APAR status
Closed as program error.
Error description
Using WebSphere Application Server 5.0.x, when global security
is enabled, the JMS Security service will attempt to authorize
the userid specified in the J2C Authentication Alias in the
Queue or Topic Connection Factory definition. This occurs for
all Embedded Messaging connection factories (defined under the
WebSphere JMS Provider).
.
In some instances, a blank userid is incorrectly passed to the
JMS Security service. This results in errors like the following
when trying to access the SYSTEM.DEAD.LETTER.QUEUE:
.
MSGS0509E: The JMS Server security service was unable to
authorize userid to access resource SYSTEM.DEAD.LETTER.QUEUE
with admin permission
.
The authorization fails because of the blank userid.
Local fix Problem summary
****************************************************************
* USERS AFFECTED: This problem effects all customers using *
* Websphere Application Server v5.X with *
* embedded messaging. *
****************************************************************
* PROBLEM DESCRIPTION: Using WebSphere Application Server *
* 5.x with global security enabled *
* enabled, the JMS Security service *
* attempts to authorize the user ID *
* specified in the J2C authentication *
* in the Queue or Topic Connection *
* Connection Factory definition *
* This occurs for all embedded messaging *
* connection factories defined under the *
* WebSphere JMS Provider. *
* *
* In some instances, a blank user ID is *
* incorrectly passed to the *
* JMS Security service. This results *
* in errors like the following *
* when trying to access the *
* SYSTEM.DEAD.LETTER.QUEUE: *
* *
* *
* MSGS0509E: The JMS Server security *
* service was unable to *
* authorize userid to access resource *
* SYSTEM.DEAD.LETTER.QUEUE *
* with admin permission *
* *
* The authorization fails because of the *
* blank userid. *
****************************************************************
* RECOMMENDATION: *
****************************************************************
When WebSphere Global Security is enabled, any attempts to
access an embedded messaging resource, such as a queue
manager or queue, causes the JMSServer to validate the
user who is making the access attempt. The JMSServer inspects
the UserID it has been passed; if the ID is not in the
expected format, the JMSServer converts it.
However, the conversion routine is flawed, and in certain
situations returns a blank user ID. The JMSServer checks
to see if the UserID has the authority to access the
required resource, but because the UserID is blank, the
authentication attempt fails.
Problem conclusion
The conversion routine has been changed to convert only the
SecurityID if it is not null.
Temporary fix Comments
APAR information |
APAR number |
PQ89413 |
Reported component name |
WAS BASE 5.0 |
Reported component ID |
5630A3600 |
Reported release |
00W |
Status |
CLOSED PER |
PE |
NoPE |
HIPER |
NoHIPER |
Special Attention |
NoSpecatt |
Submitted date |
2004-05-26 |
Closed date |
2004-05-28 |
Last modified date |
2005-04-26 |
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
Publications Referenced
Applicable component levels |
R003 PSY |
UP |
R00A PSY |
UP |
R00H PSY |
UP |
R00I PSY |
UP |
R00P PSY |
UP |
R00S PSY |
UP |
R00W PSY |
UP |
R103 PSY |
UP |
R10A PSY |
UP |
R10H PSY |
UP |
R10I PSY |
UP |
R10P PSY |
UP |
R10S PSY |
UP |
R10W PSY |
UP |
|