- username with an @ symbol fails authentication.
- Web authn options are ignored when unprotected URI is accessed.
PK71826 resolves the following problem:
Multiple security issues will be addressed in this APAR:
1. Web authentication options "Authenticate when any URI is accessed" or "Use available authentication data when an unprotected URI is accessed" are ignored. Servlets with no security constraints will not be authenticated, and Trust Association Interceptors (TAIs) will not be invoked.
2. When a valid username that includes an @ symbol (e.g. an email address) is used for login to an application, the authentication and authorization steps fail.
All users of IBM® WebSphere® Application Server version 7.0
MULTIPLE SECURITY ISSUES: WEB AUTHENTICATION OPTIONS IGNORED, and USER NAMES WITH @ SYMBOL (e.g. use of email address) FAIL AUTHENTICATION.
The fix for this APAR is currently targeted for inclusion in fixpack 184.108.40.206.
Please refer to the Recommended Updates page for delivery information:
Please download the UpdateInstaller below to install this fix.
Please review the readme.txt for detailed installation instructions.
Contact IBM Support using SR (http://www-306.ibm.com/software/support/probsub.html), visit the WebSphere Application Server Support Web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).
15 June 2018