PQ45770: WASSECK SETTING LOW TOKENEXPIRATION VALUE CAUSES INCORRECT AUTHENTICATION FAILURES


APAR

APAR status
Closed as program error.

Error description
.
Problem: user is setting low TokenExpiration values (< 9
minutes) in Global Security settings to speed testing.  When
doing this, problem occurs:
.
When time elapses, the browser rechallenges the user, but the
original id entered is not accepted.  User has to enter a
different id or wait some period of time and try again.  Or
close browser and start again.
.
Further information: 3.5.2, no patches, Solaris, IHS 1.3.12,
Netscape browser.
Cust using custom login, I have reproduced with basic challenge.
.
At startup cust sees in tracefile:
******************************
CredentialsImpl run IBM WebSphere Security The expiration time for
ltpa credentials is too short relative to the ORB request timeout
and/or the security cache timeout; a method request could take
longer than the period over which the credentials will remain
valid, or the credentials could expire while in the server cache.
.
At runtime, when re-access fails, cust gets the following
returned internally from login attempt:
*****************************
UnanauthorizedSessionRequestException: SessionCentext: a user
authenticated as anonymous has attempted to access a session
owned by user:
hqapp1.siras.com:389/cn=David Koon, on=People, o=esiras.com, c=us
.
javax.servlet.ServletException: Login Failed
.
org.omg.SecurityLevel2.LoginFailed
.
ie, David Koon was the original logon id.
.
when I reproduced, I got following stack in app server log at
time of re-login:
******************************
CredentialsImpl get_attributes IBM WebSphere Security
Credentials are invalid.
[01.02.02 10:31:54:192 CST] ba66ef SecurityConte X
java.lang.NullPointerException
at com.ibm.ejs.security.SecurityContext.getInvokedAttribute(SecurityContext.java:130)
at com.ibm.ejs.security.SecurityContext.getName(SecurityContext.java:94)
at com.ibm.servlet.engine.srt.SRTServletRequest.getRemoteUser(SRTServletRequest.java:386)
at com.ibm.servlet.engine.webapp.HttpServletRequestProxy.getRemoteUser(HttpServletRequestProxy.java:63)
********************************
.
At same time in console, got Security Credentials are invalid
warning, followed by SECJ0027W message.
Local fix
.
Set a longer TokenExpiration value.
Problem summary
The expiration time for ltpa credentials is too short relative
to the ORB request timeout and/or the security cache timeout;
a method request could take longer than the period over which
the credentials will remain valid, or the credentials could
expire while in the server cache.
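Added example (not IBM's code and not part of the original APAR): a simplified Java model of the condition in the problem summary, where a credential stays in the server cache longer than its token is valid. It contrasts a token lifetime shorter than the cache timeout with the longer TokenExpiration value given as the local fix, and also tries a second user id. The per-user cache, the class and method names, and the 300, 1800 and 600 second values are assumptions constructed for illustration.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified model (assumption), not WebSphere code: a server-side credential
// cache keyed by user id; each entry records when its token expires.
public class TokenCacheModel {
    static final class Entry {
        final long tokenExpiresAt; // seconds
        final long cachedUntil;    // seconds
        Entry(long tokenExpiresAt, long cachedUntil) {
            this.tokenExpiresAt = tokenExpiresAt;
            this.cachedUntil = cachedUntil;
        }
    }

    private final Map<String, Entry> cache = new HashMap<>();
    private final long tokenLifetime; // models TokenExpiration, in seconds
    private final long cacheTimeout;  // models the security cache timeout, in seconds

    TokenCacheModel(long tokenLifetime, long cacheTimeout) {
        this.tokenLifetime = tokenLifetime;
        this.cacheTimeout = cacheTimeout;
    }

    // True if a login by `user` at time `now` yields a usable credential.
    boolean login(String user, long now) {
        Entry e = cache.get(user);
        if (e != null && now < e.cachedUntil) {
            // Cache hit: the cached credential is reused even if its token has expired.
            return now < e.tokenExpiresAt;
        }
        cache.put(user, new Entry(now + tokenLifetime, now + cacheTimeout));
        return true;
    }

    public static void main(String[] args) {
        long cacheTimeout = 600; // constructed value, seconds
        TokenCacheModel shortToken = new TokenCacheModel(300, cacheTimeout);  // 5 min
        TokenCacheModel longToken = new TokenCacheModel(1800, cacheTimeout);  // 30 min
        for (long t : new long[] {0, 120, 360, 480, 660}) {
            System.out.printf("t=%3ds user1: short=%b long=%b%n",
                    t, shortToken.login("user1", t), longToken.login("user1", t));
        }
        // A different id has no stale cache entry in this model.
        System.out.println("t=360s user2 (short): " + shortToken.login("user2", 360));
    }
}
```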
Problem conclusion
A new property com.ibm.CORBA.securityCacheTimeout will be
added to sas.server.props.  This property will be used
in CredentialsImpl.java to compare with the min cache out.
If min > securityCacheTimeout, then min = securityCacheTimeout.
Code was changed in the following:
com/ibm/ISecurityLocalObjectBaseL13Impl/CredentialsImpl.java
com/ibm/ISecurityUtilityImpl/SecurityConfiguration.java
Temporary fix
Comments
APAR information
APAR number: PQ45770
Reported component name: WAS ADVANCED SU
Reported component ID: 5648C8402
Reported release: 350
Status: CLOSED PER
PE: NoPE
HIPER: NoHIPER
Submitted date: 2001-02-02
Closed date: 2001-06-07
Last modified date: 2001-06-07

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
SECURITY

Fix information
Fixed component name: WAS ADVANCED SU
Fixed component ID: 5648C8402

Applicable component levels
R300 PSYUP
R350 PSYUP

Document Information

Product categories: Software, Application Servers, Distributed Application & Web Servers, WebSphere Application Server, General
Software version: 350
Reference #: PQ45770
IBM Group: Software Group
Modified date: 2001-06-07