PQ61574: FORM BASED LOGIN - THE RACF / SECURITY REQUIREMENTS NEEDED ARE NOT DOCUMENTED IN THE WAS4.0 MANUALS
APAR status

Closed as documentation error.

Error description

Customer intended to run an app that uses Form-Based Login, but the app would loop on the challenge even though a valid userid and password were entered. Found that form-based login requires RACF definitions that are not documented in the WAS 4.0 manuals.

Local fix

HBC

Problem summary

****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server    *
*                 V4.0.1 for z/OS and OS/390.                  *
****************************************************************
* PROBLEM DESCRIPTION: The documentation of form based login   *
*                      (Custom login) is incomplete.           *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************

Login Tokens do not contain sensitive authentication data such as passwords. The Tokens are encrypted using private keys that are maintained in a Server Key ring, which the administrator can configure so that it is accessible only to specific WebSphere Application Server instances. In addition, the administrator can specify that Login Tokens are only to be communicated over a secure transport. When this option is requested, the Web container ensures that the response is being sent over a secure communication channel such as SSL before it includes the cookie containing the Login Token in the output stream. It also sets the secure bit in the cookie, which instructs the browser to send the cookie only on subsequent requests that are made over an SSL connection. Cookies containing Login Tokens are created in a manner that instructs the browser to keep them only in its session cache and not to save them on disk.

For example, in a normal situation, when the LoginTokenEncrypt environment variable is set to true, the following series of events occurs:

1. The client issues an HTTP request for which Form-based authentication is required.
2. The Web container saves the original request in an original request cookie (jwwwrequest cookie), gets the Form-based Login page, and serves the Form-based Login page to the requesting client.
3. The Form-based Login page is displayed in the client's browser.
4. The client enters a user ID and password.
5. If the user ID and password are valid, the Web container creates a Login Token cookie (jwwwcontent cookie). It then retrieves the original request and sends the original request and the Login Token cookie to the J2EE server for processing.
6. The J2EE server uses the Login Token cookie to do a login for the user with the identity of the address space, and serves the originally requested page.
7. The Login Token cookie is attached to any subsequent request from the same client, thereby eliminating the need for the client to re-enter his user ID and password.

Note: If you are using an IBM HTTP Server along with the Local Redirector Plug-in to handle HTTP requests (i.e., the WEB_SECURITY_VERSION property in the jvm.properties file is set to 1 or the property is absent), some of the actions noted above as being performed by the Web container are performed by the Local Redirector Plug-in.

Problem conclusion

The topic "Custom Form" in the section "Authenticating Web Clients" in Chapter 4 of WebSphere Application Server for z/OS and OS/390 V4.0.1: Assembling J2EE Applications, SA22-7836, has been updated. The most current version of this publication is available on the product library page at URL http://www-3.ibm.com/software/webservers/appserv/zos_os390/library.html

The following COMPID is affected by these changes: 5655A9800 R401 on z/OS and OS/390.

Temporary fix

Comments
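The seven-step sequence in the problem summary, as an added example that is not from IBM's documentation or from the product's own code: a Python model of the Web container's side of the flow. Assumptions made here: the user registry is an in-memory dict standing in for the RACF check; the Login Token is an HMAC-authenticated (not encrypted) blob keyed from a constructed in-memory key rather than the server key ring, so the user ID inside it is readable even though, as in the product, it carries no password; the login action path and the j_username/j_password field names follow the J2EE form-login convention; replay of the saved original request is modelled as a redirect to the path held in the jwwwrequest cookie; and the HttpOnly attribute is an addition beyond what the text describes. What it shows is the cookie handling the text specifies: the jwwwcontent cookie is refused on a cleartext response, carries the Secure attribute, and has no Expires or Max-Age, so the browser keeps it only in its session cache.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from http.cookies import SimpleCookie

# Stand-in for the server key ring: one constructed in-memory key (assumption).
TOKEN_KEY = secrets.token_bytes(32)
# Models the administrator option "Login Tokens only over a secure transport".
REQUIRE_SECURE_TRANSPORT = True
# Constructed user registry standing in for the RACF check (assumption).
USERS = {"alice": "correct-horse-battery"}
# J2EE form-login action path (assumption for this model).
LOGIN_ACTION = "/j_security_check"


def mint_login_token(user_id, now=None):
    """Login Token = user ID + issue time, authenticated with the server key.
    It carries no password. HMAC stands in for the product's key-ring
    encryption (assumption); the client cannot forge or alter it."""
    issued = int(now if now is not None else time.time())
    payload = json.dumps({"sub": user_id, "iat": issued}).encode()
    mac = hmac.new(TOKEN_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + mac).decode()


def verify_login_token(token, max_age=3600, now=None):
    """Return the user ID if the token is intact and not older than max_age."""
    try:
        raw = base64.urlsafe_b64decode(token)
    except (ValueError, TypeError):
        return None
    payload, mac = raw[:-32], raw[-32:]
    expected = hmac.new(TOKEN_KEY, payload, hashlib.sha256).digest()
    if len(mac) != 32 or not hmac.compare_digest(expected, mac):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    current = now if now is not None else time.time()
    if current - claims.get("iat", 0) > max_age:
        return None
    return claims.get("sub")


def set_cookie(name, value, secure=False, httponly=False):
    """Session cookie: no Expires/Max-Age, so the browser keeps it in its
    session cache only and does not write it to disk."""
    c = SimpleCookie()
    c[name] = value
    c[name]["path"] = "/"
    if secure:
        c[name]["secure"] = True      # browser replays it only over SSL
    if httponly:
        c[name]["httponly"] = True    # addition beyond the original text
    return c[name].OutputString()


def web_container(request):
    """One request through the Web container. request is a dict with
    'path', 'secure' (True when the response goes over SSL), 'cookies'
    and, for the login action, 'form'. Returns (status, headers, body)."""
    cookies = request.get("cookies", {})

    # Step 7: a valid Login Token cookie on a later request means no new challenge.
    if "jwwwcontent" in cookies:
        user = verify_login_token(cookies["jwwwcontent"])
        if user is not None:
            return 200, {}, f"{request['path']} served for {user}"

    # Steps 4-6: credentials posted from the login form.
    if request["path"] == LOGIN_ACTION:
        form = request.get("form", {})
        user_id = form.get("j_username")
        if USERS.get(user_id) != form.get("j_password"):
            return 401, {}, "login form (retry)"
        # Refuse to emit the token on a cleartext response when the option is on.
        if REQUIRE_SECURE_TRANSPORT and not request["secure"]:
            return 403, {}, "Login Token may only be sent over SSL"
        token_cookie = set_cookie("jwwwcontent", mint_login_token(user_id),
                                  secure=True, httponly=True)
        # Replay of the saved original request, modelled as a redirect (assumption).
        original = cookies.get("jwwwrequest", "/")
        return 302, {"Location": original, "Set-Cookie": token_cookie}, ""

    # Steps 1-3: no token, save the original request and serve the login page.
    return 200, {"Set-Cookie": set_cookie("jwwwrequest", request["path"])}, "login form"
```

A cleartext login with REQUIRE_SECURE_TRANSPORT on gets a 403 rather than a token without the Secure attribute; dropping the attribute instead would let the browser replay the token over plain HTTP on the next request, which is exactly what the option exists to prevent.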
APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
Document Information
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Operating system(s):
Software version: 401
Software edition:
Reference #: PQ61574
IBM Group: Software Group
Modified date: Sep 30, 2002
(C) Copyright IBM Corporation 2000, 2006. All Rights Reserved.