PQ76538: ADDITIONAL SUPPORT HAS BEEN ADDED TO ALLOW THE PROPAGATION OF SECURITY ACROSS SERVLETS IN DIFFERENT EAR FILES VIA INCLUDE
APAR status
Closed as program error.

Error description
Customer has two ear files, EAR1 and EAR2, which both contain war files with servlets and/or jsps. Security constraints are only specified on EAR1 and not on EAR2. The customer authenticates to the web application in EAR1 and invokes servlet1, which passes the request to servlet2 in EAR2 using an include method. The security context is not passed to servlet2 unless security constraints have been set up in web.xml for WAR2 in EAR2.

Local fix
Set up the security constraints in all ear files.

Problem summary
USERS AFFECTED: All users of WebSphere Application Server version 4.0.1 for z/OS and OS/390.
PROBLEM DESCRIPTION: Customer has two ear files, EAR1 and EAR2, which both contain war files with servlets and/or jsps. Security constraints are only specified on EAR1 and not on EAR2. The customer authenticates to the web application in EAR1 and invokes servlet1, which passes the request to servlet2 in EAR2 using an include method. The security context is not passed to servlet2 unless security constraints have been set up in web.xml for WAR2 in EAR2.
RECOMMENDATION:

Customer has two J2EE Applications which both contain WebApplications with servlets and/or jsps. Security constraints are only specified for the WebApplication in J2EE Application1 and not in J2EE Application2. The customer invokes the servlet in J2EE Application1, which includes a servlet in J2EE Application2. The security context is not passed to servlet2 unless security constraints have been set up in the Deployment Descriptor of the WebApplication in J2EE Application2.
When there are no security constraints for the WebApplication in J2EE Application2, a default security context was set up which marks the included servlet as unauthenticated and does not pass on the security context of the parent servlet.

Problem conclusion
The code was changed to pass the security context of the parent servlet when there are no security constraints set up for the included servlet. APAR PQ76538 is associated with SERVICE LEVEL W401511 of WebSphere Application Server version 4.0.1 for z/OS and OS/390.

Temporary fix

Comments
APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
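The local fix described above ("set up the security constraints in all ear files"), shown as an added example that is not part of the original APAR and is not IBM's code: a deployment descriptor for WAR2 in EAR2 that declares a constraint on the included servlet. The servlet class, URL pattern, role name, login method and the Servlet 2.2 DTD are assumptions chosen for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Servlet 2.2 DTD assumed for this illustration -->
<!DOCTYPE web-app PUBLIC
  "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
  "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<!-- WEB-INF/web.xml of WAR2 in EAR2, the application reached only via include -->
<web-app>
  <display-name>WAR2</display-name>

  <servlet>
    <servlet-name>servlet2</servlet-name>
    <!-- hypothetical class name -->
    <servlet-class>com.example.war2.Servlet2</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>servlet2</servlet-name>
    <!-- hypothetical mapping; must match the path servlet1 includes -->
    <url-pattern>/servlet2</url-pattern>
  </servlet-mapping>

  <!-- Without this element WAR2 has no security constraints, which is the
       condition under which the APAR reports servlet2 as unauthenticated -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Included servlet</web-resource-name>
      <url-pattern>/servlet2</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- hypothetical role; assumed to be the role WAR1 in EAR1 requires -->
      <role-name>AppUser</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <!-- assumption: the same login method WAR1 is configured with -->
    <auth-method>BASIC</auth-method>
  </login-config>

  <security-role>
    <description>Users allowed to reach servlet2</description>
    <role-name>AppUser</role-name>
  </security-role>
</web-app>
```

Declaring the constraint in every WAR also keeps servlet2 protected when it is requested directly rather than through the include from servlet1.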

Document Information
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Operating system(s):
Software version: 401
Software edition:
Reference #: PQ76538
IBM Group: Software Group
Modified date: Sep 5, 2003
(C) Copyright IBM Corporation 2000, 2006. All Rights Reserved.