Fixes are available
APAR status
Closed as program error.
Error description
When useDomainQualifiedUserNames="true", the OAuth provider may create a WebSphere subject with a principal name that has the realm name prepended to the user name. For instance: defaultWIMFileBasedRealm/user1 This problem seems to only happen when using authorization flow. Password flow is not affected.
Local fix
As a workaround, will you please have the customer set useDomainQualifiedUserNames="false"
Problem summary
**************************************************************** * USERS AFFECTED: IBM WebSphere Application Server users of * * OAuth * **************************************************************** * PROBLEM DESCRIPTION: The OAuth provider may create a * * principal that includes the realm name * **************************************************************** * RECOMMENDATION: Install a fix pack or interim fix that * * includes this APAR. * **************************************************************** The OAuth provider may create a Subject that has a principal with the realm name prepended to the user name.
Problem conclusion
You will get this behavior only when the useDomainQualifiedUserNames security property is set to true. You can see the setting for this property in the admin console: Security > Global security, then under Authentication, check Use realm-qualified user names The OAuth provider populates the principal with the result from HttpServletRequest.getUserPrincipal().getName(). When useDomainQualifiedUserNames is set to true, the result from this invocation will have the realm name prepended to the user name. The OAuth provider is updated so that, when useDomainQualifiedUserNames is set to true, the realm name is removed from the result of the HttpServletRequest.getUserPrincipal().getName() invocation when creating the principal name for the Subject. This fix is an update to the OAuth ear file, WebSphereOauth20SP.ear. This fix replaces the old EAR file in the (WAS_HOME)/installableApps directory with the updated one from the fix. For any cell that is running the ear, the fix will not be active in that cell the until the installed WebSphereOauth20SP.ear is updated from the new ear in the installableApps directory. You can tell if the OAuth ear file is installed in a cell by checking for a directory called WebSphereOauth20SP.ear in the (CELL_ROOT)/applications directory. If WebSphereOauth20SP.ear is installed in your cell, do the following after applying the fix: 1. Update WebSphereOauth20SP.ear, from the (WAS_HOME)/installableApps directory on your stand-alone application server or deployment manager. 2. If you are using network deployment, ensure that all of the nodes are synchronized. The fix for this APAR is currently targeted for inclusion in fix pack 8.5.5.17 and 9.0.5.2. Please refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
Temporary fix
Comments
APAR Information
APAR number
PH15820
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2019-08-19
Closed date
2019-10-22
Last modified date
2019-10-28
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
R850 PSY
UP
R900 PSY
UP
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.5","Line of Business":{"code":"LOB45","label":"Automation"}}]
Document Information
Modified date:
02 November 2021