Fixes are available
Java SDK 1.5 SR8 Cumulative Fix for WebSphere Application Server
Java SDK 1.5 SR8 Cumulative Fix for WebSphere Application Server
Java SDK 1.5 SR10 Cumulative Fix for WebSphere Application Server
6.1.0.31: Java SDK 1.5 SR11 FP1 Cumulative Fix for WebSphere Application Server
6.1.0.33: Java SDK 1.5 SR12 FP1 Cumulative Fix for WebSphere
6.1.0.29: Java SDK 1.5 SR11 Cumulative Fix for WebSphere Application Server
6.1.0.35: Java SDK 1.5 SR12 FP2 Cumulative Fix for WebSphere
6.1.0.37: Java SDK 1.5 SR12 FP3 Cumulative Fix for WebSphere
6.1.0.39: Java SDK 1.5 SR12 FP4 Cumulative Fix for WebSphere Application Server
6.1.0.41: Java SDK 1.5 SR12 FP5 Cumulative Fix for WebSphere Application Server
6.1.0.43: Java SDK 1.5 SR13 Cumulative Fix for WebSphere Application Server
6.1.0.45: Java SDK 1.5 SR14 Cumulative Fix for WebSphere Application Server
6.1.0.47: WebSphere Application Server V6.1 Fix Pack 47
6.1.0.47: Java SDK 1.5 SR16 Cumulative Fix for WebSphere Application Server
APAR status
Closed as program error.
Error description
Setting "mustUnderstand=1" attribute in wsse:Security tag of the SOAP header on the request from the Web Services client is currently hardcoded. There no way of configuring the "mustUnderstand=0" attribute of this SOAP Web Services security header that is needed in some scenarios.
Local fix
N/A.
Problem summary
**************************************************************** * USERS AFFECTED: WebSphere Application Server users of * * ws-security enabled web services * * applications * **************************************************************** * PROBLEM DESCRIPTION: Setting "mustUnderstand=1" attribute in * * wsse:Security tag of the SOAP header on * * the request from the Web Services * * client is currently hardcoded. * **************************************************************** * RECOMMENDATION: * **************************************************************** Setting "mustUnderstand=1" attribute in wsse:Security tag of the SOAP header on the request from the Web Services client is currently hardcoded. There is currently no way of configuring the use of the mustUnderstand attribute in the SOAP security header. There are some scenarios where the user may not want to send mustUnderstand="1" in the SOAP security header.
Problem conclusion
The code was updated to allow the administrator to configure the setting of the mustUnderstand attribute in the SOAP security header. The following generator/outbound web services security custom properties have been added: com.ibm.wsspi.wssecurity.config.request.setMustUnderstand com.ibm.wsspi.wssecurity.config.response.forceMustUnderstandEqua lsOne com.ibm.wsspi.wssecurity.config.request.setMustUnderstand specifies the mustUnderstand setting in outbound consumer requests. If the value is set to "0", "no", or "false", no mustUnderstand attribute will be set in the ws-security header in outbound consumer requests. The default value is true. In SOAP messages, the default value for the mustUnderstand attribute is "0". According to the SOAP specification, if the intended value for this attribute is "0", it must not be present in the message. Therefore, if com.ibm.wsspi.wssecurity.config.request.setMustUnderstand is set to false, instead of adding a mustUnderstand="0" attribute to the SOAP security header, no mustUnderstand attribute is added. com.ibm.wsspi.wssecurity.config.response.forceMustUnderstandEqua lsOne is used to specify that the provider should always respond with a mustUnderstand="1" attribute in the SOAP security header. If the value is set to "1", "yes", or "true", the provider will always respond with mustUnderstand="1" in the SOAP security header. The default value is false. By default, the response will contain the same mustUnderstand attribute as the request. For instance, if the inbound request has mustUnderstand="1", the response would have mustUnderstand="1". If the request did not have a mustUnderstand attribute, the response would also not have a mustUnderstand attribute. The default value for the mustUnderstand attribute for inbound messages that do not specify a mustUnderstand attribute has been changed from "1" to "0". This was done so that the outbound messages now being sent without the mustUnderstand attribute will be handled properly by WebSphere web services security. Note that SOAP messages without a mustUnderstand attribute sent to previous levels of WebSphere will result in the receiver of the message to default the value of the missing mustUnderstand attribute to "1", resulting in undesired behavior. In order for this update to be effective, if both the consumer and provider are WebSphere products, both of them must have this fix applied. For Java API for XML-based RPC (JAX-RPC) applications, both properties can be specified in the following locations in the administrative console: Navigate to: Servers->Application Servers->(server name)->Web services: Default bindings for Web services security Add the desired property to one of the following: "Additional Properties"->Properties "Default Generator Bindings"->Properties Properties in the Default Generator Bindings take precedence over those in Additional Properties. Both of these properties together will be referred to as the default bindings. If using an assembly tool with a JAX-RPC WS-Security 1.0 application, the com.ibm.wsspi.wssecurity.config.request.setMustUnderstand property can be set as a Property on the Security Request Generator Extension or Binding. The com.ibm.wsspi.wssecurity.config.response.forceMustUnderstandEqua lsOne property can be set as a Property on the Response Generator Extension or Binding. A setting in the binding will take precedence over a setting in the extension and both take precedence over the default bindings. If using an assembly tool with a JAX-RPC draft13 application, the com.ibm.wsspi.wssecurity.config.request.setMustUnderstand property can be set as a Parameter on the Port Qualified Name Binding in the deployment descriptor. The com.ibm.wsspi.wssecurity.config.response.forceMustUnderstandEqua lsOne can be set as a Parameter on the Port Component Binding in the deployment descriptor. Properties set in the WS-Security draft13 deployment descriptor take precedence over those set in the default binding. If using a JAX-WS application on WebSphere Application Server Version 6.1 Feature Pack for Web Services, these properties can be set as parameters or outbound binding properties on your application using wsadmin. The following WS-Security policy type property names are used in setBinding application.parameters application.securityoutboundbindingconfig.properties Properties in application.securityoutboundbindingconfig.properties take precendence over those in application.parameters. Properties set in WS-Security custom bindings take precedence over those set in the WS-Security default policy set bindings. Following is an example of the wsadmin commands to get the id of the policy set attachment for a consumer, then set the com.ibm.wsspi.wssecurity.config.request.setMustUnderstand property to false in the outbound binding config: $AdminTask getPolicySetAttachments {-applicationName HelloSvcClientEAR -attachmentType client} { {pattern.0 WebService:/HelloSvcClient.war:{http://ibm.com/HelloSvc/}HelloSv c} {name testPolicy} {binding testBinding} {id 1557} } $AdminTask setBinding {-policyType WSSecurity -bindingLocation "{ {application HelloSvcClientEAR} {attachmentId 1557} }" -attributes "{ {application.securityoutboundbindingconfig.properties_999.name com.ibm.wsspi.wssecurity.config.request.setMustUnderstand} {application.securityoutboundbindingconfig.properties_999.value false} }" -attachmentType client} Note that the web services security custom properties for JAX-RPC applications can only be set with the administrative console or an assembly tool, not with wsadmin. At this time, the top-level WS-Security policy type properties for JAX-WS applications (application.parameters, application.securityoutboundbindingconfig.properties, and application.securityinboundbindingconfig.properties) can only be set with wsadmin. The fix for this APAR is currently targeted for inclusion in fixpacks 6.0.2.29 and 6.1.0.19. Please refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
Temporary fix
Comments
APAR Information
APAR number
PK56523
Reported component name
WEBSPH APP SERV
Reported component ID
5724J0800
Reported release
60W
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2007-11-13
Closed date
2008-04-24
Last modified date
2008-05-12
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBSPH APP SERV
Fixed component ID
5724J0800
Applicable component levels
R60A PSY
UP
R60H PSY
UP
R60I PSY
UP
R60P PSY
UP
R60S PSY
UP
R60W PSY
UP
R60Z PSY
UP
R61A PSY
UP
R61H PSY
UP
R61I PSY
UP
R61P PSY
UP
R61S PSY
UP
R61W PSY
UP
R61Z PSY
UP
Document Information
Modified date:
29 December 2021