There are three types of SECJ0129A errors that have been
seen with WebSphere security. They each have different causes and
resolutions:
1. WebCollaborat A SECJ0129A:
Authorization failed for ??? while invoking GET on
default_host:<uri>, Authorization failed, Not granted any of the
required roles: <existing role>
Customers may see this error in version 4.0.3 and not in 4.0.2. This is
because of code changes made to implement the 2.3 servlet specification.
The 2.2 servlet specification did not fully define what was supposed to
happen with forward() and challenging the user to login.
The 2.3 servlet specification states that security is not applied to
forwarded URIs.
Therefore, customers may see this error when using a forward() or an
implicit forward in their application (such as typing in http://hostname/examples/, instead of
http://hostname/examples/index.html).
Either protecting the originally requested page or unprotecting both
pages would resolve the problem. However, because customers have protected
the page in the past, IBM didn't want to leave it unprotected. By
producing this response, IBM is letting customers know they need to change
their application to conform to the 2.3 servlet specification.
2. WebCollaborat A SECJ0129A:
Authorization failed for <user> while invoking POST on
default_host:<uri>, Authorization failed, Not granted any of the
required roles: <existing role>
This error is caused by a known defect that occurs when the cache timeout
is exceeded. While creating new credentials, the group type was not
properly appended to the group name, which caused the authorization code to
fail to find the proper group name in the security roles.
This problem was fixed by APAR PQ69036.
APAR PQ69036 is available in the Cumulative Security Interim Fix for
4.0.3/4.0.4/4.0.5 dated January, 2003 or later.
3. Customers using Tivoli WebSEAL with WebSphere have seen this
error:
WebCollaborat A SECJ0129A:
Authorization failed for <user> while invoking GET on
default_host:<uri>, Authorization failed, Not granted any of the
required roles: <existing role>
This problem has been seen when the "Enable Web Trust Association" box on
the Authentication tab of the Security center is not checked.
This problem has also been seen when the junctions from WebSEAL SSL to
the Web Server have been accidentally deleted.
Review the instructions on configuring WebSEAL with WebSphere in section
5.6.1 of the WebSphere version 4 InfoCenter.
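
A triage helper for the three cases above, as an added example that is not IBM code: it parses SECJ0129A lines and groups them by candidate cause, method and URI. It assumes one message per log line and relies on the sample messages above, where only case 1 shows the user as ???; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Layout of the SECJ0129A message as quoted above; one message per line is assumed.
SECJ0129A = re.compile(
    r"SECJ0129A:\s*Authorization failed for (?P<user>.+?) while invoking "
    r"(?P<method>[A-Z]+) on (?P<vhost>[^:\s]+):(?P<uri>.+?),\s*"
    r"Authorization failed, Not granted any of the required roles:\s*(?P<roles>.*)$"
)

# Cause numbers follow the numbered list on this page.
UNAUTHENTICATED = (1,)   # user shown as "???": forward() to a protected URI
AUTHENTICATED = (2, 3)   # named user: cache-timeout defect or WebSEAL setup


def triage(line):
    """Parse one log line; return its fields plus candidate causes, or None."""
    m = SECJ0129A.search(line)
    if m is None:
        return None
    rec = {k: v.strip() for k, v in m.groupdict().items()}
    rec["causes"] = UNAUTHENTICATED if rec["user"] == "???" else AUTHENTICATED
    return rec


def summarize(lines):
    """Count failures per (candidate causes, method, URI) to show where to look first."""
    counts = Counter()
    for line in lines:
        rec = triage(line)
        if rec:
            counts[(rec["causes"], rec["method"], rec["uri"])] += 1
    return counts


# Constructed sample lines (timestamps, thread ids, users, URIs and roles are invented).
SAMPLE = [
    "[1/15/03 10:02:11:120 EST] 5f3a1c2b WebCollaborat A SECJ0129A: Authorization failed for ??? while invoking GET on default_host:/examples/index.html, Authorization failed, Not granted any of the required roles: AllAuthenticated",
    "[1/15/03 10:40:52:007 EST] 2b7d9e10 WebCollaborat A SECJ0129A: Authorization failed for jdoe while invoking POST on default_host:/payroll/update, Authorization failed, Not granted any of the required roles: Manager",
    "[1/15/03 10:41:03:551 EST] 2b7d9e10 WebCollaborat A SECJ0129A: Authorization failed for jdoe while invoking POST on default_host:/payroll/update, Authorization failed, Not granted any of the required roles: Manager",
    "[1/15/03 10:41:09:300 EST] 41c0aa77 OtherCompo I unrelated constructed line",
]

if __name__ == "__main__":
    for (causes, method, uri), n in summarize(SAMPLE).most_common():
        print(f"{n:3d}  {method:5s} {uri}  -> check cause(s) {causes}")
```

Repeated failures for a named user on the same URI point toward cases 2 and 3; which of the two applies still has to be settled by checking the fix level and the WebSEAL configuration.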