APAR status
Closed as program error.
Error description
The IdentityAssertion security name is not extracted from the
Identity Token correctly when the authenticated userid contains
an at sign (@).
The application scenario is the following:
1- The user requests a protected web resource (e.g. a servlet)
on the upstream server
2- If the user passes the authentication and authorization
process, then the servlet calls an EJB running on the
downstream server
3- Since the identity assertion has been activated, the
downstream server performs the following actions:
- validates the identity of the upstream server against the
trusted servers list
- verifies that the userid exists within its user registry and
is authorized to execute the EJB.
If both checks pass, the EJB method is executed and a response
is sent back to the servlet and then to the user.
When the userid provided by the user doesn't contain @, everything
works correctly.
When the userid provided by the user does contain @, an error is
raised on the downstream server.
-
Specifically, the following behavior has been observed:
1- The userid is authenticated by the upstream server - OK
2- The userid is authorized to the execution of the servlet - OK
3- The servlet calls the EJB by using CSIv2 and identity
assertion - OK
4- The downstream server validates the upstream server - OK
5- The downstream server tries to validate the userid against
its user registry - No GOOD
6- The EJB call fails
The userids used when reproducing the problem are:
- upstream server id: was1@ibm
- downstream server id: was2@ibm
- authenticated userid: fred@ibm
-
From the trace it appears that the downstream server doesn't
correctly extract the userid from the Identity Token. In
particular, the Identity Token contains the userid
fred@ibm@customRealm, as reported in the following line:
[11/22/04 11:55:13:165 CET] 4f11600c SASRas d
[CSIServerRI.receive_request], [ServerID: server1]
ITTPrincipal in the Identity Token is: fred@ibm@customRealm
but when the security name is extracted from the token, the
@ibm part is erroneously removed, as shown below:
[11/22/04 11:55:16:211 CET] 4f18200c SASRas d
[SecurityContextImpl.csi_initialize], [ServerID: server1]
IdentityAssertion Security name == fred
-
It seems the root cause is a bug in the parser/tokenizer
routine that extracts the userid from the Identity Assertion
security token.
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: WebSphere Application Server users who have  *
*                 enabled security and are utilizing identity  *
*                 assertion.                                   *
****************************************************************
* PROBLEM DESCRIPTION: In identity assertion, if user name     *
*                      contains @ character, user name after   *
*                      @ is truncated in downstream call.      *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
In identity assertion, if user name contains '@' character, the
portion of the user name after the '@' was incorrectly
truncated.
Problem conclusion
Corrected the user name parsing code to split on the final
'@' character rather than the first.
The fix would be included in service package 5.1.1.3 and
5.0.2.10.
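The following is an added illustration of the parsing defect described in the error description and of the correction stated in the problem conclusion; it is not WebSphere's own code. It reimplements, in plain Python, the two behaviours implied by the trace: splitting the ITTPrincipal on the first '@' (the bug, yielding "fred") versus on the last '@' (the fix, yielding "fred@ibm"). The principal format "<securityName>@<realm>" is taken from the trace on the page; the handling of a principal with no '@' at all (returned unchanged) and the trace-scanning helper `check_trace` are assumptions added here so a defender can check existing SASRas trace output for the truncation symptom.

```python
"""Illustrative reimplementation of the ITTPrincipal parsing behaviour
described in APAR PQ97493. Added example, not WebSphere code."""
import re

# Constructed from the two trace entries quoted in the APAR (joined onto
# one line each, as they appear in a real trace file).
TRACE_LINES = [
    "[11/22/04 11:55:13:165 CET] 4f11600c SASRas d "
    "[CSIServerRI.receive_request], [ServerID: server1] "
    "ITTPrincipal in the Identity Token is: fred@ibm@customRealm",
    "[11/22/04 11:55:16:211 CET] 4f18200c SASRas d "
    "[SecurityContextImpl.csi_initialize], [ServerID: server1] "
    "IdentityAssertion Security name == fred",
]


def security_name_buggy(itt_principal: str) -> str:
    """Pre-fix behaviour: cut at the FIRST '@'.
    'fred@ibm@customRealm' -> 'fred' (the realm AND part of the
    user name are discarded)."""
    at = itt_principal.find("@")
    # Assumption: a principal with no '@' carries no realm suffix.
    return itt_principal if at < 0 else itt_principal[:at]


def security_name_fixed(itt_principal: str) -> str:
    """Post-fix behaviour: cut at the LAST '@', so only the realm
    suffix is removed. 'fred@ibm@customRealm' -> 'fred@ibm'."""
    at = itt_principal.rfind("@")
    return itt_principal if at < 0 else itt_principal[:at]


def realm(itt_principal: str) -> str:
    """Realm suffix after the last '@' ('' if there is none)."""
    at = itt_principal.rfind("@")
    return "" if at < 0 else itt_principal[at + 1:]


# Regexes keyed on the two message texts quoted in the APAR trace.
_PRINCIPAL_RE = re.compile(r"ITTPrincipal in the Identity Token is: (\S+)")
_SECNAME_RE = re.compile(r"IdentityAssertion Security name == (\S+)")


def check_trace(lines):
    """Scan trace lines in order and pair each ITTPrincipal entry with
    the security-name entry that follows it. Returns a list of
    (principal, extracted_name, expected_name) tuples for every pair
    where the server extracted something other than the text before
    the final '@', i.e. the truncation symptom of this APAR."""
    findings = []
    principal = None
    for line in lines:
        m = _PRINCIPAL_RE.search(line)
        if m:
            principal = m.group(1)
            continue
        m = _SECNAME_RE.search(line)
        if m and principal is not None:
            extracted = m.group(1)
            expected = security_name_fixed(principal)
            if extracted != expected:
                findings.append((principal, extracted, expected))
            principal = None
    return findings


if __name__ == "__main__":
    p = "fred@ibm@customRealm"
    print("buggy :", security_name_buggy(p))   # fred
    print("fixed :", security_name_fixed(p))   # fred@ibm
    print("realm :", realm(p))                 # customRealm
    for principal, got, want in check_trace(TRACE_LINES):
        print(f"truncation: {principal!r} -> {got!r}, expected {want!r}")
```

Running `check_trace` over the page's own trace lines reports the mismatch ("fred" extracted, "fred@ibm" expected), which is the quickest way to confirm from existing traces whether a server exhibits this defect before applying the service package.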
Temporary fix
Provided test fix.
Comments
APAR information
APAR number: PQ97493
Reported component name: WAS BASE 5.0
Reported component ID: 5630A3600
Reported release: 10W
Status: CLOSED PER
PE: NoPE
HIPER: NoHIPER
Special Attention: NoSpecatt
Submitted date: 2004-11-22
Closed date: 2004-12-02
Last modified date: 2004-12-02
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
Publications Referenced
Applicable component levels
R00A PSY: UP
R00H PSY: UP
R00I PSY: UP
R00P PSY: UP
R00S PSY: UP
R00W PSY: UP
R10A PSY: UP
R10H PSY: UP
R10I PSY: UP
R10P PSY: UP
R10S PSY: UP
R10W PSY: UP