PQ99268: TRUSTED SERVER VIA SHARED LTPA KEYS, CAN EXECUTE SERVLET WITH NULL CREDENTIALS ON DIFFERENT JVM

APAR status
Closed as Permanent restriction.

Error description
If a servlet has set the invocation credentials to NULL like:
LoginHelper.setInvocationCredentials(null)
Then, if a call is made to an EJB in a different JVM, that call will
have the access privileges of the admin user.
Notes:
- This can only happen if shared LTPA keys are used.
- Operations are still limited to what that EJB can do.
Local fix

Problem summary
****************************************************************
* USERS AFFECTED: All WebSphere Application Server users       *
*                 setting invocation credentials within        *
*                 Servlet or EJB code.                         *
****************************************************************
* PROBLEM DESCRIPTION: If null is set as the invocation        *
*                      credential, the server credential is    *
*                      used for any subsequent EJB call        *
*                      within the servlet or EJB.              *
*                                                              *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
If null is set as the invocation credential, the server
credential is used for any subsequent EJB call within the
servlet or EJB.  The reason for this is that WebSphere
internally relies on threads without credentials being server
threads, not application threads.  For this reason, prior to
invoking any Servlet or EJB code, WebSphere puts a special
UNAUTHENTICATED credential on the thread.  If application code
then resets this to null, the thread is treated as if it were a
server thread.
Problem conclusion
Changes necessary to resolve this will take a significant
redesign of code which cannot be adequately tested at this
time.  The application can easily avoid this by simply
checking for a null credential before setting the invocation
credential.
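The workaround described above can be put in one place rather than repeated at every call site. The following is an added example, not code from the APAR or from IBM; it assumes the WebSphere 4.x classes com.ibm.websphere.security.auth.LoginHelper (with its setInvocationCredentials and getInvocationCredentials methods) and org.omg.SecurityLevel2.Credentials as the credential type. The wrapper refuses a null credential so the UNAUTHENTICATED credential the container placed on the thread stays in place, and it restores the previous invocation credential after a scoped action so a failed or partial login cannot leave the thread credential-less.

```java
// Added example, not code from the APAR or from IBM. Assumed types:
// com.ibm.websphere.security.auth.LoginHelper and
// org.omg.SecurityLevel2.Credentials (WebSphere 4.x).
import com.ibm.websphere.security.auth.LoginHelper;
import org.omg.SecurityLevel2.Credentials;

public final class InvocationCredentialGuard {

    private InvocationCredentialGuard() {}

    /**
     * Sets the invocation credential for the current thread, refusing null.
     *
     * Passing null to LoginHelper.setInvocationCredentials removes the
     * UNAUTHENTICATED credential WebSphere placed on the thread before the
     * servlet or EJB ran. The container then treats the thread as a server
     * thread, so a subsequent EJB call to another JVM that shares the LTPA
     * keys carries the server's own identity. Rejecting null keeps the
     * container-supplied credential in place.
     */
    public static void setInvocationCredentials(Credentials creds) {
        if (creds == null) {
            throw new IllegalArgumentException(
                "refusing to set a null invocation credential; "
                + "the container-supplied credential stays on the thread");
        }
        LoginHelper.setInvocationCredentials(creds);
    }

    /**
     * Runs an action under the given credential and restores the thread's
     * previous invocation credential afterwards. The previous credential is
     * only reinstated when it is non-null, so the restore path can never
     * itself put the thread into the credential-less state.
     */
    public static void runAs(Credentials creds, Runnable action) {
        // Assumed API: LoginHelper.getInvocationCredentials() returns the
        // credential currently on the thread (normally UNAUTHENTICATED or
        // the caller's authenticated credential).
        Credentials previous = LoginHelper.getInvocationCredentials();
        setInvocationCredentials(creds);
        try {
            action.run();
        } finally {
            if (previous != null) {
                LoginHelper.setInvocationCredentials(previous);
            }
        }
    }
}
```

A servlet that wants to "drop" privileges before calling out should not clear the invocation credential at all; leaving the container's UNAUTHENTICATED credential on the thread is the least-privileged state the page describes, whereas a null credential is the most privileged one.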
Temporary fix

Comments
APAR information
APAR number PQ99268
Reported component name WEBSPHERE AE AI
Reported component ID 5630A2200
Reported release 400
Status CLOSED PRS
PE NoPE
HIPER NoHIPER
Submitted date 2005-01-10
Closed date 2005-03-01
Last modified date 2005-03-01

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros

Fix information

Applicable component levels

Document Information

Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > General
Operating system(s):
Software version: 400
Software edition:
Reference #: PQ99268
IBM Group: Software Group
Modified date: Mar 1, 2005