Fixes are available
APAR status
Closed as program error.
Error description
When using the OpenID Connect (OIDC) trust association interceptor (TAI) in WebSphere Application Server traditional, the DynaCache component may report that the JwtClaims object is not serializable:

DYNA0052E: The cached object can not be replicated or saved to disk. CacheID=1618033989 ClassName=com.ibm.ws.security.oidc.client.SessionData Type=cache-value Exception=java.io.NotSerializableException: org.jose4j.jwt.JwtClaims
Local fix
Problem summary
****************************************************************
* USERS AFFECTED:  All users of IBM WebSphere Application      *
*                  Server and OIDC                             *
****************************************************************
* PROBLEM DESCRIPTION: java.io.NotSerializableException may    *
*                      occur when using the OIDC TAI           *
****************************************************************
* RECOMMENDATION:  Install a fix pack or interim fix that      *
*                  contains this APAR.                         *
****************************************************************

When using the OpenID Connect (OIDC) trust association interceptor (TAI), a java.io.NotSerializableException for the org.jose4j.jwt.JwtClaims object may occur. When this problem happens, an entry like this appears in the log:

DYNA0052E: The cached object can not be replicated or saved to disk. CacheID=1618033989 ClassName=com.ibm.ws.security.oidc.client.SessionData Type=cache-value Exception=java.io.NotSerializableException: org.jose4j.jwt.JwtClaims
Problem conclusion
By default, the OIDC TAI stores data in a DynaCache object. In a cluster environment, if the cache that OIDC is configured to use is shared with all the servers in the cluster, then every object in the cache must be serializable. The SessionData object that OIDC stores in DynaCache includes an org.jose4j.jwt.JwtClaims object, which is not serializable. When the DynaCache component attempts to replicate a cache that contains a JwtClaims object, a java.io.NotSerializableException occurs.

The OIDC TAI is updated so that the org.jose4j.jwt.JwtClaims object is no longer included in the OIDC session data. As a result of this change, when using the OIDC TAI to perform JWT authentication:

* The SessionData associated with each request is no longer stored. Since the JWT is verified for each request when performing JWT authentication, the SessionData is not needed.

* An org.jose4j.jwt.JwtClaims object is no longer stored on the runAs Subject. However, the access token from the request is stored on the runAs Subject and is accessible via the com.ibm.websphere.security.oidc.util.OidcClientHelper.getJwtFromSubject() API. See the OidcClientHelper Javadoc in the Knowledge Center for additional information:
https://www.ibm.com/support/knowledgecenter/en/SSAW57_9.0.5/com.ibm.websphere.javadoc.doc/web/apidocs/com/ibm/websphere/security/oidc/util/OidcClientHelper.html

The following methods are added to the com.ibm.websphere.security.oidc.util.OidcClientHelper API:

getJwtClaimsAsString(String)
getJwtClaimsAsMap(String)
json2map(String)
getJwtFromSubject()
getJwtFromSubject(Subject)

    /**
     * Get the JWT claims from a JWT as a JSON String.
     *
     * For example:
     * {"sub":"1234567890","name":"John Doe", "admin": true,
     *  "exp":1588806453}
     *
     * @param jwtString The JWT to decode
     * @return The JWT claims JSON String
     * @throws Exception if an error occurs decoding the JWT
     */
    public static String getJwtClaimsAsString(String jwtString) throws Exception

    /**
     * Get the JWT claims from a JWT as a Map.
     *
     * The Map will have value types that correspond to the
     * values in the claims string. For instance,
     * the following claims string:
     * {"sub":"1234567890","name":"John Doe", "admin": true,
     *  "exp":1588806453}
     *
     * will produce the map entries with the value types:
     * String, String, Boolean, Long
     *
     * @param jwtString The JWT to decode
     * @return The JWT claims JSON represented as a Map
     * @throws Exception if an error occurs decoding the JWT
     */
    public static Map<String,Object> getJwtClaimsAsMap(String jwtString) throws Exception

    /**
     * Convert a JSON String to a Map.
     *
     * The Map will have value types that correspond to the
     * values in the JSON string. For instance,
     * the following JSON string:
     * {"sub":"1234567890","name":"John Doe", "admin": true,
     *  "exp":1588806453}
     *
     * will produce the map entries with the value types:
     * String, String, Boolean, Long
     *
     * @param jsonString The JSON String to convert
     * @return A Map created from the JSON String
     * @throws Exception if an error occurs creating the Map
     */
    public static Map<String,Object> json2map(String jsonString) throws Exception

    /**
     * Retrieve the JWT Authentication token from the current
     * runAs Subject.
     *
     * @return The JWT Authentication token String or null if
     *         there is no JWT Authentication token on the Subject
     * @throws Exception if an error occurs either while
     *         obtaining the runAs Subject or accessing the private
     *         credentials.
     */
    public static String getJwtFromSubject() throws Exception

    /**
     * Retrieve the JWT Authentication token from the input
     * Subject.
     *
     * @param subj The Subject to read the token from
     * @return The JWT Authentication token String or null if
     *         there is no JWT Authentication token on the Subject
     * @throws Exception if an error occurs when accessing the
     *         private credentials in the Subject.
     */
    public static String getJwtFromSubject(Subject subj) throws Exception

The fix for this APAR is targeted for inclusion in fix packs 8.5.5.18 and 9.0.5.5. For more information, see 'Recommended Updates for WebSphere Application Server':
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
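As an added example (not IBM code and not part of this APAR), the following servlet filter shows how application code consumes the token after this change: it reads the JWT string from the runAs Subject with OidcClientHelper.getJwtFromSubject(), decodes the claims with getJwtClaimsAsMap(String), and uses the typed values (exp as a Long, admin as a Boolean, following the sample claims in the Javadoc above) to make an authorization decision. The filter class name, its /admin/* mapping, the use of the sample "admin" claim, and the reading that these helpers decode the token rather than re-verify its signature (the Javadoc says "decoding"; per-request verification is done by the TAI) are assumptions of the example, not statements from the APAR.

```java
// Added example, not IBM code: consume the JWT that the OIDC TAI leaves on the
// runAs Subject after PH21827, where a JwtClaims object is no longer available.
import java.io.IOException;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

import com.ibm.websphere.security.oidc.util.OidcClientHelper;

// Assumed mapping: every request under /admin/* must carry an "admin": true claim
// (the claim name is taken from the Javadoc sample and is only an assumption here).
@WebFilter("/admin/*")
public class AdminClaimFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) res;
        Map<String, Object> claims;
        try {
            // The raw JWT string the TAI stored on the runAs Subject for this request.
            // The TAI verified it when it authenticated the request; the helper calls
            // below decode it, they are not assumed to re-verify the signature.
            String jwt = OidcClientHelper.getJwtFromSubject();
            if (jwt == null) {
                // No JWT on the Subject: the request did not go through JWT authentication.
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            // Claim values keep their JSON types: String, Boolean, Long (see Javadoc).
            claims = OidcClientHelper.getJwtClaimsAsMap(jwt);
        } catch (Exception e) {
            // Covers a Subject that cannot be obtained and a token that cannot be decoded.
            throw new ServletException("Unable to read JWT claims from the runAs Subject", e);
        }

        // Defensive expiry check; "exp" is seconds since the epoch and arrives as a Long.
        // Accepting any Number keeps the check robust if the value type ever differs.
        Object exp = claims.get("exp");
        long nowSeconds = System.currentTimeMillis() / 1000L;
        if (!(exp instanceof Number) || ((Number) exp).longValue() <= nowSeconds) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Boolean.TRUE.equals rejects a missing claim, null, and the string "true" alike.
        if (!Boolean.TRUE.equals(claims.get("admin"))) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Hand only plain, serializable values (here a String) to downstream code, so
        // that anything it later puts in a replicated cache or session can be replicated.
        req.setAttribute("oidc.sub", claims.get("sub"));
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
    }
}
```

The expiry check is defensive; the TAI's per-request verification remains the authoritative one. If the application goes on to store anything derived from the token in an HttpSession or a shared DynaCache instance, keep to the String, Long and Boolean values the Map already holds rather than a library object such as JwtClaims, which is exactly the non-serializable value that triggered the DYNA0052E entry in this APAR.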
Temporary fix
Comments
APAR Information
APAR number
PH21827
Reported component name
WEBSPHERE APP S
Reported component ID
5724J0800
Reported release
900
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2020-02-05
Closed date
2020-06-29
Last modified date
2020-09-23
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBSPHERE APP S
Fixed component ID
5724J0800
Applicable component levels
R850 PSY
UP
R900 PSY
UP
Document Information
Modified date:
06 December 2021