PQ94279: NO_PERMISSION INVOKING EJB DEPLOYED ON ZOS.

 Fixes are available

5.1.1.8: WebSphere Application Server 5.1.1 Cumulative Fix 8 for AIX
5.1.1.8: WebSphere Application Server 5.1.1 Cumulative Fix 8 for Windows
5.1.1.8: WebSphere Application Server 5.1.1 Cumulative Fix 8 for HP-UX
5.1.1.8: WebSphere Application Server 5.1.1 Cumulative Fix 8 for Solaris
5.1.1.6: WebSphere Application Server Version 5.1.1 Cumulative Fix 6
5.1.1.7: WebSphere Application Server Version 5.1.1 Cumulative Fix 7
5.1.1.4: WebSphere Application Server Version 5.1.1 Cumulative Fix 4
5.1.1.8: WebSphere Application Server 5.1.1 Cumulative Fix 8 for Linux



APAR status
Closed as program error.

Error description
When invoking a resource on zOS from other WebSphere platforms
(excluding iSeries) and the invocation Subject is
the special subject "UNAUTHENTICATED", the request will fail
with a NO_PERMISSION even if the resource is unprotected.

One scenario where this will be seen is an unprotected servlet
making an EJB call to a bean deployed on a zOS server. The
special Subject UNAUTHENTICATED is automatically associated
with the request in this scenario.

Internal defect 212176.
Local fix Problem summary
****************************************************************
* USERS AFFECTED: All WebSphere Application Server users who   *
*                 have enabled security and are making         *
*                 calls to an EJB on z/OS from another         *
*                 platform.                                    *
****************************************************************
* PROBLEM DESCRIPTION: A NO_PERMISSION exception is returned.  *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
A NO_PERMISSION exception is returned when an EJB call from an
unprotected servlet is made to a z/OS platform server.  The
exception occurred due to the special Subject UNAUTHENTICATED
which designates a user which the system has not authenticated.
z/OS does not recognize this special Subject, however.
Problem conclusion
A CSIv2 context is not sent when the invocation Subject is
UNAUTHENTICATED.  Without a CSIv2 context, the target server
is free to handle the request as appropriate.
Temporary fix
Ok
Comments
APAR information
APAR number PQ94279
Reported component name WAS BASE 5.0
Reported component ID 5630A3600
Reported release 00A
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Special Attention NoSpecatt
Submitted date 2004-09-15
Closed date 2004-10-25
Last modified date 2004-10-25

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
SECURITY          

Publications Referenced

Fix information

Applicable component levels
R003 PSY    UP
R00A PSY    UP
R00H PSY    UP
R00I PSY    UP
R00P PSY    UP
R00S PSY    UP
R00W PSY    UP
R103 PSY    UP
R10A PSY    UP
R10H PSY    UP
R10I PSY    UP
R10P PSY    UP
R10S PSY    UP
R10W PSY    UP


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > General
Operating system(s):
Software version: 00A
Software edition:
Reference #: PQ94279
IBM Group: Software Group
Modified date: Oct 25, 2004