IBM Support

PI28652: WITH MULTIPLE SECURITY DOMAINS CONFIGURED IN WEBSPHERE, THE WORKLIGHT APP DOES NOT USE THE DESIRED DOMAIN.

 

APAR status

  • Closed as program error.

Error description

  • Worklight has been installed to a WebSphere ND server and the
    "Option 2" authentication mechanism is being used.  The app
    server uses a custom security domain, yet when authentication
    is attempted within the app, the global security domain is used
    for validation, and as a result, a failure occurs.  An error
    such as the following occurs as the incorrect registry is used:
    
    [24/09/14 15.07.47:758 CEST] 000000a9 LdapRegistryI E SECJ0336E: Authentication failed for user appuser because of the following exception com.ibm.websphere.security.PasswordCheckFailedException: No user appuser found
    [24/09/14 15.07.47:758 CEST] 000000a9 LTPAServerObj E SECJ0369E: Authentication failed when using LTPA. The exception is com.ibm.websphere.security.PasswordCheckFailedException: No user appuser found.
    [24/09/14 15.07.47:758 CEST] 000000a9 WebSphereLogi W com.worklight.core.auth.ext.WebSphereLoginModule jaasLogin FWLSE0048E: Unhandled exception caught: com.ibm.websphere.security.auth.WSLoginFailedException: No user appuser found
    com.ibm.websphere.security.PasswordCheckFailedException: No user appuser found
        at com.ibm.ws.security.registry.ldap.LdapRegistryImpl.checkPassword(LdapRegistryImpl.java:354)
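
A log triage check for the failure signature above, as an added example that is not part of the APAR or of IBM's code: it flags a thread on which the registry reports "No user X found" (SECJ0336E) and the Worklight login module then fails for the same user (FWLSE0048E). The function name, the one-entry-per-line layout and the sample lines are assumptions made for this example.

```python
import re

# Assumed SystemOut.log layout: [timestamp] threadId component level message
ENTRY = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<thread>[0-9a-f]{8})\s+\S+\s+[A-Z]\s+(?P<msg>.*)$")
CODE = re.compile(r"\b(SECJ0336E|SECJ0369E|FWLSE0048E)\b")
NO_USER = re.compile(r"No user (\S+) found")


def find_registry_mismatch(lines):
    """Return one finding per thread where SECJ0336E ('No user X found') is
    followed by FWLSE0048E from the Worklight login module for the same user."""
    pending = {}   # thread id -> (timestamp, user) from the last SECJ0336E
    findings = []
    for line in lines:
        entry = ENTRY.match(line.strip())
        if not entry:
            continue  # continuation lines (stack trace) carry no entry header
        thread, msg = entry["thread"], entry["msg"]
        code, user = CODE.search(msg), NO_USER.search(msg)
        if not (code and user):
            pending.pop(thread, None)  # thread moved on to unrelated work
            continue
        if code[1] == "SECJ0336E":
            pending[thread] = (entry["ts"], user[1])
        elif code[1] == "FWLSE0048E" and pending.get(thread, (None, None))[1] == user[1]:
            ts, _ = pending.pop(thread)
            findings.append({"timestamp": ts, "thread": thread, "user": user[1]})
    return findings


# Constructed sample: the entries on thread 000000a9 are the APAR's log lines,
# one per line; the entries on thread 000000b2 are invented for contrast.
SAMPLE = """\
[24/09/14 15.07.47:758 CEST] 000000a9 LdapRegistryI E SECJ0336E: Authentication failed for user appuser because of the following exception com.ibm.websphere.security.PasswordCheckFailedException: No user appuser found
[24/09/14 15.07.47:758 CEST] 000000a9 LTPAServerObj E SECJ0369E: Authentication failed when using LTPA. The exception is com.ibm.websphere.security.PasswordCheckFailedException: No user appuser found.
[24/09/14 15.07.47:758 CEST] 000000a9 WebSphereLogi W com.worklight.core.auth.ext.WebSphereLoginModule jaasLogin FWLSE0048E: Unhandled exception caught: com.ibm.websphere.security.auth.WSLoginFailedException: No user appuser found
com.ibm.websphere.security.PasswordCheckFailedException: No user appuser found
\tat com.ibm.ws.security.registry.ldap.LdapRegistryImpl.checkPassword(LdapRegistryImpl.java:354)
[24/09/14 15.08.02:101 CEST] 000000b2 LdapRegistryI E SECJ0336E: Authentication failed for user otheruser because of the following exception com.ibm.websphere.security.PasswordCheckFailedException: No user otheruser found
[24/09/14 15.08.02:340 CEST] 000000b2 SystemOut O constructed unrelated entry
"""

if __name__ == "__main__":
    for finding in find_registry_mismatch(SAMPLE.splitlines()):
        print(finding)
```

A hit only shows that the registry consulted had no such user; compare it with the registry of the security domain mapped to the server before attributing the failure to this APAR.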
    

Local fix

  • When using the option 2 authentication mechanism, the only
    workaround is to configure a single security domain within the
    server.  If the option 1 authentication mechanism is suitable
    for your needs, it can also be used as a workaround with
    multiple domains.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * Worklight server administrators who use "multiple security   *
    * domains" support on WebSphere Application Server with their  *
    * Worklight server runtime.                                    *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * When using LTPA based authentication with the Worklight      *
    * server, the LTPA login module uses WebSphere Application     *
    * Server's global security scope. This causes an unexpected    *
    * behavior when the Worklight server is configured for a       *
    * non-global security domain.                                  *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * -                                                            *
    ****************************************************************
    

Problem conclusion

  • The Worklight server was updated to correctly handle multiple
    security domains on WebSphere Application Server. The existing
    behavior remains the same for WebSphere Application Server
    Liberty Profile and for Tomcat, since neither supports multiple
    security domains. If the Worklight server is always expected to
    use global security, the previous behavior can be achieved by
    setting the JVM property
    "com.worklight.disableMultipleSecurityDomains" to "true".
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI28652

  • Reported component name

    WL/MFPF ENTERPR

  • Reported component ID

    5725I4300

  • Reported release

    620

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2014-10-29

  • Closed date

    2014-11-10

  • Last modified date

    2014-11-10

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WL/MFPF ENTERPR

  • Fixed component ID

    5725I4300

Applicable component levels

  • R620 PSY

       UP


Document Information

Modified date:
14 October 2021