IBM Support

PH04135: BEHAVIOR DIFFERENCE IN GETREMOTEUSER() AND GETUSERPRINCIPAL() IN WAS 8.5.5 VS WAS 9.0.0 WHEN JASPIC IS CONFIGURED

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

APAR status

  • Closed as program error.

Error description

  • When configuring the property below on WAS 9.0.0, it will not
    be honored, when it has worked in the past:
    
    NAME: com.ibm.wsspi.security.web.webAuthReq
    VALUE: persisting
    

Local fix

  • N/A
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server who use JASPI (Java Authentication   *
    *                  Service Provider Interface for containers)  *
    *                  authentication provider                     *
    ****************************************************************
    * PROBLEM DESCRIPTION: Authenticated user's Subject is not     *
    *                      set on the thread when unprotected      *
    *                      URL is accessed                         *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    When a custom JASPI authentication provider is plugged in,
    authenticated user's Subject was not set on the thread when
    unprotected URL is accessed, even though "Use available
    authentication data when an unprotected URI is accessed"
    setting is enabled.  This causes some of APIs of
    HttpServletRequest,such as getRemoteUser() and
    getUserPrincipal(),return NULL instead of valid user
    Subject.
    In the same scenario above, jaspicSession Cookie
    was not set in the http response. Additionally,
    regardless of the requested URL, uniqueUserId
    from the plugin provider was not honored. This could cause
    authorization error.
    

Problem conclusion

Temporary fix

Comments

APAR Information

  • APAR number

    PH04135

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-10-16

  • Closed date

    2019-04-17

  • Last modified date

    2019-04-17

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels



Document information

More support for: WebSphere Application Server
General

Software version: 900

Reference #: PH04135

Modified date: 17 April 2019