PQ71310: getUserPrincipal().getName() returns the wrong name rather than the logged-in username when accessing from another domain

 Fixes are available

4.0.6: WebSphere Application Server Version 4.0 Fix Pack 6
Security; V4.0.2-V4.0.7: Cumulative fix for security component
APAR status
Closed as program error.

Error description
The customer logs in to the administration console with the
administration username and password. The custom realm is called
and accepts the administration username and password.
The customer then logs in to the web application with a web
username and password (different from the administration
username and password). The custom realm is called and accepts
that authentication as well.
The web application (a servlet) calls
getUserPrincipal().getName() on the HttpServletRequest and
receives the administration user's identity instead of the
web user's.
Later calls to getUserPrincipal().getName() on the
HttpServletRequest return the correct logged-in user.
Local fix

Problem summary
****************************************************************
* USERS AFFECTED: WebSphere Application Server security users  *
*                 who have deployed servlets and EJBs in       *
*                 different realms.                            *
****************************************************************
* PROBLEM DESCRIPTION: getName() in getUserPrincipal()         *
*                      may not return the right security       *
*                      name during an EJB call.                *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
getUserPrincipal().getName() may return the wrong security name
after a servlet accesses an EJB in a different security domain
(realm).
Problem conclusion
When a servlet accesses an EJB in a different realm, security
tries to map the invocation credential to the target realm. If
the credential mapping fails, the servlet's original credential
is now returned rather than the default credential, so the
servlet's subsequent getUserPrincipal().getName() calls report
the user who actually logged in.
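The following servlet is an added illustration of the check a practitioner would want while running on an unfixed level: it records the caller's principal name before a cross-realm EJB call, reads it again afterwards, and refuses to serve data if the identity changed underneath it. This is not IBM's code or the APAR's fix; the EJB interfaces (AccountHome, Account), their methods, and the JNDI name java:comp/env/ejb/Account are assumptions for the example.

```java
// Added example (not IBM code): detect the symptom in PQ71310, where the
// principal reported by getUserPrincipal() can change after a servlet calls
// an EJB deployed in a different realm. The EJB interfaces and JNDI name
// below are hypothetical placeholders.
import java.io.IOException;
import java.rmi.RemoteException;
import java.security.Principal;
import javax.ejb.EJBHome;
import javax.ejb.EJBObject;
import javax.ejb.FinderException;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.rmi.PortableRemoteObject;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical remote interfaces for an EJB living in another realm.
interface AccountHome extends EJBHome {
    Account findByUser(String user) throws RemoteException, FinderException;
}

interface Account extends EJBObject {
    String getBalance() throws RemoteException;
}

public class BalanceServlet extends HttpServlet {

    /** Authenticated name as the container reports it, or null if unauthenticated. */
    static String principalName(HttpServletRequest req) {
        Principal p = req.getUserPrincipal();
        return (p == null) ? null : p.getName();
    }

    /** True only if both snapshots name the same, non-null user. */
    static boolean identityStable(String before, String after) {
        return before != null && before.equals(after);
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Snapshot the identity before crossing into the other realm.
        String before = principalName(req);
        if (before == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "not authenticated");
            return;
        }

        String balance;
        try {
            InitialContext ctx = new InitialContext();
            Object ref = ctx.lookup("java:comp/env/ejb/Account"); // hypothetical JNDI name
            AccountHome home =
                (AccountHome) PortableRemoteObject.narrow(ref, AccountHome.class);
            Account account = home.findByUser(before); // EJB call into the other realm
            balance = account.getBalance();
        } catch (NamingException e) {
            throw new ServletException("EJB lookup failed", e);
        } catch (RemoteException e) {
            throw new ServletException("EJB call failed", e);
        } catch (FinderException e) {
            throw new ServletException("no account for " + before, e);
        }

        // Re-read the identity after the cross-realm call. On an affected
        // level it may now name a different user (e.g. the admin identity
        // from the earlier console login). Fail closed and log it rather
        // than serving data under the wrong principal.
        String after = principalName(req);
        if (!identityStable(before, after)) {
            log("principal changed across EJB call: before=" + before
                + " after=" + after + " uri=" + req.getRequestURI());
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "identity mismatch");
            return;
        }

        resp.setContentType("text/plain");
        resp.getWriter().println("balance for " + after + ": " + balance);
    }
}
```

The before/after comparison only detects a flip that occurs within one request; it does not make the application safe on an affected level, and authorization decisions should never be made from the name returned immediately after the cross-realm call until the fix pack listed above is applied. Logging the mismatch with the request URI gives the operations team a concrete indicator to search for while the fix is rolled out.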
Temporary fix
provided test fix
Comments
APAR information
APAR number PQ71310
Reported component name WEBSPHERE AES S
Reported component ID 5630A2302
Reported release 400
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Submitted date 2003-02-24
Closed date 2003-03-13
Last modified date 2003-04-30

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
Security          

SRLS

Fix information

Applicable component levels
R400 PSY    UP


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > General
Operating system(s):
Software version: 400
Software edition:
Reference #: PQ71310
IBM Group: Software Group
Modified date: Apr 30, 2003