PQ90464: Unexpected failures during EJBROLE checks that generate messages BBOS0103E and SECJ0129E | |||||||||||||||||||||||||||||||||||||||||||
![]() |
|||||||||||||||||||||||||||||||||||||||||||
![]() APAR status Closed as program error. Error description Customer application uses RunAs rolename and has authenticated with a user id which is permitted to EJBROLE X. The server intermittently fails the EJBROLE check even though the user id is permitted to the EJBROLE. The following messages appear in the SYSPRINT: BBOS0103E MSG_BBOSENUS_SEC_EJBROLES_CHECK_FAILED: The requested EJBROLESAUTHCHECK(RACROUTE) function User not permitted to method CI via Allowed roles (CIRL,.) SECJ0129E: Authorization failed for USER while invoking GET on default_host: /webapp/apps/path/webname/view.do, Authorization failed, Not granted any of the required roles: CIRLLocal fix Problem summary **************************************************************** * USERS AFFECTED: All users of WebSphere Application Server * * V5.0 for z/OS * **************************************************************** * PROBLEM DESCRIPTION: Customer application uses RunAs * * rolename and has authenticated with a * * user id which is permitted to an * * EJBROLE. The server intermittently * * fails the EJBROLE check even though * * the user id is permitted to the * * EJBROLE. The following messages * * appear in the SYSPRINT: BBOS0103E * * MSG_ * * BBOSENUS_SEC_EJBROLES_CHECK_FAILED: * * The requested * * EJBROLESAUTHCHECK(RACROUTE) function * * User not permitted to method YY via * * Allowed roles (XXXX,.) SECJ0129E: * * Authorization failed for USERID while * * invoking GET on default_host: * * /application_path/methodid.do, * * Authorization failed, Not granted any * * of the required roles: XXXX * **************************************************************** * RECOMMENDATION: * **************************************************************** The problem is a missing OPI for the user. This is due to a problem with the reference count for this OPI - it has gone to zero either because it was decremented too often, or because it wrapped to zero. Once it became zero, the OPI was deleted because it appeared it was no longer being used.Problem conclusion First, ContextManagerImpl.java was changed to mark the server credential in initializeSystemContext(). Second, the reference counter limit was increased from 255 to 64K. Third, getNSCFromSSAIS was fixed to properly manage the reference counts. The following publication was revised as a result of APAR PQ90464: ________________________________________________________________ WebSphere Application Server V5 for z/OS Messages and Codes GA22-7915-01 _______________________________________________________________ NOTE: Periodically, we refresh the documentation on our Web site, so the changes might have been made before you read this text. To access the latest on-line documentation, go to the product library page at: www.ibm.com/software/webservers/appserv/zos_os390/library.html ________________________________________________________________ Chapter 04, pg. 213 (new message) Abend code DC3 reason 020D0001 Explanation: IBM Internal Use Only User Response: Contact the IBM Support Center ________________________________________________________________ APAR PQ90464 is associated with SERVICE LEVEL W502014 of WebSphere Application Server V5.0 for z/OS.Temporary fix Comments
APAR is sysrouted FROM one or more of the following: APAR is sysrouted TO one or more of the following: PQ91415 PQ91553 PQ91556 Modules/Macros
Publications Referenced
|
Document Information |
Current web document: swg1PQ90464.html
Product categories: Software > Application Servers >
Distributed Application & Web Servers > WebSphere Application
Server for z/OS
Operating system(s):
Software version: 500
Software edition:
Reference #: PQ90464
IBM Group: Software Group
Modified date: Sep 3, 2004
(C) Copyright IBM Corporation 2000, 2009. All Rights Reserved.