Fixes are available
7.0.0.25: WebSphere Application Server V7.0 Fix Pack 25
8.0.0.5: WebSphere Application Server V8.0 Fix Pack 5
7.0.0.27: WebSphere Application Server V7.0 Fix Pack 27
8.5.0.2: WebSphere Application Server V8.5 Fix Pack 2
8.0.0.6: WebSphere Application Server V8.0 Fix Pack 6
7.0.0.29: WebSphere Application Server V7.0 Fix Pack 29
8.0.0.7: WebSphere Application Server V8.0 Fix Pack 7
8.0.0.8: WebSphere Application Server V8.0 Fix Pack 8
7.0.0.31: WebSphere Application Server V7.0 Fix Pack 31
7.0.0.27: Java SDK 1.6 SR13 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.33: WebSphere Application Server V7.0 Fix Pack 33
8.0.0.9: WebSphere Application Server V8.0 Fix Pack 9
7.0.0.35: WebSphere Application Server V7.0 Fix Pack 35
8.0.0.10: WebSphere Application Server V8.0 Fix Pack 10
7.0.0.37: WebSphere Application Server V7.0 Fix Pack 37
8.0.0.11: WebSphere Application Server V8.0 Fix Pack 11
7.0.0.39: WebSphere Application Server V7.0 Fix Pack 39
8.0.0.12: WebSphere Application Server V8.0 Fix Pack 12
7.0.0.41: WebSphere Application Server V7.0 Fix Pack 41
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
7.0.0.43: WebSphere Application Server V7.0 Fix Pack 43
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
7.0.0.25: Java SDK 1.6 SR11 Cumulative Fix for WebSphere Application Server
7.0.0.27: Java SDK 1.6 SR12 Cumulative Fix for WebSphere Application Server
7.0.0.29: Java SDK 1.6 SR13 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.31: Java SDK 1.6 SR15 Cumulative Fix for WebSphere Application Server
7.0.0.35: Java SDK 1.6 SR16 FP1 Cumulative Fix for WebSphere Application Server
7.0.0.37: Java SDK 1.6 SR16 FP3 Cumulative Fix for WebSphere Application Server
7.0.0.39: Java SDK 1.6 SR16 FP7 Cumulative Fix for WebSphere Application Server
7.0.0.41: Java SDK 1.6 SR16 FP20 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server
APAR status
Closed as program error.
Error description
When a token is configured to be consumed using the GenericIssuedTokenConsumeLoginModule, there is no way to configure the consumer to not pass the token to an STS.
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: IBM WebSphere Application Server users of    *
*                 WS-Security enabled JAX-WS applications      *
****************************************************************
* PROBLEM DESCRIPTION: GenericIssuedTokenConsumeLoginModule    *
*                      cannot consume a token without          *
*                      sending it to an STS for exchange or    *
*                      validation                              *
****************************************************************
* RECOMMENDATION: Install a fix pack that contains this        *
*                 APAR.                                        *
****************************************************************

When a token is configured to be consumed using the GenericIssuedTokenConsumeLoginModule in the WS-Security policy bindings, there is no way to configure the consumer to not pass the token to an STS for token validation or exchange. The GenericIssuedTokenConsumeLoginModule should be able to consume tokens without sending them to the STS.
Problem conclusion
The WS-Security GenericIssuedTokenConsumeLoginModule code is updated so that it can consume a token without sending it to the STS for validation or exchange. Two new custom properties are added that can be used with the GenericIssuedTokenConsumeLoginModule and can be specified using any callback handler class:

passThroughToken
alwaysGeneric

================
passThroughToken

This key is valid for use by both GenericIssuedTokenConsumeLoginModule and GenericIssuedTokenGenerateLoginModule. It can be specified on any of the built-in callback handlers.

When this key is used for the consumer, it directs whether the inbound token should be sent to the STS. The default behavior is to always send the inbound token to the STS for validation and/or exchange (depending on other config settings). When this property is set to true, the inbound token will not be sent to the STS at all, in effect 'passing through' the consumer. Also, when this property is set to true and a built-in token type is used (UsernameToken, Kerberos token, SAML token, etc.), the token will be parsed and available on the WS-Security context for later processing by a caller configuration JAAS login module.

When this key is used for the generator, it directs whether the outbound token should be obtained from the STS. The default behavior is to always obtain the token from the STS. When this property is set to true, the inbound token will be obtained in this order:

1) From the sharedState from a stacked JAAS login module
2) From the com.ibm.wsspi.wssecurity.token.tokenHolder list on the message context
3) From the inbound SecurityTokens

Refer to the following constants in com.ibm.wsspi.wssecurity.core.Constants for more information:

com.ibm.wsspi.wssecurity.token.tokenHolder
com.ibm.wsspi.wssecurity.token.enableCaptureTokenContext
com.ibm.wsspi.wssecurity.token.enableCaptureTokenInboundMsg

=============
alwaysGeneric

This key is used by the GenericIssuedTokenConsumeLoginModule and can be set using any of the built-in callback handlers. When passThroughToken is set to true, if this property is also set to true, the login module will always create a GenericSecurityToken instead of a built-in token type that corresponds to the valueType that is configured for the token. The default value for this property is false.

==========================================
com.ibm.wsspi.wssecurity.token.tokenHolder

This key is used to place a token or a list of tokens on the message context for use by token generators and/or token consumers. It is important, if using a list, that each token in the list have a different value type. If there is more than one token with the same value type, the token retrieved will be indeterminate. There is no default for this property. The value can be a SecurityToken object or an instance of a Map or List of SecurityToken objects.

========================================================
com.ibm.wsspi.wssecurity.token.enableCaptureTokenContext

This is the key used to specify that a token consumer and/or token generator that is enabled to do so should attempt to obtain its token from the tokenHolder on the message context. This property is false unless it is set to true and is set in the token generator/consumer callback handler custom properties.

===========================================================
com.ibm.wsspi.wssecurity.token.enableCaptureTokenInboundMsg

This is the key used to specify that a token consumer and/or token generator that is enabled to do so should attempt to obtain its token from the set of SecurityTokens in the inbound message. If there is more than one token in the inbound message that matches the value type of the token generator, then the token selected will be indeterminate. This property is false unless it is set to true and is set in the token generator/consumer callback handler custom properties.

The fix for this APAR is currently targeted for inclusion in fix packs 7.0.0.25, 8.0.0.5, 8.5.0.1. Please refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
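
One way to review where these properties are in effect, as an added example that is not IBM code: the script below audits callback-handler custom properties for the settings described above, including a misspelled key that would leave the real property unset. The handler names, the input layout and the case-insensitive reading of "true" are assumptions; the property keys are the ones this APAR describes.

```python
import difflib

PREFIX = "com.ibm.wsspi.wssecurity.token."
INBOUND_MSG = PREFIX + "enableCaptureTokenInboundMsg"
KNOWN = ["passThroughToken", "alwaysGeneric",
         PREFIX + "enableCaptureTokenContext", INBOUND_MSG]

def is_true(props, key):
    # Assumption: the string "true" in any case enables a property.
    return str(props.get(key, "false")).strip().lower() == "true"

def audit(handlers):
    """Return sorted (handler name, finding code) pairs."""
    findings = []
    for h in handlers:
        name, role, props = h["name"], h["role"], h["properties"]
        passthrough = is_true(props, "passThroughToken")
        if passthrough and role == "consumer":
            # Inbound token is consumed without STS validation or exchange.
            findings.append((name, "CONSUMER_SKIPS_STS"))
        if passthrough and role == "generator":
            # Token comes from sharedState, tokenHolder or inbound tokens.
            findings.append((name, "GENERATOR_SKIPS_STS"))
        if is_true(props, "alwaysGeneric") and not passthrough:
            # Described above only in combination with passThroughToken=true.
            findings.append((name, "ALWAYSGENERIC_WITHOUT_PASSTHROUGH"))
        if is_true(props, INBOUND_MSG):
            # Indeterminate if several inbound tokens share a value type.
            findings.append((name, "INBOUND_CAPTURE_ENABLED"))
        for key in props:
            if key not in KNOWN:
                near = difflib.get_close_matches(key, KNOWN, n=1, cutoff=0.8)
                if near:  # a near-miss spelling leaves the real key unset
                    findings.append((name, "MISSPELLED:" + key + "->" + near[0]))
    return sorted(findings)

# Constructed sample input (hypothetical handler names and layout).
SAMPLE = [
    {"name": "samlConsumer", "role": "consumer",
     "properties": {"passThroughToken": "true", "alwaysGeneric": "true"}},
    {"name": "outboundGen", "role": "generator",
     "properties": {"passThroughToken": "TRUE", INBOUND_MSG: "true"}},
    {"name": "legacyConsumer", "role": "consumer",
     "properties": {"passTroughToken": "true", "alwaysGeneric": "true"}},
]

if __name__ == "__main__":
    for handler, code in audit(SAMPLE):
        print(handler + ": " + code)
```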
Temporary fix
Comments
APAR Information
APAR number
PM62535
Reported component name
WEBSPHERE APP S
Reported component ID
5724J0800
Reported release
700
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2012-04-16
Closed date
2012-07-10
Last modified date
2012-07-13
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBSPHERE APP S
Fixed component ID
5724J0800
Applicable component levels
R700 PSY
UP
R800 PSY
UP
R850 PSY
UP
Document Information
Modified date:
28 October 2021