PQ66162: SERVERSIDEAUTHENTICATOR DOESN'T THROW EXCEPTION

 A fix is available

4.0.5: WebSphere Application Server Version 4.0 Fix Pack 5 (Version 4.0.5)



APAR status
Closed as program error.

Error description
SSOAuthenticator - When used:
 1. Authenticates userid and password.
 2. Throws exception when authentication fails (works correctly).
 3. Sets HttpRequest and HttpResponse LTPA cookie so that they can be passed by servlet.
 4. DOES NOT SET THE CONTEXT for SAS communication for ejb layer.  So the ejb thinks the user is UNAUTHENTICATED and fails.
ServerSideAuthenticator - When used:
 1. Authenticates userid and password.
 2. DOES NOT throw exception when authentication fails.
 3. DOES NOT set HttpRequest and HttpResponse LTPA cookie so that they can be passed by servlet.
 4. Sets context for SAS communication for ejb layer.
So, with this being the case, I have to use 2 separate APIs to authenticate correctly and set the desired information to enable the J2EE security framework.  Right now I call ServerSideAuthenticator first, then SSOAuthenticator.  Seems kind of expensive to me and confusing.
Customer requests a fix for ServerSideAuthenticator for WebSphere Application Server 4.03 on AIX.
When ServerSideAuthenticator fails to authenticate, it returns a null credential, not basic credentials.  Second, a client may use ServerSideAuthenticator for authentication purposes only.  They may never go to a secure resource (like ejb) after that.  Or my ejb may not be secure.... I know that the ejb container will throw the error because the user is UNAUTHENTICATED.  This is not new to developers; however, the Application Server is relying on the Ejb Server Container (security mechanism) to throw the error for simple WebSphere Application Server authentication... not authorization... this is not correct.
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: WebSphere Application Server users who use   *
*                 ServerSideAuthenticator to perform           *
*                 authentication.                              *
****************************************************************
* PROBLEM DESCRIPTION: ServerSideAuthenticator should throw    *
*                      LoginFailed when login fails.           *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
ServerSideAuthenticator should throw the
org.omg.SecurityLevel2.LoginFailed exception when the
login fails and the force_authn flag is true, instead of
returning a null credential.
Problem conclusion
ServerSideAuthenticator will now throw the
org.omg.SecurityLevel2.LoginFailed exception when login fails.
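To make the failure mode concrete, the following is an added Python model, not WebSphere code or its API: server_side_authenticate, SasContext, Credential and REGISTRY are hypothetical stand-ins for the pre-fix ServerSideAuthenticator that hands back a null credential, and authenticate() is the caller-side check that raises LoginFailed under force_authn, as the fix does, so a failed login is caught at authentication time rather than left for the EJB container's authorization check.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, Optional


class LoginFailed(Exception):
    """Stands in for org.omg.SecurityLevel2.LoginFailed."""


@dataclass
class Credential:
    userid: str


@dataclass
class SasContext:
    """Hypothetical model of the per-request SAS security context
    that the EJB layer consults; None means UNAUTHENTICATED."""
    credential: Optional[Credential] = None


# Constructed sample registry for the model; a real registry would be
# LDAP or OS users, never an in-memory table of plaintext passwords.
REGISTRY: Dict[str, str] = {"alice": "s3cret"}


def server_side_authenticate(userid: str, password: str,
                             ctx: SasContext) -> Optional[Credential]:
    """Pre-fix behaviour described in the APAR: sets the SAS context on
    success but silently returns None (a null credential) on failure."""
    expected = REGISTRY.get(userid, "")
    if not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    ctx.credential = Credential(userid)
    return ctx.credential


def authenticate(userid: str, password: str, ctx: SasContext,
                 force_authn: bool = True) -> Optional[Credential]:
    """Caller-side check mirroring the fix: with force_authn true, a null
    credential is a LoginFailed at the point of authentication, so the
    servlet never proceeds as if the user were logged in."""
    cred = server_side_authenticate(userid, password, ctx)
    if cred is None and force_authn:
        raise LoginFailed(f"authentication failed for userid {userid!r}")
    return cred
```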
Temporary fix
Available
Comments
APAR information
APAR number PQ66162
Reported component name WEBSPHERE AE AI
Reported component ID 5630A2200
Reported release 400
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Submitted date 2002-09-12
Closed date 2002-10-30
Last modified date 2003-04-30

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
SECURITY

SRLS

Fix information
Fixed component name WEBSPHERE AE AI
Fixed component ID 5630A2200

Applicable component levels
R400 PSY    UP


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > General
Operating system(s):
Software version: 400
Software edition:
Reference #: PQ66162
IBM Group: Software Group
Modified date: Apr 30, 2003