Fixes are available
9.0.0.2: WebSphere Application Server traditional V9.0 Fix Pack 2
8.5.5.11: WebSphere Application Server V8.5.5 Fix Pack 11
9.0.0.3: WebSphere Application Server traditional V9.0 Fix Pack 3
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
7.0.0.43: WebSphere Application Server V7.0 Fix Pack 43
9.0.0.4: WebSphere Application Server traditional V9.0 Fix Pack 4
8.5.5.12: WebSphere Application Server V8.5.5 Fix Pack 12
9.0.0.5: WebSphere Application Server traditional V9.0 Fix Pack 5
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
9.0.0.6: WebSphere Application Server traditional V9.0 Fix Pack 6
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
9.0.0.7: WebSphere Application Server traditional V9.0 Fix Pack 7
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server
9.0.0.8: WebSphere Application Server traditional V9.0 Fix Pack 8
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
9.0.0.9: WebSphere Application Server traditional V9.0 Fix Pack 9
9.0.0.10: WebSphere Application Server traditional V9.0 Fix Pack 10
8.5.5.15: WebSphere Application Server V8.5.5 Fix Pack 15
9.0.0.11: WebSphere Application Server traditional V9.0 Fix Pack 11
9.0.5.0: WebSphere Application Server traditional Version 9.0.5 Refresh Pack
9.0.5.1: WebSphere Application Server traditional Version 9.0.5 Fix Pack 1
9.0.5.2: WebSphere Application Server traditional Version 9.0.5 Fix Pack 2
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
9.0.5.3: WebSphere Application Server traditional Version 9.0.5 Fix Pack 3
9.0.5.4: WebSphere Application Server traditional Version 9.0.5 Fix Pack 4
9.0.5.5: WebSphere Application Server traditional Version 9.0.5 Fix Pack 5
WebSphere Application Server traditional 9.0.5.6
9.0.5.7: WebSphere Application Server traditional Version 9.0.5 Fix Pack 7
9.0.5.8: WebSphere Application Server traditional Version 9.0.5.8
8.5.5.20: WebSphere Application Server V8.5.5.20
8.5.5.18: WebSphere Application Server V8.5.5 Fix Pack 18
8.5.5.19: WebSphere Application Server V8.5.5 Fix Pack 19
9.0.5.9: WebSphere Application Server traditional Version 9.0.5.9
9.0.5.10: WebSphere Application Server traditional Version 9.0.5.10
8.5.5.16: WebSphere Application Server V8.5.5 Fix Pack 16
8.5.5.21: WebSphere Application Server V8.5.5.21
9.0.5.11: WebSphere Application Server traditional Version 9.0.5.11
APAR status
Closed as program error.
Error description
The following error stack might occur when using OAuth:
[9/13/16 16:44:07:936 EDT] 000000dd ServletWrappe E com.ibm.ws.webcontainer.servlet.ServletWrapper service SRVE0068E: An exception was thrown by one of the service methods of the servlet [OAuth20EndpointServlet] in application [WebSphereOauth20SP]. Exception created : [java.lang.NullPointerException
    at java.net.URLEncoder.encode(URLEncoder.java:225)
    at java.net.URLEncoder.encode(URLEncoder.java:189)
    at com.ibm.ws.security.oauth20.form.FormRenderer.renderForm(FormRenderer.java:97)
    at com.ibm.ws.security.oauth20.web.OAuth20EndpointServlet.renderConsentForm(OAuth20EndpointServlet.java:718)
    at com.ibm.ws.security.oauth20.web.OAuth20EndpointServlet.processAuthorizationRequest(OAuth20EndpointServlet.java:233)
Local fix
N/A
Problem summary
****************************************************************
* USERS AFFECTED:  IBM WebSphere Application Server users of   *
*                  OAuth                                       *
****************************************************************
* PROBLEM DESCRIPTION: If the OAuth provider receives          *
*                      a request that does not contain a       *
*                      state parameter, an NPE may occur.      *
****************************************************************
* RECOMMENDATION: Install a fix pack or interim fix that       *
*                 contains this APAR.                          *
****************************************************************
If the OAuth provider receives a request that does not contain a state parameter, a NullPointerException may occur. You might see an entry like the following in SystemOut.log:
[9/30/16 9:40:02:411 EDT] 000001af ServletWrappe E com.ibm.ws.webcontainer.servlet.ServletWrapper service SRVE0068E: An exception was thrown by one of the service methods of the servlet [OAuth20EndpointServlet] in application [WebSphereOauth20SP]. Exception created : [java.lang.NullPointerException
    at java.net.URLEncoder.encode(URLEncoder.java:197)
    at java.net.URLEncoder.encode(URLEncoder.java:161)
    at com.ibm.ws.security.oauth20.form.FormRenderer.renderForm(FormRenderer.java:97)
    at com.ibm.ws.security.oauth20.web.OAuth20EndpointServlet.renderConsentForm(OAuth20EndpointServlet.java:718)
    at com.ibm.ws.security.oauth20.web.OAuth20EndpointServlet.processAuthorizationRequest(OAuth20EndpointServlet.java:233)
    at com.ibm.ws.security.oauth20.web.OAuth20EndpointServlet.doPost(OAuth20EndpointServlet.java:158)
    at com.ibm.ws.security.oauth20.web.OAuth20EndpointServlet.doGet(OAuth20EndpointServlet.java:129)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:575)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:668)
    ...
Problem conclusion
If there is no state parameter in the OAuth request, a null is passed to the URLEncoder.encode method. Depending on the JDK, that method may emit a NullPointerException when it receives a null parameter. The OAuth provider is updated to not attempt to encode the state parameter if it does not exist.
When a fix pack containing this APAR is installed, the fix will not be active until the installed OAuth application, WebSphereOauth20SP.ear, is updated from the (WAS_HOME)/installableApps directory.
The fix for this APAR is currently targeted for inclusion in fix packs 7.0.0.43, 8.0.0.13, 8.5.5.11 and 9.0.0.2. Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
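To check whether a server is still hitting this condition, for example after a fix pack was installed but WebSphereOauth20SP.ear was not updated, the following added example scans SystemOut.log text for the stack signature quoted above. It is not IBM code; the function names and the sample log are constructed here, with the matching entry reusing lines from this APAR.

```python
import re

# A SystemOut.log entry starts with "[M/D/YY H:MM:SS:mmm TZ] <thread id>";
# following lines (stack frames) belong to that entry.
ENTRY_START = re.compile(
    r"^\[(\d{1,2}/\d{1,2}/\d{2} \d{1,2}:\d{2}:\d{2}:\d{3} \w+)\] [0-9a-f]{8} ")
# Markers copied from the entry quoted in this APAR.
MARKERS = ("SRVE0068E", "[OAuth20EndpointServlet]",
           "com.ibm.ws.security.oauth20.form.FormRenderer.renderForm")
# The NPE must be raised directly in URLEncoder.encode (the null state value).
TOP_FRAME = re.compile(
    r"java\.lang\.NullPointerException\s+at java\.net\.URLEncoder\.encode\(")

def split_entries(text):
    """Group raw log lines into (timestamp, entry_text) pairs."""
    entries, stamp, buf = [], None, []
    for line in text.splitlines():
        m = ENTRY_START.match(line)
        if m:
            if stamp is not None:
                entries.append((stamp, "\n".join(buf)))
            stamp, buf = m.group(1), [line]
        elif stamp is not None:
            buf.append(line)  # continuation line, e.g. a stack frame
    if stamp is not None:
        entries.append((stamp, "\n".join(buf)))
    return entries

def find_pi69325(text):
    """Return timestamps of entries matching the PI69325 stack signature."""
    return [stamp for stamp, body in split_entries(text)
            if all(m in body for m in MARKERS) and TOP_FRAME.search(body)]

# Constructed sample: one entry with frames quoted in the APAR, one invented non-match.
_HEAD = ("ServletWrappe E com.ibm.ws.webcontainer.servlet.ServletWrapper service "
         "SRVE0068E: An exception was thrown by one of the service methods of the "
         "servlet [OAuth20EndpointServlet] in application [WebSphereOauth20SP]. "
         "Exception created : [")
SAMPLE_LOG = "\n".join([
    "[9/30/16 9:39:58:120 EDT] 000001ae ExampleInfo   I constructed info line",
    "[9/30/16 9:40:02:411 EDT] 000001af " + _HEAD + "java.lang.NullPointerException",
    "\tat java.net.URLEncoder.encode(URLEncoder.java:197)",
    "\tat com.ibm.ws.security.oauth20.form.FormRenderer.renderForm(FormRenderer.java:97)",
    "[9/30/16 9:41:10:002 EDT] 000001b0 " + _HEAD + "java.lang.IllegalStateException",
    "\tat example.Constructed.frame(Constructed.java:1)",
])

if __name__ == "__main__":
    print(find_pi69325(SAMPLE_LOG))
```

Matches that appear after the fix pack is installed indicate the deployed OAuth application has not yet been updated from installableApps.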
Temporary fix
Comments
APAR Information
APAR number
PI69325
Reported component name
WEBSPHERE APP S
Reported component ID
5724J0800
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-09-16
Closed date
2016-10-05
Last modified date
2019-01-31
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBSPHERE APP S
Fixed component ID
5724J0800
Applicable component levels
R700 PSY
UP
R800 PSY
UP
R850 PSY
UP
R900 PSY
UP
Document Information
Modified date:
04 May 2022