PK72440: WS-SECURITY FOR JAX-WS APPLICATIONS IS RETURNING NON-STANDARD FAULT CODES

Fixes are available

APAR status

Closed as program error.

Error description

Oasis Web Services Security (WSS) specifies faultstrings and
faultcodes to be used for specific security errors, but it does
not require implementations to use them. It even goes so far as
to say that that implementations may elect not to return errors
at all because the implementation may decide that returning a
security error reveals too much information about the security
framework to the consumer.

Consider the WebSphere generated faults attached below. They
are raised by WebSphere JAX-RPC and JAX-WS services.

Suppose a service provider uses WebSphere JAX-RPC and then
upgrades to WebSphere JAX-WS. The consumers of that service
provider might be correctly checking the faultcode to determine
if a security error occurred and taking specific action on that
faultcode. But when the service provider upgrades to WebSphere
JAX-WS, the service provider will then return a different
faultcode and faultstring for the same security errors. This is
effectively a contract change, which should not happen with an
implementation upgrade, and the client code will no longer
operate as before.


WebSphere 6.1 (JAX-RPC) - FailedAuthentication
===============
...
<soapenv:Fault xmlns:soapenv="http://schemas.xmlsoap.org/soap/
envelope/">
<faultcode xmlns:p55="http://docs.oasis-open.org/wss/2004/01/
oasis-200401-wss-wssecurity-secext-1.0.xsd">p55:FailedAuthent
ication</faultcode>
<faultstring>com.ibm.wsspi.wssecurity.SoapSecurityException:
WSEC6521E: Login failed. The exception is : javax.security.auth
.login.LoginException: WSEC6690E: Failed to check username
[cn=websphee,ou=people,o=ibm,c=us] and password in the
UserRegsitry: UserRegistryProcessor.checkRegistry()=false
</faultstring>
...

WebSphere 6.1 (JAX-WS) - Server.securityException
=======
...
<soapenv:Fault xmlns:axis2ns2="http://schemas.xmlsoap.org/
soap/envelope/">
<faultcode>axis2ns2:Server.securityException</faultcode>
<faultstring>CWWSS6521E: The Login failed because of an
exception: javax.security.auth.login.LoginException:
CWWSS7062E: Failed to check username [cn=websphee,ou=people,
o=ibm,c=us] and password in the UserRegsitry:
WSSUserRegistryProcessor.checkRegistry()=false</faultstring>
...

Local fix

Problem summary

****************************************************************
* USERS AFFECTED:  WebSphere Application Server users of       *
*                  WS-Security enabled JAX-WS service providers*
****************************************************************
* PROBLEM DESCRIPTION: WS-Security for JAX-WS applications     *
*                      is returning non-standard fault codes   *
****************************************************************
* RECOMMENDATION:  Install a fixpack containing this APAR      *
****************************************************************
WS-Security for JAX-WS applications is returning fault codes
that don't conform to the Oasis Web Services Security (WSS)
specification.  This presents a problem when a service
provider was originally implemented in JAX-RPC, then migrated
to JAX-WS.  Client applications may be relying on the WSS
standard fault codes that were being returned by the
JAX-RPC WS-Security runtime, but they are not being
returned by the JAX-WS WS-Security runtime.

For instance, a
<faultcode>axis2ns2:Server.securityException</faultcode>
fault code may be returned instead of a
<faultcode>{http://docs.oasis-open.org/wss/2004/01/oasis-200401-
wss-wssecurity-secext-1.0.xsd}FailedAuthentication</faultcode>
fault code.

Problem conclusion

The JAX-WS WS-Security runtime was updated to return Oasis Web
Services Security standard fault codes.

The WebSphere Application Server version 7 code was updated to
always return the standard WSS fault codes.

The WebSphere Application version 6.1 Feature Pack for Web
Services code was updated to only return WSS standard fault
codes when the following WS-Security custom property is set:

com.ibm.wsspi.wssecurity.login.useStandardFaultCodes=true

The property can be set to true or false.  The default value
is false.

In the WS-Security bindings, this property can be set on the
Custom Properties page.  You can find the Custom Properties
page in the custom bindings for an application or in the
WS-Security default binding as follows:

Services->Policy sets->Default policy set
bindings->WS-Security->Custom properties

This property can be set in the "Inbound Custom Properties"
or the "Inbound and Outbound Custom Properties".

The fix for this APAR is currently targeted for inclusion in
fixpack 6.1.0.23 and 7.0.0.1.  Please refer to the Recommended
Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Temporary fix

Comments

APAR Information

APAR number
PK72440
Reported component name
WEBSERVIC FEATU
Reported component ID
5724J0850
Reported release
610
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2008-09-18
Closed date
2008-11-17
Last modified date
2008-11-17

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name
WEBSERVIC FEATU
Fixed component ID
5724J0850

Applicable component levels

R610 PSY
UP

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"6.1","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
23 October 2021

Tips

PK72440: WS-SECURITY FOR JAX-WS APPLICATIONS IS RETURNING NON-STANDARD FAULT CODES

Fixes are available

Subscribe

APAR status

Closed as program error.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name

Fixed component ID

Applicable component levels

R610 PSY

Document Information

Share your feedback

Need support?