IBM Support

PH15820: OAuth provider may create a principal with realm name prepended to user name

Abstract

OAuth provider may create a principal with realm name prepended to user name

Download Description

PH15820 resolves the following problem:
ERROR DESCRIPTION:
When useDomainQualifiedUserNames="true", the OAuth provider may create a WebSphere Subject with a principal name that has the realm name prepended to the user name, for instance defaultWIMFileBasedRealm/user1 instead of user1. This problem seems to occur only with the authorization code flow; the password flow is not affected.
LOCAL FIX:
As a workaround, set useDomainQualifiedUserNames="false". This is a global security setting, so confirm that no other application or security configuration in the cell relies on realm-qualified user names before changing it.
PROBLEM SUMMARY:
USERS AFFECTED:
Users of the OAuth provider in IBM WebSphere Application Server
PROBLEM DESCRIPTION:
The OAuth provider may create a Subject whose principal name has the realm name prepended to the user name
RECOMMENDATION:
Install a fix pack or interim fix that includes this APAR.
PROBLEM CONCLUSION:
This behavior occurs only when the useDomainQualifiedUserNames security property is set to true. You can see the setting for this property in the admin console:
Security > Global security, then under Authentication, check Use realm-qualified user names
The OAuth provider populates the principal with the result of HttpServletRequest.getUserPrincipal().getName(). When useDomainQualifiedUserNames is set to true, that call returns the user name with the realm name prepended (for example, defaultWIMFileBasedRealm/user1), and the OAuth provider copied it into the Subject unchanged.
The OAuth provider is updated so that, when useDomainQualifiedUserNames is set to true, the realm name is removed from the result of HttpServletRequest.getUserPrincipal().getName() before it is used as the principal name for the Subject. This fix is an update to the OAuth EAR file, WebSphereOauth20SP.ear. Applying the fix replaces the old EAR file in the (WAS_HOME)/installableApps directory with the updated one. For any cell that is running the EAR, the fix is not active in that cell until the installed WebSphereOauth20SP.ear is updated from the new EAR in the installableApps directory.
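The defect and the corrected behaviour side by side, as an added example that is not IBM's code: the realm name, the ContainerPrincipal class and the two helper methods are stand-ins written for this page, and the rule "strip only the configured realm prefix, never everything before the first '/'" is an assumption about how a safe fix should behave, not a description of the shipped EAR. It also shows why the symptom matters: anything keyed on the Subject's principal name (role mappings, resource-owner checks, audit records) would see defaultWIMFileBasedRealm/user1 from the authorization code flow and user1 from the password flow for the same user.

```java
import java.security.Principal;
import java.util.Objects;

/**
 * Stand-in for the container's HttpServletRequest.getUserPrincipal() result.
 * With useDomainQualifiedUserNames=true WebSphere returns "<realm>/<user>";
 * this class is constructed here only to illustrate the APAR, it is not
 * WebSphere code.
 */
public class RealmQualifiedPrincipal {

    static final class ContainerPrincipal implements Principal {
        private final String name;
        ContainerPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    /** Behaviour before PH15820: the container principal name is copied as-is. */
    static String principalNameBeforeFix(Principal p) {
        return p.getName();
    }

    /**
     * Behaviour after the fix (assumed implementation): drop "<realm>/" only
     * when the name really starts with the configured realm. A user name that
     * happens to contain '/' or a principal from a different realm is left
     * intact rather than silently truncated at the first '/'.
     */
    static String principalNameAfterFix(Principal p, String realm,
                                        boolean useDomainQualifiedUserNames) {
        String name = Objects.requireNonNull(p.getName(), "principal name");
        if (!useDomainQualifiedUserNames) {
            return name;                       // property false: nothing was prepended
        }
        String prefix = realm + "/";
        if (name.startsWith(prefix) && name.length() > prefix.length()) {
            return name.substring(prefix.length());
        }
        return name;                           // unqualified, or not this server's realm
    }

    public static void main(String[] args) {
        String realm = "defaultWIMFileBasedRealm";      // realm from the APAR text

        // authorization code flow with the property set to true: qualified name
        Principal qualified = new ContainerPrincipal(realm + "/user1");
        // password flow (or property false): plain user name
        Principal plain = new ContainerPrincipal("user1");
        // constructed edge case: a principal from another realm
        Principal foreign = new ContainerPrincipal("otherRealm/user1");

        System.out.println("before fix, qualified : " + principalNameBeforeFix(qualified));
        System.out.println("after fix, qualified  : " + principalNameAfterFix(qualified, realm, true));
        System.out.println("after fix, plain      : " + principalNameAfterFix(plain, realm, true));
        System.out.println("after fix, foreign    : " + principalNameAfterFix(foreign, realm, true));
        System.out.println("property false        : " + principalNameAfterFix(qualified, realm, false));
    }
}
```

Run it with `java RealmQualifiedPrincipal.java` on JDK 11 or later. The last line shows the workaround from LOCAL FIX: with the property false the container never prepends the realm, so the name passes through untouched in both flows.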
You can tell whether the OAuth EAR file is installed in a cell by checking for a directory called WebSphereOauth20SP.ear in the (CELL_ROOT)/applications directory.
If WebSphereOauth20SP.ear is installed in your cell, do the following after applying the fix:
  1. Update WebSphereOauth20SP.ear from the (WAS_HOME)/installableApps directory on your stand-alone application server or deployment manager.
  2. If you are using Network Deployment, ensure that all of the nodes are synchronized.
The fix for this APAR is currently targeted for inclusion in fix pack 8.5.5.17 and 9.0.5.2. Please refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Prerequisites

None

Installation Instructions

Please review the readme.txt for detailed installation instructions.

URL          SIZE (Bytes)
V85 Readme   7168
V90 Readme   5821

Download Package

DOWNLOAD                        RELEASE DATE   SIZE (Bytes)   DOWNLOAD OPTIONS
8.5.5.6-WS-WASProd-IFPH15820    11-01-2019     353763         Fix Central (FC)
9.0.0.0-WS-WASProd-IFPH15820    11-01-2019     357776         Fix Central (FC)

Problems Solved

PH15820

Technical Support

Contact IBM Support using SR (http://www.ibm.com/software/support/probsub.html), visit the support web site, or contact 1-800-IBM-SERV (U.S. only).

Document Location

Worldwide

Business Unit: Hybrid Cloud (BU004)
Product: WebSphere Application Server (SSEQTP)
Component: General
Platforms: AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS
Versions: 8.5.5.6, 8.5.5.7, 8.5.5.8, 8.5.5.9, 8.5.5.10, 8.5.5.11, 8.5.5.12, 8.5.5.13, 8.5.5.14, 8.5.5.15, 8.5.5.16, 9.0.0.0, 9.0.0.1, 9.0.0.2, 9.0.0.3, 9.0.0.4, 9.0.0.5, 9.0.0.6, 9.0.0.7, 9.0.0.8, 9.0.0.9, 9.0.0.10, 9.0.0.11, 9.0.5.0, 9.0.5.1
Editions: Network Deployment, Single Server, Base

Document Information

Modified date:
04 November 2019

UID

ibm11102551