PQ71397: Admin server is trying to use expired tokens from cache - invalid tokens.

 Fixes are available

4.0.6: WebSphere Application Server Version 4.0 Fix Pack 6
Security; V4.0.2-V4.0.7: Cumulative fix for security component



APAR status
Closed as program error.

Error description
After going to a secured resource and authenticating, the LTPA
token is allowed to expire. Trying to access the secured
resource causes the user to reauthenticate, as expected. After
attempting to reauthenticate, the browser shows an "invalid
credential" message.
Local fix
Increase token timeout
Problem summary
****************************************************************
* USERS AFFECTED: WebSphere Application server security        *
*                 users with multiple secured application      *
*                 servers.                                     *
****************************************************************
* PROBLEM DESCRIPTION: After LTPA Token has expired,           *
*                      re-authenticated users may not be able  *
*                      to access EJBs on a different server.   *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
Immediately after the LTPA token expires, re-authenticated users
may not be authenticated to access secured EJBs on a remote
application server, even though they can access servlets successfully.
Problem conclusion
Authorization to access a secured EJB is based on SAS sessions,
and sessions are mapped to credentials. The session ID did
not include the credential expiration time, so an old session was
used even after a new credential was created, as long as the
session had not expired. With the fix, a new session is created
with the new credential token.
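
The stale-session behaviour described above, as an added example that is not IBM's code: a simplified model in which every class, method and value name is hypothetical and the one-hour session lifetime is an assumption. It runs the same re-authentication sequence against a session cache keyed without and then with the credential expiration time.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified model, not WebSphere code: all names here are hypothetical.
public class SessionKeyDemo {
    // A credential token with an absolute expiration time (epoch millis).
    record Credential(String user, long expiresAt) {}
    // A client-side session bound to the credential it was created with.
    record Session(Credential cred, long sessionExpiresAt) {}

    private final Map<String, Session> cache = new HashMap<>();
    private final boolean keyIncludesExpiry;

    SessionKeyDemo(boolean keyIncludesExpiry) { this.keyIncludesExpiry = keyIncludesExpiry; }

    // Before the fix the key ignores credential expiration, so a credential
    // issued after re-authentication maps to the same key as the old one.
    private String key(Credential c) {
        return keyIncludesExpiry ? c.user() + "|" + c.expiresAt() : c.user();
    }

    // Return the session used for a remote call made with credential c.
    Session sessionFor(Credential c, long now) {
        Session s = cache.get(key(c));
        if (s == null || s.sessionExpiresAt() <= now) {
            s = new Session(c, now + 3_600_000L); // session lifetime: assumed 1 hour
            cache.put(key(c), s);
        }
        return s;
    }

    // The remote server accepts the call only if the session's token is unexpired.
    static boolean remoteAccepts(Session s, long now) { return s.cred().expiresAt() > now; }

    public static void main(String[] args) {
        for (boolean fixed : new boolean[] {false, true}) {
            SessionKeyDemo client = new SessionKeyDemo(fixed);
            Credential first = new Credential("alice", 1_000L);   // constructed sample values
            client.sessionFor(first, 0L);                          // first login creates a session
            long now = 2_000L;                                     // the first token has expired
            Credential renewed = new Credential("alice", now + 1_000L); // re-authentication
            Session s = client.sessionFor(renewed, now);
            System.out.println((fixed ? "fixed: " : "buggy: ") + "remote call accepted = "
                    + remoteAccepts(s, now));
        }
    }
}
```

In the keyed-with-expiry variant the entry for the expired credential stays in the map until it is evicted, so a real cache would also purge entries whose credential has expired.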
Temporary fix
provided test fix
Comments
APAR information
APAR number PQ71397
Reported component name WAS ADVANCED NT
Reported component ID 5630A2202
Reported release 400
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Submitted date 2003-02-25
Closed date 2003-03-13
Last modified date 2003-04-30

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:
PQ72041 PQ74826

Modules/Macros
security          

SRLS

Fix information

Applicable component levels
R400 PSY    UP


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > General
Operating system(s):
Software version: 400
Software edition:
Reference #: PQ71397
IBM Group: Software Group
Modified date: Apr 30, 2003