IBM Support

PI65658: LIBERTY Z/OS UNAUTHENTICATED ID EXPERIENCES ICH408I CALLING HTTPSERVLETREQUEST.LOGIN WITH SYNCTOOSTHREAD ENABLED.

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • The z/OS server has UNIXPRIV class active for resource
    RESTRICTED.FILESYS.ACCESS
    
    An Application running in a Liberty z/OS server with
    syncToOSThread enabled calling HttpServletRequest.login
    surfaces error:
    
    MVS console:
    ICH408I USER(WSGUEST ) GROUP(WSCLGP ) NAME(WAS DFLT USER)
    /WebSphere/Liberty/wlp/lib/com.ibm.ws.security.registry.saf_
    1.0.
    12.jar
    CL(DIRSRCH ) FID(0003E565001148D10000000000000000)
    INSUFFICIENT AUTHORITY TO STAT
    ACCESS INTENT(--X)  ACCESS ALLOWED(RESTRICTED ---)
    EFFECTIVE UID(0000002402)  EFFECTIVE GID(0000002502)
    
    E CWWKE0701E: FrameworkEvent ERROR
    Bundle:com.ibm.ws.security.registry.saf(id=100)
    java.io.IOException: Exception in opening zip file:
    /WebSphere/Liberty/wlp/lib/com.ibm.ws.security.registry.saf_
    1.0
    .12.jar
    
    messages.log shows:
    
    /WebSphere/Liberty/wlp/lib/com.ibm.ws.security.registry.saf_
    1.0.
    12.jar
    org.eclipse.osgi.framework.util.SecureAction.getZipFile
    org.eclipse.osgi.storage.bundlefile.ZipBundleFile.basicOpen
    org.eclipse.osgi.storage.bundlefile.ZipBundleFile.getZipFile
    org.eclipse.osgi.storage.bundlefile.ZipBundleFile.checkedOpe
    n
    org.eclipse.osgi.storage.bundlefile.ZipBundleFile.getEntry
    org.eclipse.osgi.storage.bundlefile.BundleFileWrapper.getEnt
    ry
    com.ibm.cds.CDSBundleFile.getEntry
    org.eclipse.osgi.storage.bundlefile.BundleFileWrapper.getEnt
    ry
    org.eclipse.osgi.internal.loader.classpath.ClasspathManager.
    find
    ClassImpl
    org.eclipse.osgi.internal.loader.classpath.ClasspathManager.
    find
    LocalClassImpl
    org.eclipse.osgi.internal.loader.classpath.ClasspathManager.
    find
    LocalClass
    org.eclipse.osgi.internal.loader.ModuleClassLoader.findLocal
    Clas
    org.eclipse.osgi.internal.loader.BundleLoader.findLocalClass
    org.eclipse.osgi.internal.loader.BundleLoader.findClassInter
    nal
    org.eclipse.osgi.internal.loader.BundleLoader.findClass
    org.eclipse.osgi.internal.loader.BundleLoader.findClass
    org.eclipse.osgi.internal.loader.ModuleClassLoader.loadClass
    java.lang.ClassLoader.loadClass
    java.util.ResourceBundle$Control.newBundle
    java.util.ResourceBundle.loadBundle
    java.util.ResourceBundle.findBundle
    java.util.ResourceBundle.findBundle
    java.util.ResourceBundle.findBundl
    java.util.ResourceBundle.findBundle
    java.util.ResourceBundle.getBundleImpl
    java.util.ResourceBundle.getBundl
    com.ibm.ws.logging.internal.TraceNLSResolver.getResourceBund
    le
    com.ibm.ws.logging.internal.TraceNLSResolver.getResourceBund
    le
    com.ibm.ws.logging.internal.WsLogRecord.getResourceBundle
    com.ibm.ws.logging.internal.impl.BaseTraceFormatter.formatMe
    ssag
    com.ibm.ws.logging.internal.impl.BaseTraceFormatter.formatMe
    ssag
    com.ibm.ws.logging.internal.impl.BaseTraceService.publishLog
    Reco
    com.ibm.ws.logging.internal.impl.BaseTraceService.info(
    com.ibm.websphere.ras.Tr.info
    com.ibm.ws.security.registry.saf.internal.SAFRegistry.issueA
    ctiv
    ationMessage
    com.ibm.ws.security.registry.saf.internal.SAFAuthorizedRegis
    try.
    checkPassword
    com.ibm.ws.security.authentication.jaas.modules.UsernameAndP
    assw
    ordLoginModule.login
    com.ibm.ws.kernel.boot.security.LoginModuleProxy.login
    sun.reflect.NativeMethodAccessorImpl.invoke0
    sun.reflect.NativeMethodAccessorImpl.invoke
    sun.reflect.DelegatingMethodAccessorImpl.invoke
    java.lang.reflect.Method.invoke
    javax.security.auth.login.LoginContext.invoke
    javax.security.auth.login.LoginContext.access$000(
    javax.security.auth.login.LoginContext$4.run
    javax.security.auth.login.LoginContext$4.run
    java.security.AccessController.doPrivileged
    javax.security.auth.login.LoginContext.invokePriv
    javax.security.auth.login.LoginContext.login
    com.ibm.ws.security.authentication.internal.jaas.JAASService
    Impl
    .doLoginContext
    com.ibm.ws.security.authentication.internal.jaas.JAASService
    Impl
    .performLogin
    com.ibm.ws.security.authentication.internal.jaas.JAASService
    Impl
    .performLogin
    com.ibm.ws.security.authentication.internal.AuthenticationSe
    rvic
    eImpl.performJAASLogin
    com.ibm.ws.security.authentication.internal.AuthenticationSe
    rvic
    eImpl.authenticate
    com.ibm.ws.webcontainer.security.internal.BasicAuthAuthentic
    ator
    .basicAuthenticate
    com.ibm.ws.webcontainer.security.AuthenticateApi.login
    com.ibm.ws.webcontainer.security.WebAppSecurityCollaboratorI
    mpl.
    login
    com.ibm.ws.webcontainer.srt.SRTServletRequest.login
    ...
    Caused by: java.io.FileNotFoundException:
    /WebSphere/Liberty/wlp/lib/com.ibm.ws.security.registr
    y.saf_1.0.12.jar (EDC5111I Permission denied.)
    java.util.zip.ZipFile.open
    java.util.zip.ZipFile.
    java.util.zip.ZipFile.
    java.util.zip.ZipFile.
    org.eclipse.osgi.framework.util.SecureAction.getZipFile
    ... 89 more
    

Local fix

  • 
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server Liberty for z/OS using the           *
    *                  syncToOSThread support is enabled           *
    ****************************************************************
    * PROBLEM DESCRIPTION: FileNotFoundException seen when         *
    *                      UNXIPRIV class and UNIXPRIV             *
    *                      RESTRICTED.FILESYS.ACCESS resource are  *
    *                      defined.                                *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    When the  syncToOSThread support is enabled on the server, and
    UNXIPRIV class and UNIXPRIV RESTRICTED.FILESYS.ACCESS are
    defined, access to archive files may not be permitted as certain
    operations may run under the default user: WSGUEST.
    
    This is what is shown on the MVS console:
    
    ICH408I USER(WSGUEST ) GROUP(XXXXXX ) NAME(WAS DFLT USER)
    /WebSphere/Liberty/wlp/lib/com.ibm.ws.security.registry.saf_1.0.
    12.jar
      CL(DIRSRCH ) FID(0003E565001148D10000000000000000)
    INSUFFICIENT AUTHORITY TO STAT
    ACCESS INTENT(--X)  ACCESS ALLOWED(RESTRICTED ---)
    EFFECTIVE UID(0000002402)  EFFECTIVE GID(0000002502)
    This is what is what appears in the messages log:
    
    /WebSphere/Liberty/wlp/lib/com.ibm.ws.security.registry.saf_1.0.
    12.jar
    org.eclipse.osgi.framework.util.SecureAction.getZipFile
    org.eclipse.osgi.storage.bundlefile.ZipBundleFile.basicOpen
    org.eclipse.osgi.storage.bundlefile.ZipBundleFile.getZipFile
    org.eclipse.osgi.storage.bundlefile.ZipBundleFile.checkedOpen
    org.eclipse.osgi.storage.bundlefile.ZipBundleFile.getEntry
    org.eclipse.osgi.storage.bundlefile.BundleFileWrapper.getEntry
    com.ibm.cds.CDSBundleFile.getEntry
    org.eclipse.osgi.storage.bundlefile.BundleFileWrapper.getEntry
    org.eclipse.osgi.internal.loader.classpath.ClasspathManager.find
    ClassImpl
    ...
    javax.security.auth.login.LoginContext$4.run
    java.security.AccessController.doPrivileged
    javax.security.auth.login.LoginContext.invokePrivjavax.security.
    auth.login.LoginContext.login
    com.ibm.ws.security.authentication.internal.jaas.JAASServiceImpl
    .doLoginContext
    com.ibm.ws.security.authentication.internal.jaas.JAASServiceImpl
    .performLogin
    com.ibm.ws.security.authentication.internal.jaas.JAASServiceImpl
    .performLogin
    com.ibm.ws.security.authentication.internal.AuthenticationServic
    eImpl.performJAASLogin
    com.ibm.ws.security.authentication.internal.AuthenticationServic
    eImpl.authenticate
    com.ibm.ws.webcontainer.security.internal.BasicAuthAuthenticator
    .basicAuthenticate
    com.ibm.ws.webcontainer.security.AuthenticateApi.login
    com.ibm.ws.webcontainer.security.WebAppSecurityCollaboratorImpl.
    login
    com.ibm.ws.webcontainer.srt.SRTServletRequest.login
    ...
    Caused by: java.io.FileNotFoundException:
    /WebSphere/Liberty/wlp/lib/com.ibm.ws.security.registry.saf_1.0.
    12.jar (EDC5111I Permission denied.)
    java.util.zip.ZipFile.open
    java.util.zip.ZipFile.<init>
    java.util.zip.ZipFile.<init>
    java.util.zip.ZipFile.<init>
    org.eclipse.osgi.framework.util.SecureAction.getZipFile
    

Problem conclusion

Temporary fix

  • 
    

Comments

  • 
    

APAR Information

  • APAR number

    PI65658

  • Reported component name

    LIBERTY PROF -

  • Reported component ID

    5655W6514

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-07-11

  • Closed date

    2016-08-05

  • Last modified date

    2016-08-05

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    LIBERTY PROF -

  • Fixed component ID

    5655W6514

Applicable component levels

[{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Platform":[{"code":"PF054","label":"z\/OS"}],"Version":"850"}]

Document Information

Modified date:
27 March 2021