PQ99268: TRUSTED SERVER VIA SHARED LTPA KEYS, CAN EXECUTE SERVLET WITH NULL CREDENTIALS ON DIFFERENT JVM
APAR status
Closed as Permanent restriction.

Error description
If a servlet has set the invocation credentials to NULL like:
    LoginHelper.setInvocationCredentials(null)
then, if a call to an EJB in a different JVM is made, it will have the access privileges of the admin user.

Notes:
- This can only happen if shared LTPA keys are used.
- Operations are still limited to what that EJB can do.

Local fix

Problem summary
****************************************************************
* USERS AFFECTED: All WebSphere Application Server users       *
*                 setting invocation credentials within        *
*                 Servlet or EJB code.                         *
****************************************************************
* PROBLEM DESCRIPTION: If null is set as the invocation        *
*                      credential, the server credential is    *
*                      used for any subsequent EJB call        *
*                      within the servlet or EJB.              *
*                                                              *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
If null is set as the invocation credential, the server credential is used for any subsequent EJB call within the servlet or EJB. The reason for this is that WebSphere has internal dependencies on threads which do not have credentials being server threads, not application threads. For this reason, prior to invoking any Servlet or EJB code, WebSphere puts a special UNAUTHENTICATED credential on the thread. If application code then resets this to null, the thread is treated as if it were a server thread.

Problem conclusion
Changes necessary to resolve this will take a significant redesign of code which cannot be adequately tested at this time. The application can easily avoid this by simply checking for a null credential before setting the invocation credential.

Temporary fix

Comments
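The null check the APAR recommends, written as a small guard around LoginHelper so a null can never reach setInvocationCredentials and the previous credential is restored afterwards. This is an added example, not IBM's code or part of the APAR; it assumes the WebSphere 4.0 classes com.ibm.websphere.security.auth.LoginHelper and org.omg.SecurityLevel2.Credentials and a LoginHelper.getInvocationCredentials() accessor, which should be checked against the installed product's Javadoc.

```java
// Added example (not from the APAR): fail-closed wrapper around
// LoginHelper.setInvocationCredentials for servlet or EJB code.
// Assumed WebSphere 4.0 classes and methods; verify against your Javadoc.
import com.ibm.websphere.security.auth.LoginHelper;
import org.omg.SecurityLevel2.Credentials;

public final class SafeInvocation {

    private SafeInvocation() {}

    /**
     * Runs action with cred as the invocation credential.
     * A null credential is rejected instead of being set, because a thread
     * with no credential is treated as a server thread (PQ99268) and its
     * remote EJB calls would carry the server's privileges.
     */
    public static void runAs(Credentials cred, Runnable action) {
        if (cred == null) {
            throw new SecurityException("refusing to set a null invocation credential");
        }
        // Remember what WebSphere put on the thread (normally UNAUTHENTICATED
        // or the caller's credential) so it can be restored afterwards.
        Credentials previous = LoginHelper.getInvocationCredentials();
        LoginHelper.setInvocationCredentials(cred);
        try {
            action.run();
        } finally {
            // Restore the earlier credential; never write null back, since
            // that would recreate the very condition this guard prevents.
            if (previous != null) {
                LoginHelper.setInvocationCredentials(previous);
            }
        }
    }
}
```

A caller that would have passed null now gets a SecurityException at the call site, which is the behaviour to want: the request fails instead of silently running as the server.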
APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
Document Information
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > General
Operating system(s):
Software version: 400
Software edition:
Reference #: PQ99268
IBM Group: Software Group
Modified date: Mar 1, 2005
(C) Copyright IBM Corporation 2000, 2006. All Rights Reserved.