IBM Support

PK64013; 6.1.0.19: provide way to turn off tai authentication

Download


Abstract

When an unprotected URI is accessed, SPNEGO-TAI authentication is invoked.

Download Description

PK64013 resolves the following problem:

ERROR DESCRIPTION:
When the following options are set in the administrative console:
- Unprotected URI is accessed
- 'Use available authentication data when an unprotected URI is accessed'
Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI) authentication is unnecessarily invoked for access to an unprotected URI. This could cause a "SRVE0209E: Writer already obtained" error in the user application.

LOCAL FIX:
N/A

PROBLEM SUMMARY:

USERS AFFECTED:
All users of WebSphere Application Server who configured "Authenticate only when the URI is protected" and "Use available authentication data when an unprotected URI is accessed".

PROBLEM DESCRIPTION:
When an unprotected URI is accessed, SPNEGO-TAI authentication is invoked.

RECOMMENDATION:
None

By design, when one of the above properties is set, the security code always invokes the Trust Association Interceptor (TAI), even if the target URL is not protected. Some TAI code writes output to the HTTP response to challenge for authentication. However, since the target URL is not protected, the HTTP request is forwarded to the target servlet. The target servlet then also writes output to the HTTP response, which fails with the "SRVE0209E: Writer already obtained" error. To avoid this issue, a new property is introduced that provides an option to disable invoking the TAI if the target URL is not protected.


PROBLEM CONCLUSION:
With this fix, a custom property, com.ibm.websphere.security.performTAIForUnprotectedURI, is introduced to stop SPNEGO-TAI authentication from being called when the following options are set in the administrative console:
- Unprotected URI is accessed
- 'Use available authentication data when an unprotected URI is accessed'

To set the custom property from the administrative console, follow the link "Secure administration, applications, and infrastructure" > "Custom properties" and enter the custom property and its value.

To turn off SPNEGO-TAI authentication, set the value to "false". The default value is "true".
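A scripted alternative to the console steps above, as an added example that is not part of the APAR text or IBM-supplied code: a wsadmin Jython script that creates the property or updates it only when the value differs. It assumes wsadmin is started with `-lang jython` and that the panel's custom properties are stored in the `properties` attribute of the cell's Security object; the function names are hypothetical.

```python
# Added example (not IBM code): idempotently set the PK64013 custom property.
PROP_NAME = "com.ibm.websphere.security.performTAIForUnprotectedURI"


def _ids(list_text):
    # AdminConfig returns lists as text such as "[id1 id2]".
    # Assumption: the configuration IDs contain no spaces.
    text = list_text.strip()
    if text.startswith("[") and text.endswith("]"):
        text = text[1:-1]
    return text.split()


def find_property(admin_config, security_id, name):
    # Return the config ID of the named security custom property, or None.
    for prop_id in _ids(admin_config.showAttribute(security_id, "properties")):
        if admin_config.showAttribute(prop_id, "name") == name:
            return prop_id
    return None


def set_security_property(admin_config, name, value):
    # Returns "created", "modified" or "unchanged"; saves only after a change.
    security_id = admin_config.list("Security").splitlines()[0]
    prop_id = find_property(admin_config, security_id, name)
    if prop_id is None:
        admin_config.create("Property", security_id,
                            [["name", name], ["value", value]])
        result = "created"
    elif admin_config.showAttribute(prop_id, "value") == value:
        return "unchanged"
    else:
        admin_config.modify(prop_id, [["value", value]])
        result = "modified"
    admin_config.save()
    return result


# AdminConfig only exists inside wsadmin; outside it nothing is changed.
try:
    _admin_config = AdminConfig
except NameError:
    _admin_config = None
if _admin_config is not None:
    print(set_security_property(_admin_config, PROP_NAME, "false"))
```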

The fix for this APAR is currently targeted for inclusion in fixpack 6.1.0.21. Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Prerequisites

Please download the UpdateInstaller below to install this fix.

UpdateInstaller (US English, AIX, size 7250000): http://www.ibm.com/support/docview.wss?rs=180&uid=swg21205991

Installation Instructions

Please review the readme.txt for detailed installation instructions.

Readme (US English, size 8703): ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PK64013/readme.txt

Download: 6.1.0.19-WS-WAS-IFPK64013 (date 1/29/2009, US English, AIX, size 270159)
- HTTP: http://www.ibm.com/support/fixcentral/quickorder?fixids=+6.1.0.19-WS-WAS-IFPK64013&product=ibm%2FWebSphere%2FWebSphere%20Application%20Server&source=dbluesearch++
- FTP: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PK64013/6.1.0.19-WS-WAS-IFPK64013.zip
- Download Director: http://public.dhe.ibm.com:7618;sw_websphere;appserv/support/fixes/PK64013/6.1.0.19-WS-WAS-IFPK64013.zip

Technical Support

Contact IBM Support using SR (http://www-306.ibm.com/software/support/probsub.html), visit the WebSphere Application Server Support Web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).

Product: WebSphere Application Server (SSEQTP)
Business Unit: Cloud & Data Platform
Component: Security
Platform: AIX, HP-UX, IBM i, Linux, Solaris, Windows
Version: 6.1.0.19
Edition: Base; Express; Network Deployment
Line of Business: Automation

Document Information

Modified date:
15 June 2018

UID

swg24022079