PQ61574: FORM BASED LOGIN - THE RACF / SECURITY REQUIREMENTS NEEDED ARE NOT DOCUMENTED IN THE WAS4.0 MANUALS

APAR status
Closed as documentation error.

Error description
Customer intended to run an app that uses Form-Based Login,
but the app would loop on the challenge even though a valid
user ID and password were entered.  It was found that the
form-based login required RACF definitions that are not
documented in the WAS 4.0 manuals.
Local fix
HBC
Problem summary
****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server    *
*                 V4.0.1 for z/OS and OS/390.                  *
*                                                              *
****************************************************************
* PROBLEM DESCRIPTION: The documentation of form based login   *
*                      (Custom login) is incomplete.           *
*                                                              *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
Login Tokens do not contain sensitive authentication data such
as passwords. The Tokens are encrypted using private keys that
are maintained in a Server Key ring that can be configured by
the administrator to only be accessible by specific WebSphere
Application Server instances. In addition, the administrator has
the ability to specify that Login Tokens are only to be
communicated via a secure transport.

When this option is requested, the Web container will ensure
that the response is being sent over a secure communication
channel such as SSL, before including the cookie containing the
Login Token in the output stream. In addition, the Web container
will set the secure bit in the cookie which indicates to the
browser to only send the cookie on subsequent requests that are
made over an SSL connection. Cookies containing Login Tokens
are created in a manner that instructs the browser to keep
them only in its session cache and not to save them on disk.

For example, in a normal situation, when the LoginTokenEncrypt
environment variable is set to true, the following series of
events would occur:

1. The client issues an HTTP request for which Form-based
authentication is required.
2. The Web container saves the original request in an original
request cookie (jwwwrequest cookie), gets the Form-based Login
page, and serves the Form-based Login page to the requesting
client.
3. The Form-based Login page is displayed on the client's
browser.
4. The client enters a user ID and password.
5. If the user ID and password are valid, the Web container
creates a Login Token cookie (jwwwcontent cookie).
It then retrieves the original request and sends the original
request and the Login Token cookie to the J2EE server
for processing.
6. The J2EE server uses the Login Token cookie to do a login
for the user with the identity of the address space, and serves
the original requested page.
7. The Login Token cookie is attached to any subsequent request
from the same client, thereby eliminating the need for the
client to re-enter his user ID and password.

Note: If you are using an IBM HTTP Server along with the Local
Redirector Plug-in to handle HTTP requests (i.e., the
WEB_SECURITY_VERSION property in the jvm.properties file is set
to 1 or the property is absent), some of the actions noted
above as being performed by the Web container are performed by
the Local Redirector Plug-in.
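The cookie rules stated above (Login Token cookie only on an SSL
response, secure bit set, session-only with no persistence) are
easy to verify from the server's Set-Cookie headers. The audit
below is an added example, not part of the APAR or of WebSphere;
the cookie names jwwwcontent and jwwwrequest come from the text,
and the sample headers are constructed.

```python
# Audit Set-Cookie headers against the Login Token cookie policy:
# only issued over SSL, carries the Secure attribute, and is a
# session cookie (no Expires / Max-Age).  Constructed example.
from dataclasses import dataclass, field

# Cookie names taken from the APAR text above.
LOGIN_TOKEN_COOKIES = {"jwwwcontent", "jwwwrequest"}


@dataclass
class CookieFinding:
    name: str
    problems: list = field(default_factory=list)


def parse_set_cookie(header):
    """Split 'name=value; Attr=val; Flag' into (name, value, attrs)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def check_login_token_cookie(header, over_ssl):
    """Return a CookieFinding for a Login Token cookie, else None."""
    name, _value, attrs = parse_set_cookie(header)
    if name not in LOGIN_TOKEN_COOKIES:
        return None
    finding = CookieFinding(name)
    if not over_ssl:
        finding.problems.append("login token issued over a non-SSL response")
    if "secure" not in attrs:
        finding.problems.append("missing Secure attribute")
    if "expires" in attrs or "max-age" in attrs:
        finding.problems.append("persistent cookie (Expires/Max-Age set)")
    return finding


def audit_response(set_cookie_headers, over_ssl):
    """Check every Set-Cookie header of one response; ignore other cookies."""
    results = [check_login_token_cookie(h, over_ssl) for h in set_cookie_headers]
    return [r for r in results if r is not None]


# Constructed sample response headers (token values are placeholders).
SAMPLE_HEADERS = [
    "JSESSIONID=0000abc; Path=/",                                  # not a login token
    "jwwwcontent=OPAQUE-TOKEN-1; Path=/; Secure",                  # compliant
    "jwwwcontent=OPAQUE-TOKEN-2; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
]
```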
Problem conclusion
The topic "Custom Form" in the section
"Authenticating Web Clients" in Chapter 4 of
WebSphere Application Server for z/OS and OS/390 V4.0.1:
Assembling J2EE Applications, SA22-7836, has been updated.

The most current version of this publication is available on the
product library page at URL

http://www-3.ibm.com/software/webservers/appserv/zos_os390/library.html

The following COMPID is affected by these changes:
5655A9800 R401 on z/OS and OS/390.
Temporary fix
Comments
APAR information
APAR number PQ61574
Reported component name WEBSPHERE OS/39
Reported component ID 5655A9800
Reported release 401
Status CLOSED DOC
PE NoPE
HIPER NoHIPER
Submitted date 2002-05-24
Closed date 2002-09-30
Last modified date 2002-09-30

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros

Fix information

Applicable component levels

Document Information

Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Operating system(s):
Software version: 401
Software edition:
Reference #: PQ61574
IBM Group: Software Group
Modified date: Sep 30, 2002