Fixes are available
8.5.5.2: WebSphere Application Server V8.5.5 Fix Pack 2
7.0.0.33: WebSphere Application Server V7.0 Fix Pack 33
8.0.0.9: WebSphere Application Server V8.0 Fix Pack 9
8.5.5.3: WebSphere Application Server V8.5.5 Fix Pack 3
7.0.0.35: WebSphere Application Server V7.0 Fix Pack 35
8.5.5.4: WebSphere Application Server V8.5.5 Fix Pack 4
8.0.0.10: WebSphere Application Server V8.0 Fix Pack 10
7.0.0.37: WebSphere Application Server V7.0 Fix Pack 37
8.5.5.5: WebSphere Application Server V8.5.5 Fix Pack 5
8.5.5.6: WebSphere Application Server V8.5.5 Fix Pack 6
8.0.0.11: WebSphere Application Server V8.0 Fix Pack 11
8.5.5.7: WebSphere Application Server V8.5.5 Fix Pack 7
7.0.0.39: WebSphere Application Server V7.0 Fix Pack 39
8.5.5.8: WebSphere Application Server V8.5.5 Fix Pack 8
8.0.0.12: WebSphere Application Server V8.0 Fix Pack 12
8.5.5.9: WebSphere Application Server V8.5.5 Fix Pack 9
7.0.0.41: WebSphere Application Server V7.0 Fix Pack 41
8.5.5.10: WebSphere Application Server V8.5.5 Fix Pack 10
8.5.5.11: WebSphere Application Server V8.5.5 Fix Pack 11
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
7.0.0.43: WebSphere Application Server V7.0 Fix Pack 43
8.5.5.12: WebSphere Application Server V8.5.5 Fix Pack 12
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.35: Java SDK 1.6 SR16 FP1 Cumulative Fix for WebSphere Application Server
7.0.0.37: Java SDK 1.6 SR16 FP3 Cumulative Fix for WebSphere Application Server
7.0.0.39: Java SDK 1.6 SR16 FP7 Cumulative Fix for WebSphere Application Server
7.0.0.41: Java SDK 1.6 SR16 FP20 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
8.5.5.15: WebSphere Application Server V8.5.5 Fix Pack 15
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
8.5.5.20: WebSphere Application Server V8.5.5.20
8.5.5.18: WebSphere Application Server V8.5.5 Fix Pack 18
8.5.5.19: WebSphere Application Server V8.5.5 Fix Pack 19
8.5.5.16: WebSphere Application Server V8.5.5 Fix Pack 16
8.5.5.21: WebSphere Application Server V8.5.5.21
APAR status
Closed as program error.
Error description
When a SAML token is expired, the validation of the token will fail. The information required to determine the cause of the failure is not provided in the returned error: com.ibm.websphere.wssecurity.wssapi.WSSException: CWSML6010E: Invalid SAML assertion.
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: IBM WebSphere Application Server users of * * WS-Security enabled JAX-WS applications * * and SAML or SAML Web Single Sign On * **************************************************************** * PROBLEM DESCRIPTION: When a SAML token fails validation * * for schema or time-based issues, the * * information needed to fix the error * * is not returned. * **************************************************************** * RECOMMENDATION: Install a fix pack that contains this * * APAR. * **************************************************************** When validation of a SAML token fails because of schema or time-based issues, there is not enough information in the returned exception to determine the cause of the error. Trace also shows to be inadequate in many cases. Most of the errors return: com.ibm.websphere.wssecurity.wssapi.WSSException: CWSML6010E: Invalid SAML assertion.
Problem conclusion
The SAML code is updated to return more user-friendly errors for schema and time-based errors. 27 new messages were added to accomodate the new error handling. The CWSML6010E will remain the same, but messages like the following examples will be appended to it: CWSML7001E: The NotOnOrAfter condition is out of range. The NotOnOrAfter setting in the assertion is [{0}]. The current time is [{1}]. The current clock skew setting is {2} minutes. CWSML7013E: The [AttributeStatement] element does not contain either [Subject] or [Attribute] sub-elements. This condition is not allowed. CWSML7016E: The SAML 1.1 assertion being processed contains no [ConfirmationMethod] elements. At least one [ConfirmationMethod] element must be present in the SAML assertion to be processed successfully. If using the com.ibm.websphere.wssecurity.wssapi.token.SAMLTokenFactory.newSA MLToken API, the new errors will appear on e.getCause().getMessage() . ============== Additionally, new validations are put in place to ensure that the SAML assertion is validated properly. Most of the updates are included because the original assertion validation is incorrect. One update in the SAML 1.1 processing is included because of WebSphere WS-Security requirements for proper operation. SAML 2.0 Updates: ================= If a SAML 2.0 assertion is missing the Version attribute, the following error will occur: //CWSML7003E: The Version attribute on the Assertion element is missing or empty. If a SAML 2.0 assertion has incorrect value for the Version attribute, an error will occur. An example of an error when an incorrect Version value is encountered is: //CWSML7019E: The value for the Version attribute is not supported. The Version attribute value in the assertion is [1.1]. The value for the Version attribute in a SAML 2.0 assertion must be [2.0]. For a SAML 2.0 assertion, the NotBefore and NotOnOrAfter attributes on the SubjectConfirmationData element are now being validated. Examples of the errors when the SubjectConfirmationData is out of range are: //CWSML7020E: The [NotBefore] condition on the [SubjectConfirmationData] element is out of range. The NotBefore setting in the SubjectConfirmationData is [2014-04-09T23:40:23.617Z]. The current time is [2014-04-09T23:30:23.617Z]. The current clock skew setting is 3 minutes //CWSML7021E: The [NotOnOrAfter] condition on the [SubjectConfirmationData] element is out of range. The NotOnOrAfter setting in the SubjectConfirmationData is [2014-04-09T23:44:23.617Z]. The current time is [2014-04-09T23:47:25.458Z]. The current clock skew setting is 3 minutes For a SAML 2.0 assertion, the Method attribute on the SubjectConfirmation element is now being validated instead of just making sure it exists. An example of an error when an incorrect value is encountered is: //CWSML7008E: The value [invalid:value] for the [Method] attribute on the [SubjectConfirmation] element in the SAML assertion is not valid. The valid values are [urn:oasis:names:tc:SAML:2.0:cm:bearer, urn:oasis:names:tc:SAML:2.0:cm:sender-vouches, urn:oasis:names:tc:SAML:2.0:cm:holder-of-key]. SAML 1.1 Updates: ================= In order for the WebSphere SAML token validator to operate properly with a SAML 1.1 assertion, a confirmation method is required. The confirmation method comes from the ConfirmationMethod sub-selement of the SubjectConfirmation element. According to the SAML 1.1 schema, the SubjectConfirmation element is not required. So, although the schema does not require a SubjectConfirmation element be present in a SAML 1.1 assertion, the runtime will require a ConfirmationMethod element, which in turn requires the SubjectConfirmation element. If a SAML 1.1 assertion does not contain at least one ComfirmationMethod, the following error will occur: //CWSML7016E: The SAML 1.1 assertion being processed contains no [ConfirmationMethod] elements. At least one [ConfirmationMethod] element must be present in the SAML assertion to be processed successfully. If a SAML 1.1 assertion does not contain an AuthenticationInstant attribute on the AuthenticationStatement, the following error will occur: //CWSML7006E: The [AuthenticationInstant] attribute on the [AuthenticationStatement] element is missing or empty. This condition is not allowed. For a SAML 1.1 assertion, the ConfirmationMethod element is now being validated. An example of an error when an incorrect value is encountered is: //CWSML7009E: The value [invalid:value] for the [ConfirmationMethod] sub-element of [SubjectConfirmation] in the SAML assertion is not valid. The valid values are [urn:oasis:names:tc:SAML:1.0:cm:bearer, urn:oasis:names:tc:SAML:1.0:cm:sender-vouches, urn:oasis:names:tc:SAML:1.0:cm:holder-of-key]. For a SAML 1.1 assertion, the NameID and Subject elements in the AuthenticationStatement are now being validated if they exist. The fix for this APAR is currently targeted for inclusion in fix pack 7.0.0.33, 8.0.0.9, and 8.5.5.2. Please refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
Temporary fix
Comments
APAR Information
APAR number
PM99786
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
700
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2013-10-23
Closed date
2014-01-15
Last modified date
2014-04-25
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
R700 PSY
UP
R800 PSY
UP
R850 PSY
UP
Document Information
Modified date:
28 April 2022