IBM Support

PK41002: WHEN A WEB SERVICE PROTECTED BY WS-SECURITY IS INVOKED USING A USERNAMETOKEN, AUTHENTICATION TO THE REGISTRY OCCURS TWICE


APAR status

  • Closed as program error.

Error description

  • When a web service protected by WS-Security is invoked,
    authentication to the registry occurs twice.
    The first time, the JAAS login configuration
    WSSecurity.UsernameToken is invoked and succeeds. The Web
    Services trace indicates that, because the subject is not in the
    AuthCache, authentication then occurs again using the default
    JAAS configuration.
    .
    Excerpt of the trace:
      [27/10/06 14:37:11:291 EST] 0000004a LoginProcesso 3   Subject
      not found in AuthCache.
      [27/10/06 14:37:11:291 EST] 0000004a LoginProcesso 3
      authMech is system.DEFAULT
    .
    The problem occurs only with Username/Password.
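
To check whether a server shows this symptom, the two trace entries quoted above can be paired per thread. The scanner below is an added example, not IBM code; it assumes the entry layout of the excerpt (timestamp, thread ID, component, level, message, with wrapped continuation lines), and the third sample line is constructed.

```python
import re

# Entry header as in the APAR excerpt: [timestamp] threadId component level message
ENTRY = re.compile(
    r"^\s*\[(?P<ts>[^\]]+)\]\s+(?P<thread>[0-9a-f]{8})\s+\S+\s+\S\s*(?P<msg>.*)$"
)
CACHE_MISS = "Subject not found in AuthCache"
DEFAULT_LOGIN = "authMech is system.DEFAULT"


def parse_entries(lines):
    """Yield (timestamp, thread, message), folding wrapped continuation lines."""
    current = None
    for line in lines:
        m = ENTRY.match(line)
        if m:
            if current:
                yield tuple(current)
            current = [m["ts"], m["thread"], m["msg"].strip()]
        elif current and line.strip():
            # A line without an entry header continues the previous message.
            current[2] = (current[2] + " " + line.strip()).strip()
    if current:
        yield tuple(current)


def find_second_logins(lines):
    """Return (thread, timestamp) for every AuthCache miss that is followed,
    on the same thread, by a login through system.DEFAULT."""
    pending, hits = {}, []
    for ts, thread, msg in parse_entries(lines):
        if CACHE_MISS in msg:
            pending[thread] = ts
        elif DEFAULT_LOGIN in msg and thread in pending:
            hits.append((thread, pending.pop(thread)))
    return hits


# First four lines are the excerpt from this APAR; the last line is constructed
# to show that a system.DEFAULT login without a preceding cache miss is ignored.
SAMPLE_TRACE = """\
[27/10/06 14:37:11:291 EST] 0000004a LoginProcesso 3   Subject
not found in AuthCache.
[27/10/06 14:37:11:291 EST] 0000004a LoginProcesso 3
authMech is system.DEFAULT
[27/10/06 14:37:12:005 EST] 0000004b LoginProcesso 3   authMech is system.DEFAULT
""".splitlines()

if __name__ == "__main__":
    for thread, ts in find_second_logins(SAMPLE_TRACE):
        print(f"thread {thread}: second registry login at {ts}")
```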
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: IBM WebSphere Application Server version 6   *
    *                 administrators of web services applications  *
    *                 utilizing ws-security with UsernameTokens    *
    ****************************************************************
    * PROBLEM DESCRIPTION: Authentication to the registry occurs   *
    *                      twice when using UsernameTokens with    *
    *                      ws-security enabled web services        *
    *                      applications.                           *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    Authentication to the registry occurs twice when using
    UsernameTokens with ws-security enabled web services
    applications.  This may not be a problem when access to the
    registry is fast, but can cause problems when access to the
    registry is slow.
    

Problem conclusion

  • The ws-security code was updated so that it would only
    authenticate to the registry once when using UsernameTokens.
    
    Previously, the username/password was checked with the
    registry very early in the process, then again if WebSphere
    credentials were required.  This way, if the username/password
    combination wasn't valid, all that would be returned was
    "Login failed" instead of a SoapSecurityException.  With this
    new implementation, if the UsernameToken will be used to
    obtain WebSphere credentials, the username/password won't be
    checked against the registry until later in the process; if
    the username/password combination is not valid, instead of
    just returning "Login failed", a SoapSecurityException will be
    thrown:
    
    WebServicesFault faultCode: {http://docs.oasis-open.org/wss/
    2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}
    FailedAuthentication faultString: com.ibm.wsspi.wssecurity.
    SoapSecurityException: WSEC6510E: Failed to login:
    com.ibm.websphere.security.auth.WSLoginFailedException:
    No user invaliduname found faultActor: null faultDetail:
    com.ibm.wsspi.wssecurity.SoapSecurityException:
    WSEC6510E: Failed to login:
    com.ibm.websphere.security.auth.WSLoginFailedException:
    No user invalid uname found at
    com.ibm.ws.webservices.engine.WebServicesFault.makeUserFault
    (WebServicesFault.java:221) at
    ...
    
    If the UsernameToken will not be used to obtain WebSphere
    credentials and the username/password is not valid, then a
    "Login failed" message will be returned as before.
    
    Customer applications that will be using UsernameTokens to
    acquire WebSphere credentials that are programmatically
    expecting to receive a single "Login failed" message returned
    from the server upon a failed login will need to be updated
    accordingly.  Ordinarily this is not the case.
    
    This fix is currently targeted for fix packs 6.0.2.25 and
    6.1.0.15.
    Please refer to the recommended updates page for delivery
    information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
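
For client code that must handle both failure shapes described above, the following added example (not IBM code) classifies a response by resolving the SOAP 1.1 faultcode to its namespace rather than matching on a prefix or message string. How the older "Login failed" message is carried is not shown in this APAR, so the sample responses and the substring check are assumptions.

```python
import xml.etree.ElementTree as ET
from io import BytesIO

WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
FAILED_AUTH = (WSSE_NS, "FailedAuthentication")


def fault_code(body: bytes):
    """Return the SOAP 1.1 faultcode as (namespace URI, local name), or None."""
    prefixes = {}
    try:
        for event, item in ET.iterparse(BytesIO(body), events=("start-ns", "end")):
            if event == "start-ns":
                prefixes[item[0]] = item[1]          # prefix -> namespace URI
            elif item.tag == "faultcode" and item.text:
                prefix, _, local = item.text.strip().rpartition(":")
                return (prefixes.get(prefix, ""), local)
    except ET.ParseError:
        pass                                         # body is not XML
    return None


def classify_login_failure(body: bytes) -> str:
    """'failed-authentication' for the new fault, 'login-failed' for the old
    message (assumed to appear literally in the body), otherwise 'other'."""
    if fault_code(body) == FAILED_AUTH:
        return "failed-authentication"
    if b"Login failed" in body:
        return "login-failed"
    return "other"


def _fault(code, text, ns=""):
    """Build a constructed SOAP 1.1 fault envelope for the samples below."""
    return (f'<e:Envelope xmlns:e="http://schemas.xmlsoap.org/soap/envelope/"{ns}>'
            f"<e:Body><e:Fault><faultcode>{code}</faultcode>"
            f"<faultstring>{text}</faultstring></e:Fault></e:Body></e:Envelope>"
            ).encode()


# Constructed samples: the prefix differs from "wsse" on purpose.
NEW_STYLE = _fault("q0:FailedAuthentication", "WSEC6510E: Failed to login",
                   f' xmlns:q0="{WSSE_NS}"')
OLD_STYLE = _fault("e:Server", "Login failed")
LOOKALIKE = _fault("wsse:FailedAuthentication", "denied",
                   ' xmlns:wsse="urn:example:not-wss"')
```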
    

Temporary fix

  • ZE Fix Error, see PK75992. 2008/12/15
    

Comments

APAR Information

  • APAR number

    PK41002

  • Reported component name

    WEBSPH APP SERV

  • Reported component ID

    5724J0800

  • Reported release

    60W

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2007-03-12

  • Closed date

    2007-04-19

  • Last modified date

    2008-12-15

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Modules/Macros

  • SECURITY SERVICES WEB
    

Fix information

  • Fixed component name

    WEBSPH APP SERV

  • Fixed component ID

    5724J0800

Applicable component levels

  • R60A PSY

       UP

  • R60H PSY

       UP

  • R60I PSY

       UP

  • R60P PSY

       UP

  • R60S PSY

       UP

  • R60W PSY

       UP

  • R60Z PSY

       UP

  • R61A PSY

       UP

  • R61H PSY

       UP

  • R61I PSY

       UP

  • R61P PSY

       UP

  • R61S PSY

       UP

  • R61W PSY

       UP

  • R61Z PSY

       UP


Document Information

Modified date:
29 December 2021