    obtain its token from the set of SecurityTokens in the inbound
    message.  If there is more than one token in the inbound
    message that matches the value type of the token generator,
    then the token selected will be indeterminate.
    
    This property defaults to false and takes effect only when it
    is set to true in the token generator/consumer callback handler
    custom properties.
    
    
    The fix for this APAR is currently targeted for inclusion in
    fix packs 7.0.0.25, 8.0.0.5, 8.5.0.1.  Please refer to the
    Recommended Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
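
    The following is an added example, not IBM's code: a plain-Python
    model of the selection rules described above, so that the effect of
    a proposed set of callback handler custom properties can be checked
    offline.  Property names are taken from this APAR; the Token type is
    a constructed stand-in for a SecurityToken, and the sharedState key
    "token" is an assumption.

```python
# Added example, not IBM code: a plain-Python model of the token-selection rules this
# APAR documents, for reasoning about a binding offline. Property names come from the
# APAR; Token is a constructed stand-in for a SecurityToken, the "token" key is assumed.
from collections import namedtuple
PASS_THROUGH = "passThroughToken"
ALWAYS_GENERIC = "alwaysGeneric"
TOKEN_HOLDER = "com.ibm.wsspi.wssecurity.token.tokenHolder"
CAPTURE_CONTEXT = "com.ibm.wsspi.wssecurity.token.enableCaptureTokenContext"
CAPTURE_INBOUND = "com.ibm.wsspi.wssecurity.token.enableCaptureTokenInboundMsg"
Token = namedtuple("Token", "value_type origin")  # origin: constructed provenance label

def _flag(props, key):  # every property in the APAR is false unless set to "true"
    return str(props.get(key, "false")).strip().lower() == "true"

def _unique_match(tokens, value_type, where):
    # duplicates of one valueType make the real pick indeterminate (per the APAR); refuse
    hits = [t for t in tokens if t.value_type == value_type]
    if len(hits) > 1:
        raise ValueError(f"{len(hits)} tokens with valueType {value_type!r} in {where}")
    return hits[0] if hits else None

def select_generator_token(value_type, props, shared_state, msg_ctx, inbound):
    """Generator side, returns (source, token): with passThroughToken=true try sharedState,
    then tokenHolder (if enableCaptureTokenContext), then inbound (if enableCaptureTokenInboundMsg)."""
    if not _flag(props, PASS_THROUGH):
        return ("STS", None)                # default: obtain the token from the STS
    tok = shared_state.get("token")         # assumed key used by a stacked login module
    if tok is not None:
        return ("sharedState", tok)
    if _flag(props, CAPTURE_CONTEXT):
        holder = msg_ctx.get(TOKEN_HOLDER)  # a SecurityToken, or a Map or List of them
        tokens = (list(holder.values()) if isinstance(holder, dict)
                  else [holder] if isinstance(holder, Token) else holder or [])
        tok = _unique_match(tokens, value_type, "tokenHolder")
        if tok is not None:
            return ("tokenHolder", tok)
    if _flag(props, CAPTURE_INBOUND):
        tok = _unique_match(inbound, value_type, "inbound message")
        if tok is not None:
            return ("inboundMsg", tok)
    return ("none", None)                   # the APAR does not say what happens then

def consumer_behavior(props):
    """Consumer side, returns (sent to STS?, class of the parsed token when not sent).
    With passThroughToken=true nothing is validated here; a caller JAAS module must."""
    if not _flag(props, PASS_THROUGH):
        return (True, None)
    if _flag(props, ALWAYS_GENERIC):
        return (False, "GenericSecurityToken")
    return (False, "built-in type for the configured valueType")
```

    Note that with passThroughToken set to true the consumer itself
    performs no validation, so the caller configuration JAAS login
    module that later reads the parsed token from the WS-Security
    context is the only place left to check it.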
    

Temporary fix

Comments

APAR Information

  • APAR number

    PM62535

  • Reported component name

    WEBSPHERE APP S

  • Reported component ID

    5724J0800

  • Reported release

    700

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2012-04-16

  • Closed date

    2012-07-10

  • Last modified date

    2012-07-13

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE APP S

  • Fixed component ID

    5724J0800

Applicable component levels

  • R700 PSY

       UP

  • R800 PSY

       UP

  • R850 PSY

       UP


Document Information

Modified date:
28 October 2021