
PI56581:Signature in propagated SAML token may not be valid due to added namespace declarations

Abstract

SAML token may fail signature validation after being propagated by WS-Security

Download Description

PI56581 resolves the following problem:

When a JAX-WS provider application receives a signed SAML token in an inbound SOAP request, then propagates the token to a downstream service, the token may fail signature validation.

This behavior happens after installing fix packs 7.0.0.39, 7.0.0.41, 8.0.0.11, 8.0.0.12, 8.5.5.7, 8.5.5.8 or 8.5.5.9. This problem does not occur on fix packs 7.0.0.0 through 7.0.0.37, 8.0.0.0 through 8.0.0.10 or 8.5.0.0 through 8.5.5.6.

LOCAL FIX:
Use one of the types of SAML tokens that are not affected:

  • Encrypted SAML tokens
  • Unsigned SAML tokens
PROBLEM SUMMARY

USERS AFFECTED:
IBM WebSphere Application Server administrators of WS-Security enabled JAX-WS applications that use SAML tokens.

RECOMMENDATION:
Install a fix pack or interim fix that contains this APAR.

PROBLEM DESCRIPTION:
After installing fix packs 7.0.0.39, 8.0.0.11 or 8.5.5.7, signed SAML tokens can no longer be propagated on downstream JAX-WS or trust client invocations. If your scenario meets all of the following conditions then you may experience this issue.

  1. The SAML token is obtained from the Security header of a JAX-WS web service request.
  2. The WS-Security constraints for the service contain a caller configuration for the SAML token.
  3. The SAML token contains a signature.
  4. The SAML token is not encrypted.
  5. The SAML token to be sent is retrieved from the auth cache or runAs subject.
  6. The receiver of the token will validate the signature.

A SAML token may fail signature validation after being propagated by WS-Security.

The XML in the token emitted will differ from the one received on each element where a namespace prefix is used. The emitted XML will be logically the same as the one received, but signature validation may fail. For example:

<saml2:Issuer>IS02</saml2:Issuer>

becomes

<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">IS02</saml2:Issuer>

The following SAML token types are not affected:

  • Unsigned SAML tokens: although the XML is altered, the token emitted is logically the same as the one that was received, so the token will pass validation.
  • Encrypted SAML tokens: since the signature in an encrypted SAML token is included in the encrypted token bytes, it cannot be modified. After the token is decrypted, the signature validation will pass.

PROBLEM CONCLUSION:
To fix a memory leak, APAR PI32262 used an alternative cloning mechanism to clone a SAML token before it is put on the runAs subject. This alternative cloning method produced an element that has XML that is logically the same as the original, but the XML text is different. The difference is that the namespace declaration is replicated on each element that uses a namespace prefix. In many cases that is ok, however, if the token was signed, the signature in the token will no longer be valid.

If the SAML token that has a signature is pulled from the runAs subject or auth cache and re-used in any way where the signature must be validated, the signature validation will fail. For instance, it cannot be propagated on a downstream web services invocation or used in a trust client token exchange.

A new cloning mechanism is added to ensure that all tokens are cloned in a way that their XML remains unchanged. Previously, only LTPA and SAML token types were cloned before being added to the runAs subject. To reduce the risk of memory leaks for all token types, the implementation for this APAR will clone all tokens before they are added to the runAs subject.

When the following JVM System property is set to true, only LTPA tokens will be cloned before being put on the runAs Subject:

com.ibm.ws.wssecurity.useOldCloneCriteria=true
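The following script is an added triage example, not IBM code, for the symptom described under PROBLEM DESCRIPTION and PROBLEM CONCLUSION: it compares a token as received with the copy emitted downstream and reports every namespace declaration that merely repeats a binding already in scope from an ancestor element, which is the tell-tale of the defective clone. The two sample tokens are constructed, unsigned and deliberately minimal (the saml2 prefix and URI are the real SAML 2.0 ones); only the Python standard library is used. It also shows that the raw serialized bytes differ while the C14N 2.0 canonical forms are identical, which is the "logically the same" property the text relies on for unsigned tokens.

```python
"""Triage helper (added example, not part of the APAR): find redundant
xmlns declarations introduced into a propagated SAML token."""
import hashlib
import xml.etree.ElementTree as ET
from io import BytesIO

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: the token as it arrived in the inbound Security header.
RECEIVED = (
    f'<saml2:Assertion xmlns:saml2="{SAML2}" ID="_a1" Version="2.0">'
    '<saml2:Issuer>IS02</saml2:Issuer>'
    '<saml2:Subject><saml2:NameID>alice</saml2:NameID></saml2:Subject>'
    '</saml2:Assertion>'
).encode()

# Constructed sample: the same token after the defective clone, with the
# saml2 declaration replicated on every element that uses the prefix.
EMITTED = (
    f'<saml2:Assertion xmlns:saml2="{SAML2}" ID="_a1" Version="2.0">'
    f'<saml2:Issuer xmlns:saml2="{SAML2}">IS02</saml2:Issuer>'
    f'<saml2:Subject xmlns:saml2="{SAML2}">'
    f'<saml2:NameID xmlns:saml2="{SAML2}">alice</saml2:NameID>'
    '</saml2:Subject></saml2:Assertion>'
).encode()


def redundant_ns_declarations(xml_bytes):
    """Return [(path, prefix, uri)] for each xmlns declaration that repeats
    a binding already in scope from an ancestor (same prefix, same URI)."""
    redundant = []
    scope_stack = [{}]   # prefix -> uri bindings in scope, one dict per open element
    path = []            # local names of the open elements
    pending = []         # declarations reported by expat before the owning 'start'
    events = ET.iterparse(BytesIO(xml_bytes), events=("start-ns", "start", "end"))
    for event, payload in events:
        if event == "start-ns":
            pending.append(payload)                  # payload is (prefix, uri)
        elif event == "start":
            path.append(payload.tag.rsplit("}", 1)[-1])
            parent_scope = scope_stack[-1]
            scope = dict(parent_scope)
            for prefix, uri in pending:
                if parent_scope.get(prefix) == uri:  # already bound identically above
                    redundant.append(("/" + "/".join(path), prefix, uri))
                scope[prefix] = uri
            pending = []
            scope_stack.append(scope)
        else:  # "end"
            path.pop()
            scope_stack.pop()
    return redundant


def sha256_hex(data):
    """Digest of the raw serialization: this is what changes between the two copies."""
    return hashlib.sha256(data).hexdigest()


def canonical(xml_bytes):
    """C14N 2.0 via ElementTree; a declaration already in scope is not re-emitted,
    so both copies canonicalize to the same text."""
    return ET.canonicalize(xml_data=xml_bytes, strip_text=True)


if __name__ == "__main__":
    for label, token in (("received", RECEIVED), ("emitted", EMITTED)):
        for path, prefix, uri in redundant_ns_declarations(token):
            print(f"{label}: redundant xmlns:{prefix}={uri} on {path}")
    print("raw bytes equal:      ", sha256_hex(RECEIVED) == sha256_hex(EMITTED))
    print("canonical forms equal:", canonical(RECEIVED) == canonical(EMITTED))
```

Run it against a received/emitted pair captured from a WS-Security trace: a non-empty report for the emitted copy, with a declaration repeated on each prefixed child element, is the pattern this APAR describes, and an empty report after applying the fix confirms the cloning change took effect.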


THE FOLLOWING FIXES ARE PROVIDED:

7.0.0.33-WS-WAS-IFPI56581.pak applies to fix packs 7.0.0.33 through 7.0.0.39
8.0.0.9-WS-WASProd-IFPI56581.zip applies to fix packs 8.0.0.9 through 8.0.0.12
8.5.5.2-WS-WASProd-IFPI56581.zip applies to fix packs 8.5.5.2 through 8.5.5.9

The fix for this APAR is currently targeted for inclusion in fix packs 7.0.0.43, 8.0.0.13 and 8.5.5.10. Please refer to the Recommended Updates page for delivery information:

http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Keywords: IBMWL3WSS, SAMLWSSEC, INTERIMFIX

Prerequisites

Please download the UpdateInstaller below to install this fix.

UpdateInstaller (AIX, US English, 7250000 bytes): http://www.ibm.com/support/docview.wss?rs=180&uid=swg21205991

Installation Instructions

Please review the readme.txt for detailed installation instructions.

V70 Readme (US English, 9002 bytes): ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PI56581/7.0.0.41/readme.txt
V80 Readme (US English, 6303 bytes): ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PI56581/8.0.0.12/readme.txt
V85 Readme (US English, 6361 bytes): ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PI56581/8.5.5.9/readme.txt

Download Package

7.0.0.33-WS-WAS-IFPI56581 (08-09-2016, US English, AIX, 40041 bytes): http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=7.0.0.33-WS-WAS-IFPI56581&productid=WebSphere Application Server&brandid=5
8.0.0.9-WS-WASProd-IFPI56581 (08-09-2016, US English, AIX, 285144 bytes): http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=8.0.0.9-WS-WASProd-IFPI56581&productid=WebSphere Application Server&brandid=5
8.5.5.2-WS-WASProd-IFPI56581 (08-09-2016, US English, AIX, 297760 bytes): http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=8.5.5.2-WS-WASProd-IFPI56581&productid=WebSphere Application Server&brandid=5

Technical Support

Contact IBM Support using SR (http://www.ibm.com/software/support/probsub.html), visit the WebSphere Application Server support web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).

Product: WebSphere Application Server (SSEQTP)
Component: General
Platforms: AIX, HP-UX, IBM i, Inspur K-UX, Linux, Solaris, Windows, z/OS
Versions: 7.0.0.33, 7.0.0.35, 7.0.0.37, 7.0.0.39, 7.0.0.41, 8.0.0.9, 8.0.0.10, 8.0.0.11, 8.0.0.12, 8.5.5.2, 8.5.5.3, 8.5.5.4, 8.5.5.5, 8.5.5.6, 8.5.5.7, 8.5.5.8, 8.5.5.9
Editions: Base, Network Deployment, Single Server

Document Information

Modified date: 15 June 2018
UID: swg24042605