IBM Support

PH29099: OIDC RP: CLASSNOTFOUNDEXCEPTION FOR JSONUTIL$DUPEKEYDISALLOWINGLINKEDHASHMAP

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • In a cluster environment, the OpenID Connect (OIDC) TAI may
    redirect back to the OpenID provider (OP) after successful
    login.
    
    You can see this error in SystemOut.log:
    CWTAI2009I: The OpenID Connect relying party (RP) did not find
    an entry for session cookie OIDCSESSIONID_client1
    
    In an OIDC trace, you will see:
    [9/1/20 10:04:25:153 UTC] 000000ce DynaCacheUtil 3   getCache()
    returns [not null]
    [9/1/20 10:04:25:156 UTC] 000000ce SystemErr     R
    java.lang.ClassNotFoundException:
    org.jose4j.json.JsonUtil$DupeKeyDisallowingLinkedHashMap
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server                                      *
    *                  and OpenID Connect                          *
    ****************************************************************
    * PROBLEM DESCRIPTION: The OIDC TAI may redirect back to the   *
    *                      OP                                      *
    *                      after successful login in a cluster     *
    *                      environment                             *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack or interim fix that      *
    *                  contains                                    *
    *                  this APAR.                                  *
    ****************************************************************
    When the OpenID Connect (OIDC) relying party (RP) Trust
    Association Interceptor (TAI) is used in a cluster environment
    and more than one cluster member is active, after a user logs in
    to an OpenID provider (OP), they may be redirected back to the
    OP
    to login again.  The following entry can be found in an OIDC
    trace when you have this issue:
    [9/1/20 10:04:25:156 UTC] 000000ce SystemErr     R
    java.lang.ClassNotFoundException:
    org.jose4j.json.JsonUtil$DupeKeyDisallowingLinkedHashMap
    

Problem conclusion

  • The OIDC TAI stores the data for a user login in a SessionData
    object in DynaCache.  This SessionData object contains a Map of
    the claims in the idToken that was returned from the OP after
    login.
    
    The Map that is stored in the SessionData object is obtained fro
    a jose4j JwtClaims object.  If the Map contains embedded Maps,
    the jos4j code creates them as
    org.jose4j.json.JsonUtil$DupeKeyDisallowingLinkedHashMap objects
    
    The DynaCache component can serialize the
    DupeKeyDisallowingLinkedHashMap object, but since the OIDC
    runtime does not expose the jose4j classes, the DynaCache
    component cannot deserialize the DupeKeyDisallowingLinkedHashMap
    object.
    
    The DynaCache component will only attempt to
    serialize/deserialize entries in the cache when running in a
    cluster and more than one cluster member is active.
    
    The OIDC TAI is updated to ensure that the SessionData object
    that is stored in DynaCache does not include any
    org.jose4j.json.JsonUtil$DupeKeyDisallowingLinkedHashMap objects
    they are converted to java.util.LinkHashMap objects.
    
    The fix for this APAR is targeted for inclusion in fix packs
    8.5.5.19 and 9.0.5.6.  For more information, see 'Recommended
    Updates for WebSphere Application Server':
    https://www.ibm.com/support/pages/node/715553
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH29099

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-09-02

  • Closed date

    2020-09-18

  • Last modified date

    2020-09-21

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

[{"Line of Business":{"code":"LOB10","label":"Data and AI"},"Business Unit":{"code":"BU029","label":"Software"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"900"}]

Document Information

Modified date:
22 September 2020