PH29156: JAX-WS CLIENT MAY NOT SEND REQUEST TO PROVIDER: EXPOSE SERIALIZESECURITYCONTEXT AT JVM LEVEL

APAR status

• Closed as new function.

Error description

• A JAX-WS web service client request may not be sent to the
  provider when base security is enabled and there are issues
  with the security context that prevent the security context
  from being serialized.
  
  A error like the following may be seen in the logs:
  ======================
  SECJ5010E: Could not create default AuthenticationToken during
  propagation login. The following exception occurred:
  com.ibm.websphere.security.auth.WSLoginFailedException:
  Validation of LTPA token failed due to invalid keys or token
  type.
  at
  com.ibm.ws.security.ltpa.LTPAServerObject.validateToken(LTPAServ
  erObject.java:1187)
  ...
  at
  java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:3
  65)
  at
  com.ibm.ws.websvcs.utils.SecurityContextMigrator$5.run(SecurityC
  ontextMigrator.java:375)
  at
  java.security.AccessController.doPrivileged(AccessController.jav
  a:734)
  at
  com.ibm.ws.websvcs.utils.SecurityContextMigrator.migrateThreadTo
  Context(SecurityContextMigrator.java:372)
  at
  org.apache.axis2.util.ThreadContextMigratorUtil.performMigration
  ToContext(ThreadContextMigratorUtil.java:162)
  ...
  at
  org.apache.axis2.jaxws.client.proxy.JAXWSProxyHandler.invoke(JAX
  WSProxyHandler.java:213)
  =============================================
  

Local fix

Problem summary

• ****************************************************************
  * USERS AFFECTED:  All users of IBM WebSphere Application      *
  *                  Server                                      *
  *                  and JAX-WS web services                     *
  ****************************************************************
  * PROBLEM DESCRIPTION: When base security is enabled, a JAX-WS *
  *                      client may not send a request to the    *
  *                      provider due to security context        *
  *                      serialization.                          *
  ****************************************************************
  * RECOMMENDATION:  Install a fix pack that contains this       *
  *                  APAR.                                       *
  ****************************************************************
  A JAX-WS web service client request may not be sent to the
  provider when base security is enabled and there are issues
  with the security context that prevent it from being
  serialized.
  

Problem conclusion

• On an application server, when a JAX-WS client makes a service
  call, if base security is enabled, the WebSphere security
  context is serialized to the web services message context.
  This is done because there are down stream handlers that may
  need to serialize the entire message context (WS-Reliable
  Messaging for example).
  
  This serialization may cause core security to return errors for
  various reasons, for example: non-serializable objects are in
  the security context, or an LTPA token cannot be verified.
  
  APAR PI07385 introduced a JAX-WS client property called
  com.ibm.websvcs.client.serializeSecurityContext.  This property
  is set on the BindingProvider and it is used to direct
  serialization of the security context in the
  com.ibm.ws.websvcs.utils.SecurityContextMigrator class.
  
  The com.ibm.websvcs.client.serializeSecurityContext JAX-WS
  client property is extended to be a JVM system property.  If
  you do not want the
  com.ibm.websvcs.client.serializeSecurityContext to serialize
  the security context, set this property to false.  The
  default is true.
  
  The value for this property in the JVM will be the default
  setting.  If this property is set on the BindingProvider, it
  will override the JVM setting.
  
  When com.ibm.websvcs.client.serializeSecurityContext is set to
  false, the Security context will not be serialized onto the
  MessageContext.  A reference to the active context will be used
  instead.  This will cause problems if you are making an asynch
  service call or using a Reliable Messaging policy.
  
  The WS-Reliable Messaging qualities of service managed
  persistent and managed non-persistent require that the
  request, including the SecurityContext, is serializable to
  persistent storage.  Therefore if WS-Reliable messaging is
  also configured on such a request with either managed
  persistent or managed non-persistent qualities of service the
  request will not be sent and you'll receive a message like:
  
  CWSKA0112E: There is a conflict between the
  WS-ReliableMessaging quality of service managedPersistent and
  the BindingProvider property
  com.ibm.websvcs.client.serializeSecurityContext having the
  value false.
  
  The fix for this APAR is targeted for inclusion in fix pack
  8.5.5.19 and 9.0.5.6. For more information, see 'Recommended
  Updates for WebSphere Application Server':
  https://www.ibm.com/support/pages/node/715553
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

Fix information

• Fixed component name

  WEBS APP SERV N

• Fixed component ID

  5724H8800

Applicable component levels

• R850 PSY

     UP

• R900 PSY

     UP