IBM Support

PH21827: OIDC TAI: NOTSERIALIZABLEEXCEPTION FOR JWTCLAIMS ERROR MAY OCCUR


APAR status

  • Closed as program error.

Error description

  • When using the Open ID Connect (OIDC) trust association
    interceptor in WebSphere Application Server traditional, an
    error may be reported by the DynaCache component that the
    JwtClaims object is not serializable:
    
    DYNA0052E: The cached object can not be
    replicated or saved to disk. CacheID=1618033989
    ClassName=com.ibm.ws.security.oidc.client.SessionData
    Type=cache-value Exception=java.io.NotSerializableException:
    org.jose4j.jwt.JwtClaims
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server and OIDC                             *
    ****************************************************************
    * PROBLEM DESCRIPTION: java.io.NotSerializableException may    *
    *                      occur when using the OIDC TAI           *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack or interim fix that      *
    *                  contains this APAR.                         *
    ****************************************************************
    When using the OpenID Connect (OIDC) trust association
    interceptor (TAI), a java.io.NotSerializableException error
    for the org.jose4j.jwt.JwtClaims object may occur.  When this
    problem happens, an entry like this will appear in the log:
    DYNA0052E: The cached object can not be replicated or saved
    to disk. CacheID=1618033989
    ClassName=com.ibm.ws.security.oidc.client.SessionData
    Type=cache-value
    Exception=java.io.NotSerializableException:
    org.jose4j.jwt.JwtClaims
    

Problem conclusion

  • By default, the OIDC TAI stores data in a DynaCache object.
    When used in a cluster environment, if the cache that OIDC
    is configured to use is shared with all the servers in the
    cluster, then all the objects in the cache must be
    serializable.
    
    The SessionData object that OIDC stores in DynaCache includes
    a org.jose4j.jwt.JwtClaims object.  This object is not
    serializable.  When the DynaCache component attempts to
    replicate a cache that contains a JwtClaims object, a
    java.io.NotSerializableException error will occur.
    
    The OIDC TAI is updated so that the org.jose4j.jwt.JwtClaims
    object is no longer included in the OIDC session data.
    
    As a result of this change, when using the OIDC TAI to
    perform JWT authentication:
    * The SessionData associated with each request is no longer
    stored.  Since the JWT is verified for each request when
    performing JWT authentication, the SessionData is not
    needed.
    
    * An org.jose4j.jwt.JwtClaims object is no longer stored on
    the runAs Subject.  However, the access token from the request
    is stored on the runAs Subject and is accessible via the
    com.ibm.websphere.security.oidc.util.OidcClientHelper.getJwtFromSubject()
    API.  See the OIDCClientHelper Javadoc article in the
    Knowledge Center for additional information:
    https://www.ibm.com/support/knowledgecenter/en/SSAW57_9.0.5/com.ibm.websphere.javadoc.doc/web/apidocs/com/ibm/websphere/security/oidc/util/OidcClientHelper.html
    
    The following methods are added to the
    com.ibm.websphere.security.oidc.util.OidcClientHelper API:
    
    getJwtClaimsAsString(String)
    getJwtClaimsAsMap(String)
    json2map(String)
    getJwtFromSubject()
    getJwtFromSubject(Subject)
    
    /**
     * Get the JWT claims from a JWT as a JSON String.
     *
     * For example:
     * {"sub":"1234567890","name":"John Doe", "admin": true,
     * "exp":1588806453}
     *
     * @return The JWT claims JSON String
     * @throws Exception if an error occurs decoding the JWT
     */
    public static String getJwtClaimsAsString(String jwtString)
    throws Exception
    
    /**
     * Get the JWT claims from a JWT as a Map.
     *
     * The Map will have value types that correspond to the
     * values in the claims string.  For instance,
     * the following claims string:
     * {"sub":"1234567890","name":"John Doe", "admin": true,
     * "exp":1588806453}
     *
     * will produce the map entries with the value types:
     * String, String, Boolean, Long
     *
     * @return The JWT claims JSON represented as a Map
     * @throws Exception if an error occurs decoding the JWT
     */
    public static Map<String,Object> getJwtClaimsAsMap(String jwtString)
    throws Exception
    
    /**
     * Convert a JSON String to a Map.
     *
     * The Map will have value types that correspond to the
     * values in the JSON string.  For instance,
     * the following JSON string:
     * {"sub":"1234567890","name":"John Doe", "admin": true,
     * "exp":1588806453}
     *
     * will produce the map entries with the value types:
     * String, String, Boolean, Long
     *
     * @return A Map created from the JSON String
     * @throws Exception if an error occurs creating the Map
     */
    public static Map<String,Object> json2map(String jsonString)
    throws Exception
    
    /**
     * Retrieve the JWT Authentication token from the current
     * runAs Subject.
     *
     * @return The JWT Authentication token String or null if
     * there is no JWT Authentication token on the Subject
     * @throws Exception if an error occurs either while
     * obtaining the runAs Subject or accessing the private
     * credentials.
     */
    public static String getJwtFromSubject() throws Exception
    
    /**
     * Retrieve the JWT Authentication token from the input
     * Subject.
     *
     * @return The JWT Authentication token String or null if
     * there is no JWT Authentication token on the Subject
     * @throws Exception if an error occurs when accessing the
     * private credentials in the Subject.
     */
    public static String getJwtFromSubject(Subject subj)
    throws Exception
    
    
    The fix for this APAR is targeted for inclusion in fix packs
    8.5.5.18 and 9.0.5.5.  For more information, see
    'Recommended Updates for WebSphere Application Server':
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    
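The following is an added, self-contained illustration of the root cause described in the Problem conclusion; it is not IBM code and does not use the WebSphere or jose4j classes. A stand-in class plays the role of org.jose4j.jwt.JwtClaims (a parsed claims holder that does not implement Serializable), and a Serializable session object that holds it is pushed through java.io.ObjectOutputStream, which is what a replicating or disk-offloading cache does with its values. The "after" shape keeps only the compact JWT string, as the fix does, and re-derives the claims JSON from the token's payload segment on demand. The sample token is constructed (the signature segment is a placeholder, and no signature check is performed here).

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public final class SessionDataReplicationDemo {

    /** Stand-in for org.jose4j.jwt.JwtClaims: a parsed claims holder that is NOT Serializable. */
    static final class ParsedClaims {
        final String json;
        ParsedClaims(String json) { this.json = json; }
    }

    /** Pre-fix shape: the session object is Serializable, but one of its fields is not. */
    static final class SessionDataBefore implements Serializable {
        private static final long serialVersionUID = 1L;
        final String accessToken;
        final ParsedClaims claims;   // this field is what the cache cannot replicate
        SessionDataBefore(String accessToken, ParsedClaims claims) {
            this.accessToken = accessToken;
            this.claims = claims;
        }
    }

    /** Post-fix shape: only the compact JWT string is kept; claims are decoded when needed. */
    static final class SessionDataAfter implements Serializable {
        private static final long serialVersionUID = 1L;
        final String accessToken;
        SessionDataAfter(String accessToken) { this.accessToken = accessToken; }
    }

    /** What a replicating cache does with a value: Java-serialize it. Returns the encoded size or throws. */
    static int serialize(Object value) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(value);
        }
        return bytes.size();
    }

    /** Decode the payload segment of a compact JWS into its claims JSON (no signature verification). */
    static String claimsJson(String jwt) {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) {
            throw new IllegalArgumentException("not a compact JWS: expected 3 dot-separated segments");
        }
        return new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
    }

    private static String b64url(String s) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(s.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample token: real base64url JSON header and payload, placeholder signature.
        String header = b64url("{\"alg\":\"HS256\",\"typ\":\"JWT\"}");
        String payload = b64url("{\"sub\":\"1234567890\",\"name\":\"John Doe\",\"admin\":true,\"exp\":1588806453}");
        String jwt = header + "." + payload + ".placeholder-signature";

        try {
            serialize(new SessionDataBefore(jwt, new ParsedClaims(claimsJson(jwt))));
            System.out.println("before fix: unexpectedly serialized");
        } catch (NotSerializableException e) {
            // The offending class name is the exception message, exactly as DYNA0052E reports it.
            System.out.println("before fix: NotSerializableException for " + e.getMessage());
        }

        int size = serialize(new SessionDataAfter(jwt));
        System.out.println("after fix: replicated " + size + " bytes; claims on demand = " + claimsJson(jwt));
    }
}
```

The point to take from the "after" branch is that storing the compact token string costs nothing in replication terms, while any parsed object graph placed in a shared cache must be Serializable end to end, not just at the top level.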
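As an added example of consuming the API methods listed above (this is hypothetical application code, not IBM's, and the class name CallerClaims is invented), the helper below reads the caller's JWT claims through OidcClientHelper.getJwtFromSubject() and getJwtClaimsAsMap(String). It assumes WebSphere Application Server traditional at a level that contains this APAR on the compile classpath. It handles the documented case where no JWT authentication token is on the Subject (getJwtFromSubject() returns null) and relies on the value types the Javadoc specifies (String, Boolean, Long); because the OIDC TAI verifies the JWT on every request, the helper only reads claims and does not re-validate the token.

```java
import java.util.Map;
import javax.security.auth.Subject;
import com.ibm.websphere.security.oidc.util.OidcClientHelper;

/** Hypothetical application helper built on the OidcClientHelper methods added by PH21827. */
public final class CallerClaims {

    private CallerClaims() {}

    /**
     * Claims of the current runAs Subject's JWT as a typed Map, or null when the Subject carries
     * no JWT authentication token (e.g. the request was authenticated by another mechanism).
     */
    public static Map<String, Object> forCurrentCaller() throws Exception {
        String jwt = OidcClientHelper.getJwtFromSubject();
        return jwt == null ? null : OidcClientHelper.getJwtClaimsAsMap(jwt);
    }

    /** Same lookup against an explicitly supplied Subject. */
    public static Map<String, Object> forSubject(Subject subj) throws Exception {
        String jwt = OidcClientHelper.getJwtFromSubject(subj);
        return jwt == null ? null : OidcClientHelper.getJwtClaimsAsMap(jwt);
    }

    /** "sub" arrives as a String; any other type (or absence) yields null rather than a ClassCastException. */
    public static String subject(Map<String, Object> claims) {
        Object v = claims.get("sub");
        return v instanceof String ? (String) v : null;
    }

    /** Boolean claims arrive as Boolean; a missing claim or a non-Boolean value is treated as false. */
    public static boolean isAdmin(Map<String, Object> claims) {
        return Boolean.TRUE.equals(claims.get("admin"));
    }

    /** Numeric claims such as "exp" arrive as Long; returns seconds remaining, or -1 if "exp" is absent. */
    public static long secondsUntilExpiry(Map<String, Object> claims, long nowEpochSeconds) {
        Object v = claims.get("exp");
        return v instanceof Long ? ((Long) v) - nowEpochSeconds : -1L;
    }
}
```

Callers should check for a null Map before reading claims, since a null return is the normal signal that the request did not carry a JWT rather than an error condition; the checked Exception from the API is reserved for failures decoding the token or accessing the Subject's private credentials.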

Temporary fix

Comments

APAR Information

  • APAR number

    PH21827

  • Reported component name

    WEBSPHERE APP S

  • Reported component ID

    5724J0800

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-02-05

  • Closed date

    2020-06-29

  • Last modified date

    2020-06-29

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE APP S

  • Fixed component ID

    5724J0800

Applicable component levels


Document Information

Modified date:
30 June 2020