PQ74774: Defer the securityCollaborator.postInvoke() call until after all the necessary components have completed their postInvoke processing.
APAR status
Closed as program error.

Error description
An MDB onMessage() is called with an unauthenticated subject on entry; on entry, an EJB is associated with an authenticated user/pwd. Upon return, the method's postInvoke() processing invokes the securityCollaborator's postInvoke() before tx.postInvoke() has a chance to finish. Since tx completion (commit/rollback) indirectly involves J2C to get a database connection (which requires a user/password), if the resource authorization is set to "Container" instead of "per Resource", security is delegated to obtain this information. Since the security collaborator has already been called, its context is unauthenticated, which causes J2C to fail, and hence the observed behavior.

Local fix

Problem summary
****************************************************************
* USERS AFFECTED: WebSphere Application Server users who use a
*                 Message Driven Bean (MDB), access a JDBC
*                 connection via Connection Manager in the
*                 onMessage method, and set resource
*                 authentication to "Container" may be
*                 affected.
****************************************************************
* PROBLEM DESCRIPTION: There are 2 problems:
*   1) ejbcontainer invokes the security collaborator in the
*      method's postInvoke processing, which caused the
*      credential to be removed too early. This is corrected
*      by this APAR.
*   2) On transaction completion in the postInvoke processing,
*      the J2C component retrieved a partial credential from
*      security and, based on this partial credential, J2C
*      rejected the request to complete the transaction.
*      Consequently, the associated transaction is rolled back.
****************************************************************
* RECOMMENDATION:
****************************************************************
In an MDB onMessage() method call, a transaction rolled back condition is activated at the end of onMessage() if the following conditions are met:
1) onMessage() accesses a JDBC connection,
2) the resource authentication of the application is set to "Container",
3) data is required to commit at the end of the onMessage() call.

Problem conclusion
1) The EJB container has re-arranged the order of the call to the security collaborator to ensure the active credential is maintained until all postInvoke processing is completed.
2) J2C detects the partial credential condition as provided by security and validates the user's credential based on the information provided instead of delegating the validation to the credential's equals() method.

Temporary fix
Will send ejbcontainer cum fixpack to Ulrick for customer's verification. For a complete fix to work, PQ75055 from the J2C component must be applied.

Comments
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
Publications Referenced
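
The ordering problem described in this APAR can be modelled in a few lines. The following is an added example, not IBM or WebSphere code: every class, method and identity name in it is hypothetical, and the connection check is reduced to "is the current subject authenticated". It shows the transaction rolling back when the security collaborator's postInvoke runs first, and committing when it is deferred to last.

```java
import java.util.ArrayList;
import java.util.List;

// Simplified model of the call ordering in this APAR. All class and method
// names are hypothetical; none of this is WebSphere code.
public class PostInvokeOrder {
    // Stand-in for the identity attached to the current thread.
    static final ThreadLocal<String> subject =
            ThreadLocal.withInitial(() -> "UNAUTHENTICATED");

    interface Collaborator { void preInvoke(); void postInvoke(); }

    // Installs the authenticated identity for the method call and restores
    // the caller's (unauthenticated) identity in postInvoke.
    static class SecurityCollab implements Collaborator {
        private String saved;
        public void preInvoke()  { saved = subject.get(); subject.set("appUser"); } // constructed name
        public void postInvoke() { subject.set(saved); }
    }

    // Completes the transaction in postInvoke. With "Container" resource
    // authentication the connection is obtained as the current subject.
    static class TxCollab implements Collaborator {
        String outcome = "ACTIVE";
        public void preInvoke()  { }
        public void postInvoke() {
            boolean authorized = !"UNAUTHENTICATED".equals(subject.get());
            outcome = authorized ? "COMMITTED" : "ROLLED_BACK";
        }
    }

    // Runs preInvoke, the business method, then postInvoke in the chosen
    // order, and returns the transaction outcome.
    static String invoke(boolean securityPostInvokeLast) {
        SecurityCollab sec = new SecurityCollab();
        TxCollab tx = new TxCollab();
        sec.preInvoke();
        tx.preInvoke();
        // The onMessage() body would run here under the authenticated identity.
        List<Collaborator> post = new ArrayList<>();
        if (securityPostInvokeLast) { post.add(tx); post.add(sec); }
        else                        { post.add(sec); post.add(tx); }
        for (Collaborator c : post) c.postInvoke();
        return tx.outcome;
    }

    public static void main(String[] args) {
        System.out.println("security postInvoke first: " + invoke(false));
        System.out.println("security postInvoke last:  " + invoke(true));
    }
}
```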
Product categories: Software > Application Servers >
Distributed Application & Web Servers > WebSphere Application
Server > General
Operating system(s):
Software version: 00W
Software edition:
Reference #: PQ74774
IBM Group: Software Group
Modified date: Jul 9, 2003
(C) Copyright IBM Corporation 2000, 2008. All Rights Reserved.