PQ74774: Defer the securityCollaborator.postInvoke() call until after all the necessary components have completed their postInvoke processing.

 A fix is available

5.0.2: WebSphere Application Server Version 5.0 Fix Pack 2 (Version 5.0.2)



APAR status
Closed as program error.

Error description
An MDB onMessage() is called with an unauthenticated subject on
entry; on entry, an EJB is associated with an authenticated user/pwd.
Upon return, the method's postInvoke() processing invokes the
securityCollaborator's postInvoke() before tx.postInvoke() has
a chance to finish. Since tx completion (commit/rollback)
indirectly involves J2C to get a database connection (which
requires a user/password), if the resource authorization is set to
"Container" instead of "per Resource", security is
delegated to obtain this information. Since the security
collaborator has already been called, its context is
unauthenticated, which causes J2C to fail and hence the
observed behavior.
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: WebSphere Application Server user who uses   *
*                 Message Driven Bean (MDB) and access JDBC    *
*                 connection via Connection Manager in the     *
*                 onMessage method and specifies resource      *
*                 authentication to "Container" may be         *
*                 affected.                                    *
****************************************************************
* PROBLEM DESCRIPTION: There are 2 problems:                   *
*                      1) ejbcontainer invokes the             *
*                      security collaborator in the method's   *
*                      postinvoke processing that caused the   *
*                      credential to be removed too early.     *
*                      This is corrected by this APAR.         *
*                      2) On transaction completion in the     *
*                      postInvoke processing, the J2C          *
*                      component retrieved a partial           *
*                      credential from the security and        *
*                      based on this partial credential, J2C   *
*                      rejected the request to complete        *
*                      the transaction. Consequently, the      *
*                      associated transaction is rolled        *
*                      back.                                   *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
In an MDB onMessage() method call, a transaction rollback
condition is activated at the end of onMessage() if the
following conditions are met:
1) onMessage() accesses a JDBC connection,
2) the resource authentication of the application is set to
   "Container",
3) data must be committed at the end of the onMessage()
   call.
Problem conclusion
1) The EJB container has rearranged the order of the call to the
   security collaborator to ensure the active credential is
   maintained until all postInvoke processing is completed.

2) J2C detects the partial credential condition as provided
   by security and validates the user's credential based
   on the information provided instead of delegating the
   validation to the credential's equals() method.
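
The ordering defect and its correction from item 1, reduced to a toy model. This is an added example, not IBM's code: every class and method name is hypothetical, and a thread-local string stands in for the security context that J2C consults during transaction completion.

```java
import java.util.List;

// Toy model of the postInvoke ordering problem. Names are hypothetical and
// do not reflect WebSphere's internal API.
public class PostInvokeOrder {
    // Credential bound to the current thread for the duration of the call.
    static final ThreadLocal<String> SUBJECT = new ThreadLocal<>();

    interface Collaborator { void postInvoke(); }

    // Stands in for the security collaborator: postInvoke drops the credential.
    static final Collaborator SECURITY = SUBJECT::remove;

    // Stands in for transaction completion. With resource authentication set
    // to "Container", completion needs the active credential to get a
    // database connection; without it the transaction is rolled back.
    static final class Tx implements Collaborator {
        String outcome = "ACTIVE";
        public void postInvoke() {
            outcome = (SUBJECT.get() != null) ? "COMMITTED" : "ROLLED_BACK";
        }
    }

    // Runs one simulated onMessage() and returns the transaction outcome.
    static String onMessage(boolean securityLast) {
        Tx tx = new Tx();
        SUBJECT.set("container-managed-alias"); // constructed sample credential
        try {
            // ... bean business logic would run here ...
            List<Collaborator> order = securityLast
                    ? List.of(tx, SECURITY)   // corrected: security torn down last
                    : List.of(SECURITY, tx);  // defect: credential removed before commit
            for (Collaborator c : order) {
                c.postInvoke();
            }
            return tx.outcome;
        } finally {
            SUBJECT.remove(); // do not leave a credential on a pooled thread
        }
    }

    public static void main(String[] args) {
        System.out.println("security first: " + onMessage(false));
        System.out.println("security last:  " + onMessage(true));
    }
}
```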
Temporary fix
Will send ejbcontainer cum fixpack to Ulrick for customer's
verification. For a complete fix to work, PQ75055 from the J2C
component must be applied.
Comments
APAR information
APAR number PQ74774
Reported component name WAS BASE 5.0
Reported component ID 5630A3600
Reported release 00W
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Special Attention NoSpecatt
Submitted date 2003-06-02
Closed date 2003-07-09
Last modified date 2003-07-09

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
EJBCONTR          

Publications Referenced

Fix information

Applicable component levels
R003 PSY    UP
R00A PSY    UP
R00H PSY    UP
R00I PSY    UP
R00P PSY    UP
R00S PSY    UP
R00W PSY    UP


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > General
Operating system(s):
Software version: 00W
Software edition:
Reference #: PQ74774
IBM Group: Software Group
Modified date: Jul 9, 2003