Fix (APAR):  PI56377

Status:  Fix

Release:  8.5.5.8,8.5.5.7

Operating System:  AIX,HP-UX,IBM i,Inspur K-UX,Linux,Solaris,Windows,z/OS

Supersedes Fixes:  

CMVC Defect:  xxxxxx

Byte size of APAR:  264803

Date: 2016-02-10

Abstract:  signature in propagated samltoken sometimes invalid because websphere adds namespace prefixes

Description/symptom of problem:  
PI56377 resolves the following problem:

ERROR DESCRIPTION:                                              
When a JAX-WS provider application receives a signed SAML       
token in an inbound SOAP request, then propagates the token to  
a downstream service, the token fails signature validation.     
                                                                
This behavior happens after installing fix packs 7.0.0.39,      
8.0.0.11 or 8.5.5.7.                                            

LOCAL FIX:                                                      
n/a                                                             

PROBLEM SUMMARY

USERS AFFECTED:
 IBM WebSphere Application Server
administrators of WS-Security enabled
JAX-WS applications and SAML

PROBLEM DESCRIPTION:
SAML token may fail signature
validation after being propagated by
WS-Security

RECOMMENDATION:
 Install a fix pack or interim fix that
contains this APAR.

After installing fix packs 7.0.0.39, 8.0.0.11 or 8.5.5.7,
signed SAML tokens can no longer be propagated on downstream
JAX-WS or trust client invocations.  This problem only exists
when all the the following conditions are met:
* The SAML token is obtained from the Security header of a
JAX-WS web service request.
* The WS-Security constraints for the service contains a
caller configuration for the SAML token.
* The SAML token contains a signature.
* The SAML token is not encrypted.
* The SAML token to be sent is retrieved from the auth cache
or runAs subject.
* The receiver of the token will validate the signature.
The XML in the token emitted will differ from the one received
on each element where a namespace prefix is used.  The
emitted XML will be logically the same as the one received,
but signature validation may fail.
For example:
<saml2:Issuer>IS02</saml2:Issuer>
becomes
<saml2:Issuer
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">IS02</saml2:
Issuer>
The following SAML token types are not affected:
* Unsigned SAML tokens
Although the XML is altered, since the token emitted is
logically the same as the one that was received, the token
will pass validation.
* Encrypted SAML tokens
Since the signature in an encrypted SAML token is included
in the encrypted token bytes, it cannot be modified. After the
token is decrypted, the signature validation will pass.

PROBLEM CONCLUSION:                                             
To fix a memory leak, APAR PI32262 used an alternative          
cloning mechanism to clone a SAML token before it is put on     
the runAs subject.  This alternative cloning method produced    
an element that has XML that is logically the same, but the     
XML text is different.  The difference is that the namespace    
declaration is replicated on each element that uses a           
namespace prefix.  In many cases that is ok, however, if the    
token was signed, the signature in the token will no longer be  
valid.                                                          
                                                                
If the SAML token that has a signature is pulled from           
the runAs subject or auth cache and re-used in any way where    
the signature must be validated, the signature validation will  
fail.  For instance, it cannot be propagated on a downstream    
web services invocation or used in a trust client token         
exchange.                                                       
                                                                
The fix for this APAR removes the fix for PI32262.  This means  
that a memory leak may occur when both the following            
conditions are met:                                             
                                                                
* Authentication cache is enabled.                              
* A JAX-WS web service has a WS-Security binding with a caller  
configuration for a SAML token.                                 
                                                                
This problem will be fixed on future APAR PI56581.              
                                                                
The fix for this APAR is currently targeted for inclusion in    
fix packs 7.0.0.43, 8.0.0.13 and 8.5.5.10.  Please refer to     
the Recommended Updates page for delivery information:          
                                                                
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980   


Directions to apply fix:  Fix applies to Editions:
Release 8.5
_x_ Application Server (Express or BASE)
_x_ Network Deployment (ND)
__ Liberty Core
__ Edge Components
__ Developer

Install Fix to all WebSphere installations unless special instructions are included below.

Special Instructions: None

NOTE:
The user must:
* Logged in with the same authority level when unpacking a fix, fix pack or refresh pack.
* Be at V1.4.3 or newer of the Installation Manager. Certain iFixes may require a newer version of the Installation Manager and the Installation Manager will inform you during the installation process if a newer version is required.

The IBM Knowledge Center can provide details, if needed, on the use of the Installation Manager to apply the iFixes.
http://publib.boulder.ibm.com/infocenter/install/v1r4/index.jsp.  Shutdown WebSphere Application Server before applying the iFixes.  Restart WebSphere Application Server after applying the iFixes.

Directions to remove fix:  

The IBM Knowledge Center can provide details, if needed, on the use of the Installation Manager to remove the iFixes.
http://publib.boulder.ibm.com/infocenter/install/v1r4/index.jsp.  Shutdown WebSphere Application Server before removing the iFixes.  Restart WebSphere Application Server after removing the iFixes.

Directions to re-apply fix:  
1) Shutdown WebSphere Application Server.

2) Follow the Fix instructions to apply the fix.

3) Restart WebSphere Application Server.



Additional Information: