IBM Support

PH37410: GETTING SECJ0053E, CNTR0020JAVAX.EJB.ACCESSLOCALEXCEPTION, COM.IBM.WEBSPHERE.CSI.CSIACCESSEXCEPTION WHEN ACCESSING AN EJB METHOD

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • Getting below exception while an application is trying to
    access the EJB method. But the method doit defined in MyBean is
    expecting only 'user' role.
    
    SecurityColla A   SECJ0053E: Authorization failed for
    abc.xyz.at:123/def  while invoking
    (Home)MyBeanM#bean.jar#EEName::4
    
    CNTR0020E: EJB threw an unexpected (non-declared) exception
    during invocation of method "doit" on bean "BeanId(,null)".
    Exception data: javax.ejb.AccessLocalException:  ;
    nested exception is: com.ibm.websphere.csi.CSIAccessException:
    SECJ0053E: Authorization failed for abc.xyz.at:123/def while
    invoking (Home)MyBeanM#bean.jar#EEName::4  is not granted any
    of the r Admin
    
    at com.ibm.ws.security.core.SecurityCollaborator.
    performAuthorization(SecurityCollaborator.java:642)
    at com.ibm.ws.security.core.EJSSecurityCollaborat
    or.preInvoke(EJSSecurityCollaborator.java:268)
    at com.ibm.ws.ejbcontainer.runtime.EJBSecurityCol
    laboratorAdapter.preInvoke(EJBSecurityCollaboratorAdapter.java:
    66)
    at com.ibm.ws.ejbcontainer.runtime.EJBSecurityCol
    laboratorAdapter.preInvoke(EJBSecurityCollaboratorAdapter.java:
    40)
    at com.ibm.ejs.container.EJSContainer.notifySecur
    ityCollaboratorPreInvoke(EJSContainer.java:3405)
    at com.ibm.ejs.container.EJSContainer.preInvokeAf
    terActivate(EJSContainer.java:3338)
    at com.ibm.ejs.container.EJSContainer.preInvoke(E
    JSContainer.java:2502)
    at
    com.ABC.interfaces.c.EJSLocalHome_678.doit(Unknown
    Source)
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server                                      *
    *                  with EJB applications                       *
    ****************************************************************
    * PROBLEM DESCRIPTION: SECJ0053E occurs accessing EJB method   *
    *                      from EJB with run-as-mode               *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    The EJB Container intermittently fails to read the "run-as-mode"
    (XML) or "runAsSettings" (XMI) elements in the ibm-ejb-jar-
    ext.xml/xmi file resulting in EJB methods running without the
    configured role. The initial failure is a NullPointerException,
    followed by the error SECJ0053E: Authorization failed.
    The error occurs because the EJB Container caches a reference to
    the in-memory copy of the configuration, which becomes stale
    after 3 minutes and is no longer accessible. The error appears
    intermittent since the configuration may be processed properly
    if an EJB method is called before the data becomes stale.
    When the error occurs, the EJB Container will log the following
    error:
    CNTR0020E: EJB threw an unexpected (non-declared) exception
    during invocation of method "methodxxxx" on bean
    "BeanId(<application>#<module>.jar#<bean>,null)". Exception
    data: javax.ejb.AccessLocalException:  ;
    nested exception is: com.ibm.websphere.csi.CSIAccessException:
    SECJ0053E: Authorization failed for ...
    at
    com.ibm.ws.security.core.SecurityCollaborator.performAuthorizati
    on(SecurityCollaborator.java:642)
    at
    com.ibm.ws.security.core.EJSSecurityCollaborator.preInvoke(EJSSe
    curityCollaborator.java:268)
    at
    com.ibm.ws.ejbcontainer.runtime.EJBSecurityCollaboratorAdapter.p
    reInvoke(EJBSecurityCollaboratorAdapter.java:66)
    at
    com.ibm.ws.ejbcontainer.runtime.EJBSecurityCollaboratorAdapter.p
    reInvoke(EJBSecurityCollaboratorAdapter.java:40)
    at
    com.ibm.ejs.container.EJSContainer.notifySecurityCollaboratorPre
    Invoke(EJSContainer.java:3405)
    at
    com.ibm.ejs.container.EJSContainer.preInvokeAfterActivate(EJSCon
    tainer.java:3338)
    at
    com.ibm.ejs.container.EJSContainer.preInvoke(EJSContainer.java:2
    502)
    

Problem conclusion

  • The EJB Container has been updated to consistently read the "run
    as-mode" (XML) or "runAsSettings" (XMI) elements in the ibm-ejb-
    jar-ext.xml/xmi file. The SECJ0053E error will no longer occur.
    
    The fix for this APAR is targeted for inclusion in fix pack
    9.0.5.9. For more information, see 'Recommended Updates for
    WebSphere Application Server':
    https://www.ibm.com/support/pages/node/715553
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH37410

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2021-05-20

  • Closed date

    2021-07-21

  • Last modified date

    2021-07-21

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

[{"Line of Business":{"code":"LOB36","label":"IBM Automation"},"Business Unit":{"code":"BU053","label":"Cloud \u0026 Data Platform"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"900"}]

Document Information

Modified date:
22 July 2021