PQ69036: APPLYING 11/19 CUMULATIVE SECURITY EFIX ON WAS 4.0.4 CAUSES SECJ0129A AUTHORIZATION FAILURE THAT DIDN'T OCCUR BEFORE EFIX

 Fixes are available

4.0.6: WebSphere Application Server Version 4.0 Fix Pack 6
Security; V4.0.2-V4.0.7: Cumulative fix for security component



APAR status
Closed as program error.

Error description
Environment:
WebSphere Application Server (WAS) 4.0.4 AE
   LDAP server
.
Description:
   After applying the 11/19/2002 cumulative security eFix, the
customer starts getting the following exception in the stdout
file that didn't occur before the cumulative security eFix was
applied:
.
[12/5/02 10:29:02:301 CST] 6e93ebd8 WebCollaborat A SECJ0129A:
Authorization failed for <user> while invoking POST on
default_host:<url>, Authorization failed, Not
granted any of the required roles: <existing role>
--------------------------------------------
Note: Defect list for V4.0.5 fix pack incorrectly lists
  PQ69036 as corrected in V4.0.5.  PQ69036 is actually
  corrected in V4.0.6.  Also, there is the possibility of
  seeing this problem in V4.0.x even if 11/19/2002 cumulative
  fix was not applied.
Addnl keywords: SECJ0053E WSCP0024E ejscpExtension
Local fix
Remove the cumulative security eFix
Problem summary
****************************************************************
* USERS AFFECTED: WebSphere Application Server users who have  *
*                 enabled security and use LDAP for the user   *
*                 registry.                                    *
****************************************************************
* PROBLEM DESCRIPTION: Authorization failure (403) received    *
*                      after security cache timeout is         *
*                      exceeded.                               *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
After the cache timeout is exceeded, authorization failures
(403) could occur.  The reason is that, while creating new
credentials, the group type was not properly appended to
the group name, which caused the authorization code to fail
to find the proper group name in the security roles.
Problem conclusion
The group type is now properly appended to the group name.

A fix for this APAR will be contained in any security
cumulative eFix dated after the closure date of this APAR.
Temporary fix
A test fix was provided.
Comments
APAR information
APAR number PQ69036
Reported component name WEBSPHERE AE NT
Reported component ID 5630A2201
Reported release 400
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Submitted date 2002-12-10
Closed date 2002-12-26
Last modified date 2004-02-09

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
SECURITY          

SRLS

Fix information
Fixed component name WEBSPHERE AE NT
Fixed component ID 5630A2201

Applicable component levels
R400 PSY    UP


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > General
Operating system(s):
Software version: 400
Software edition:
Reference #: PQ69036
IBM Group: Software Group
Modified date: Feb 9, 2004