IBM Support

PH15820: OAUTH PROVIDER MAY CREATE A PRINCIPAL WITH REALM NAME PREPENDED TO USER NAME

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • When useDomainQualifiedUserNames="true", the OAuth provider
    may create a WebSphere subject with a principal name that has
    the realm name prepended to the user name.  For instance:
    defaultWIMFileBasedRealm/user1
    
    This problem seems to only happen when using authorization
    flow.  Password flow is not affected.
    

Local fix

  • As a workaround, will you please have the customer set
    useDomainQualifiedUserNames="false"
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server users of   *
    *                  OAuth                                       *
    ****************************************************************
    * PROBLEM DESCRIPTION: The OAuth provider may create a         *
    *                      principal that includes the realm name  *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack or interim fix that      *
    *                  includes this APAR.                         *
    ****************************************************************
    The OAuth provider may create a Subject that has a principal
    with the realm name prepended to the user name.
    

Problem conclusion

  • You will get this behavior only when the
    useDomainQualifiedUserNames security property is set to true.
    You can see the setting for this property in the admin console:
    
    Security > Global security, then under Authentication, check
    Use realm-qualified user names
    
    The OAuth provider populates the principal with the result from
    HttpServletRequest.getUserPrincipal().getName().  When
    useDomainQualifiedUserNames is set to true, the result from
    this invocation will have the realm name prepended to the user
    name.
    
    The OAuth provider is updated so that, when
    useDomainQualifiedUserNames is set to true, the realm name is
    removed from the result of the
    HttpServletRequest.getUserPrincipal().getName() invocation
    when creating the principal name for the Subject.
    
    This fix is an update to the OAuth ear file,
    WebSphereOauth20SP.ear. This fix replaces the old EAR file in
    the (WAS_HOME)/installableApps directory with the updated one
    from the fix. For any cell that is running the ear, the fix
    will not be active in that cell the until the installed
    WebSphereOauth20SP.ear is updated from the new ear in the
    installableApps directory.
    
    You can tell if the OAuth ear file is installed in a cell by
    checking for a directory called WebSphereOauth20SP.ear in the
    (CELL_ROOT)/applications directory.
    
    If WebSphereOauth20SP.ear is installed in your cell, do the
    following after applying the fix:
    1. Update WebSphereOauth20SP.ear, from the
    (WAS_HOME)/installableApps directory on your stand-alone
    application server or deployment manager.
    2. If you are using network deployment, ensure that all of the
    nodes are synchronized.
    
    The fix for this APAR is currently targeted for inclusion in
    fix pack 8.5.5.17 and 9.0.5.2.  Please refer to the Recommended
    Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH15820

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2019-08-19

  • Closed date

    2019-10-22

  • Last modified date

    2019-10-28

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R850 PSY

       UP

  • R900 PSY

       UP

[{"Business Unit":{"code":"BU053","label":"Cloud \u0026 Data Platform"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"850","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Document Information

Modified date:
17 October 2021