IBM Support

PH29099: OIDC RP: ClassNotFoundException for JsonUtil$DupeKeyDisallowingLinkedHashMap

Download


Downloadable File

Abstract

PH29099: OIDC RP: ClassNotFoundException for JsonUtil$DupeKeyDisallowingLinkedHashMap

Download Description

THIS FIX IS SUPERSEDED BY THE A LATER INTERIM FIX
This fix is superseded by a fix for another APAR. To see how to obtain the most recent OpenID Connect runtime that includes this APAR, go to the technote Obtaining WebSphere OpenID Connect (OIDC) latest version.


PH29099 resolves the following problem:

ERROR DESCRIPTION:

In a cluster environment, the OpenID Connect (OIDC) TAI may redirect back to the OpenID provider (OP) after successful login.

You can see this error in SystemOut.log:

CWTAI2009I: The OpenID Connect relying party (RP) did not find an entry for session cookie OIDCSESSIONID_client1

In an OIDC trace, you will see:

[9/1/20 10:04:25:153 UTC] 000000ce DynaCacheUtil 3 getCache() returns [not null]
[9/1/20 10:04:25:156 UTC] 000000ce SystemErr R
java.lang.ClassNotFoundException:
org.jose4j.json.JsonUtil$DupeKeyDisallowingLinkedHashMap

 
PROBLEM CONCLUSION:

The OIDC TAI is updated to ensure that the SessionData object that is stored in DynaCache does not include any org.jose4j.json.JsonUtil$DupeKeyDisallowingLinkedHashMap objects; they are converted to java.util.LinkHashMap objects.

  • Detailed Conclusion

    The OIDC TAI stores the data for a user login in a SessionData object in DynaCache. This SessionData object contains a Map of the claims in the idToken that was returned from the OP after login.

    The Map that is stored in the SessionData object is obtained from a jose4j JwtClaims object. If the Map contains embedded Maps, the jos4j code creates them as org.jose4j.json.JsonUtil$DupeKeyDisallowingLinkedHashMap objects.

    The DynaCache component can serialize the DupeKeyDisallowingLinkedHashMap object, but since the OIDC runtime does not expose the jose4j classes, the DynaCache component cannot deserialize the DupeKeyDisallowingLinkedHashMap object.

    The DynaCache component only attempts to serialize or deserialize entries in the cache when it is running in a cluster and more than one cluster member is active.


The fix for this APAR is targeted for inclusion in fix pack 8.5.5.19 and 9.0.5.6. Refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980


THIS FIX IS SUPERSEDED BY THE A LATER INTERIM FIX
This fix is superseded by a fix for another APAR. To see how to obtain the most recent OpenID Connect runtime that includes this APAR, see the technote Obtaining WebSphere OpenID Connect (OIDC) latest version.

Installation Instructions

Download Package

Problems Solved

PH29099

Off

Document Location

Worldwide

[{"Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"ARM Category":[{"code":"a8m50000000CdESAA0","label":"Security-\u003ESSO-\u003EOpenId Connect"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.5.5;9.0.0;9.0.5"}]

Document Information

Modified date:
09 November 2021

UID

ibm16334819