PQ76538: ADDITIONAL SUPPORT HAS BEEN ADDED TO ALLOW THE PROPAGATION OF SECURITY ACROSS SERVLETS IN DIFFERENT EAR FILES VIA INCLUDE

APAR status
Closed as program error.

Error description
Customer has two ear files EAR1 and EAR2 which both contain
war files with servlets and/or jsps.  Security constraints are
only specified on EAR1 and not on EAR2.  The customer
authenticates to the web application in EAR1, invokes servlet1
which passes the request to servlet2 in EAR2 using an include
method.  The security context is not passed to
servlet2 unless security constraints have been set up in web.xml
for WAR2 in EAR2.

Local fix
Set up the security constraints in all ear files.
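
A check that supports this workaround, as an added example (not IBM's code): the Python script below opens an EAR, reads `WEB-INF/web.xml` from every WAR inside it, and reports the WARs that declare no `<security-constraint>`. The sample archives, the descriptors, and the names `EAR1.ear`, `EAR2.ear`, `war1.war` and `war2.war` are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

def wars_without_constraints(ear_bytes):
    """Return sorted names of WARs in an EAR whose web.xml has no <security-constraint>."""
    unprotected = []
    with zipfile.ZipFile(io.BytesIO(ear_bytes)) as ear:
        for name in ear.namelist():
            if not name.lower().endswith(".war"):
                continue
            with zipfile.ZipFile(io.BytesIO(ear.read(name))) as war:
                if "WEB-INF/web.xml" not in war.namelist():
                    unprotected.append(name)  # no descriptor, so no constraints
                    continue
                # Run this only on archives you trust; ElementTree is not hardened
                # against hostile XML.
                root = ET.fromstring(war.read("WEB-INF/web.xml"))
            # Compare local names so descriptors with or without a namespace match.
            tags = {el.tag.rsplit("}", 1)[-1] for el in root.iter()}
            if "security-constraint" not in tags:
                unprotected.append(name)
    return sorted(unprotected)

def make_zip(files):
    """Build an in-memory zip archive from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()

# Constructed sample descriptors: WAR1 is constrained, WAR2 is not.
SECURED_WEB_XML = b"""<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
</web-app>"""
OPEN_WEB_XML = b"<web-app><display-name>war2</display-name></web-app>"

def sample_ears():
    # Mirrors the APAR scenario: constraints in EAR1 only.
    ear1 = make_zip({"war1.war": make_zip({"WEB-INF/web.xml": SECURED_WEB_XML})})
    ear2 = make_zip({"war2.war": make_zip({"WEB-INF/web.xml": OPEN_WEB_XML})})
    return {"EAR1.ear": ear1, "EAR2.ear": ear2}

if __name__ == "__main__":
    for ear_name, data in sample_ears().items():
        print(ear_name, "WARs without security constraints:", wars_without_constraints(data))
```

For a real archive, pass the file's contents, for example `wars_without_constraints(open(path, "rb").read())`.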
Problem summary
****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server    *
*                 version 4.0.1 for z/OS and OS/390.           *
****************************************************************
* PROBLEM DESCRIPTION: Customer has two ear files EAR1 and     *
*                      EAR2 which both contain war files with  *
*                      servlets and/or jsps.  Security         *
*                      constraints are only specified on EAR1  *
*                      and not on EAR2.  The customer          *
*                      authenticates to the web application    *
*                      in EAR1, invokes servlet1 which passes  *
*                      the request to servlet2 in EAR2 using   *
*                      an include method. The security context *
*                      is not passed to servlet2 unless        *
*                      security constraints have been set up   *
*                      in web.xml for WAR2 in EAR2.            *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
The customer has two J2EE applications, each containing
web applications with servlets and/or JSPs. Security constraints
are specified only for the web application in J2EE Application1 and
not in J2EE Application2. The customer invokes the servlet in
J2EE Application1, which includes a servlet in J2EE
Application2.  The security context is not passed to servlet2
unless security constraints have been set up in the deployment
descriptor of the web application in J2EE Application2.

When there are no security constraints for the web application in
J2EE Application2, a default security context was set up
which marks the included servlet as unauthenticated and does not
pass on the security context of the parent servlet.

Problem conclusion
The code was changed to pass the security context of the parent
servlet when there are no security constraints set up for the
included servlet.


APAR PQ76538 is associated with SERVICE LEVEL W401511 of
WebSphere Application Server version 4.0.1 for z/OS and OS/390.
Temporary fix

Comments

APAR information
APAR number PQ76538
Reported component name WEBSPHERE OS/39
Reported component ID 5655A9800
Reported release 401
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Submitted date 2003-07-18
Closed date 2003-08-08
Last modified date 2003-09-05

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
EJSJWCWC          

Fix information
Fixed component name WEBSPHERE OS/39
Fixed component ID 5655A9800

Applicable component levels
R401 PSY UQ79317    UP03/08/14 P F308

  Fix is available


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Operating system(s):
Software version: 401
Software edition:
Reference #: PQ76538
IBM Group: Software Group
Modified date: Sep 5, 2003