|
Problem |
You are trying to access a secured web
resource. After successfully authenticating, you receive authorization
failed exceptions even though you are defined in a role with the proper
access permissions. |
|
Cause |
Exceptions in the trace file are
similar to the following:
[02.01.31 13:20:25:115 CST] bb8b52 WSAccessManag <
isGrantedAnyRole:No role or group role found for
accessId[user:EXCHANGE/S-1-5-21-9888937-1170499181-1202159320-40778], exit
value:true
[02.01.31 13:20:25:115 CST] bb8b52 WebCollaborat < checkAuthorization:
throw AccessException
[02.01.31 13:20:25:115 CST] bb8b52 WebCollaborat D checkAuthorization()
failed, here is the message in the exception: Authorization failed, Not
granted any of the required roles: VIP
[02.01.31 13:20:25:115 CST] bb8b52 WebCollaborat A SECJ0129A:
Authorization failed for wsUser while invoking GET on
default_host:/CommandWeb/secure.jsp, Authorization failed, Not granted any
of the required roles: VIP
The real problem may not have been with WebSphere but
rather with the WebSphere® Studio Application Development (WSAD).
WebSphere either entered the full value of the accessId or left it out
completely, which is OK and just causes the runtime to get the accessId.
The customer was not able to use WebSphere's interface; they had to use
WSAD's instead. That interface was producing accessIds with nulls
(accessId=""), and this was the problem.
The access ID values can be seen in the ibm-application-bnd.xmi file
under the deployed ear file's directory.
The xmi file is where the user-to-role mappings are defined, but here the
accessId is not filled in:
<users xmi:id="User_2" name="wsuser" accessId=""/>
The accessId should have been filled in automatically when
deploying the ear file or when making an update to the Application Roles
in the Admin console, i.e.
<users xmi:id="User_1" name="wsuser" accessId="user:PIGDOMAIN100/S-1-5-21-1177238915-113007714-2146937053-1001"/> |
|
Solution |
Efix PQ57615 was created to allow for
the nulls; with it, the runtime is just used to get the accessIds. |
|
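An added example (not part of the original technote and not IBM code): a small Python check that scans an ibm-application-bnd.xmi for users entries whose accessId is present but empty, the case described under Cause. The sample document, its wrapper elements, the namespace URIs and the domain/SID value are constructed assumptions; only the shape of the users element comes from the technote.

```python
import xml.etree.ElementTree as ET

# Constructed sample: only the <users> element shape comes from the technote.
# Wrapper elements, namespace URIs and the domain/SID are assumptions.
SAMPLE_XMI = """\
<applicationbnd:ApplicationBinding xmlns:xmi="http://www.omg.org/XMI"
    xmlns:applicationbnd="applicationbnd.xmi" xmi:id="Application_ID_Bnd">
  <authorizationTable xmi:id="AuthorizationTable_1">
    <authorizations xmi:id="RoleAssignment_1">
      <users xmi:id="User_1" name="wsuser"
             accessId="user:EXAMPLEDOMAIN/S-1-5-21-1-2-3-1001"/>
      <users xmi:id="User_2" name="wsuser" accessId=""/>
      <users xmi:id="User_3" name="wsuser"/>
    </authorizations>
  </authorizationTable>
</applicationbnd:ApplicationBinding>
"""

XMI_ID = "{http://www.omg.org/XMI}id"  # expanded name of the xmi:id attribute


def classify(access_id):
    """Map an accessId attribute value to the three cases the technote names."""
    if access_id is None:
        return "absent"  # left out completely: runtime looks it up, OK
    if access_id.strip() == "":
        return "empty"   # accessId="": the failing case
    return "set"         # full value entered, OK


def audit_bindings(xmi_text):
    """Return (xmi:id, name, state) for every <users> element in the file."""
    findings = []
    for elem in ET.fromstring(xmi_text).iter():
        if elem.tag.rsplit("}", 1)[-1] == "users":  # ignore any namespace
            findings.append((elem.get(XMI_ID), elem.get("name"),
                             classify(elem.get("accessId"))))
    return findings


def empty_access_ids(xmi_text):
    """Only the entries written with accessId=""."""
    return [f for f in audit_bindings(xmi_text) if f[2] == "empty"]


if __name__ == "__main__":
    for xmi_id, name, state in audit_bindings(SAMPLE_XMI):
        print(f"{xmi_id:8} {name:8} accessId {state}")
```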