IBM Support

PI47823: In Liberty profile ignoreCase=true is not honored for administra tor-role entries

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • In Liberty profile ignoreCase=true is not honored for
    administrator-role entries
    
    
    When you define a group in Liberty profile server.xml with
    case
    senstivity you will Unable to login into into  adminCenter
    for
    administrative functionality
    
    Example
    
    LDAP has group name CN=IBMgroup,CN=Users,DC=IBMldap,DC=local
    
    In Liberty profile server.xml the administrator-role was set
    with
    group role is defined with group name in lowercase.. as
    follows
    
    cn=IBMgroup,cn=Users,dc=IBMldap,dc=local
    
    ignoreCase=true will help for authorization for group but it
    is
    not working in Liberty profile.
    

Local fix

  • Defined correct group name in server.xml to match with ldap
    group.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server Liberty Profile - Security           *
    ****************************************************************
    * PROBLEM DESCRIPTION: In Liberty profile ignoreCase=true is   *
    *                      not honored for administrator-role      *
    *                      entries                                 *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    The authorization decision of the administrative role mapping
    table and the application role mapping  was not consisitent,
    because the administrative role mapping table did not take into
    account of the setting of ignoreCase of the active user
    registry. As a result, there was a possibility that the
    administrative role mapping table rejected the authorization
    request even if it should be granted.
    

Problem conclusion

  • With this fix, all of the authorization tables uses the same
    algorithm for authorization decision.
    
    The fix for this APAR is currently targeted for inclusion in fix
    pack 8.5.5.8.  Please refer to the Recommended Updates page for
    delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI47823

  • Reported component name

    LIBERTY PROFILE

  • Reported component ID

    5724J0814

  • Reported release

    855

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2015-08-28

  • Closed date

    2015-10-12

  • Last modified date

    2015-10-12

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    LIBERTY PROFILE

  • Fixed component ID

    5724J0814

Applicable component levels

  • R855 PSY

       UP

[{"Line of Business":{"code":"LOB36","label":"IBM Automation"},"Business Unit":{"code":"BU053","label":"Cloud \u0026 Data Platform"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"855"}]

Document Information

Modified date:
06 September 2021