PI07877: ADD SAML APIS TO ADD ATTRIBUTES AND RE-SIGN THE TOKEN

Fixes are available

APAR status

Closed as new function.

Error description

Add SAML APIs to add attributes and re-sign the token

Local fix

Problem summary

****************************************************************
* USERS AFFECTED:  IBM WebSphere Application Server users of   *
*                  WS-Security SAML APIs                       *
****************************************************************
* PROBLEM DESCRIPTION: After a SAMLToken object has been       *
*                      created, attributes cannot be added     *
*                      to or deleted from the object or the    *
*                      token re-signed.                        *
****************************************************************
* RECOMMENDATION:  Install a fix pack that contains this       *
*                  APAR.                                       *
****************************************************************
After a WS-Security SAMLToken object has been created, SAML
attributes cannot be added to or deleted from the object.
There are use cases where the ability to do this is necessary.
After SAML attributes are added to or deleted from a SAMLToken
object, any digital signature contained within the token will
become invalid so the ability to re-sign the token must also
be included in order to properly support the modification of
attributes.

Problem conclusion

SAMLToken are added to add and delete SAML attributes from a
SAMLToken object.  SAMLTokenFactory APIs are added to add or
update the digital signature on a SAMLToken object.

The following methods are added to the
com.ibm.websphere.wssecurity.wssapi.token.SAMLTokenFactory
interface:

public abstract SAMLToken newSAMLToken(SAMLToken aSAMLToken,
RequesterConfig request, ProviderConfig providerConfig )
throws WSSException;
public abstract SAMLToken newSAMLToken(SAMLToken aSAMLToken);
public static KeyInformationConfig
newKeyInformationConfig(String alias, String keyPass, String
keyName) throws WSSException;


The following methods are added to the
com.ibm.websphere.wssecurity.wssapi.token.SAMLToken interface:

public void addSAMLAttribute(SAMLAttribute attr) throws
Exception;
public void addSAMLAttribute(List<SAMLAttribute> attrList)
throws Exception;
public void deleteSAMLAttribute(SAMLAttribute attr) throws
Exception;


The details of the methods added to the
com.ibm.websphere.wssecurity.wssapi.token.SAMLTokenFactory
interface are:

---------------
public abstract SAMLToken newSAMLToken( SAMLToken aSAMLToken,
RequesterConfig request, ProviderConfig providerConfig )
throws WSSException;

Create a SAMLToken object based on the input SAMLToken and new
signature data.  The new token is a clone of the original
token with the signature element removed and a new signature
added based on the input credentials.

Since you are in essence re-issuing the token with your new
signature, the issuer name that is in the ProviderConfig
object will be set on the new SAML token.  The issuer name
will default to the value in SamlIssuerConfig.properties.  You
can override that value with the
ProviderConfig.setIssuerURI(String) method.  If you want to
maintain the value in the original token, you must query the
value from the original token with
SAMLToken.getSAMLIssuerName() then set it on the
ProviderConfig.

Time-based attributes such as IssueInstant, NotBefore, and
NotOnOrAfter will not be modified from the values in the
original token.

This method can be used to re-sign a signed token after
modifying attributes using SAMLToken.addAttribute and
SAMLToken.deleteAttribute.  This method cannot be used with an
encrypted SAMLToken.

This method requires the
SecurityPermission("wssapi.SAMLTokenFactory.newSAMLToken")
Java Security permission.

Parameters:
  aSAMLToken - contains the original SAMLToken to be re-signed
  request - contains data that describes what kind of
assertion should be created.
  providerConfig - describes issuer, like Signing KeyInfo and
Encryption KeyInfo.
Returns:
  SAMLToken. That can be used to initiate service requests.

---------------
public abstract SAMLToken newSAMLToken( SAMLToken aSAMLToken);

Create a SAMLToken object that is a clone of the input
SAMLToken object.

Parameters:
  aSAMLToken - SAMLToken to copy
Returns:
  SAMLToken. That can be used to initiate service requests.

---------------
public static KeyInformationConfig newKeyInformationConfig(
String alias, String keyPass, String keyName) throws
WSSException;

Create a KeyInformationConfig that encapsulates KeyInformation
configuration attributes.

Parameters:
  alias - is a String that represents type of alias of the key
  keyPass - is a String that represents the password for the key
  keyName - is a String that represents the name for the key
Returns:
  A default embedded KeyInformationConfig that encapsulates
the following attributes: the alias, keyPass, and keyName.

===============
The details of the methods added to the
com.ibm.websphere.wssecurity.wssapi.token.SAMLToken interface
are:

---------------
public void addSAMLAttribute(SAMLAttribute attr) throws
Exception;

Adds a SAMLAttribute to the SAML token.  If more than one
AttributeStatment exists in the SAML token, the new attribute
will be added to the first AttributeStatement in the XML.
Since adding attributes to a token will invalidate a digital
signature, if a digital signature is present in the XML, it
will be removed.

Encrypted Assertions and encrypted attributes are not supported.

If you want the SAML token to contain a digital signature,
after the token has been modified, create a new SAMLToken
using SAMLTokenFactory.newSAMLToken(SAMLToken,
RequesterConfig, ProviderConfig).

This method requires the
SecurityPermission("wssapi.SAMLToken.getSAMLAttributes") Java
Security permission.

Parameters:
  attr - is the SAMLAttribute to add to the token

---------------
public void addSAMLAttribute(List<SAMLAttribute> attrList)
throws Exception;

Adds a list of SAMLAttributes to the SAML token.  If more than
one AttributeStatment exists in the SAML token, the new
attributes will be added to the first AttributeStatement in
the XML.  Since adding attributes to a token will invalidate a
digital signature, if a digital signature is present in the
XML, it will be removed.

Encrypted Assertions and encrypted attributes are not supported.

If you want the SAML token to contain a digital signature,
after the token has been modified, create a new SAMLToken
using SAMLTokenFactory.newSAMLToken(SAMLToken,
RequesterConfig, ProviderConfig).

This method requires the
SecurityPermission("wssapi.SAMLToken.getSAMLAttributes") Java
Security permission.


Parameters:
  attrList - is the List of SAMLAttributes to add to the token

---------------
public void deleteSAMLAttribute(SAMLAttribute attr) throws
Exception;

Delete a SAMLAttribute that matches the input from a SAML
token.  For a SAML 2.0 token, the Name, FriendlyName,
and NameFormat will be matched.  For a SAML 1.1 token, the
AttributeName and AttributeNamespace will be matched; all
other fields will be ignored.  All matching SAMLAttributes
will be deleted.  Since deleting an attribute from a token
will invalidate a digital signature, if a digital signature is
present in the XML, it will be removed.

Encrypted Assertions and encrypted attributes are not supported.

If you want the SAML token to contain a digital signature,
after the token has been modified, create a new SAMLToken
using SAMLTokenFactory.newSAMLToken(SAMLToken,
RequesterConfig, ProviderConfig).

This method requires the
SecurityPermission("wssapi.SAMLToken.getSAMLAttributes") Java
Security permission.

Parameters:
  attr - is the SAMLAttribute to delete from the token


===============
Sample code of re-signing a SAMLToken using the the
com.ibm.websphere.wssecurity.wssapi.token.SAMLToken interface:

SAMLTokenFactory samlFactory =
SAMLTokenFactory.getInstance(SAMLTokenFactory.WssSamlV20Token11)
;

// 1. Create RequesterConfig object.
RequesterConfig reqData =
 samlFactory.newBearerTokenGenerateConfig();
// -or-
RequesterConfig reqData =
 samlFactory.newSenderVouchesTokenGenerateConfig();

// 2. Create ProviderConfig object which will specify the key
// store and key for SAML signing. The object will initialize
// with the settings from the SAMLIssuerConfig.properties
// file.
ProviderConfig samlIssuerCfg =
 samlFactory.newDefaultProviderConfig();

// 3. (Optional) If you want to use keystore and/or key
// properties other than what are set in the
// SAMLIssuerConfig.properties file, reset the keystore
// and key information in the ProviderConfig object.
KeyStoreConfig ksc = samlFactory.newKeyStoreConfig( "jks",
"$WAS_HOME/profiles/$PROFILE/etc/ws-security/samples/dsig-sender
.ks, "client");
samlIssuerCfg.setKeyStoreConfig(ksc);
KeyInformationConfig kic =
 samlFactory.newKeyInformationConfig("soaprequester", "client",
 "SOAPRequester");
samlIssuerCfg.setKeyInformationConfig(kic);

// 4. (Optional) If you want to use issuer name/format values
// other than the ones specified in
// SamlIssuerConfig.properties, do the following:
samlIssuerCfg.setIssuerURI("myIssuerURI");

//Only supported on SAML 2.0 tokens:
samlIssuerCfg.setIssuerFormat("myIssuerFormat");

// 5. (Optional) If you want to ensure that the original
// issuer is maintained on the token and that issuer does
// not match what is in SamlIssuerConfig.properties,
// do the following:
samlIssuerCfg.setIssuerURI(originalSamlToken.getSAMLIssuerName()
);

// Create a new SAML token that is a clone of the original,
// but a new signature
SAMLToken resignedSamlToken =
 samlFactory.newSAMLToken(originalSamlToken, reqData,
 samlIssuerCfg);


The fix for this APAR is currently targeted for inclusion in
fix packs 7.0.0.33, 8.0.0.9, and 8.5.5.2.  Please refer to the
Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Temporary fix

Comments

APAR Information

APAR number
PI07877
Reported component name
WEBSPHERE APP S
Reported component ID
5724J0800
Reported release
700
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2013-12-12
Closed date
2014-01-15
Last modified date
2014-01-15

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name
WEBSPHERE APP S
Fixed component ID
5724J0800

Applicable component levels

R700 PSY
UP
R800 PSY
UP
R850 PSY
UP

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.0","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
28 April 2022

Tips

PI07877: ADD SAML APIS TO ADD ATTRIBUTES AND RE-SIGN THE TOKEN

Fixes are available

Subscribe

APAR status

Closed as new function.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name

Fixed component ID

Applicable component levels

R700 PSY

R800 PSY

R850 PSY

Document Information

Share your feedback

Need support?