IBM Support

PI32579: ALLOW THE ONBEHALFOF OR ACTAS ELEMENTS IN AN STS REQUEST TO CONTAIN A SAML TOKEN

Fixes are available

8.5.5.6: WebSphere Application Server V8.5.5 Fix Pack 6
8.0.0.11: WebSphere Application Server V8.0 Fix Pack 11
8.5.5.7: WebSphere Application Server V8.5.5 Fix Pack 7
7.0.0.39: WebSphere Application Server V7.0 Fix Pack 39
8.5.5.8: WebSphere Application Server V8.5.5 Fix Pack 8
8.0.0.12: WebSphere Application Server V8.0 Fix Pack 12
8.5.5.9: WebSphere Application Server V8.5.5 Fix Pack 9
7.0.0.41: WebSphere Application Server V7.0 Fix Pack 41
8.5.5.10: WebSphere Application Server V8.5.5 Fix Pack 10
8.5.5.11: WebSphere Application Server V8.5.5 Fix Pack 11
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
7.0.0.43: WebSphere Application Server V7.0 Fix Pack 43
8.5.5.12: WebSphere Application Server V8.5.5 Fix Pack 12
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.39: Java SDK 1.6 SR16 FP7 Cumulative Fix for WebSphere Application Server
7.0.0.41: Java SDK 1.6 SR16 FP20 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
8.5.5.15: WebSphere Application Server V8.5.5 Fix Pack 15
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
8.5.5.20: WebSphere Application Server V8.5.5.20
8.5.5.18: WebSphere Application Server V8.5.5 Fix Pack 18
8.5.5.19: WebSphere Application Server V8.5.5 Fix Pack 19
8.5.5.16: WebSphere Application Server V8.5.5 Fix Pack 16
8.5.5.21: WebSphere Application Server V8.5.5.21


APAR status

  • Closed as new function.

Error description

  • Support OnBehalfOf and ActAs elements with a SAML Assertion in
    a Security Token Service (STS) request.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server            *
    *                  developers of WS-Security enabled JAX-WS    *
    *                  web services and SAML                       *
    ****************************************************************
    * PROBLEM DESCRIPTION: A method should exist to put a SAML     *
    *                      token in the OnBehalfOfElement or       *
    *                      ActAs elements of an STS request.       *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack that contains this APAR  *
    *                                                              *
    ****************************************************************
    The OnBehalfOf and ActAs elements in a Security Token Service
    (STS) request are not used by the WS-Security runtime.
    Scenarios exist where a SAML token must be passed in the
    OnBehalfOf or ActAs elements of an STS request.
    

Problem conclusion

  • The JAX-WS WS-Security runtime is updated to allow a SAML
    token to be inserted in the OnBehalfOf or ActAs elements of an
    STS request.  The token that is to be inserted must
    exist on the current runAs subject or in the JAAS login shared
    state object set by a custom login module stacked on
    com.ibm.ws.wssecurity.wssapi.token.impl.SAMLGenerateLoginModule.
    A SAML token on the JAAS login shared state object will take
    precedence over one on the runAs subject.
    
    The following properties are added to the SAML token generator
    callback handler:
    
    wstrustOnBehalfOfRequired
    wstrustOnBehalfOfTokenType
    wstrustOnBehalfOfReIssue
    
    wstrustActAsRequired
    wstrustActAsTokenType
    wstrustActAsReIssue
    
    Set wstrustOnBehalfOfRequired to true when a SAML token is to
    be inserted into an STS request in the OnBehalfOf element.
    
    Set wstrustActAsRequired to true when a SAML token is to be
    inserted into an STS request in the ActAs element.
    
    An STS request cannot contain both the OnBehalfOf and ActAs
    elements.  If both wstrustOnBehalfOfRequired and
    wstrustActAsRequired are set to true, only the OnBehalfOf
    element will be inserted into the STS request.
    
    Set either wstrustOnBehalfOfTokenType or
    wstrustActAsTokenType to the token type of the SAML token to
    insert into the message.  The following values can be used:
    
    http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
    http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
    
    wstrustOnBehalfOfTokenType and wstrustActAsTokenType default
    to the token type of the token being generated on the SAML
    generator callback handler.
    
    If the SAML token that is in the runAs subject needs to be
    re-issued using the signature and encryption settings in the
    callback handler, set one of the corresponding properties to
    true:
    
    wstrustOnBehalfOfReIssue
    wstrustActAsReIssue
    
    A SAML token that is obtained from the JAAS login shared state
    cannot be re-issued.
    
    The following method is added to
    com.ibm.websphere.wssecurity.wssapi.token.GenericSecurityTokenFactory
    to allow a custom JAAS login module stacked on
    com.ibm.ws.wssecurity.wssapi.token.impl.SAMLGenerateLoginModule
    to add a SAML token for OnBehalfOf or ActAs to the shared state:
    
    public void putBehalfOfTokenToSharedState(Map sharedState, SecurityToken token);
    
    
    The ActAs element in the trust request is only supported by
    WS-Trust 1.4.  The WebSphere WS-Security runtime does not
    support WS-Trust 1.4.  However, the ActAs element is the only
    element from the WS-Trust 1.4 namespace that the WS-Security
    runtime will send in an STS request.
    
    The fix for this APAR is currently targeted for inclusion in
    fix packs 7.0.0.39, 8.0.0.11 and 8.5.5.6.  Please refer to the
    Recommended Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    
    Keywords: IBMWL3WSS, WSSEC, SAMLWSSEC, TRUSTCLIENT
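As an added illustration (not code from this APAR or from IBM), a custom JAAS login module of the kind the text describes, stacked on SAMLGenerateLoginModule, that uses the new putBehalfOfTokenToSharedState method to stage a token for the OnBehalfOf element so that it takes precedence over the token on the runAs subject. The class name, GenericSecurityTokenFactory.getInstance(), and the rule for choosing the token (the first SAMLToken among the subject's private credentials) are assumptions.

```java
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import com.ibm.websphere.wssecurity.wssapi.token.GenericSecurityTokenFactory;
import com.ibm.websphere.wssecurity.wssapi.token.SAMLToken;
import com.ibm.websphere.wssecurity.wssapi.token.SecurityToken;

// Custom JAAS login module, to be stacked on
// com.ibm.ws.wssecurity.wssapi.token.impl.SAMLGenerateLoginModule. It stages a
// SAML token on the JAAS shared state; with wstrustOnBehalfOfRequired=true the
// runtime then uses that token for the OnBehalfOf element instead of the one
// on the runAs subject (shared state takes precedence, and is never re-issued).
public class OnBehalfOfSharedStateLoginModule implements LoginModule {
    private Subject subject;
    private Map<String, Object> sharedState;

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.sharedState = (Map<String, Object>) sharedState;
    }

    public boolean login() throws LoginException {
        SecurityToken delegated = selectToken(subject);
        if (delegated == null) {
            return true; // nothing staged: runtime falls back to the runAs subject token
        }
        try {
            // getInstance() is assumed; putBehalfOfTokenToSharedState is what this APAR adds.
            GenericSecurityTokenFactory.getInstance()
                .putBehalfOfTokenToSharedState(sharedState, delegated);
        } catch (Exception e) {
            throw new LoginException("cannot stage OnBehalfOf token: " + e.getMessage());
        }
        return true;
    }

    // Assumed selection rule: first SAMLToken among the subject's private
    // credentials. A real module would obtain the delegated token elsewhere.
    static SecurityToken selectToken(Subject s) {
        if (s == null) return null;
        Set<SAMLToken> tokens = s.getPrivateCredentials(SAMLToken.class);
        return tokens.isEmpty() ? null : tokens.iterator().next();
    }
    public boolean commit() { return true; }
    public boolean abort() { return true; }
    public boolean logout() { return true; }
}
```

Because a token taken from the shared state cannot be re-issued, the wstrustOnBehalfOfReIssue setting has no effect on a token staged this way.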
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI32579

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2015-01-12

  • Closed date

    2015-03-12

  • Last modified date

    2015-09-24

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R700 PSY

       UP

  • R800 PSY

       UP

  • R850 PSY

       UP


Document Information

Modified date:
27 April 2022