PQ66004: MULTIPLE SECURITY LOG ENTRIES FOR ONE INVALID USERID/PASSWORD.

 A fix is available

4.0.5: WebSphere Application Server Version 4.0 Fix Pack 5 (Version 4.0.5)



APAR status
Closed as program error.

Error description
Upon entering a wrong password for a given userid, the following
log statements are written to appserver-out.log. Apart from the
fact that logging the same message multiple times seems unnecessary,
it should be the application's decision whether or not to write such
a message regarding invalid logins. Otherwise, a very simple
denial of service attack could be conceived with bogus login
attempts keeping the machine busy logging these messages.
[8/26/02 13:17:39:080 CEST] 37b2205d SystemOut     U    5> [2002-08-26 13:17:39.08], [ServerID: 375334458], [LoginHelperImpl.request_login_controlled]:
[8/26/02 13:17:39:090 CEST] 37b2205d SystemOut     U
JSAS0240E: Login failed.  Verify the userid/password is correct.  Check the properties file to ensure the login source is valid.  If this error occurs on the server, check the server properties to ensure the principalName has a valid realm and userid.
[8/26/02 13:17:39:110 CEST] 37b2205d SystemOut     U    6> [2002-08-26 13:17:39.11], [ServerID: 375334458], [CredentialsImpl.get_mapped_credentials]:
[8/26/02 13:17:39:120 CEST] 37b2205d SystemOut     U
JSAS0240E: Login failed.  Verify the userid/password is correct.  Check the properties file to ensure the login source is valid.  If this error occurs on the server, check the server properties to ensure the principalName has a valid realm and userid.
[8/26/02 13:17:39:451 CEST] 37b2205d SystemOut     U    8> [2002-08-26 13:17:39.451], [ServerID: 375334458], [CredentialsImpl.get_mapped_credentials]:
[8/26/02 13:17:39:481 CEST] 37b2205d SystemOut     U
JSAS0240E: Login failed.  Verify the userid/password is correct.  Check the properties file to ensure the login source is valid.  If this error occurs on the server, check the server properties to ensure the principalName has a valid realm and userid.
Action Planned: Sending to entitlement, then to WAS for customer
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: WebSphere Application Server users who have  *
*                 security enabled.                            *
****************************************************************
* PROBLEM DESCRIPTION: Multiple security log entries for one   *
*                      invalid login.                          *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
Upon entering a wrong password for a given userid, the
following  3 log statements are written to appserver-out.log.
It's unnecessary to have 3 login error messages.

[8/26/02 13:17:39:080 CEST] 37b2205d SystemOut     U    5> [2002-08-26 13:17:39.08], [ServerID: 375334458], [LoginHelperImpl.request_login_controlled]:
[8/26/02 13:17:39:090 CEST] 37b2205d SystemOut     U
JSAS0240E:   Login failed.  Verify the userid/password is correct.  Check the properties file to ensure the login source is valid.  If this error occurs on the server, check the server properties to ensure the principalName has a valid realm and userid.
[8/26/02 13:17:39:110 CEST] 37b2205d SystemOut     U    6> [2002-08-26 13:17:39.11], [ServerID: 375334458], [CredentialsImpl.get_mapped_credentials]:
[8/26/02 13:17:39:120 CEST] 37b2205d SystemOut     U
JSAS0240E: Login failed.  Verify the userid/password is correct.  Check the properties file to ensure the login source is valid.  If this error occurs on the server, check the server properties to ensure the principalName has a valid realm and userid.
[8/26/02 13:17:39:451 CEST] 37b2205d SystemOut     U    8> [2002-08-26 13:17:39.451], [ServerID: 375334458], [CredentialsImpl.get_mapped_credentials]:
[8/26/02 13:17:39:481 CEST] 37b2205d SystemOut     U
JSAS0240E:   Login failed.  Verify the userid/password is correct.  Check the properties file to ensure the login source is valid.  If this error occurs on the server, check the server properties to ensure the principalName has a valid realm and userid.
Problem conclusion
2 unnecessary messages are removed.  Only one message will be
logged.
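
An added example (not IBM's code and not part of this APAR): on a server without the fix, counting JSAS0240E lines in appserver-out.log overstates failed logins threefold. The Python function below collapses each burst of up to three JSAS0240E messages on one thread id into a single failed-login event; the one-second window, the thread id 4c1f00aa and the sample lines are assumptions constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample. Thread 37b2205d: two-line layout and timestamps quoted on
# this page, text shortened. Thread 4c1f00aa: made up, assumed one-line layout.
SAMPLE_LOG = """\
[8/26/02 13:17:39:090 CEST] 37b2205d SystemOut     U
JSAS0240E: Login failed.  Verify the userid/password is correct.
[8/26/02 13:17:39:120 CEST] 37b2205d SystemOut     U
JSAS0240E: Login failed.  Verify the userid/password is correct.
[8/26/02 13:17:39:481 CEST] 37b2205d SystemOut     U
JSAS0240E: Login failed.  Verify the userid/password is correct.
[8/26/02 13:17:45:010 CEST] 4c1f00aa SystemOut     U JSAS0240E: Login failed.
[8/26/02 13:17:45:030 CEST] 4c1f00aa SystemOut     U JSAS0240E: Login failed.
[8/26/02 13:17:45:400 CEST] 4c1f00aa SystemOut     U JSAS0240E: Login failed.
[8/26/02 13:17:45:500 CEST] 4c1f00aa SystemOut     U JSAS0240E: Login failed.
[8/26/02 13:17:45:520 CEST] 4c1f00aa SystemOut     U JSAS0240E: Login failed.
[8/26/02 13:17:45:900 CEST] 4c1f00aa SystemOut     U JSAS0240E: Login failed.
"""

HEADER = re.compile(
    r"^\[(\d{1,2}/\d{1,2}/\d{2} \d{1,2}:\d{2}:\d{2}):(\d{3}) [A-Z]+\]\s+([0-9a-f]{8})\s")
PER_FAILURE = 3                 # messages per bad login before the fix (per this APAR)
WINDOW = timedelta(seconds=1)   # assumed maximum spread of one burst

def failed_login_events(text, window=WINDOW, per_failure=PER_FAILURE):
    """Return (raw JSAS0240E count, events); an event is [first_ts, thread, n_msgs]."""
    events, open_event, current, raw = [], {}, None, 0
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:  # remember timestamp and thread id for continuation lines
            ts = datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S")
            current = (ts + timedelta(milliseconds=int(m.group(2))), m.group(3))
        if "JSAS0240E" not in line or current is None:
            continue
        raw += 1
        ts, thread = current
        idx = open_event.get(thread)
        if (idx is not None and events[idx][2] < per_failure
                and ts - events[idx][0] <= window):
            events[idx][2] += 1          # duplicate of an already counted failure
        else:
            open_event[thread] = len(events)
            events.append([ts, thread, 1])
    return raw, events

if __name__ == "__main__":
    raw, events = failed_login_events(SAMPLE_LOG)
    print(f"{raw} JSAS0240E lines -> {len(events)} failed logins")
```

On a server with the fix applied, pass per_failure=1 so that each message counts as one failed login.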
Temporary fix
PQ66004_eFix_test.jar
Comments
APAR information
APAR number PQ66004
Reported component name WEBSPHERE AE NT
Reported component ID 5630A2201
Reported release 400
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Submitted date 2002-09-09
Closed date 2002-10-30
Last modified date 2002-10-30

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
SECURITY          

SRLS

Fix information
Fixed component name WEBSPHERE AE NT
Fixed component ID 5630A2201

Applicable component levels
R400 PSY    UP


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > General
Operating system(s):
Software version: 400
Software edition:
Reference #: PQ66004
IBM Group: Software Group
Modified date: Oct 30, 2002