APAR status
Closed as program error.
Error description
When the required SubjectConfirmation element is not present in the SAML Assertion in a SAMLResponse, a java.lang.NullPointerException might occur in the com.ibm.ws.wssecurity.saml.profile.saml20.sso.web.HTTPPOSTRequestConsumer class. You might see an entry like the following in a SAML trace:

[2/10/24 2:13:18:144 EST] 00000076 WebAuthentica E SECJ0126E: Trust Association failed during validation. The exception is com.ibm.websphere.security.WebTrustAssociationFailedException: java.lang.NullPointerException
at com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor.createTAIErrorResult(ACSTrustAssociationInterceptor.java:848)

And the following in an FFDC file:

[2/10/24 2:13:18:132 EST] FFDC Exception:com.ibm.websphere.security.WebTrustAssociationFailedException SourceId:com.ibm.ws.s eptor.invokeTAIbeforeSSO ProbeId:648
com.ibm.websphere.security.WebTrustAssociationFailedException: java.lang.NullPointerException
at com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor.processSAMLResponseContext(ACSTrustAssociationInterceptor.java:1036)
at com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor.invokeTAIbeforeSSO(ACSTrustAssociationInterceptor.java:629)
at com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor.negotiateValidateandEstablishTrust(ACSTrustAssociationInterceptor.java:426)
(snip)
Caused by: javax.servlet.ServletException: java.lang.NullPointerException
at com.ibm.ws.security.web.saml.SAMLResponseProcessor.consumeSAMLResponse(SAMLResponseProcessor.java:102)
at com.ibm.ws.security.web.saml.SAMLResponseProcessor.processSAMLResponse(SAMLResponseProcessor.java:83)
at com.ibm.ws.security.web.saml.SAMLResponseProcessor.process(SAMLResponseProcessor.java:51)
at com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor.processSAMLResponseContext(ACSTrustAssociationInterceptor.java:1034)
... 33 more
Caused by: java.lang.NullPointerException
at com.ibm.ws.wssecurity.saml.profile.saml20.sso.web.HTTPPOSTRequestConsumer.validateSubjectConfirmation(HTTPPOSTRequestConsumer.java:1096)
at com.ibm.ws.wssecurity.saml.profile.saml20.sso.web.HTTPPOSTRequestConsumer.validateSubject(HTTPPOSTRequestConsumer.java:1079)
at com.ibm.ws.wssecurity.saml.profile.saml20.sso.web.HTTPPOSTRequestConsumer.validateAssertion20(HTTPPOSTRequestConsumer.java:975)
at com.ibm.ws.wssecurity.saml.profile.saml20.sso.web.HTTPPOSTRequestConsumer.validateSAMLAssertion(HTTPPOSTRequestConsumer.java:240)
at com.ibm.ws.wssecurity.saml.profile.saml20.sso.web.HTTPPOSTRequestConsumer.validate(HTTPPOSTRequestConsumer.java:192)
at com.ibm.ws.wssecurity.saml.profile.saml20.sso.web.HTTPPOSTRequestConsumer.consumeSAMLResponse(HTTPPOSTRequestConsumer.java:115)
at com.ibm.ws.security.web.saml.SAMLResponseProcessor.consumeSAMLResponse(SAMLResponseProcessor.java:100)
Local fix
Make sure that the SAML Assertion in the SAMLResponse includes a SubjectConfirmation element.
Problem summary
USERS AFFECTED: All users of IBM WebSphere Application Server
PROBLEM DESCRIPTION: A NullPointerException error occurs when a SubjectConfirmation element is not present in a SAML Assertion in a SAMLResponse.
RECOMMENDATION: Install a fix pack that contains this APAR.

When the required SubjectConfirmation element is not present in the SAML Assertion in a SAMLResponse, a java.lang.NullPointerException might occur in the com.ibm.ws.wssecurity.saml.profile.saml20.sso.web.HTTPPOSTRequestConsumer class.
Problem conclusion
When the required SubjectConfirmation element is not present in the SAML Assertion in a SAMLResponse, the following message should be emitted:

CWWSS8023E: The SAML Assertion MUST contain a SubjectConfirmation Method of urn:oasis:names:tc:SAML:2.0:cm:bearer.

The fix for this APAR is targeted for inclusion in fix packs 8.5.5.26 and 9.0.5.20. For more information, see 'Recommended Updates for WebSphere Application Server': https://www.ibm.com/support/pages/node/715553
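The check the fix describes, as an added example that is not IBM's code: the consumer looks for a SubjectConfirmation with the bearer Method before touching it, and reports CWWSS8023E instead of dereferencing a missing element. The two assertions below are constructed samples; the issuer and recipient URLs are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
# Message text taken from the APAR's problem conclusion.
CWWSS8023E = ("CWWSS8023E: The SAML Assertion MUST contain a SubjectConfirmation "
              "Method of urn:oasis:names:tc:SAML:2.0:cm:bearer.")

# Constructed sample: a well-formed bearer assertion (placeholder URLs).
ASSERTION_WITH_BEARER = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-02-10T07:13:18Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://sp.example.test/acs"
          NotOnOrAfter="2024-02-10T07:18:18Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""

# Constructed sample: the case from this APAR, Subject without SubjectConfirmation.
ASSERTION_NO_CONFIRMATION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-2" Version="2.0" IssueInstant="2024-02-10T07:13:18Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""


def validate_subject_confirmation(assertion_xml: str) -> tuple:
    """Return (ok, message) for a SAML 2.0 Assertion document.

    A missing Subject, a missing SubjectConfirmation, or a SubjectConfirmation
    whose Method is not bearer all yield (False, CWWSS8023E); nothing here
    dereferences an element before checking that it exists.
    """
    root = ET.fromstring(assertion_xml)
    subject = root.find("saml:Subject", NS)
    if subject is None:
        return False, CWWSS8023E
    confirmations = subject.findall("saml:SubjectConfirmation", NS)
    if not any(c.get("Method") == BEARER for c in confirmations):
        return False, CWWSS8023E
    return True, "bearer SubjectConfirmation present"
```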
Temporary fix
Comments
APAR Information
APAR number
PH59784
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
900
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2024-02-13
Closed date
2024-06-06
Last modified date
2024-06-06
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
Business Unit: IBM Software (BU048); Product: WebSphere Application Server (SSEQTP); Platform: Platform Independent (PF025); Version: 9.0; Line of Business: IT Automation & App Modernization (LOB67)
Document Information
Modified date:
06 June 2024