APAR status
Closed as program error.
Error description
When a console user in the Monitor or Operator roles logs into
the admin console, they can see the password for a WebSphere MQ
JMS Provider Queue Destination in clear text. When logged into
the admin console as an administrative user, it shows correctly
as "*******". This occurs at WebSphere 5.0 and 5.0.1.
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server *
* 5.0.1 and above using the Admin Console. *
****************************************************************
* PROBLEM DESCRIPTION: The password is visible for the *
* 'monitor' role in WebSphere MQ Queue *
* Destination created by the Admin *
* Console. *
****************************************************************
* RECOMMENDATION: *
****************************************************************
When a user is logged on as monitor, views the WebSphere MQ Queue
Destination, and selects a defined queue, the queue detail shows
the userIDs and passwords, which are not encrypted. If they
perform the same function with the administrator's user sign-on,
the passwords are encrypted.
Problem conclusion
If the user is only in the monitor role, the view for MQ Queue
Destination is 'View only'. The user cannot modify any info,
which is different from a user who has the 'Administrator' role.
Different paths are used in the code for these two roles. The
password needs to be blocked out when the view is 'view only'.
The configGenGenericPropLayout.jsp was modified to add this
ability. An additional path was added for the password field
when it is a read-only view.
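The pattern described above, sketched as an added example (not IBM's code and not the contents of configGenGenericPropLayout.jsp): a field renderer with separate editable and read-only paths, where the "before" version masks the password only on the editable path. The class, field names, sample values and method names are constructed for illustration.

```java
// Added illustration: not IBM's configGenGenericPropLayout.jsp.
// Field names, sample values and method names are constructed.
public class ReadOnlyPasswordMasking {

    enum FieldType { TEXT, PASSWORD }

    record Field(String name, FieldType type, String value) {}

    static final String MASK = "*******";

    static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;");
    }

    static String input(Field f, String shown) {
        String type = f.type() == FieldType.PASSWORD ? "password" : "text";
        return "<input type=\"" + type + "\" name=\"" + escape(f.name())
                + "\" value=\"" + shown + "\">";
    }

    // Before: masking lives only on the editable path, so the separate
    // read-only path (Monitor/Operator) emits the stored value as text.
    static String renderBefore(Field f, boolean readOnly) {
        if (readOnly) {
            return "<span>" + escape(f.value()) + "</span>";
        }
        return input(f, f.type() == FieldType.PASSWORD ? MASK : escape(f.value()));
    }

    // After: the displayed value is chosen by field type before the
    // view mode is consulted, so both paths get the mask and the
    // secret is never written into the page.
    static String renderAfter(Field f, boolean readOnly) {
        String shown = f.type() == FieldType.PASSWORD ? MASK : escape(f.value());
        return readOnly ? "<span>" + shown + "</span>" : input(f, shown);
    }

    public static void main(String[] args) {
        Field[] fields = {
            new Field("userName", FieldType.TEXT, "mqadmin"),
            new Field("password", FieldType.PASSWORD, "constructed-secret"),
        };
        for (Field f : fields) {
            System.out.println("before, read-only: " + renderBefore(f, true));
            System.out.println("after,  read-only: " + renderAfter(f, true));
            System.out.println("after,  editable:  " + renderAfter(f, false));
        }
    }
}
```

A regression check for this class of defect is to render every page containing a password-typed field once per console role and assert that the stored value never appears in the response body.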
Temporary fix
A test fix is provided on PQ99999.
Comments
APAR information
APAR number: PQ75729
Reported component name: WAS BASE 5.0
Reported component ID: 5630A3600
Reported release: 00W
Status: CLOSED PER
PE: NoPE
HIPER: NoHIPER
Special Attention: NoSpecatt
Submitted date: 2003-06-26
Closed date: 2003-08-25
Last modified date: 2003-10-09
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
Publications Referenced
Applicable component levels
R003 PSY UP
R00A PSY UP
R00H PSY UP
R00I PSY UP
R00P PSY UP
R00S PSY UP
R00W PSY UP