PQ66162: SERVERSIDEAUTHENTICATOR DOESN'T THROW EXCEPTION
APAR status
Closed as program error.

Error description
SSOAuthenticator - When used
1. Authenticates userid and password.
2. Throws exception when authentication fails (works correctly).
3. Sets HttpRequest and HttpResponse LTPA cookie so that they can be passed by servlet.
4. DOES NOT SET THE CONTEXT for SAS communication for ejb layer. So the ejb thinks the user is UNAUTHENTICATED and fails.

ServerSideAuthenticator - When used
1. Authenticates userid and password.
2. DOES NOT throw exception when authentication fails.
3. DOES NOT set HttpRequest and HttpResponse LTPA cookie so that they can be passed by servlet.
4. Sets context for SAS communication for ejb layer.

So, with this being the case, I have to use 2 separate APIs to authenticate correctly and set the desired information to enable J2EE security framework. Right now I call ServerSideAuthenticator first then SSOAuthenticator. Seems kind of expensive to me and confusing.

Customer requests a fix for ServerSideAuthenticator for WebSphere Application Server 4.03 on AIX.

When ServerSideAuthentication fails to authenticate, it returns a null credential. Not basic credentials. Second, a client may use ServerSideAuthenticate for authentication purpose only. They may never go to a secure resource (like ejb) after that. Or my ejb may not be secure.... I know that the ejb container will throw the error because the user is UNAUTHENTICATED. This is not new to developers, however, the Application Server is relying on the Ejb Server Container (security mechanism) to throw the error for simple WebSphere Application Server authentication... Not authorization... this is not correct.

Local fix

Problem summary
****************************************************************
* USERS AFFECTED: WebSphere Application Server users who use   *
*                 ServerSideAuthenticator to perform           *
*                 authentication.                              *
****************************************************************
* PROBLEM DESCRIPTION: ServerSideAuthenticator should throw    *
*                      LoginFailed when login fails.           *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
ServerSideAuthenticator should throw org.omg.SecurityLevel2.LoginFailed exception when the login fails and the force_authn flag is true instead of returning a null credential.

Problem conclusion
ServerSideAuthenticator will now throw org.omg.SecurityLevel2.LoginFailed exception when login fails.

Temporary fix
Available

Comments
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
SRLS

Document Information
Product categories: Software > Application Servers >
Distributed Application & Web Servers > WebSphere Application
Server > General
Operating system(s):
Software version: 400
Software edition:
Reference #: PQ66162
IBM Group: Software Group
Modified date: Apr 30, 2003
(C) Copyright IBM Corporation 2000, 2006. All Rights Reserved.