IBM Support

PI72135: An AccessControlException is issued when restoring the security context using the ContextService APIs

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • For a WebSphere Application Server Liberty profile, there
    are AccessControlException exceptions issued when attempting
    to restore the security context on the thread.  The
    AccessControlException instances were for the following
    permissions,
    
    ("javax.security.auth.PrivateCredentialPermission"
    "com.ibm.ws.security.token.internal.SingleSignonTokenImpl"
    "read")
    ("javax.security.auth.AuthPermission"
    "modifyPublicCredentials")
    ("javax.security.auth.AuthPermission"
    "createLoginContext.system.DESERIALIZE_CONTEXT")
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server Liberty - Security                   *
    ****************************************************************
    * PROBLEM DESCRIPTION: An AccessControlException is issued     *
    *                      when restoring the security context     *
    *                      using the ContextService APIs           *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    For WebSphere Application Server Liberty, there are
    AccessControlException exceptions issued when attempting to
    restore the security context on the thread.  The
    AccessControlException instances were for the following
    permissions,
    
    ("javax.security.auth.PrivateCredentialPermission"
    "com.ibm.ws.security.token.internal.SingleSignonTokenImpl"
    "read")
    ("javax.security.auth.AuthPermission"
    "modifyPublicCredentials")
    ("javax.security.auth.AuthPermission"
    "createLoginContext.system.DESERIALIZE_CONTEXT")
    

Problem conclusion

  • The code was modified to restore the security context under its
    own granted permissions by performing the restoration under a
    doPrivileged block.
    
    The fix for this APAR is currently targeted for inclusion in fix
    pack 17.0.0.1.  Please refer to the Recommended Updates page for
    delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI72135

  • Reported component name

    LIBERTY PROFILE

  • Reported component ID

    5724J0814

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-11-10

  • Closed date

    2016-11-16

  • Last modified date

    2016-11-16

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    LIBERTY PROFILE

  • Fixed component ID

    5724J0814

Applicable component levels

  • R850 PSY

       UP

[{"Business Unit":{"code":"BU029","label":"Software"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"850"}]

Document Information

Modified date:
17 June 2020