APAR status
Closed as program error.
Error description
Rolename authorizations fails if rolename placed after "DenyAllR
ole"
The cause of the problem is that the design mismatch between the
role name resolution code in WCCM and security initialization
code in the security code. The role name resolution should be
happened while initializing the application, but if the role is
placed after "DenyAllRole", this initialization won't happen,
therefore the security runtime code fails to get the proper
role name for authorization.
Local fix
Remove "DenyAllRole" from Deployment Descriptor or
place Roles in front of (before) "DenyAllRole".
Problem summary
****************************************************************
* USERS AFFECTED: WebSphere Application Server users who are *
* using role based authorization. *
****************************************************************
* PROBLEM DESCRIPTION: Role based authorization always fails *
* if granted role name locates after *
* DenyAllRole. *
****************************************************************
* RECOMMENDATION: *
****************************************************************
WebSphere Application Server stops constructing a role based
authorization table if it finds "DenyAllRole" group name in
the application deployment descriptor.
Therefore, authorization for users or groups, which map to the
role names after DenyAllRole in application deployment
descriptor always fails.
Problem conclusion
With this fix, DenyAllRole can be placed other than the bottom
of the role list.
The fix for this APAR is currently targeted for inclusion in
fixpack 5.1.1.13, 6.0.2.17 and 6.1.0.5. Please refer to the
Recommended Updates page for delivery information:
http://www-1.ibm.com/support/docview.wss?uid=swg27004980
Temporary fix Comments
APAR information |
APAR number |
PK30174 |
Reported component name |
WEBSPHERE BASE |
Reported component ID |
5630A3600 |
Reported release |
10W |
Status |
CLOSED PER |
PE |
NoPE |
HIPER |
NoHIPER |
Special Attention |
NoSpecatt |
Submitted date |
2006-08-22 |
Closed date |
2006-09-18 |
Last modified date |
2007-01-02 |
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
Publications Referenced
|
Fix information |
Fixed component name |
WEBSPHERE BASE |
Fixed component ID |
5630A3600 |
Applicable component levels |
R00P PSY |
UP |
R10A PSY |
UP |
R10H PSY |
UP |
R10I PSY |
UP |
R10P PSY |
UP |
R10S PSY |
UP |
R10W PSY |
UP |
|