APAR status
Closed as program error.
Error description
Under heavy load, performance can be impacted by connections
being discarded and created.
The algorithm that matches the security information passed in on
the application's request for a connection against the security
information on connections existing in the pool was too
restrictive. Existing connections were discarded and new ones
created when the existing connections should have been reused.
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: WebSphere Application Server users who *
* configure security so as to have a *
* non-null and variable Principal in the *
* Subject passed on a getConnection call. *
****************************************************************
* PROBLEM DESCRIPTION: This problem may impact performance, *
* but only under a unique set of security *
* conditions. If a datasource is *
* configured with res-auth=Container *
* and a custom user registry is used *
* such that when JCA managed *
* connections are requested, the Subject *
* contains a non-null and variable *
* Principal, AND the pool is full such *
* that the requesting thread is put on *
* the waiter queue, THEN it is possible *
* for a connection to be replaced in *
* the pool when it could have been *
* re-used. *
****************************************************************
* RECOMMENDATION: *
****************************************************************
In the case where a connection is released while another
thread is blocked on the waiter queue, there is a comparison
of the security info on the new request with the security info
on the just-released connection. If they do not match then a
new connection must be created to replace the non-matching
connection. The problem is that Subject.equals() is used,
when only part of the Subject should be compared. For most
customers the Principal is null, so Subject.equals() is OK.
But if security is configured so that the caller Principal
varies a lot, then this test will result in the connection
being replaced needlessly.
Problem conclusion
The code was fixed to compare only the Password Credentials in
the subject while ignoring the Principal. This fix provides
the same level of security.
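The difference between the two comparisons, as an added Java example (not IBM's code): `DbCredential` and `Caller` are constructed stand-ins for the JCA PasswordCredential and the caller Principal, and the method names are hypothetical. It needs Java 16 or later for records.

```java
import java.security.Principal;
import java.util.Set;
import javax.security.auth.Subject;

public class SubjectMatchDemo {
    // Constructed stand-in for the JCA PasswordCredential (user name + password).
    record DbCredential(String user, String password) {}

    // Constructed caller principal; it varies from request to request.
    record Caller(String name) implements Principal {
        public String getName() { return name; }
    }

    static Subject subject(String caller, DbCredential cred) {
        Subject s = new Subject();
        if (caller != null) s.getPrincipals().add(new Caller(caller));
        s.getPrivateCredentials().add(cred);
        return s;
    }

    // Overly strict: Subject.equals() also compares the Principal set.
    static boolean strictMatch(Subject request, Subject pooled) {
        return request.equals(pooled);
    }

    // Compares only the password credentials and ignores the Principal.
    static boolean credentialMatch(Subject request, Subject pooled) {
        Set<DbCredential> a = request.getPrivateCredentials(DbCredential.class);
        Set<DbCredential> b = pooled.getPrivateCredentials(DbCredential.class);
        return !a.isEmpty() && a.equals(b);
    }

    public static void main(String[] args) {
        DbCredential app = new DbCredential("appuser", "constructed-secret");
        DbCredential other = new DbCredential("reports", "constructed-secret-2");
        Subject pooled = subject("alice", app);   // connection just released
        Subject waiter = subject("bob", app);     // same DB login, different caller
        Subject foreign = subject("bob", other);  // different DB login

        // Same DB login, different caller: only the strict check rejects reuse.
        System.out.println("strict, same login:      " + strictMatch(waiter, pooled));
        System.out.println("credential, same login:  " + credentialMatch(waiter, pooled));
        // Different DB login: the credential-only check still refuses the connection.
        System.out.println("credential, other login: " + credentialMatch(foreign, pooled));
    }
}
```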
This problem was reported in WAS 5.1.0.5. There are no more
service releases planned for 5.1.0.x, so this fix is available
as iFix PQ99347 for 5.1.0.x.
The fix for this APAR is currently targeted for inclusion
in fixpack 5.0.2.10 and 5.1.1.4. Please refer to the
Recommended Updates page for delivery dates:
http://www-1.ibm.com/support/docview.wss?rs=180&context=SSEQTP&uid=swg27004980
Temporary fix
Comments
APAR information
APAR number | PQ99347
Reported component name | WAS NETWRK DEPL
Reported component ID | 5630A3601
Reported release | 10A
Status | CLOSED PER
PE | NoPE
HIPER | NoHIPER
Special Attention | NoSpecatt
Submitted date | 2005-01-11
Closed date | 2005-01-31
Last modified date | 2005-01-31
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
Publications Referenced
Applicable component levels
R003 PSY | UP
R00A PSY | UP
R00H PSY | UP
R00I PSY | UP
R00P PSY | UP
R00S PSY | UP
R00W PSY | UP
R103 PSY | UP
R10A PSY | UP
R10H PSY | UP
R10I PSY | UP
R10P PSY | UP
R10S PSY | UP
R10W PSY | UP