IBM Support

PI75095: OIDC ClassCastException java.util.ArrayList

Fixes are available

9.0.0.4: WebSphere Application Server traditional V9.0 Fix Pack 4
8.5.5.12: WebSphere Application Server V8.5.5 Fix Pack 12
9.0.0.5: WebSphere Application Server traditional V9.0 Fix Pack 5
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
9.0.0.6: WebSphere Application Server traditional V9.0 Fix Pack 6
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
9.0.0.7: WebSphere Application Server traditional V9.0 Fix Pack 7
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
PI96508: OIDC v1.05; OIDC RP may not connect to token endpoint due to SSL handshake failure
9.0.0.8: WebSphere Application Server traditional V9.0 Fix Pack 8
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
9.0.0.9: WebSphere Application Server traditional V9.0 Fix Pack 9
9.0.0.10: WebSphere Application Server traditional V9.0 Fix Pack 10
8.5.5.15: WebSphere Application Server V8.5.5 Fix Pack 15
PH08804: OIDC v1.1.0; OIDC RP default identifiers are not available when customs are configured
9.0.0.11: WebSphere Application Server traditional V9.0 Fix Pack 11
9.0.5.0: WebSphere Application Server traditional Version 9.0.5 Refresh Pack
PH13175: OIDC v1.2.0; OIDC RP tokens are not revoked when sessions are evicted from the cache
9.0.5.1: WebSphere Application Server traditional Version 9.0.5 Fix Pack 1
9.0.5.2: WebSphere Application Server traditional Version 9.0.5 Fix Pack 2
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
9.0.5.3: WebSphere Application Server traditional Version 9.0.5 Fix Pack 3

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • The WebSphere Application Server OpenId Connect Relying Party
    expects multi-valued group attributes, but in certain cases
    the OP can send a single-valued group attribute.
    

Local fix

  • Configure the OP to send a multi-valued group attribute
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server users of   *
    *                  OpenID Connect (OIDC)                       *
    ****************************************************************
    * PROBLEM DESCRIPTION: OIDC ClassCastException                 *
    *                      java.util.ArrayList                     *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack that contains this       *
    *                  APAR.                                       *
    ****************************************************************
    The OpenID Connect Trust Association Interceptor may return a
    403 to a client request, leaving the following FFDC:
    [1/25/17 15:47:36:764 MST] 000000de FfdcProvider  W
    com.ibm.ws.ffdc.impl.FfdcProvider logIncident FFDC1003I: FFDC
    Incident emitted on
    /usr/WebSphere/AppServer/profiles/AppSrvr/logs/ffdc/server1_4cb7
    d750_17.01.25_15.47.36.7608905319016880026677.txt
    com.ibm.ws.security.web.WebAuthenticator.handleTrustAssociation
    590
    [1/25/17 15:47:36:765 MST] 000000de WebAuthentica ESECJ0128E:
    An unexpected exception occurred during Trust Association. The
    exception is java.lang.ClassCastException: java.lang.String
    incompatible with java.util.ArrayList
    at
    com.ibm.ws.security.oidc.client.SessionData.getGroupIds(SessionD
    ata.java:407)
    at
    com.ibm.ws.security.oidc.client.SessionData.getJaasSubject(Sessi
    onData.java:565)
    at
    com.ibm.ws.security.oidc.client.RelyingParty.AuthenticateUsingSe
    ssionCookie(RelyingParty.java:612)
    at
    ...
    

Problem conclusion

  • If a JSON Web Token (JWT) has a group with only one member,
    the group query will return a String instead of an ArrayList.
    The OIDC code is expecting an ArrayList, thus the
    ClassCastException.
    
    The OIDC runtime is updated to allow a String or ArrayList
    return from the group query of a JWT.
    
    The fix for this APAR is currently targeted for inclusion in
    fix pack 8.0.0.14, 8.5.5.12 and 9.0.0.4.  Please refer to the
    Recommended Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI75095

  • Reported component name

    WEBSPHERE APP S

  • Reported component ID

    5724J0800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2017-01-17

  • Closed date

    2017-03-07

  • Last modified date

    2017-03-07

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE APP S

  • Fixed component ID

    5724J0800

Applicable component levels

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"850","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Document Information

Modified date:
29 June 2020