Problem
Immediately after the Lightweight Third Party
Authentication (LTPA) Token expires, users who log into the application
might not be authenticated to access secured EJB™ resources on a remote
Application Server. In this case, users might continue to have access to
other servlets.
Here is a typical recreation scenario.
- Access the test servlet.
- Log in and authenticate.
- Perform no activity. Wait until about 30 seconds before the LTPA token
is set to expire, then click Refresh on the browser about every 5 seconds.
When the token finally expires, the login page to reauthenticate
displays.
- Log in and authenticate successfully.
- An error message is issued in the Application Server standard error or
standard out file. CORBA errors are also seen in SAS traces.
The timing of this error is critical:
- If the CORBA error appears after the LTPA token expiration, but before
the user logs in again, this message is normal.
- If the CORBA error appears after the user has logged in, this is a
problem.

Cause
Authorization to access a secured EJB is based on SAS
sessions, and sessions are mapped to credentials. The session ID did not
include credential expiration time, so an old session is used even after a
new credential is created. With the fix, new sessions are created with a
new credential token.
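A toy model of the session-to-credential mapping described in this Cause section, added here as an example (not IBM's code). The class names, the clock values and the "include expiry in key" switch are constructed to show why a session keyed only on identity keeps serving the expired credential after re-login, while a key that carries the credential expiration time forces a fresh session:

```python
# Added example, not IBM's code: a toy model of the SAS session-to-credential
# mapping. Keying the session only by user identity lets the old session be
# reused after re-login; keying it by (user, expiration) creates a new one.
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    user: str
    expires_at: int  # seconds on a constructed clock


class SessionTable:
    """Maps a session key to the credential the session was created with."""

    def __init__(self, include_expiry_in_key: bool) -> None:
        self.include_expiry_in_key = include_expiry_in_key
        self._sessions: dict = {}

    def key_for(self, cred: Credential):
        # Defective behaviour: the key omits the expiration time, so a new
        # credential for the same user resolves to the old session.
        if self.include_expiry_in_key:
            return (cred.user, cred.expires_at)
        return cred.user

    def session_credential(self, cred: Credential) -> Credential:
        # Reuse an existing session for this key, or create one bound to cred.
        return self._sessions.setdefault(self.key_for(cred), cred)

    def ejb_call_allowed(self, cred: Credential, now: int) -> bool:
        # Authorization checks the credential bound to the session, not the
        # credential the caller just presented.
        bound = self.session_credential(cred)
        return bound.expires_at > now


def replay(include_expiry_in_key: bool) -> bool:
    """Replay the recreation scenario; return whether the post-re-login EJB
    call is authorized."""
    table = SessionTable(include_expiry_in_key)
    first = Credential("alice", expires_at=100)   # constructed timeline
    assert table.ejb_call_allowed(first, now=10)  # initial login works
    # Token expires at t=100; the user re-authenticates at t=130 and gets a
    # fresh credential valid until t=230.
    second = Credential("alice", expires_at=230)
    return table.ejb_call_allowed(second, now=135)


if __name__ == "__main__":
    print("without expiry in key:", replay(False))  # False: stale session
    print("with expiry in key:", replay(True))      # True: new session
```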

Solution
Apply the cumulative security fix dated 17 MAR 2003 or
later for versions 4.0.3, 4.0.4, and 4.0.5.