Fixes are available
PK61315; Attribute in SOAP security header may cause security exposure
PK75992; JAX-RPC WS-Security Runtime May Improperly Validate UsernameTokens
Java SDK 1.5 SR8 Cumulative Fix for WebSphere Application Server
Java SDK 1.5 SR10 Cumulative Fix for WebSphere Application Server
6.1.0.31: Java SDK 1.5 SR11 FP1 Cumulative Fix for WebSphere Application Server
6.1.0.33: Java SDK 1.5 SR12 FP1 Cumulative Fix for WebSphere
6.1.0.29: Java SDK 1.5 SR11 Cumulative Fix for WebSphere Application Server
6.1.0.35: Java SDK 1.5 SR12 FP2 Cumulative Fix for WebSphere
6.1.0.37: Java SDK 1.5 SR12 FP3 Cumulative Fix for WebSphere
6.1.0.39: Java SDK 1.5 SR12 FP4 Cumulative Fix for WebSphere Application Server
6.1.0.41: Java SDK 1.5 SR12 FP5 Cumulative Fix for WebSphere Application Server
6.1.0.43: Java SDK 1.5 SR13 Cumulative Fix for WebSphere Application Server
6.1.0.45: Java SDK 1.5 SR14 Cumulative Fix for WebSphere Application Server
6.1.0.47: WebSphere Application Server V6.1 Fix Pack 47
6.1.0.47: Java SDK 1.5 SR16 Cumulative Fix for WebSphere Application Server
APAR status
Closed as program error.
Error description
When a web service protected by WS-Security is invoked, authentication to the registry occurs twice. The first time, the JAAS login configuration WSSecurity.UsernameToken is invoked and succeeds. The Web Services trace then indicates that, because the subject is not in the AuthCache, authentication occurs again using the default JAAS configuration. Excerpt of the trace:

[27/10/06 14:37:11:291 EST] 0000004a LoginProcesso 3 Subject not found in AuthCache.
[27/10/06 14:37:11:291 EST] 0000004a LoginProcesso 3 authMech is system.DEFAULT .

The problem occurs only with username/password (UsernameToken) authentication.
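The trace excerpt above is the observable symptom of this APAR: a cache miss followed, on the same thread, by a fallback to the system.DEFAULT login. The following added example (not IBM code, and not part of the APAR) scans a WebSphere trace for that pattern per thread so an administrator can confirm whether a server is affected before and after applying the fix. The trace line layout (timestamp, thread id, component, level, message) is assumed from the excerpt; the sample lines are constructed, with thread 0000004a reproducing the excerpt and thread 0000004b acting as a control.

```python
"""Flag the PK41002 double-authentication symptom in a WebSphere trace.

Added example, not IBM code.  The record layout is assumed from the APAR's
trace excerpt:  [timestamp] threadid component level message
"""
import re
from typing import Optional

TRACE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<thread>[0-9A-Fa-f]{8})\s+"
    r"(?P<component>\S+)\s+(?P<level>\S+)\s+(?P<msg>.*)$"
)

# Marker strings taken verbatim from the trace excerpt in the APAR.
AUTHCACHE_MISS = "Subject not found in AuthCache"
DEFAULT_FALLBACK = "authMech is system.DEFAULT"

# Constructed sample trace: thread 0000004a shows the symptom (cache miss, then
# fallback to the default login on the same thread); thread 0000004b falls back
# without a preceding cache miss and must not be flagged.
SAMPLE_TRACE = """\
[27/10/06 14:37:11:291 EST] 0000004a LoginProcesso 3 Subject not found in AuthCache.
[27/10/06 14:37:11:291 EST] 0000004a LoginProcesso 3 authMech is system.DEFAULT .
[27/10/06 14:37:12:004 EST] 0000004b LoginProcesso 3 authMech is system.DEFAULT .
this line is not a trace record and is skipped
"""


def parse_trace_line(line: str) -> Optional[dict]:
    """Split one trace record into its fields, or return None for non-records."""
    m = TRACE_RE.match(line)
    return m.groupdict() if m else None


def find_double_authentication(trace_text: str) -> list:
    """Return one finding per thread where an AuthCache miss is followed by a
    system.DEFAULT login, i.e. where the registry was consulted a second time."""
    pending = {}   # thread id -> timestamp of the most recent AuthCache miss
    findings = []
    for raw in trace_text.splitlines():
        rec = parse_trace_line(raw)
        if rec is None:
            continue
        thread = rec["thread"]
        if AUTHCACHE_MISS in rec["msg"]:
            pending[thread] = rec["ts"]
        elif DEFAULT_FALLBACK in rec["msg"] and thread in pending:
            findings.append({
                "thread": thread,
                "cache_miss_at": pending.pop(thread),
                "default_login_at": rec["ts"],
            })
    return findings


if __name__ == "__main__":
    for f in find_double_authentication(SAMPLE_TRACE):
        print(f"thread {f['thread']}: AuthCache miss at {f['cache_miss_at']}, "
              f"second (system.DEFAULT) login at {f['default_login_at']}")
```

Run it against a real trace with the Web Services and security trace strings enabled; a server on which the fix is installed should produce no findings for UsernameToken requests, while an unfixed server produces one finding per request, which is also a useful indicator of extra load on a slow registry.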
Local fix
Problem summary
USERS AFFECTED: IBM WebSphere Application Server version 6 administrators of web services applications utilizing ws-security with UsernameTokens

PROBLEM DESCRIPTION: Authentication to the registry occurs twice when using UsernameTokens with ws-security enabled web services applications.

RECOMMENDATION:

Authentication to the registry occurs twice when using UsernameTokens with ws-security enabled web services applications. This may not be a problem when access to the registry is fast, but can cause problems when access to the registry is slow.
Problem conclusion
The ws-security code was updated so that it authenticates to the registry only once when using UsernameTokens. Previously, the username/password was checked with the registry very early in the process, then again if WebSphere credentials were required. This way, if the username/password combination was not valid, all that would be returned was "Login failed" instead of a SoapSecurityException.

With this new implementation, if the UsernameToken will be used to obtain WebSphere credentials, the username/password is not checked against the registry until later in the process; if the username/password combination is not valid, instead of just returning "Login failed", a SoapSecurityException will be thrown:

WebServicesFault
 faultCode: {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}FailedAuthentication
 faultString: com.ibm.wsspi.wssecurity.SoapSecurityException: WSEC6510E: Failed to login: com.ibm.websphere.security.auth.WSLoginFailedException: No user invaliduname found
 faultActor: null
 faultDetail:

com.ibm.wsspi.wssecurity.SoapSecurityException: WSEC6510E: Failed to login: com.ibm.websphere.security.auth.WSLoginFailedException: No user invaliduname found
 at com.ibm.ws.webservices.engine.WebServicesFault.makeUserFault(WebServicesFault.java:221)
 at ...

If the UsernameToken will not be used to obtain WebSphere credentials and the username/password is not valid, then a "Login failed" message will be returned as before.

Customer applications that use UsernameTokens to acquire WebSphere credentials and programmatically expect a single "Login failed" message from the server upon a failed login will need to be updated accordingly. Ordinarily this is not the case.

This fix is currently targeted for fix packs 6.0.2.25 and 6.1.0.15. Please refer to the recommended updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
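A client that previously matched only on the "Login failed" text will, after this fix, also receive a WS-Security FailedAuthentication fault. The following added example (not IBM code, and not part of the APAR) shows how a client can recognise both forms of an authentication failure from the SOAP 1.1 fault: it resolves the faultcode QName against the in-scope namespace declarations and compares it with the wsse FailedAuthentication code quoted above, and otherwise falls back to the "Login failed" text. The two sample faults are constructed; the assumption that the pre-fix "Login failed" message arrives as a plain server fault with that text in the faultstring is an assumption of this example, not something the APAR states.

```python
"""Classify a SOAP 1.1 fault as a WS-Security authentication failure.

Added example, not IBM code.  The two sample envelopes are constructed for
illustration; the FailedAuthentication fault code and the WSEC6510E message
are taken from the APAR's problem conclusion.
"""
import io
import xml.etree.ElementTree as ET

# WS-Security 1.0 secext namespace, as quoted in the APAR's fault dump.
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"

# Constructed: the post-fix fault, a wsse:FailedAuthentication fault code.
NEW_STYLE_FAULT = f"""<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <soapenv:Fault>
      <faultcode xmlns:wsse="{WSSE_NS}">wsse:FailedAuthentication</faultcode>
      <faultstring>com.ibm.wsspi.wssecurity.SoapSecurityException: WSEC6510E: Failed to login: com.ibm.websphere.security.auth.WSLoginFailedException: No user invaliduname found</faultstring>
    </soapenv:Fault>
  </soapenv:Body>
</soapenv:Envelope>
"""

# Constructed (assumption): the pre-fix behaviour modelled as a generic server
# fault whose faultstring carries only the "Login failed" text.
OLD_STYLE_FAULT = """<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <soapenv:Fault>
      <faultcode>soapenv:Server</faultcode>
      <faultstring>Login failed</faultstring>
    </soapenv:Fault>
  </soapenv:Body>
</soapenv:Envelope>
"""


def parse_fault(xml_text: str) -> dict:
    """Extract faultcode (resolved to namespace + local name) and faultstring.

    iterparse's start-ns events give the prefix bindings, which ElementTree
    otherwise discards; faultcode text is a QName, so the prefix must be
    resolved rather than string-compared.
    """
    ns_map = {}
    code_text = ""
    fault_string = ""
    events = ET.iterparse(io.BytesIO(xml_text.encode("utf-8")), events=("start-ns", "end"))
    for event, item in events:
        if event == "start-ns":
            prefix, uri = item
            ns_map[prefix] = uri
        elif item.tag == "faultcode":
            code_text = (item.text or "").strip()
        elif item.tag == "faultstring":
            fault_string = (item.text or "").strip()
    if ":" in code_text:
        prefix, local = code_text.split(":", 1)
        namespace = ns_map.get(prefix)
    else:
        namespace, local = None, code_text
    return {"code_ns": namespace, "code_local": local, "faultstring": fault_string}


def classify_fault(xml_text: str) -> str:
    """Map a fault to a client-side category so both failure forms are handled."""
    fault = parse_fault(xml_text)
    if fault["code_ns"] == WSSE_NS and fault["code_local"] == "FailedAuthentication":
        return "ws-security-authentication-failure"
    if "Login failed" in fault["faultstring"]:
        return "generic-login-failure"
    return "other"


if __name__ == "__main__":
    for name, fault_xml in (("new", NEW_STYLE_FAULT), ("old", OLD_STYLE_FAULT)):
        print(name, "->", classify_fault(fault_xml))
```

A client should treat both categories as the same authentication failure (retry with corrected credentials, or surface a uniform error) rather than branching on the exact text, and should log the WSEC6510E identifier rather than the full registry message, which names the user that was looked up.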
Temporary fix
ZE Fix Error, see PK75992. 2008/12/15
Comments
APAR Information
APAR number
PK41002
Reported component name
WEBSPH APP SERV
Reported component ID
5724J0800
Reported release
60W
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2007-03-12
Closed date
2007-04-19
Last modified date
2008-12-15
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
SECURITY SERVICES WEB
Fix information
Fixed component name
WEBSPH APP SERV
Fixed component ID
5724J0800
Applicable component levels
R60A PSY UP
R60H PSY UP
R60I PSY UP
R60P PSY UP
R60S PSY UP
R60W PSY UP
R60Z PSY UP
R61A PSY UP
R61H PSY UP
R61I PSY UP
R61P PSY UP
R61S PSY UP
R61W PSY UP
R61Z PSY UP
Document Information
Modified date:
29 December 2021