IBM Support

PH29156: JAX-WS CLIENT MAY NOT SEND REQUEST TO PROVIDER: EXPOSE SERIALIZESECURITYCONTEXT AT JVM LEVEL


APAR status

  • Closed as new function.

Error description

  • A JAX-WS web service client request may not be sent to the
    provider when base security is enabled and there are issues
    with the security context that prevent the security context
    from being serialized.
    
    An error like the following may be seen in the logs:
    ======================
    SECJ5010E: Could not create default AuthenticationToken during propagation login. The following exception occurred:
    com.ibm.websphere.security.auth.WSLoginFailedException: Validation of LTPA token failed due to invalid keys or token type.
    at com.ibm.ws.security.ltpa.LTPAServerObject.validateToken(LTPAServerObject.java:1187)
    ...
    at java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:365)
    at com.ibm.ws.websvcs.utils.SecurityContextMigrator$5.run(SecurityContextMigrator.java:375)
    at java.security.AccessController.doPrivileged(AccessController.java:734)
    at com.ibm.ws.websvcs.utils.SecurityContextMigrator.migrateThreadToContext(SecurityContextMigrator.java:372)
    at org.apache.axis2.util.ThreadContextMigratorUtil.performMigrationToContext(ThreadContextMigratorUtil.java:162)
    ...
    at org.apache.axis2.jaxws.client.proxy.JAXWSProxyHandler.invoke(JAXWSProxyHandler.java:213)
    =============================================
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server                                      *
    *                  and JAX-WS web services                     *
    ****************************************************************
    * PROBLEM DESCRIPTION: When base security is enabled, a JAX-WS *
    *                      client may not send a request to the    *
    *                      provider due to security context        *
    *                      serialization.                          *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack that contains this       *
    *                  APAR.                                       *
    ****************************************************************
    A JAX-WS web service client request may not be sent to the
    provider when base security is enabled and there are issues
    with the security context that prevent it from being
    serialized.
    

Problem conclusion

  • On an application server, when a JAX-WS client makes a service
    call and base security is enabled, the WebSphere security
    context is serialized to the web services message context.
    This is done because downstream handlers may need to
    serialize the entire message context (WS-Reliable Messaging,
    for example).
    
    This serialization may cause core security to return errors for
    various reasons, for example: non-serializable objects are in
    the security context, or an LTPA token cannot be verified.
    
    APAR PI07385 introduced a JAX-WS client property called
    com.ibm.websvcs.client.serializeSecurityContext.  This property
    is set on the BindingProvider and it is used to direct
    serialization of the security context in the
    com.ibm.ws.websvcs.utils.SecurityContextMigrator class.
    
    The com.ibm.websvcs.client.serializeSecurityContext JAX-WS
    client property is extended to be a JVM system property. To
    prevent the security context from being serialized, set this
    property to false. The default is true.
    
    The value for this property in the JVM will be the default
    setting.  If this property is set on the BindingProvider, it
    will override the JVM setting.
    
    When com.ibm.websvcs.client.serializeSecurityContext is set to
    false, the security context will not be serialized onto the
    MessageContext. A reference to the active context will be used
    instead. This will cause problems if you are making an
    asynchronous service call or using a Reliable Messaging policy.
    
    The WS-Reliable Messaging qualities of service managed
    persistent and managed non-persistent require that the
    request, including the SecurityContext, is serializable to
    persistent storage. Therefore, if WS-Reliable Messaging is
    also configured on such a request with either the managed
    persistent or the managed non-persistent quality of service,
    the request will not be sent and you will receive a message
    like:
    
    CWSKA0112E: There is a conflict between the
    WS-ReliableMessaging quality of service managedPersistent and
    the BindingProvider property
    com.ibm.websvcs.client.serializeSecurityContext having the
    value false.
    
    The fix for this APAR is targeted for inclusion in fix pack
    8.5.5.19 and 9.0.5.6. For more information, see 'Recommended
    Updates for WebSphere Application Server':
    https://www.ibm.com/support/pages/node/715553
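
The precedence described above (a BindingProvider value overrides the JVM system property, which defaults to true) and the conflict with asynchronous calls and managed WS-ReliableMessaging, as an added Java example that is not IBM's code. The class name, the `asyncCall` and `managedRmQos` flags and the Boolean-or-String parsing are assumptions; the map stands in for `BindingProvider.getRequestContext()`.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration of the precedence the APAR describes; not IBM code.
public class SerializeSecurityContextCheck {
    static final String PROP = "com.ibm.websvcs.client.serializeSecurityContext";

    // BindingProvider value wins, then the JVM system property, then the default (true).
    static boolean effectiveSetting(Map<String, Object> requestContext) {
        Object perClient = requestContext.get(PROP);
        if (perClient != null) {
            // Assumption: the value may be a Boolean or its String form.
            return Boolean.parseBoolean(perClient.toString());
        }
        String jvmDefault = System.getProperty(PROP);
        return jvmDefault == null || Boolean.parseBoolean(jvmDefault);
    }

    // Returns a warning when serialization is off but the call needs it, else null.
    static String conflict(Map<String, Object> requestContext,
                           boolean asyncCall, boolean managedRmQos) {
        if (effectiveSetting(requestContext)) {
            return null;
        }
        if (managedRmQos) {
            return "managed WS-ReliableMessaging QoS: request will not be sent (CWSKA0112E)";
        }
        if (asyncCall) {
            return "asynchronous call: only a reference to the active context is used";
        }
        return null;
    }

    public static void main(String[] args) {
        // Same effect as starting the JVM with -D<PROP>=false.
        System.setProperty(PROP, "false");

        // Stands in for ((BindingProvider) port).getRequestContext().
        Map<String, Object> ctx = new HashMap<>();
        System.out.println(effectiveSetting(ctx));          // JVM default applies
        System.out.println(conflict(ctx, false, true));     // RM conflict reported

        ctx.put(PROP, Boolean.TRUE);                        // per-client override
        System.out.println(effectiveSetting(ctx));
        System.out.println(conflict(ctx, false, true));     // no conflict
    }
}
```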
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH29156

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-09-03

  • Closed date

    2020-09-18

  • Last modified date

    2020-09-18

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels


Document Information

Modified date:
19 September 2020