IBM Support

PH04135: BEHAVIOR DIFFERENCE IN GETREMOTEUSER() AND GETUSERPRINCIPAL() IN WAS 8.5.5 VS WAS 9.0.0 WHEN JASPIC IS CONFIGURED

Fixes are available

9.0.5.0: WebSphere Application Server traditional Version 9.0.5 Refresh Pack
9.0.5.1: WebSphere Application Server traditional Version 9.0.5 Fix Pack 1
9.0.5.2: WebSphere Application Server traditional Version 9.0.5 Fix Pack 2
9.0.5.3: WebSphere Application Server traditional Version 9.0.5 Fix Pack 3

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • When configuring the property below on WAS 9.0.0, it will not
be honored, when it has worked in the past:

NAME: com.ibm.wsspi.security.web.webAuthReq
VALUE: persisting

Local fix

  • N/A

Problem summary

  • ****************************************************************
* USERS AFFECTED:  All users of IBM WebSphere Application      *
*                  Server who use JASPI (Java Authentication   *
*                  Service Provider Interface for containers)  *
*                  authentication provider                     *
****************************************************************
* PROBLEM DESCRIPTION: Authenticated user's Subject is not     *
*                      set on the thread when unprotected      *
*                      URL is accessed                         *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
When a custom JASPI authentication provider is plugged in,
authenticated user's Subject was not set on the thread when
unprotected URL is accessed, even though "Use available
authentication data when an unprotected URI is accessed"
setting is enabled.  This causes some of APIs of
HttpServletRequest,such as getRemoteUser() and
getUserPrincipal(),return NULL instead of valid user
Subject.
In the same scenario above, jaspicSession Cookie
was not set in the http response. Additionally,
regardless of the requested URL, uniqueUserId
from the plugin provider was not honored. This could cause
authorization error.

Problem conclusion

Temporary fix

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    PH04135
    • 

  • Reported component name
    WEBS APP SERV N
    • 

  • Reported component ID
    5724H8800
    • 

  • Reported release
    900
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2018-10-16
    • 

  • Closed date
    2019-04-17
    • 

  • Last modified date
    2019-04-17
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    WEBS APP SERV N
    • 

  • Fixed component ID
    5724H8800
    • 



Applicable component levels


    

  • R900  PSY
       UP
    • 








      
              
                            

              

              [{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"9.0","Line of Business":{"code":"LOB45","label":"Automation"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            02 November 2021
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback