CORBA errors occur when logging in after the LTPA token expires
 Technote (FAQ)
 
Problem
Immediately after the Lightweight Third Party Authentication (LTPA) Token expires, users who log into the application might not be authenticated to access secured EJB™ resources on a remote Application Server. In this case, users might continue to have access to other servlets.

Here is a typical recreation scenario.

  1. Access the test servlet.

  2. Log in and authenticate.

  3. Perform no activity. Wait until about 30 seconds before the LTPA token is set to expire, then click Refresh on the browser about every 5 seconds. When the token finally expires, the login page to reauthenticate displays.

  4. Log in and authenticate successfully.

  5. An error message is issued in the Application Server standard error or standard out file. CORBA errors are also seen in SAS traces.

The timing of this error is critical:

  • If the CORBA error appears after the LTPA token expiration, but before the user logs in again, this message is normal.

  • If the CORBA error appears after the user has logged in, this is a problem.

 
Cause
Authorization to access a secured EJB is based on SAS sessions, and sessions are mapped to credentials. The session ID did not include credential expiration time, so an old session is used even after a new credential is created. With the fix, new sessions are created with a new credential token.
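
A minimal model of the session lookup described above, added here as an illustration and not IBM's SAS code. The class and function names, the principal "alice", and the clock values are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    principal: str
    expires_at: int  # LTPA token expiration on a constructed clock (seconds)


class SessionTable:
    """Toy session cache mapping session IDs to credentials (hypothetical)."""

    def __init__(self, key_includes_expiry: bool):
        self.key_includes_expiry = key_includes_expiry
        self.sessions = {}  # session ID -> Credential bound to that session

    def session_id(self, cred: Credential):
        # Before the fix the ID ignores the credential expiration time,
        # so every credential for one principal maps to the same session.
        if self.key_includes_expiry:
            return (cred.principal, cred.expires_at)
        return (cred.principal,)

    def invoke_ejb(self, cred: Credential, now: int) -> bool:
        """Return True if the secured call is authorized at time `now`."""
        sid = self.session_id(cred)
        # Reuse the session if the ID is already known, else create one.
        bound = self.sessions.setdefault(sid, cred)
        # Authorization is decided by the credential bound to the session,
        # not by the credential the caller just obtained.
        return now < bound.expires_at


def replay(key_includes_expiry: bool):
    """Steps 2-5 of the scenario: login, token expiry, re-login, EJB call."""
    table = SessionTable(key_includes_expiry)
    first = Credential("alice", expires_at=100)    # first login
    before_expiry = table.invoke_ejb(first, now=10)
    second = Credential("alice", expires_at=220)   # re-login at t=120
    after_relogin = table.invoke_ejb(second, now=125)
    return before_expiry, after_relogin


if __name__ == "__main__":
    print("session ID without expiry:", replay(False))
    print("session ID with expiry:   ", replay(True))
```

With the expiration time left out of the ID, the call made after the second login is still checked against the expired credential and is rejected; with it included, the new credential gets its own session.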
 
Solution
Apply the cumulative security fix dated 17 MAR 2003 or later for versions 4.0.3, 4.0.4, and 4.0.5.

Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > Security
Operating system(s): Windows
Software version: 4.0.5
Reference #: 1106426
IBM Group: Software Group
Modified date: Mar 27, 2006