PK56523: NOT ABLE TO CONFIGURE "MUSTUNDERSTAND=0" IN THE WSSE:SECURITY HEADER SENT BY THE WEB SERVICES CLIENT.

Fixes are available

APAR status

Closed as program error.

Error description

Setting "mustUnderstand=1" attribute in wsse:Security tag of the
SOAP header on the request from the Web Services client is
currently hardcoded.  There no way of configuring the
"mustUnderstand=0" attribute of this SOAP Web Services security
header that is needed in some scenarios.

Local fix

```
N/A.
```

Problem summary

****************************************************************
* USERS AFFECTED:  WebSphere Application Server users of       *
*                  ws-security enabled web services            *
*                  applications                                *
****************************************************************
* PROBLEM DESCRIPTION: Setting "mustUnderstand=1" attribute in *
*                      wsse:Security tag of the SOAP header on *
*                      the request from the Web Services       *
*                      client is currently hardcoded.          *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
Setting "mustUnderstand=1" attribute in wsse:Security tag of the
SOAP header on the request from the Web Services client is
currently hardcoded.  There is currently no way of configuring
the use of the mustUnderstand attribute in the SOAP security
header.  There are some scenarios where the user may not want to
send mustUnderstand="1" in the SOAP security header.

Problem conclusion

The code was updated to allow the administrator to configure the
setting of the mustUnderstand attribute in the SOAP security
header.  The following generator/outbound web services security
custom properties have been added:

com.ibm.wsspi.wssecurity.config.request.setMustUnderstand
com.ibm.wsspi.wssecurity.config.response.forceMustUnderstandEqua
lsOne

com.ibm.wsspi.wssecurity.config.request.setMustUnderstand
specifies the mustUnderstand setting in outbound consumer
requests.  If the value is set to "0", "no", or "false", no
mustUnderstand attribute will be set in the ws-security header
in outbound consumer requests.  The default value is true.

In SOAP messages, the default value for the mustUnderstand
attribute is "0".  According to the SOAP specification, if the
intended value for this attribute is "0", it must not be present
in the message.  Therefore, if
com.ibm.wsspi.wssecurity.config.request.setMustUnderstand is set
to false, instead of adding a mustUnderstand="0" attribute to
the SOAP security header, no mustUnderstand attribute is added.

com.ibm.wsspi.wssecurity.config.response.forceMustUnderstandEqua
lsOne is used to specify that the provider should always respond
with a mustUnderstand="1" attribute in the SOAP security header.
If the value is set to "1", "yes", or "true", the provider will
always respond with mustUnderstand="1" in the SOAP security
header.  The default value is false.

By default, the response will contain the same mustUnderstand
attribute as the request.  For instance, if the inbound request
has mustUnderstand="1", the response would have
mustUnderstand="1".  If the request did not have a
mustUnderstand attribute, the response would also not have a
mustUnderstand attribute.

The default value for the mustUnderstand attribute for inbound
messages that do not specify a mustUnderstand attribute has been
changed from "1" to "0".  This was done so that the outbound
messages now being sent without the mustUnderstand attribute
will be handled properly by WebSphere web services security.
Note that SOAP messages without a mustUnderstand attribute sent
to previous levels of WebSphere will result in the receiver of
the message to default the value of the missing mustUnderstand
attribute to "1", resulting in undesired behavior.  In order for
this update to be effective, if both the consumer and provider
are WebSphere products, both of them must have this fix applied.

For Java API for XML-based RPC (JAX-RPC) applications, both
properties can be specified in the following locations in the
administrative console:

Navigate to:

Servers->Application Servers->(server name)->Web services:
Default bindings for Web services security

Add the desired property to one of the following:

"Additional Properties"->Properties
"Default Generator Bindings"->Properties

Properties in the Default Generator Bindings take precedence
over those in Additional Properties.  Both of these properties
together will be referred to as the default bindings.

If using an assembly tool with a JAX-RPC WS-Security 1.0
application, the
com.ibm.wsspi.wssecurity.config.request.setMustUnderstand
property can be set as a Property on the Security Request
Generator Extension or Binding.  The
com.ibm.wsspi.wssecurity.config.response.forceMustUnderstandEqua
lsOne property can be set as a Property on the Response
Generator Extension or Binding.  A setting in the binding will
take precedence over a setting in the extension and both take
precedence over the default bindings.

If using an assembly tool with a JAX-RPC draft13 application,
the com.ibm.wsspi.wssecurity.config.request.setMustUnderstand
property can be set as a Parameter on the Port Qualified Name
Binding in the deployment descriptor.  The
com.ibm.wsspi.wssecurity.config.response.forceMustUnderstandEqua
lsOne can be set as a Parameter on the Port Component Binding in
the deployment descriptor.  Properties set in the WS-Security
draft13 deployment descriptor take precedence over those set in
the default binding.


If using a JAX-WS application on WebSphere Application Server
Version 6.1 Feature Pack for Web Services, these properties can
be set as parameters or outbound binding properties on your
application using wsadmin. The following WS-Security policy type
property names are used in setBinding

application.parameters
application.securityoutboundbindingconfig.properties

Properties in
application.securityoutboundbindingconfig.properties take
precendence over those in application.parameters.  Properties
set in WS-Security custom bindings take precedence over those
set in the WS-Security default policy set bindings.

Following is an example of the wsadmin commands to get the id of
the policy set attachment for a consumer, then set the
com.ibm.wsspi.wssecurity.config.request.setMustUnderstand
property to false in the outbound binding config:


$AdminTask getPolicySetAttachments {-applicationName
HelloSvcClientEAR  -attachmentType client}

{ {pattern.0
WebService:/HelloSvcClient.war:{http://ibm.com/HelloSvc/}HelloSv
c} {name testPolicy} {binding testBinding} {id 1557} }


$AdminTask setBinding {-policyType WSSecurity -bindingLocation
"{ {application HelloSvcClientEAR} {attachmentId 1557} }"
-attributes "{
{application.securityoutboundbindingconfig.properties_999.name
com.ibm.wsspi.wssecurity.config.request.setMustUnderstand}
{application.securityoutboundbindingconfig.properties_999.value
false}  }" -attachmentType client}


Note that the web services security custom properties for
JAX-RPC applications can only be set with the administrative
console or an assembly tool, not with wsadmin.  At this time,
the top-level WS-Security policy type properties for JAX-WS
applications (application.parameters,
application.securityoutboundbindingconfig.properties, and
application.securityinboundbindingconfig.properties) can only be
set with wsadmin.

The fix for this APAR is currently targeted for inclusion in
fixpacks 6.0.2.29 and 6.1.0.19.  Please refer to the Recommended
Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Temporary fix

Comments

APAR Information

APAR number
PK56523
Reported component name
WEBSPH APP SERV
Reported component ID
5724J0800
Reported release
60W
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2007-11-13
Closed date
2008-04-24
Last modified date
2008-05-12

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name
WEBSPH APP SERV
Fixed component ID
5724J0800

Applicable component levels

R60A PSY
UP
R60H PSY
UP
R60I PSY
UP
R60P PSY
UP
R60S PSY
UP
R60W PSY
UP
R60Z PSY
UP
R61A PSY
UP
R61H PSY
UP
R61I PSY
UP
R61P PSY
UP
R61S PSY
UP
R61W PSY
UP
R61Z PSY
UP

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"6.0","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
29 December 2021

Tips

PK56523: NOT ABLE TO CONFIGURE "MUSTUNDERSTAND=0" IN THE WSSE:SECURITY HEADER SENT BY THE WEB SERVICES CLIENT.

Fixes are available

Subscribe

APAR status

Closed as program error.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name

Fixed component ID

Applicable component levels

R60A PSY

R60H PSY

R60I PSY

R60P PSY

R60S PSY

R60W PSY

R60Z PSY

R61A PSY

R61H PSY

R61I PSY

R61P PSY

R61S PSY

R61W PSY

R61Z PSY

Document Information

Share your feedback

Need support?