IBM PK44264: Unexpected user switch by accidental credential cache hit with SSO enabled configuration.

APAR status

Closed as program error.

Error description

Session cross over under heavy load.

Using SSO with TAI++, it is possible that iv-creds request
header sent by TAM includes blank cache key.
If the cachekey sent by TAM is blank, Auththentication cache
in WebSphere Application Server may store them and it will
cause incorrect cache hit for another request.
When propagation is enabled, this incorrect cache hit will
generate another users LTPA token and WSAS do set-cookie with
it.
As a result, client got other user's authentication page
rather than initial login user to TAM.

Local fix

Problem summary

****************************************************************
* USERS AFFECTED: IBM WebSphere Application Server version     *
*                 6.0.2.x and 6.1.x users who are using        *
*                 Trust Association Interceptor.               *
*                                                              *
*                                                              *
****************************************************************
* PROBLEM DESCRIPTION: When a proxy server which is connected  *
*                      via Trust Association Interceptor,      *
*                      API returns a blank string as a value   *
*                      of custom cache key, Authentication     *
*                      Cache in WebSphere Application Server   *
*                      may attach improper user identity to    *
*                      a context.                              *
****************************************************************
* RECOMMENDATION:                                              *
*                                                              *
*                                                              *
****************************************************************
Authentication Cache code in WebSphere Application Server
assumes that the value of a custom cache key in Subject is
always unique in the objects in the cache data. However,
there is a situation that a reverse proxy generates a
custom cache key which no value is associated with.
When WebSphere Application Server receives this object
via Trust Association Interceptor API, it inserts a
Subject, which is generated by received object, into the
cache by using a blank cache key.
This cached object may be extracted by another context which
also doesn't have a proper cache key, and then the cached
object is attached to the context. For example, assuming that
there are two Subjects (A and B) which have a blank cache
key. First when A logs in, Subject A is cached, then when
B logs in, before authenticating B, the security code
looks up cache data by using the blank cache key, and A will
be hit since A also has the blank cache key. Then A is used
as a user credential although B should be used.

Problem conclusion

With this fix, Authentication Cache code no longer inserts a
cache object which doesn't have a proper cache key.

Note that this condition only happens if a reverse proxy
returns more than one different Subject which have the
blank cache key. This condition should not happen.
When this condition happens, it should be resolved by the
reverse proxy.
The purpose of this APAR fix is to protect unexpected
behavior when the value of a custom cache key is invalid.

The fix for this APAR is currently targeted for inclusion in
fixpack 6.0.2.21 and 6.1.0.11. Please refer to the
Recommended Updates page for delivery information:
http://www-1.ibm.com/support/docview.wss?uid=swg27004980

Temporary fix

Comments

APAR Information

APAR number
PK44264
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
60A
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2007-04-30
Closed date
2007-05-10
Last modified date
2007-06-26

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:

Modules/Macros

```
SECURITY
```

Fix information

Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800

Applicable component levels

R60A PSY
UP
R60H PSY
UP
R60I PSY
UP
R60P PSY
UP
R60S PSY
UP
R60W PSY
UP
R60Z PSY
UP
R61A PSY
UP
R61H PSY
UP
R61I PSY
UP
R61P PSY
UP
R61S PSY
UP
R61W PSY
UP
R61Z PSY
UP

Fixes are available

APAR status

Closed as program error.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros

Fix information

Fixed component name

Fixed component ID

Applicable component levels

R60A PSY

R60H PSY

R60I PSY

R60P PSY

R60S PSY

R60W PSY

R60Z PSY

R61A PSY

R61H PSY

R61I PSY

R61P PSY

R61S PSY

R61W PSY

R61Z PSY

Copyright and trademark information

Rate this page

Document information

Translate my page

Rate this page

Content navigation

Related software

Related hardware

Related services