Fixes are available
8.0.0.11: WebSphere Application Server V8.0 Fix Pack 11
8.5.5.7: WebSphere Application Server V8.5.5 Fix Pack 7
7.0.0.39: WebSphere Application Server V7.0 Fix Pack 39
8.5.5.8: WebSphere Application Server V8.5.5 Fix Pack 8
8.0.0.12: WebSphere Application Server V8.0 Fix Pack 12
8.5.5.9: WebSphere Application Server V8.5.5 Fix Pack 9
7.0.0.41: WebSphere Application Server V7.0 Fix Pack 41
8.5.5.10: WebSphere Application Server V8.5.5 Fix Pack 10
8.5.5.11: WebSphere Application Server V8.5.5 Fix Pack 11
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
7.0.0.43: WebSphere Application Server V7.0 Fix Pack 43
8.5.5.12: WebSphere Application Server V8.5.5 Fix Pack 12
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.39: Java SDK 1.6 SR16 FP7 Cumulative Fix for WebSphere Application Server
7.0.0.41: Java SDK 1.6 SR16 FP20 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
8.5.5.15: WebSphere Application Server V8.5.5 Fix Pack 15
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
8.5.5.20: WebSphere Application Server V8.5.5.20
8.5.5.18: WebSphere Application Server V8.5.5 Fix Pack 18
8.5.5.19: WebSphere Application Server V8.5.5 Fix Pack 19
8.5.5.16: WebSphere Application Server V8.5.5 Fix Pack 16
8.5.5.21: WebSphere Application Server V8.5.5.21
APAR status
Closed as program error.
Error description
When a provider application exposes web services that require SAML tokens for authentication, an out-of-memory condition may occur. The AuthenticationCache contains SAML tokens that have retained the JAXBContext object, causing extraordinarily large SAML token objects in the AuthenticationCache.
Local fix
N/A
Problem summary
USERS AFFECTED: IBM WebSphere Application Server administrators of WS-Security enabled JAX-WS web services and SAML
PROBLEM DESCRIPTION: When there is an SAML caller token in JAX-WS WS-Security, a memory leak may occur.
RECOMMENDATION: Install a fix pack that contains this APAR.
In JAX-WS WS-Security, when there is an SAML token in a caller configuration, a memory leak may occur. This issue also exists for LTPA tokens and was fixed under APAR PM84740.
Problem conclusion
When WS-Security has a caller configuration for a token, both the identity obtained from the token and the token itself are put on the runAs subject. The token is also put in the authentication cache.
When a token consumer retrieves its token from a SOAP message, a copy of the token is made that is detached from the SOAP message so that a reference to the SOAP message does not follow the token around. When the SAML token consumer performs this copy, the SOAP message does not detach from the copy. Because of this, when the SAML token copy is put in the authentication cache, an object the size of the original SOAP message is put in the cache instead of an object the size of the SAML token.
The WS-Security runtime is updated: Before the runtime puts the SAML token in the authentication cache, a different method is used to make a copy of the SAML token that successfully detaches the SOAP message.
The fix for this APAR is currently targeted for inclusion in fix packs 7.0.0.39, 8.0.0.11 and 8.5.5.6. Please refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
Keywords: IBMWL3WSS, WSSEC, SAMLWSSEC
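The failure mode described above, shown with the standard Java DOM API as an added illustration. This is not WebSphere code, and the page does not say which copy method the runtime uses. The class name, element names and envelope are constructed for the example.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;

public class DetachedTokenCopy {
    // Constructed sample: a SOAP-like envelope whose body dwarfs the token.
    static String sampleEnvelope() {
        StringBuilder body = new StringBuilder();
        for (int i = 0; i < 20000; i++) {
            body.append("<item>payload</item>");
        }
        return "<Envelope><Header><Assertion ID=\"constructed-1\">"
             + "<Subject>alice</Subject></Assertion></Header>"
             + "<Body>" + body + "</Body></Envelope>";
    }

    // Element count of the copy's owner document: a rough proxy for what
    // a cache entry holding the copy keeps reachable on the heap.
    static int reachableElements(Element copy) {
        return copy.getOwnerDocument().getElementsByTagName("*").getLength();
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder builder =
            DocumentBuilderFactory.newInstance().newDocumentBuilder();
        Document message = builder.parse(
            new InputSource(new StringReader(sampleEnvelope())));
        Element token =
            (Element) message.getElementsByTagName("Assertion").item(0);

        // Copy that stays attached: cloneNode keeps the original owner
        // document, so the whole message remains reachable from the copy.
        Element attached = (Element) token.cloneNode(true);

        // Detached copy: import the token into a fresh document that
        // contains nothing else, then hold only that document's element.
        Document standalone = builder.newDocument();
        Element detached = (Element) standalone.importNode(token, true);
        standalone.appendChild(detached);

        System.out.println("attached copy reaches "
            + reachableElements(attached) + " elements");
        System.out.println("detached copy reaches "
            + reachableElements(detached) + " elements");
    }
}
```

In a heap dump, the same pattern shows up as cache entries whose retained size tracks the request message size rather than the token size.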
Temporary fix
Comments
APAR Information
APAR number
PI32262
Reported component name
WEBSPHERE APP S
Reported component ID
5724J0800
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2015-01-06
Closed date
2015-01-29
Last modified date
2015-09-24
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBSPHERE APP S
Fixed component ID
5724J0800
Applicable component levels
R700 PSY
UP
R800 PSY
UP
R850 PSY
UP
Document Information
Modified date:
28 April 2022