Three Causes Of SECJ0129A Errors In WebSphere 4.0.x
 Technote (FAQ)
 
Problem
What are some possible reasons for SECJ0129A errors in the tracefile when using WebSphere security or WebSEAL with WebSphere?
 
Solution
There are three types of SECJ0129A errors that have been seen with WebSphere security. They each have different causes and resolutions:


1. WebCollaborat A SECJ0129A:
Authorization failed for ??? while invoking GET on default_host:<uri>, Authorization failed, Not granted any of the required roles: <existing role>

Customers may see this error in version 4.0.3 and not in 4.0.2. This is because of code changes made to implement the 2.3 servlet specification.

The 2.2 servlet specification did not fully define what was supposed to happen with forward() and challenging the user to log in.

The 2.3 servlet specification states that security is not applied to forwarded URIs.

Therefore, customers may see this error when using a forward() or an implicit forward in their application (such as typing in http://hostname/examples/, instead of http://hostname/examples/index.html).

Either protecting the originally requested page or unprotecting both pages would resolve the problem. However, because customers have protected the page in the past, IBM didn't want to leave it unprotected. By producing this response, IBM is letting customers know they need to change their application to conform to the 2.3 servlet specification.

2. WebCollaborat A SECJ0129A:
Authorization failed for <user> while invoking POST on default_host:<uri>, Authorization failed, Not granted any of the required roles: <existing role>

This error is caused by a known defect that occurs when the cache timeout is exceeded. While creating new credentials, the group type was not properly appended to the group name, which caused the authorization code to fail to find the proper group name in the security roles.
This problem was fixed by APAR PQ69036.

APAR PQ69036 is available in the Cumulative Security Interim Fix for 4.0.3/4.0.4/4.0.5 dated January, 2003 or later.

3. Customers using Tivoli WebSEAL with WebSphere have seen this error:

WebCollaborat A SECJ0129A:
Authorization failed for <user> while invoking GET on default_host:<uri>, Authorization failed, Not granted any of the required roles: <existing role>

This problem has been seen when the "Enable Web Trust Association" box on the Authentication tab of the Security center is not checked.

This problem has also been seen when the junctions from WebSEAL SSL to the Web Server have been accidentally deleted.

Review the instructions on configuring WebSEAL with WebSphere in section 5.6.1 of the WebSphere version 4 InfoCenter.
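
The following triage script is an added example, not part of the original technote or IBM code. It parses SECJ0129A messages in the layout quoted above and separates entries with no user name ("???", cause 1) from entries naming a user (cause 2 or 3). It assumes each message sits on one line; the sample lines, users, URIs and roles are constructed.

```python
import re
from collections import Counter

# Message layout as quoted in the technote; assumes one message per line.
# Whatever precedes "SECJ0129A:" (timestamp, thread id, component) is ignored.
PATTERN = re.compile(
    r"SECJ0129A:\s*Authorization failed for (?P<user>.+?) while invoking "
    r"(?P<method>[A-Z]+) on (?P<vhost>[^:\s]+):(?P<uri>.+?), "
    r"Authorization failed, Not granted any of the required roles:\s*(?P<roles>.*)$"
)

CAUSE_1 = "1: no user name in message (check forward()/implicit forward to a protected URI)"
CAUSE_2_3 = ("2 or 3: named user not granted the role (check APAR PQ69036 level; "
             "with WebSEAL, check Web Trust Association and junctions)")

def parse(line):
    """Return the fields of one SECJ0129A message, or None for other lines."""
    m = PATTERN.search(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # "???" is what the technote shows in place of a user name for cause 1.
    rec["cause"] = CAUSE_1 if rec["user"] == "???" else CAUSE_2_3
    return rec

def triage(lines):
    """Count failures per (cause, user, method, uri) so repeated hits collapse."""
    counts = Counter()
    for line in lines:
        rec = parse(line)
        if rec:
            counts[(rec["cause"], rec["user"], rec["method"], rec["uri"])] += 1
    return counts

# Constructed sample lines: timestamps, thread ids, users, URIs and roles are invented.
SAMPLE = [
    "[1/15/03 10:02:11:123 EST] 5a3b2c1 WebCollaborat A SECJ0129A: Authorization failed for ??? while invoking GET on default_host:/examples/, Authorization failed, Not granted any of the required roles: Employee",
    "[1/15/03 10:02:15:456 EST] 5a3b2c1 WebCollaborat A SECJ0129A: Authorization failed for ??? while invoking GET on default_host:/examples/, Authorization failed, Not granted any of the required roles: Employee",
    "[1/15/03 10:31:40:002 EST] 1f4e9d0 WebCollaborat A SECJ0129A: Authorization failed for jdoe while invoking POST on default_host:/app/submit, Authorization failed, Not granted any of the required roles: Manager",
    "[1/15/03 10:31:41:900 EST] 1f4e9d0 SomeOtherComp I unrelated informational message",
    "[1/15/03 11:05:09:310 EST] 77ab310 WebCollaborat A SECJ0129A: Authorization failed for cn=asmith,o=example while invoking GET on default_host:/portal/home, Authorization failed, Not granted any of the required roles: Employee",
]

if __name__ == "__main__":
    for (cause, user, method, uri), n in triage(SAMPLE).most_common():
        print(f"{n}x {method} {uri} user={user} -> cause {cause}")
```

The script cannot tell cause 2 from cause 3; that still depends on the installed fix level and on whether WebSEAL fronts the server.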

 
 
 


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > Security
Operating system(s): HP-UX
Software version: 4.0
Software edition:
Reference #: 1109317
IBM Group: Software Group
Modified date: Sep 6, 2004