Abstract
PH21827: OIDC RP: NotSerializableException for JwtClaims error may occur.
Download Description
THIS FIX HAS BEEN SUPERSEDED BY A LATER IFIX
This fix has been superseded by a fix for another APAR. For information on how to obtain the latest OpenID Connect runtime that includes this APAR, see the technote Obtaining WebSphere OpenID Connect (OIDC) latest version.
ERROR DESCRIPTION:
When using the OpenID Connect (OIDC) trust association interceptor (TAI) in WebSphere Application Server traditional, a java.io.NotSerializableException error for the org.jose4j.jwt.JwtClaims object can occur. When this problem happens, an entry like this appears in the log:
DYNA0052E: The cached object cannot be replicated or saved to disk. CacheID=1618033989
ClassName=com.ibm.ws.security.oidc.client.SessionData
Type=cache-value Exception=java.io.NotSerializableException: org.jose4j.jwt.JwtClaims
The OIDC TAI is updated so that a java.io.NotSerializableException will not occur when saving its data in DynaCache.
- Detailed Conclusion
By default, the OIDC TAI stores data in a DynaCache object. When used in a cluster environment, if the cache that OIDC is configured to use is shared with all the servers in the cluster, then all the objects in the cache must be serializable.
The SessionData object that OIDC stores in DynaCache includes an org.jose4j.jwt.JwtClaims object. This object is not serializable. When the DynaCache component attempts to replicate a cache that contains a JwtClaims object, a java.io.NotSerializableException error will occur.
The OIDC TAI is updated so that the org.jose4j.jwt.JwtClaims object is no longer included in the OIDC session data object.
As a result of this change, when using the OIDC TAI to perform JWT authentication:
- The SessionData associated with each request is no longer stored. Since the JWT is verified for each request when performing JWT authentication, the SessionData is not needed.
- An org.jose4j.jwt.JwtClaims object is no longer stored on the runAs Subject. However, the access token from the request is stored on the runAs Subject and can be retrieved with the com.ibm.websphere.security.oidc.util.OidcClientHelper.getJwtFromSubject() API. See the OidcClientHelper Javadoc in the IBM Knowledge Center for more information: Class OidcClientHelper
- Updates to the com.ibm.websphere.security.oidc.util.OidcClientHelper API
The following methods are added to the com.ibm.websphere.security.oidc.util.OidcClientHelper API:
- getJwtClaimsAsString(String)
- getJwtClaimsAsMap(String)
- json2map(String)
- getJwtFromSubject()
- getJwtFromSubject(Subject)
    /**
     * Get the JWT claims from a JWT as a JSON String.
     *
     * For example:
     * {"sub":"1234567890","name":"John Doe", "admin": true,
     *  "exp":1588806453}
     *
     * @param jwtString The JWT to decode
     * @return The JWT claims JSON String
     * @throws Exception if an error occurs decoding the JWT
     */
    public static String getJwtClaimsAsString(String jwtString) throws Exception

    /**
     * Get the JWT claims from a JWT as a Map.
     *
     * The Map will have value types that correspond to the
     * values in the claims string. For instance,
     * the following claims string:
     * {"sub":"1234567890","name":"John Doe", "admin": true,
     *  "exp":1588806453}
     *
     * will produce the map entries with the value types:
     * String, String, Boolean, Long
     *
     * @param jwtString The JWT to decode
     * @return The JWT claims JSON represented as a Map
     * @throws Exception if an error occurs decoding the JWT
     */
    public static Map<String,Object> getJwtClaimsAsMap(String jwtString) throws Exception

    /**
     * Convert a JSON String to a Map.
     *
     * The Map will have value types that correspond to the
     * values in the JSON string. For instance,
     * the following JSON string:
     * {"sub":"1234567890","name":"John Doe", "admin": true,
     *  "exp":1588806453}
     *
     * will produce the map entries with the value types:
     * String, String, Boolean, Long
     *
     * @param jsonString The JSON String to convert
     * @return A Map created from the JSON String
     * @throws Exception if an error occurs creating the Map
     */
    public static Map<String,Object> json2map(String jsonString) throws Exception

    /**
     * Retrieve the JWT Authentication token from the current
     * runAs Subject.
     *
     * @return The JWT Authentication token String or null if
     *         there is no JWT Authentication token on the Subject
     * @throws Exception if an error occurs either while
     *         obtaining the runAs Subject or accessing the private
     *         credentials.
     */
    public static String getJwtFromSubject() throws Exception

    /**
     * Retrieve the JWT Authentication token from the input
     * Subject.
     *
     * @param subj The Subject to inspect
     * @return The JWT Authentication token String or null if
     *         there is no JWT Authentication token on the Subject
     * @throws Exception if an error occurs when accessing the
     *         private credentials in the Subject.
     */
    public static String getJwtFromSubject(Subject subj) throws Exception
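How application code uses the updated helpers after this change, as an added example that is not part of the APAR or of WebSphere: a servlet retrieves the token from the runAs Subject with getJwtFromSubject(), handles the null case the Javadoc documents, and reads typed claims through getJwtClaimsAsMap(). The servlet class, the "admin" claim gate (the claim name mirrors the sample claims in the Javadoc above and is not a standard claim) and the response text are assumptions for illustration; the example assumes an application protected by the OIDC TAI configured for JWT authentication on a level that carries this fix.

```java
import java.io.IOException;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.ibm.websphere.security.oidc.util.OidcClientHelper;

/**
 * Illustrative servlet (not shipped with WebSphere) that reads the caller's
 * JWT claims after the OIDC TAI has performed JWT authentication for the
 * request and placed the token on the runAs Subject.
 */
public class JwtClaimsServlet extends HttpServlet {

    // Hypothetical application-specific authorization claim; mirrors the
    // "admin" entry in the sample claims above and is not a standard claim.
    private static final String ADMIN_CLAIM = "admin";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        final String jwt;
        try {
            // Null means the Subject carries no JWT Authentication token
            // (the request was not authenticated with JWT authentication).
            jwt = OidcClientHelper.getJwtFromSubject();
        } catch (Exception e) {
            throw new ServletException("Cannot read runAs Subject", e);
        }
        if (jwt == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "no JWT on runAs Subject");
            return;
        }

        final Map<String, Object> claims;
        try {
            // The helper decodes the claims. The token is taken from the
            // Subject, which the TAI populated only after verifying it for
            // this request, rather than from the raw Authorization header.
            claims = OidcClientHelper.getJwtClaimsAsMap(jwt);
        } catch (Exception e) {
            throw new ServletException("Cannot decode JWT claims", e);
        }

        // Map values carry the JSON types: "sub" is a String, "exp" a Long,
        // "admin" a Boolean. Narrow them defensively instead of blind casting.
        String subject = asString(claims.get("sub"));
        Long exp = asLong(claims.get("exp"));          // seconds since the epoch
        boolean admin = Boolean.TRUE.equals(claims.get(ADMIN_CLAIM));

        if (subject == null || exp == null) {
            // Application policy (assumption): a token without these claims is
            // treated as a misconfiguration, not as an anonymous caller.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "required claims missing");
            return;
        }
        if (!admin) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        resp.setContentType("text/plain");
        // Write only what the caller is entitled to see; never echo the token
        // or the full claim set back into a response or a log.
        resp.getWriter().println("admin session for " + subject + " (exp=" + exp + ")");
    }

    private static String asString(Object v) {
        return v instanceof String ? (String) v : null;
    }

    private static Long asLong(Object v) {
        return v instanceof Number ? Long.valueOf(((Number) v).longValue()) : null;
    }
}
```

The Javadoc above describes getJwtClaimsAsString, getJwtClaimsAsMap and json2map as decoding helpers, not verifiers, so feed them the token obtained from the Subject (already verified by the TAI) and not a value copied out of an incoming Authorization header.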
The fix for this APAR is targeted for inclusion in fix packs 8.5.5.18 and 9.0.5.5. Refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
Document Information
Modified date:
22 September 2020
UID
ibm16254403