APAR status
Closed as program error.

Error description
.
Problem: user is setting low TokenExpiration values (< 9
minutes) in Global Security settings to speed testing. When
doing this, problem occurs:
.
When time elapses, the browser rechallenges the user, but the
original id entered is not accepted. User has to enter a
different id or wait some period of time and try again. Or
close browser and start again.
.
Further information: 3.5.2, no patches, Solaris, IHS 1.3.12,
Netscape browser.
Cust using custom login, I have reproduced with basic challenge.
.
At startup cust sees in tracefile:
******************************
CredentialsImpl run IBM WebSphere Security The expiration time
for ltpa credentials is too short relative to the ORB request
timeout and/or the security cache timeout; a method request could
take longer than the period over which the credentials will
remain valid, or the credentials could expire while in the server
cache.
.
At runtime, when re-access fails, cust gets the following
returned internally from login attempt:
*****************************
UnanauthorizedSessionRequestException: SessionCentext: a user
authenticated as anonymous has attempted to access a session
owned by user:
hqapp1.siras.com:389/cn=David Koon, on=People, o=esiras.com, c=us
.
.
javax.servlet.ServletException: Login Failed
.
org.omg.SecurityLevel2.LoginFailed
.
ie, David Koon was the original logon id.
.
When I reproduced, I got following stack in app server log at
time of re-login:
******************************
CredentialsImpl get_attributes IBM WebSphere Security
Credentials are invalid.
[01.02.02 10:31:54:192 CST] ba66ef SecurityConte X
java.lang.NullPointerException
    at com.ibm.ejs.security.SecurityContext.getInvokedAttribute(SecurityContext.java:130)
    at com.ibm.ejs.security.SecurityContext.getName(SecurityContext.java:94)
    at com.ibm.servlet.engine.srt.SRTServletRequest.getRemoteUser(SRTServletRequest.java:386)
    at com.ibm.servlet.engine.webapp.HttpServletRequestProxy.getRemoteUser(HttpServletRequestProxy.java:63)
********************************
.
At same time in console, got Security Credentials are invalid
warning, followed by SECJ0027W message.

Local fix
Set longer TokenExpiration value

Problem summary
The expiration time for ltpa credentials is too short relative
to the ORB request timeout and/or the security cache timeout;
a method request could take longer than the period over which
the credentials will remain valid, or the credentials could
expire while in the server cache.

Problem conclusion
A new property com.ibm.CORBA.securityCacheTimeout will be
added to sas.server.props. This property will be used
in CredentialsImpl.java to compare with the min cache out.
if min > securityCacheTimeout then min=securityCacheTimeout
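
The clamp above and the two conditions named in the startup warning, as an added example (not IBM's code and not part of the original APAR). The class and method names, the `com.ibm.CORBA.requestTimeout` key used for the ORB timeout, the value 600 for the unclamped `min`, the reading of `min` as the cache lifetime, and the use of seconds for all timeouts are assumptions; the properties text is a constructed sample.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

public class LtpaTimeoutCheck {
    // Rule quoted in the problem conclusion:
    // if min > securityCacheTimeout then min = securityCacheTimeout
    static long clampCacheTimeout(long min, long securityCacheTimeout) {
        return Math.min(min, securityCacheTimeout);
    }

    // The two conditions named in the startup warning. All values in seconds (assumption).
    static List<String> findings(long tokenSec, long orbRequestSec, long cacheSec) {
        List<String> out = new ArrayList<>();
        if (tokenSec <= orbRequestSec)
            out.add("token can expire during a method request (ORB timeout " + orbRequestSec + "s)");
        if (tokenSec <= cacheSec)
            out.add("token can expire while cached (cache timeout " + cacheSec + "s)");
        return out;
    }

    // Read a positive number of seconds; reject malformed or non-positive values.
    static long seconds(Properties p, String key, long dflt) {
        String v = p.getProperty(key);
        if (v == null || v.trim().isEmpty()) return dflt;
        long n = Long.parseLong(v.trim());
        if (n <= 0) throw new IllegalArgumentException(key + " must be > 0, got " + n);
        return n;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample, not a real sas.server.props.
        String sample = "com.ibm.CORBA.securityCacheTimeout=300\n"
                      + "com.ibm.CORBA.requestTimeout=180\n"; // key name assumed for the ORB timeout
        Properties p = new Properties();
        p.load(new StringReader(sample));

        long uncappedMin = 600; // assumed value of "min" before the clamp
        long cache = clampCacheTimeout(uncappedMin,
                seconds(p, "com.ibm.CORBA.securityCacheTimeout", uncappedMin));
        long orb = seconds(p, "com.ibm.CORBA.requestTimeout", 180);

        for (long tokenMinutes : new long[] {2, 5, 10}) { // TokenExpiration values in minutes
            List<String> f = findings(tokenMinutes * 60, orb, cache);
            System.out.println("TokenExpiration=" + tokenMinutes + "min cache=" + cache + "s -> "
                    + (f.isEmpty() ? "ok" : String.join("; ", f)));
        }
    }
}
```
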
Code was changed in the following:
com/ibm/ISecurityLocalObjectBaseL13Impl/CredentialsImpl.java
com/ibm/ISecurityUtilityImpl/SecurityConfiguration.java

Temporary fix

Comments

APAR information
APAR number | PQ45770
Reported component name | WAS ADVANCED SU
Reported component ID | 5648C8402
Reported release | 350
Status | CLOSED PER
PE | NoPE
HIPER | NoHIPER
Submitted date | 2001-02-02
Closed date | 2001-06-07
Last modified date | 2001-06-07

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros

Fix information
Fixed component name | WAS ADVANCED SU
Fixed component ID | 5648C8402
Applicable component levels
R300 PSY | UP
R350 PSY | UP