IBM - PK00852: SSO tokens with custom cacheKey from TAI are not handled
correctly: "When using the security attribute propagation token framework or the
cacheKey property within a Hashtable login to affect the custom cache key of a
Subject, an SSO token containing this custom cache key will result in a cache
miss at a backup server. This will cause either a DynaCache hit (if configured)
or an MBean retrieval to get the Subject contents. In cases where the
originating server is down, the LTPA token will be used to login, but it's
unlikely the custom attributes will be preserved in that situation. To
accommodate the behavior of a new challenge whenever these custom attributes
cannot be retrieved, any SSO token containing the custom cache key that cannot
retrieve the originating attributes will, by default, result in a new
authentication challenge. However, there will be a property that can be used to
change to the old login using the token behavior."
Wednesday, January 04, 2006
Missing PDPrincipal with TAI+
We configured websphere trust association with Tivoli Access Manager. It works fine when we tested it with individual logins. But when we tried to load test the authentication and authorization using TAM and TAM's Authorization API , the PDPrincipal of the subject was lost in a significant number of cases. When we contacted IBM about this, they suggested that we apply PK00852 to websphere, which is available from websphere cumulative fix pack 5.1.1.4. Although the fix does not directly address the problem at hand, we could load test TAM authentication and authorization with Azn API successfully. Probably TAI+ creates a custom cache key and modifies the subject with information that cannot be retrieved from the user registry alone. For more on custom JAAS subjects and cache keys in websphere, refer to this article in the WebSphere technical Journal. This is what IBM has to say about the APAR fix mentioned above.
Subscribe to:
Post Comments (Atom)
Popular Posts
-
This post will describe how to create and deploy a Java Web Application war to Heroku using Heroku CLI. You will need a basic understanding ...
-
JUnit 4 introduces a completely different API to the older versions. JUnit 4 uses Java 5 annotations to describe tests instead of using in...
-
In a previous post, I described how to use Quartz scheduler for scheduling . In this post, I describe the configuration changes required for...
-
New posts with iText 5.5.12 Following are two new posts for PDF Merge with iText 5.5.12 Merge PDF files using iText 5 Merge and Paginate PDF...
-
In this post we will see how to do an offline install Jenkins and required plugins on a Red Hat Enterprise Linux Server release 7.3. This is...
-
The previous post described how to implement a JMS messaging client using Spring JMS . This post will describe how to implement the Message ...
-
Recently I was attempting to deploy to weblogic from a Jenkins installed on a Red Hat Enterprise Linux Server release 7.3 , to a remote Webl...
-
I put up a new google co-op search box on top of the blog. I am trying to build a Java search service using Google co-op. I left the custom ...
-
The previous post described the Command pattern in brief. I listed out where and why the command pattern may be used. This post describes h...
-
One of the more common aspects of enterprise application development involves environment specific properties files. Some examples include D...
Abhi...contact me if you still have this problem. I think I know you.
ReplyDeleteI don't know who you are though! How would I contact?
ReplyDeleteAbhi.....I am Rajeev...I saw ur blog a year ago and figured u r same Abhi..and put this comment..I was searching something today..and and saw ur picture this time..
ReplyDeleteGreat...I am proud of u..keep writing....
Hi,
ReplyDeleteWe have missing PDPrincipal problem in WAS 6.0.
Subject returns PDPrincipal initially and later at some point PDPrincipal is not found and throws PD exception.
Assuming fixes in 5.1.1.4 (PK00852) are handled in WAS 6.0.
Thanks
Do you have multiple servers involved here? If so, you have to enable subject attribute propagation here. Or is the PDPrincipal simply "lost" after a few calls?
ReplyDeleteAlso, check if your cache is being invalidated, check for any timeouts.
Hi,
ReplyDeleteWe don't have multiple servers involved it is single server.
We have Refference application which has web module and EJB module and other property files and url's mapped and deployed on WAS 6.0.
Initially subject gets populated with PDPrincipal and gets lost after 10 mnts.
we are looking into timeout on Webseal/TAM.
Thanks