Fixes are available
8.5.5.2: WebSphere Application Server V8.5.5 Fix Pack 2
7.0.0.33: WebSphere Application Server V7.0 Fix Pack 33
8.0.0.9: WebSphere Application Server V8.0 Fix Pack 9
8.5.5.3: WebSphere Application Server V8.5.5 Fix Pack 3
7.0.0.35: WebSphere Application Server V7.0 Fix Pack 35
8.5.5.4: WebSphere Application Server V8.5.5 Fix Pack 4
8.0.0.10: WebSphere Application Server V8.0 Fix Pack 10
7.0.0.37: WebSphere Application Server V7.0 Fix Pack 37
8.5.5.5: WebSphere Application Server V8.5.5 Fix Pack 5
8.5.5.6: WebSphere Application Server V8.5.5 Fix Pack 6
8.0.0.11: WebSphere Application Server V8.0 Fix Pack 11
8.5.5.7: WebSphere Application Server V8.5.5 Fix Pack 7
7.0.0.39: WebSphere Application Server V7.0 Fix Pack 39
8.5.5.8: WebSphere Application Server V8.5.5 Fix Pack 8
8.0.0.12: WebSphere Application Server V8.0 Fix Pack 12
8.5.5.9: WebSphere Application Server V8.5.5 Fix Pack 9
7.0.0.41: WebSphere Application Server V7.0 Fix Pack 41
8.5.5.10: WebSphere Application Server V8.5.5 Fix Pack 10
8.5.5.11: WebSphere Application Server V8.5.5 Fix Pack 11
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
7.0.0.43: WebSphere Application Server V7.0 Fix Pack 43
8.5.5.12: WebSphere Application Server V8.5.5 Fix Pack 12
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.35: Java SDK 1.6 SR16 FP1 Cumulative Fix for WebSphere Application Server
7.0.0.37: Java SDK 1.6 SR16 FP3 Cumulative Fix for WebSphere Application Server
7.0.0.39: Java SDK 1.6 SR16 FP7 Cumulative Fix for WebSphere Application Server
7.0.0.41: Java SDK 1.6 SR16 FP20 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
8.5.5.15: WebSphere Application Server V8.5.5 Fix Pack 15
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
8.5.5.20: WebSphere Application Server V8.5.5.20
8.5.5.18: WebSphere Application Server V8.5.5 Fix Pack 18
8.5.5.19: WebSphere Application Server V8.5.5 Fix Pack 19
8.5.5.16: WebSphere Application Server V8.5.5 Fix Pack 16
8.5.5.21: WebSphere Application Server V8.5.5.21
APAR status
Closed as new function.
Error description
Add SAML APIs to add attributes and re-sign the token
Local fix
Problem summary
USERS AFFECTED: IBM WebSphere Application Server users of WS-Security SAML APIs

PROBLEM DESCRIPTION: After a SAMLToken object has been created, attributes cannot be added to or deleted from the object or the token re-signed.

RECOMMENDATION: Install a fix pack that contains this APAR.

After a WS-Security SAMLToken object has been created, SAML attributes cannot be added to or deleted from the object. There are use cases where the ability to do this is necessary. After SAML attributes are added to or deleted from a SAMLToken object, any digital signature contained within the token becomes invalid, so the ability to re-sign the token must also be included in order to properly support the modification of attributes.
Problem conclusion
SAMLToken APIs are added to add and delete SAML attributes from a SAMLToken object. SAMLTokenFactory APIs are added to add or update the digital signature on a SAMLToken object.

The following methods are added to the com.ibm.websphere.wssecurity.wssapi.token.SAMLTokenFactory interface:

public abstract SAMLToken newSAMLToken(SAMLToken aSAMLToken, RequesterConfig request, ProviderConfig providerConfig) throws WSSException;
public abstract SAMLToken newSAMLToken(SAMLToken aSAMLToken);
public static KeyInformationConfig newKeyInformationConfig(String alias, String keyPass, String keyName) throws WSSException;

The following methods are added to the com.ibm.websphere.wssecurity.wssapi.token.SAMLToken interface:

public void addSAMLAttribute(SAMLAttribute attr) throws Exception;
public void addSAMLAttribute(List<SAMLAttribute> attrList) throws Exception;
public void deleteSAMLAttribute(SAMLAttribute attr) throws Exception;

The details of the methods added to the com.ibm.websphere.wssecurity.wssapi.token.SAMLTokenFactory interface are:

---------------
public abstract SAMLToken newSAMLToken(SAMLToken aSAMLToken, RequesterConfig request, ProviderConfig providerConfig) throws WSSException;

Creates a SAMLToken object based on the input SAMLToken and new signature data. The new token is a clone of the original token with the signature element removed and a new signature added based on the input credentials. Since you are in essence re-issuing the token with your new signature, the issuer name that is in the ProviderConfig object is set on the new SAML token. The issuer name defaults to the value in SAMLIssuerConfig.properties. You can override that value with the ProviderConfig.setIssuerURI(String) method. If you want to maintain the value in the original token, you must query the value from the original token with SAMLToken.getSAMLIssuerName() and then set it on the ProviderConfig.

Time-based attributes such as IssueInstant, NotBefore, and NotOnOrAfter are not modified from the values in the original token. This method can be used to re-sign a signed token after modifying attributes with SAMLToken.addSAMLAttribute and SAMLToken.deleteSAMLAttribute. This method cannot be used with an encrypted SAMLToken. This method requires the SecurityPermission("wssapi.SAMLTokenFactory.newSAMLToken") Java Security permission.

Parameters:
aSAMLToken - the original SAMLToken to be re-signed
request - data that describes what kind of assertion should be created
providerConfig - describes the issuer, such as the signing KeyInfo and encryption KeyInfo

Returns: a SAMLToken that can be used to initiate service requests.

---------------
public abstract SAMLToken newSAMLToken(SAMLToken aSAMLToken);

Creates a SAMLToken object that is a clone of the input SAMLToken object.

Parameters:
aSAMLToken - the SAMLToken to copy

Returns: a SAMLToken that can be used to initiate service requests.

---------------
public static KeyInformationConfig newKeyInformationConfig(String alias, String keyPass, String keyName) throws WSSException;

Creates a KeyInformationConfig that encapsulates KeyInformation configuration attributes.

Parameters:
alias - a String that represents the alias of the key
keyPass - a String that represents the password for the key
keyName - a String that represents the name for the key

Returns: a default embedded KeyInformationConfig that encapsulates the alias, keyPass, and keyName.

===============
The details of the methods added to the com.ibm.websphere.wssecurity.wssapi.token.SAMLToken interface are:

---------------
public void addSAMLAttribute(SAMLAttribute attr) throws Exception;

Adds a SAMLAttribute to the SAML token. If more than one AttributeStatement exists in the SAML token, the new attribute is added to the first AttributeStatement in the XML. Since adding attributes to a token invalidates a digital signature, any digital signature present in the XML is removed. Encrypted Assertions and encrypted attributes are not supported. If you want the SAML token to contain a digital signature after the token has been modified, create a new SAMLToken using SAMLTokenFactory.newSAMLToken(SAMLToken, RequesterConfig, ProviderConfig). This method requires the SecurityPermission("wssapi.SAMLToken.getSAMLAttributes") Java Security permission.

Parameters:
attr - the SAMLAttribute to add to the token

---------------
public void addSAMLAttribute(List<SAMLAttribute> attrList) throws Exception;

Adds a list of SAMLAttributes to the SAML token. If more than one AttributeStatement exists in the SAML token, the new attributes are added to the first AttributeStatement in the XML. Since adding attributes to a token invalidates a digital signature, any digital signature present in the XML is removed. Encrypted Assertions and encrypted attributes are not supported. If you want the SAML token to contain a digital signature after the token has been modified, create a new SAMLToken using SAMLTokenFactory.newSAMLToken(SAMLToken, RequesterConfig, ProviderConfig). This method requires the SecurityPermission("wssapi.SAMLToken.getSAMLAttributes") Java Security permission.

Parameters:
attrList - the List of SAMLAttributes to add to the token

---------------
public void deleteSAMLAttribute(SAMLAttribute attr) throws Exception;

Deletes every SAMLAttribute that matches the input from a SAML token. For a SAML 2.0 token, the Name, FriendlyName, and NameFormat are matched. For a SAML 1.1 token, the AttributeName and AttributeNamespace are matched; all other fields are ignored. All matching SAMLAttributes are deleted. Since deleting an attribute from a token invalidates a digital signature, any digital signature present in the XML is removed. Encrypted Assertions and encrypted attributes are not supported. If you want the SAML token to contain a digital signature after the token has been modified, create a new SAMLToken using SAMLTokenFactory.newSAMLToken(SAMLToken, RequesterConfig, ProviderConfig). This method requires the SecurityPermission("wssapi.SAMLToken.getSAMLAttributes") Java Security permission.

Parameters:
attr - the SAMLAttribute to delete from the token

===============
Sample code for re-signing a SAMLToken using the com.ibm.websphere.wssecurity.wssapi.token.SAMLToken interface:

SAMLTokenFactory samlFactory = SAMLTokenFactory.getInstance(SAMLTokenFactory.WssSamlV20Token11);

// 1. Create the RequesterConfig object.
RequesterConfig reqData = samlFactory.newBearerTokenGenerateConfig();
// -or-
// RequesterConfig reqData = samlFactory.newSenderVouchesTokenGenerateConfig();

// 2. Create the ProviderConfig object, which specifies the key store and key
//    for SAML signing. The object is initialized with the settings from the
//    SAMLIssuerConfig.properties file.
ProviderConfig samlIssuerCfg = samlFactory.newDefaultProviderConfig();

// 3. (Optional) If you want to use keystore and/or key properties other than
//    what are set in the SAMLIssuerConfig.properties file, reset the keystore
//    and key information in the ProviderConfig object.
KeyStoreConfig ksc = samlFactory.newKeyStoreConfig("jks",
        "$WAS_HOME/profiles/$PROFILE/etc/ws-security/samples/dsig-sender.ks", "client");
samlIssuerCfg.setKeyStoreConfig(ksc);
KeyInformationConfig kic = samlFactory.newKeyInformationConfig("soaprequester", "client", "SOAPRequester");
samlIssuerCfg.setKeyInformationConfig(kic);

// 4. (Optional) If you want to use issuer name/format values other than the
//    ones specified in SAMLIssuerConfig.properties, do the following:
samlIssuerCfg.setIssuerURI("myIssuerURI");
// Only supported on SAML 2.0 tokens:
samlIssuerCfg.setIssuerFormat("myIssuerFormat");

// 5. (Optional) If you want to ensure that the original issuer is maintained
//    on the token and that issuer does not match what is in
//    SAMLIssuerConfig.properties, do the following (originalSamlToken is the
//    signed SAMLToken that is to be re-signed):
samlIssuerCfg.setIssuerURI(originalSamlToken.getSAMLIssuerName());

// Create a new SAML token that is a clone of the original, but with a new signature.
SAMLToken resignedSamlToken = samlFactory.newSAMLToken(originalSamlToken, reqData, samlIssuerCfg);

The fix for this APAR is currently targeted for inclusion in fix packs 7.0.0.33, 8.0.0.9, and 8.5.5.2. Please refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
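A worked example of the modify-then-re-sign flow the method descriptions above lay out, added here and not part of the APAR or IBM's own sample: it clones a received SAML 2.0 token, replaces a "role" attribute (delete then add, each of which strips the old signature), re-signs with the default issuer key while carrying the original issuer name over, and checks the result before returning it. The SAMLAttribute constructor argument order, the getSAMLAttributes()/getName() accessors, and the com.ibm.wsspi.wssecurity.saml.config package for ProviderConfig/RequesterConfig are assumptions to check against the WebSphere Javadoc for your release.

```java
import com.ibm.websphere.wssecurity.wssapi.token.SAMLAttribute;
import com.ibm.websphere.wssecurity.wssapi.token.SAMLToken;
import com.ibm.websphere.wssecurity.wssapi.token.SAMLTokenFactory;
import com.ibm.wsspi.wssecurity.saml.config.ProviderConfig;
import com.ibm.wsspi.wssecurity.saml.config.RequesterConfig;

// Added example, not from the APAR. Assumed (check your WebSphere Javadoc):
// SAMLAttribute(name, values, xmlValues, attributeNamespace, nameFormat,
// friendlyName) constructor and the getSAMLAttributes()/getName() accessors.
public class SamlAttributeResigner {
    static final String BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic";

    /** Returns a re-signed clone of original that carries the given role values. */
    public static SAMLToken addRolesAndResign(SAMLToken original, String[] roles)
            throws Exception {
        SAMLTokenFactory factory =
                SAMLTokenFactory.getInstance(SAMLTokenFactory.WssSamlV20Token11);

        // deleteSAMLAttribute matches Name, NameFormat and FriendlyName on a SAML 2.0
        // token (AttributeName/AttributeNamespace on 1.1), so set all of them.
        SAMLAttribute roleAttr = new SAMLAttribute("role", roles, null, null, BASIC, "Role");

        // Work on a clone so the caller's token and its signature stay untouched.
        SAMLToken working = factory.newSAMLToken(original);

        // Drop stale "role" values, then add the new ones. Either call removes the
        // existing signature, which these edits have invalidated anyway.
        working.deleteSAMLAttribute(roleAttr);
        working.addSAMLAttribute(roleAttr);

        // Re-sign with the key from SAMLIssuerConfig.properties. newSAMLToken stamps
        // the ProviderConfig issuer onto the clone, so carry the original issuer over.
        RequesterConfig reqCfg = factory.newSenderVouchesTokenGenerateConfig();
        ProviderConfig issuerCfg = factory.newDefaultProviderConfig();
        issuerCfg.setIssuerURI(original.getSAMLIssuerName());
        SAMLToken resigned = factory.newSAMLToken(working, reqCfg, issuerCfg);

        // Post-conditions before the token leaves this code path.
        if (!original.getSAMLIssuerName().equals(resigned.getSAMLIssuerName())) {
            throw new IllegalStateException("issuer changed during re-sign");
        }
        boolean hasRole = false;
        for (SAMLAttribute a : resigned.getSAMLAttributes()) {
            hasRole |= "role".equals(a.getName());
        }
        if (!hasRole) throw new IllegalStateException("role attribute missing after re-sign");
        return resigned;
    }
}
```

With Java 2 security enabled, the caller needs the wssapi.SAMLToken.getSAMLAttributes and wssapi.SAMLTokenFactory.newSAMLToken SecurityPermissions named above, and the token must not be encrypted.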
Temporary fix
Comments
APAR Information
APAR number
PI07877
Reported component name
WEBSPHERE APP S
Reported component ID
5724J0800
Reported release
700
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2013-12-12
Closed date
2014-01-15
Last modified date
2014-01-15
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBSPHERE APP S
Fixed component ID
5724J0800
Applicable component levels
R700 PSY
UP
R800 PSY
UP
R850 PSY
UP
Document Information
Modified date:
28 April 2022