WebSphere Application Server
APAR # PQ39360
Defect # PQ39360
WebSphere Release 3.0.2.1

Includes the following fixes:

76516    Client credential delegation does not work with LTPA.
72322    LTPA authentication should fail when the search for the user DN
         fails in the directory. Previous behavior would allow
         authentication to succeed but subsequent authorization would fail.
77121    LTPA authentication could succeed if no password was supplied.
         This error occurred if the directory was configured to allow
         anonymous bind.
77636    LTPA authentication should succeed even if group lookup for the
         user fails.
77688    When authenticating using a DN, DNs should be normalized by
         removing extra spaces.
77768    Single Sign On was not honoring the setting to only flow the
         cookie if SSL is enabled.
75570    Performance: Security WebSphere resources should be handled by
         the app server and should not make an extra hop to the admin
         server.
72394    If the RunAs mode is set to SPECIFIED_IDENTITY, the delegation
         will not take effect without this fix.
78387    getRemoteUser returned a value with a leading "/"; this behavior
         is fixed.
72436    Secondary BeanCache not cleared during sweep.
78925    Performance: Credential Cache not working properly.
78774    Authorization failure for EJB when stress is immediately applied
         (BeanCache problem).
74981    After logging in using the userid and password during the custom
         login process, the user gets a page containing a security
         exception trace.
78769    getWebAttributes method call executed under a non-privileged
         identity, resulting in authorization exceptions.
78776    OutOfMemoryError on long run with security enabled.
80169    Exact DN certificate mapping mode authorization failures.
82026    Performance enhancement - implementing authentication and
         validation caches.
82026.1  Initializing validation cache in R3.02x.
76446 + 81298
         Redirect user to the refererURL in the case of Custom login.
83735    A full DN specified for the server ID that is valid but not
         searchable (e.g., "cn=root") should be accepted by WebSphere.

Installation:

Directions for installation on Solaris (needs to be modified slightly
for other platforms).

security0627a.jar needs to be added to the front of the classpath in the
following files. (Assumes security0627a.jar has been copied to
/opt/WebSphere/Appserver/lib)

startupServer.sh
================
change:
    CLASSPATH=$DB_CLASSPATH:$WAS_HOME/lib/ibmwebas.jar
to:
    CLASSPATH=$WAS_HOME/lib/security0627a.jar:$DB_CLASSPATH:$WAS_HOME/lib/ibmwebas.jar

admin.config
============
change:
    com.ibm.ejs.sm.adminserver.classpath=/opt/WebSphere/AppServer/lib/ibmwebas.jar: ....
to:
    com.ibm.ejs.sm.adminserver.classpath=/opt/WebSphere/AppServer/lib/security0627a.jar:/opt/WebSphere/AppServer/lib/ibmwebas.jar: ....

adminclient.sh
==============
change:
    WAS_CP=$WAS_HOME/lib/ibmwebas.jar
to:
    WAS_CP=$WAS_HOME/lib/security0627a.jar:$WAS_HOME/lib/ibmwebas.jar

debug/adminserver.sh (optional, required if you are running adminserver.sh)
====================
change:
    WAS_CP=$WAS_HOME/lib/ibmwebas.jar
to:
    WAS_CP=$WAS_HOME/lib/security0627a.jar:$WAS_HOME/lib/ibmwebas.jar
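
Added example (not part of the original README and not IBM code): a POSIX shell check that security0627a.jar is listed ahead of ibmwebas.jar on a given classpath line, which is the condition the installation steps establish. The function names and the sample file contents are constructed for illustration; call patch_jar_first with the real file path and the variable name (CLASSPATH, WAS_CP or com.ibm.ejs.sm.adminserver.classpath).

```shell
#!/bin/sh
# Added example, not IBM code: check that the fix jar is ahead of
# ibmwebas.jar on a classpath line, so its classes are found first.
PATCH_JAR="security0627a.jar"
BASE_JAR="ibmwebas.jar"

# patch_jar_first FILE KEY
#   0: PATCH_JAR appears before the first BASE_JAR on the KEY= line
#   1: PATCH_JAR is missing, or only appears after BASE_JAR
#   2: FILE has no KEY= assignment
patch_jar_first() {
    # Use the last KEY= line; a later assignment overrides earlier ones.
    line=$(awk -v k="$2=" '{ sub(/^[ \t]+/, "") }
                           index($0, k) == 1 { l = $0 }
                           END { print l }' "$1")
    [ -n "$line" ] || return 2
    value=${line#*=}
    # Keep only the entries that precede the first ibmwebas.jar.
    before=${value%%"$BASE_JAR"*}
    case $before in
        *"$PATCH_JAR"*) return 0 ;;
        *) return 1 ;;
    esac
}

# report FILE KEY: print a one-line status and pass the result through.
report() {
    rc=0
    patch_jar_first "$1" "$2" || rc=$?
    case $rc in
        0) echo "OK        $1 ($2)" ;;
        1) echo "UNPATCHED $1 ($2): $PATCH_JAR is not ahead of $BASE_JAR" ;;
        *) echo "NO ENTRY  $1: no $2= line found" ;;
    esac
    return "$rc"
}

# Constructed sample input: one patched and one unpatched line.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'CLASSPATH=$WAS_HOME/lib/security0627a.jar:$DB_CLASSPATH:$WAS_HOME/lib/ibmwebas.jar' > "$d/startupServer.sh"
    printf '%s\n' 'WAS_CP=$WAS_HOME/lib/ibmwebas.jar' > "$d/adminclient.sh"
    report "$d/startupServer.sh" CLASSPATH || true
    report "$d/adminclient.sh" WAS_CP || true
    rm -rf "$d"
}
demo
```

A result of 1 on any of the four files means the server or admin client is still loading the unfixed security classes from ibmwebas.jar.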