IBM Support

PH59784: SAML NPE IN HTTPPOSTREQUESTCONSUMER WHEN NO SUBJECTCONFIRMATION ELEMENT IN ASSERTION

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • When the required SubjectConfirmation element in the SAML
    Assertion in a SAMLResponse, an java.lang.NullPointerException
    might occur in the com.ibm.ws.wssecurity.saml.profile.saml20.ss
    o.web.HTTPPOSTRequestConsumer class.
    
    
    You might see an entry like the following in a SAML trace:
    
    2/10/24 2:13:18:144 EST] 00000076 WebAuthentica E   SECJ0126E:
    Trust Association failed during validation. The exception is
    com.ibm.websphere.security.WebTrustAssociationFailedException:
    java.lang.NullPointerException
    	at com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor
    .createTAIErrorResult(ACSTrustAssociationInterceptor.java:848)
    
    And the following in an FFDC file:
    
    [2/10/24 2:13:18:132 EST]     FFDC Exception:com.ibm.websphere.
    security.WebTrustAssociationFailedExceptionSourceId:com.ibm.ws.s
    
    
    eptor.invokeTAIbeforeSSOProbeId:648
    com.ibm.websphere.security.WebTrustAssociationFailedException:
    java.lang.NullPointerException
    	at com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor
    .processSAMLResponseContext(ACSTrustAssociationInterceptor.java
    :1036)
    	at com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor
    .invokeTAIbeforeSSO(ACSTrustAssociationInterceptor.java:629)
    	at com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor
    .negotiateValidateandEstablishTrust(ACSTrustAssociationIntercep
    tor.java:426)
    (snip)
    Caused by: javax.servlet.ServletException:
    java.lang.NullPointerException
    	at com.ibm.ws.security.web.saml.SAMLResponseProcessor.consumeS
    AMLResponse(SAMLResponseProcessor.java:102)
    	at com.ibm.ws.security.web.saml.SAMLResponseProcessor.processS
    AMLResponse(SAMLResponseProcessor.java:83)
    	at com.ibm.ws.security.web.saml.SAMLResponseProcessor.process(
    SAMLResponseProcessor.java:51)
    	at com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor
    .processSAMLResponseContext(ACSTrustAssociationInterceptor.java
    :1034)
    	... 33 more
    Caused by: java.lang.NullPointerException
    	at com.ibm.ws.wssecurity.saml.profile.saml20.sso.web.HTTPPOSTR
    equestConsumer.validateSubjectConfirmation(HTTPPOSTRequestConsu
    mer.java:1096)
    	at com.ibm.ws.wssecurity.saml.profile.saml20.sso.web.HTTPPOSTR
    equestConsumer.validateSubject(HTTPPOSTRequestConsumer.java:107
    9)
    	at com.ibm.ws.wssecurity.saml.profile.saml20.sso.web.HTTPPOSTR
    equestConsumer.validateAssertion20(HTTPPOSTRequestConsumer.java
    :975)
    	at com.ibm.ws.wssecurity.saml.profile.saml20.sso.web.HTTPPOSTR
    equestConsumer.validateSAMLAssertion(HTTPPOSTRequestConsumer.ja
    va:240)
    	at com.ibm.ws.wssecurity.saml.profile.saml20.sso.web.HTTPPOSTR
    equestConsumer.validate(HTTPPOSTRequestConsumer.java:192)
    	at com.ibm.ws.wssecurity.saml.profile.saml20.sso.web.HTTPPOSTR
    equestConsumer.consumeSAMLResponse(HTTPPOSTRequestConsumer.java
    :115)
    	at com.ibm.ws.security.web.saml.SAMLResponseProcessor.consumeS
    AMLResponse(SAMLResponseProcessor.java:100)
    

Local fix

  • Make sure that the SAML Assertion in the SAMLResponse includes a
    
    
    SubjectConfirmation element.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server                                      *
    ****************************************************************
    * PROBLEM DESCRIPTION: A NullPointerException error occurs     *
    *                      when a SubjectConfirmation element is   *
    *                      not present in a SAML Assertion in a    *
    *                      SAMLResponse.                           *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack that contains this       *
    *                  APAR.                                       *
    ****************************************************************
    When the required SubjectConfirmation element in the SAML
    Assertion in a SAMLResponse, an java.lang.NullPointerException
    might occur in the com.ibm.ws.wssecurity.saml.profile.saml20.ss
    o.web.HTTPPOSTRequestConsumer class.
    

Problem conclusion

  • When the required SubjectConfirmation element is not present in
    the SAML Assertion in a SAMLResponse, the following message
    should be emitted:
    
    CWWSS8023E: The SAML Assertion MUST contain a
    SubjectConfirmation Method of
    urn:oasis:names:tc:SAML:2.0:cm:bearer.
    
    The fix for this APAR is targeted for inclusion in fix packs
    8.5.5.26 and 9.0.5.20. For more information, see 'Recommended
    Updates for WebSphere Application Server':
    https://www.ibm.com/support/pages/node/715553
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH59784

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2024-02-13

  • Closed date

    2024-06-06

  • Last modified date

    2024-06-06

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"9.0","Line of Business":{"code":"LOB67","label":"IT Automation \u0026 App Modernization"}}]

Document Information

Modified date:
06 June 2024