PQ94304: WSSUBJECT.DOAS() OR WSSUBJECT.SETRUNASSUBJECT() DO NOT ALLOW ACCESS TO ADMINISTRATION OF NAMING RESOURCES.

Fixes are available

5.1.1.8: WebSphere Application Server 5.1.1 Cumulative Fix 8 for AIX
5.1.1.8: WebSphere Application Server 5.1.1 Cumulative Fix 8 for Windows
5.1.1.8: WebSphere Application Server 5.1.1 Cumulative Fix 8 for HP-UX
5.1.1.8: WebSphere Application Server 5.1.1 Cumulative Fix 8 for Solaris
5.1.1.6: WebSphere Application Server Version 5.1.1 Cumulative Fix 6
5.1.1.7: WebSphere Application Server Version 5.1.1 Cumulative Fix 7
5.1.1.4: WebSphere Application Server Version 5.1.1 Cumulative Fix 4
5.1.1.8: WebSphere Application Server 5.1.1 Cumulative Fix 8 for Linux



APAR status
Closed as program error.

Error description
The authorization to an administration or naming resource fails
even though a user with proper access has been set on the
thread of execution via WSSubject.doAs() or even
WSSubject.setRunAsSubject().

The following error may be received.
SECJ0305I: Role based authorization check failed for security
name <some_name>, accessId <some_access_ID> while invoking
method <some_method_name> on resource <some_resource> and
module <some_module>.

Internal defect 225243.

Local fix
Make sure the caller has the proper permissions for invoking
the resource.

Problem summary
****************************************************************
* USERS AFFECTED: All WebSphere Application Server users       *
*                 using WSSubject.doAs() function to set a     *
*                 Subject with more privilege than that of     *
*                 the caller to access an Administration       *
*                 or Naming resource.                          *
****************************************************************
* PROBLEM DESCRIPTION: The caller Subject is used for          *
*                      authorization purposes before the       *
*                      one set with WSSubject.doAs().          *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
The caller Subject is used for authorization purposes before the
one set with WSSubject.doAs() or WSSubject.setRunAsSubject().
This may cause authorization to fail incorrectly.

Problem conclusion
The invocation Subject (the one set with doAs() and
setRunAsSubject()) is now used instead of the caller subject
if it is set.
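
A simplified model of the subject selection described above, added here as an illustration; it is not IBM's code and does not call the WebSphere API. The class, the `Subj` record, the `fixed` switch, the role name, the resource name and the identities are all constructed for the example.

```java
import java.util.Set;
import java.util.function.Supplier;

// Simplified model of the authorization decision described in this APAR.
// Subj, caller, invocation and authorize are hypothetical names, not WebSphere classes.
public class SubjectSelectionModel {
    record Subj(String name, Set<String> roles) {}

    // Per-thread state: the authenticated caller and the optional invocation subject.
    static final ThreadLocal<Subj> caller = new ThreadLocal<>();
    static final ThreadLocal<Subj> invocation = new ThreadLocal<>();

    // Models doAs(): set the invocation subject for the action, then restore the previous one.
    static <T> T doAs(Subj s, Supplier<T> action) {
        Subj previous = invocation.get();
        invocation.set(s);
        try { return action.get(); } finally { invocation.set(previous); }
    }

    // fixed=false: the caller subject is checked (the behaviour reported as the error).
    // fixed=true: the invocation subject is checked when one is set (the behaviour after the fix).
    static String authorize(String requiredRole, String resource, boolean fixed) {
        Subj effective = (fixed && invocation.get() != null) ? invocation.get() : caller.get();
        if (effective.roles().contains(requiredRole)) return "ALLOW as " + effective.name();
        return "DENY: role based authorization check failed for security name "
                + effective.name() + " on resource " + resource;
    }

    public static void main(String[] args) {
        Subj appUser = new Subj("appuser", Set.of());              // constructed sample identities
        Subj admin = new Subj("nsadmin", Set.of("administrator")); // constructed role name

        caller.set(appUser);
        // Low-privilege caller runs the action as a privileged subject:
        // denied when the caller is checked, allowed when the invocation subject is checked.
        System.out.println(doAs(admin, () -> authorize("administrator", "NameServer", false)));
        System.out.println(doAs(admin, () -> authorize("administrator", "NameServer", true)));

        caller.set(admin);
        // Reverse case with the fix: a privileged caller running as a lesser subject
        // is authorized as that lesser subject, so the call is denied.
        System.out.println(doAs(appUser, () -> authorize("administrator", "NameServer", true)));
        // With no invocation subject set, the caller subject is used.
        System.out.println(authorize("administrator", "NameServer", true));
    }
}
```

The third call is the point to check when applying the fix: code that runs under a lesser invocation Subject is authorized with that Subject's roles, not the caller's.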

Temporary fix

Comments

APAR information
APAR number: PQ94304
Reported component name: WAS BASE 5.0
Reported component ID: 5630A3600
Reported release: 00A
Status: CLOSED PER
PE: NoPE
HIPER: NoHIPER
Special Attention: NoSpecatt
Submitted date: 2004-09-15
Closed date: 2004-10-11
Last modified date: 2004-10-11

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
SECURITY          

Publications Referenced

Fix information

Applicable component levels
R003 PSY    UP
R00A PSY    UP
R00H PSY    UP
R00I PSY    UP
R00P PSY    UP
R00S PSY    UP
R00W PSY    UP
R103 PSY    UP
R10A PSY    UP
R10H PSY    UP
R10I PSY    UP
R10P PSY    UP
R10S PSY    UP
R10W PSY    UP


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > General
Operating system(s):
Software version: 00A
Software edition:
Reference #: PQ94304
IBM Group: Software Group
Modified date: Oct 11, 2004