Fixes are available
8.5.5.6: WebSphere Application Server V8.5.5 Fix Pack 6
8.0.0.11: WebSphere Application Server V8.0 Fix Pack 11
8.5.5.7: WebSphere Application Server V8.5.5 Fix Pack 7
7.0.0.39: WebSphere Application Server V7.0 Fix Pack 39
8.5.5.8: WebSphere Application Server V8.5.5 Fix Pack 8
8.0.0.12: WebSphere Application Server V8.0 Fix Pack 12
8.5.5.9: WebSphere Application Server V8.5.5 Fix Pack 9
7.0.0.41: WebSphere Application Server V7.0 Fix Pack 41
8.5.5.10: WebSphere Application Server V8.5.5 Fix Pack 10
8.5.5.11: WebSphere Application Server V8.5.5 Fix Pack 11
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
7.0.0.43: WebSphere Application Server V7.0 Fix Pack 43
8.5.5.12: WebSphere Application Server V8.5.5 Fix Pack 12
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.39: Java SDK 1.6 SR16 FP7 Cumulative Fix for WebSphere Application Server
7.0.0.41: Java SDK 1.6 SR16 FP20 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
8.5.5.15: WebSphere Application Server V8.5.5 Fix Pack 15
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
8.5.5.20: WebSphere Application Server V8.5.5.20
8.5.5.18: WebSphere Application Server V8.5.5 Fix Pack 18
8.5.5.19: WebSphere Application Server V8.5.5 Fix Pack 19
8.5.5.16: WebSphere Application Server V8.5.5 Fix Pack 16
8.5.5.21: WebSphere Application Server V8.5.5.21
APAR status
Closed as new function.
Error description
Support OnBehalfOf and ActAs elements with a SAML Assertion in a Security Token Service (STS) request.
Local fix
Problem summary
****************************************************************
* USERS AFFECTED:  IBM WebSphere Application Server            *
*                  developers of WS-Security enabled JAX-WS    *
*                  web services and SAML                       *
****************************************************************
* PROBLEM DESCRIPTION: A method should exist to put a SAML     *
*                      token in the OnBehalfOf or              *
*                      ActAs element of an STS request.        *
****************************************************************
* RECOMMENDATION: Install a fix pack that contains this APAR   *
*                                                              *
****************************************************************
The WS-Security runtime does not populate the OnBehalfOf or ActAs element of a Security Token Service (STS) request. Scenarios exist in which a SAML token must be passed in the OnBehalfOf or ActAs element of an STS request.
Problem conclusion
The JAX-WS WS-Security runtime is updated to allow a SAML token to be inserted in the OnBehalfOf or ActAs element of an STS request. The token to be inserted must exist either on the current runAs subject or in the JAAS login shared state object, where it is set by a custom login module stacked on com.ibm.ws.wssecurity.wssapi.token.impl.SAMLGenerateLoginModule. A SAML token in the JAAS login shared state takes precedence over one on the runAs subject.

The following properties are added to the SAML token generator callback handler:

wstrustOnBehalfOfRequired
wstrustOnBehalfOfTokenType
wstrustOnBehalfOfReIssue
wstrustActAsRequired
wstrustActAsTokenType
wstrustActAsReIssue

Set wstrustOnBehalfOfRequired to true when a SAML token is to be inserted into the OnBehalfOf element of an STS request. Set wstrustActAsRequired to true when a SAML token is to be inserted into the ActAs element. An STS request cannot contain both the OnBehalfOf and ActAs elements; if both wstrustOnBehalfOfRequired and wstrustActAsRequired are set to true, only the OnBehalfOf element is inserted into the STS request.

Set wstrustOnBehalfOfTokenType or wstrustActAsTokenType to the token type of the SAML token to insert into the message. The following values can be used:

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0

wstrustOnBehalfOfTokenType and wstrustActAsTokenType default to the token type of the token being generated by the SAML generator callback handler.

If the SAML token on the runAs subject must be re-issued using the signature and encryption settings in the callback handler, set the corresponding property to true:

wstrustOnBehalfOfReIssue
wstrustActAsReIssue

A SAML token obtained from the JAAS login shared state cannot be re-issued.

The following method is added to com.ibm.websphere.wssecurity.wssapi.token.GenericSecurityTokenFactory so that a custom JAAS login module stacked on com.ibm.ws.wssecurity.wssapi.token.impl.SAMLGenerateLoginModule can add a SAML token for OnBehalfOf or ActAs to the shared state:

public void putBehalfOfTokenToSharedState(Map sharedState, SecurityToken token);

The ActAs element in the trust request is defined only by WS-Trust 1.4. The WebSphere WS-Security runtime does not otherwise support WS-Trust 1.4; the ActAs element is the only element from the WS-Trust 1.4 namespace that the WS-Security runtime will send in an STS request.

The fix for this APAR is currently targeted for inclusion in fix packs 7.0.0.39, 8.0.0.11 and 8.5.5.6. Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Keywords: IBMWL3WSS, WSSEC, SAMLWSSEC, TRUSTCLIENT
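The following is an added example of the custom login module described above; it is not code from this APAR or from IBM. It selects a SAML token from the runAs subject by issuer and stages it on the JAAS shared state with putBehalfOfTokenToSharedState, the method this APAR adds. The package name, class name and the delegation.issuer option are assumptions made for the example. GenericSecurityTokenFactory.getInstance(), WSSubject.getRunAsSubject() and SAMLToken.getSAMLIssuerName() are taken from the WebSphere Application Server public API and are not mentioned on this page; check them against the Javadoc for your fix pack level.

```java
// Added example (not IBM's code): a custom JAAS login module stacked after
// com.ibm.ws.wssecurity.wssapi.token.impl.SAMLGenerateLoginModule in the
// SAML token generator's login configuration. It chooses one SAML token from
// the runAs subject and places it on the shared state, so the WS-Security
// runtime inserts that token in the OnBehalfOf or ActAs element of the STS
// request (selected by wstrustOnBehalfOfRequired / wstrustActAsRequired on
// the callback handler).
package com.example.wssec; // assumed package name

import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

import com.ibm.websphere.security.auth.WSSubject;
import com.ibm.websphere.wssecurity.wssapi.token.GenericSecurityTokenFactory;
import com.ibm.websphere.wssecurity.wssapi.token.SAMLToken;
import com.ibm.websphere.wssecurity.wssapi.token.SecurityToken;

public class DelegationTokenLoginModule implements LoginModule {

    // Assumed login-module option: issuer of the SAML token to delegate.
    // If it is not configured, the first SAML token on the subject is used.
    private static final String ISSUER_OPTION = "delegation.issuer";

    private Map<String, Object> sharedState;
    private Map<String, ?> options;

    @Override
    @SuppressWarnings("unchecked")
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.sharedState = (Map<String, Object>) sharedState;
        this.options = options;
    }

    @Override
    public boolean login() throws LoginException {
        String wantedIssuer = (String) options.get(ISSUER_OPTION);
        try {
            Subject runAs = WSSubject.getRunAsSubject();
            if (runAs == null) {
                throw new LoginException("no runAs subject; cannot select a delegation token");
            }
            SecurityToken chosen =
                selectToken(runAs.getPrivateCredentials(SAMLToken.class), wantedIssuer);
            if (chosen == null) {
                throw new LoginException("no SAML token from issuer " + wantedIssuer
                                         + " on the runAs subject");
            }
            // Method added by APAR PI32579. A token placed on the shared state
            // takes precedence over the runAs subject and cannot be re-issued,
            // so wstrustOnBehalfOfReIssue / wstrustActAsReIssue do not apply to it.
            GenericSecurityTokenFactory.getInstance()
                .putBehalfOfTokenToSharedState(sharedState, chosen);
            return true;
        } catch (LoginException e) {
            throw e;
        } catch (Exception e) {
            throw (LoginException) new LoginException("failed to stage delegation token")
                .initCause(e);
        }
    }

    // Pick the SAML token whose issuer matches; null issuer means "any".
    static SAMLToken selectToken(Set<SAMLToken> candidates, String wantedIssuer) {
        for (SAMLToken t : candidates) {
            if (wantedIssuer == null || wantedIssuer.equals(t.getSAMLIssuerName())) {
                return t;
            }
        }
        return null;
    }

    @Override public boolean commit() { return true; }
    @Override public boolean abort()  { return true; }
    @Override public boolean logout() { return true; }
}
```

Stack this module after SAMLGenerateLoginModule in the generator's JAAS login configuration and set wstrustOnBehalfOfRequired (or wstrustActAsRequired) to true on the SAML token generator callback handler. Because the module supplies the token through the shared state rather than the runAs subject, the runtime sends it as-is and the two ReIssue properties have no effect; if both Required properties are true, only the OnBehalfOf element is emitted.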
Temporary fix
Comments
APAR Information
APAR number
PI32579
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2015-01-12
Closed date
2015-03-12
Last modified date
2015-09-24
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
R700 PSY
UP
R800 PSY
UP
R850 PSY
UP
Document Information
Modified date:
27 April 2022