Problem
Security fails when configured with localOS for WebSphere® Application Server V3, V3.5 and V4.

Cause
Security configured with localOS fails when using any of the following configurations:
- Multiple WebSphere Application Server nodes sharing the same repository database
- Multiple application servers on the same WebSphere Application Server node
- Multiple Microsoft® Windows® domains
- Administrative server is run as non-root
Solution
This does not work because delegation fails when localOS credentials are not forwardable. For example, consider a servlet or Enterprise JavaBean™ (EJB™) that invokes a method on another EJB in a different application server process: the SAS code does not use the identity of the caller when making the remote call; it uses an anonymous or unauthenticated identity. If the target object has an authorization constraint under which only an authenticated user is granted access, the call fails. Examples of such constraints are the AllAuthenticated special subject or a specific authenticated user.
LocalOS credentials are not forwardable because a remote call to a process on another machine arrives at a different user registry than the one on the machine where the call was initiated. When the receiving server receives the remote call, it must validate the credentials of the caller; however, the receiving server consults its own local user registry, which is logically a different security realm or protection domain.
This configuration is not supported, and allowing it would defeat security. LocalOS is intended for a single application server on a single host only.
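The following is an added illustrative model, written for this page and not WebSphere code, of the delegation failure the technote describes: a localOS credential is only meaningful inside the process that established it against its local registry, so any cross-process call is seen by the receiving server as unauthenticated and is rejected by an AllAuthenticated constraint. The class names, the `process_id` field and the `Everyone` label for an unconstrained resource are assumptions of the model.

```python
"""Toy model of localOS delegation failure between application server processes.

Assumptions (not WebSphere APIs): LocalOSCredential, AppServerProcess and the
process_id field are invented here to mirror the technote's explanation.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

ANONYMOUS = "<unauthenticated>"
ALL_AUTHENTICATED = "AllAuthenticated"  # special subject named in the technote
EVERYONE = "Everyone"                   # assumed label for an unconstrained resource


@dataclass(frozen=True)
class LocalOSCredential:
    """A credential validated against the local OS registry of one process.

    It is not forwardable: it carries nothing another process could verify
    against its own registry, so it only means something where it was created.
    """
    user: str
    process_id: str


@dataclass(frozen=True)
class AppServerProcess:
    """One application server process with its own local registry / realm."""
    process_id: str

    def identity_for(self, cred: Optional[LocalOSCredential]) -> str:
        # The receiver honours a credential only if it was established in this
        # very process; anything arriving from elsewhere degrades to anonymous.
        if cred is not None and cred.process_id == self.process_id:
            return cred.user
        return ANONYMOUS

    def invoke(self, cred: Optional[LocalOSCredential],
               required_subject: str) -> Tuple[str, bool]:
        """Return (effective identity, whether the authorization check passes)."""
        identity = self.identity_for(cred)
        if required_subject == EVERYONE:
            allowed = True
        elif required_subject == ALL_AUTHENTICATED:
            allowed = identity != ANONYMOUS
        else:  # constraint naming one specific authenticated user
            allowed = identity == required_subject
        return identity, allowed


def same_process_call(required_subject: str) -> Tuple[str, bool]:
    """Servlet and target EJB live in one process: localOS identity survives."""
    server = AppServerProcess("server-A")
    cred = LocalOSCredential(user="alice", process_id="server-A")
    return server.invoke(cred, required_subject)


def cross_process_call(required_subject: str) -> Tuple[str, bool]:
    """Caller authenticated in server-A invokes an EJB hosted in server-B."""
    caller_cred = LocalOSCredential(user="alice", process_id="server-A")
    target = AppServerProcess("server-B")
    return target.invoke(caller_cred, required_subject)


if __name__ == "__main__":
    print("same process, AllAuthenticated:", same_process_call(ALL_AUTHENTICATED))
    print("cross process, AllAuthenticated:", cross_process_call(ALL_AUTHENTICATED))
    print("cross process, Everyone:", cross_process_call(EVERYONE))
```

Running the model shows the three cases the technote implies: the in-process call is authorized as `alice`, the cross-process call is seen as unauthenticated and denied under AllAuthenticated, and only a resource with no authentication constraint still succeeds across processes. The same outcome applies whether the second process is on another node, on the same node, or in another Windows domain, since in every case the receiver cannot validate a credential it did not establish itself.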
Product categories: Software, Application Servers, Distributed Application & Web Servers, WebSphere Application Server, Security
Operating system(s): Multi-Platform
Software version: 3.0, 3.0.1, 3.0.2, 3.0.2.1, 3.0.2.2, 3.0.2.3, 3.0.2.4, 3.5, 4.0
Software edition: Edition Independent
Reference #: 1142541
IBM Group: Software Group
Modified date: 2004-09-28
(C) Copyright IBM Corporation 2000, 2004. All Rights Reserved.