IBM - PK00852: SSO tokens with custom cacheKey from TAI are not handled
correctly: "When using the security attribute propagation token framework or the
cacheKey property within a Hashtable login to affect the custom cache key of a
Subject, an SSO token containing this custom cache key will result in a cache
miss at a backup server. This will cause either a DynaCache hit (if configured)
or an MBean retrieval to get the Subject contents. In cases where the
originating server is down, the LTPA token will be used to login, but it's
unlikely the custom attributes will be preserved in that situation. To
accommodate the behavior of a new challenge whenever these custom attributes
cannot be retrieved, any SSO token containing the custom cache key that cannot
retrieve the originating attributes will, by default, result in a new
authentication challenge. However, there will be a property that can be used to
change to the old login using the token behavior."
Wednesday, January 04, 2006
Missing PDPrincipal with TAI+
We configured WebSphere trust association with Tivoli Access Manager (TAM). It worked fine when we tested it with individual logins, but when we load-tested authentication and authorization using TAM and TAM's Authorization API, the PDPrincipal of the Subject was lost in a significant number of cases. When we contacted IBM about this, they suggested applying PK00852 to WebSphere, which is available in WebSphere cumulative fix pack 5.1.1.4. Although the fix does not directly address the problem at hand, with it applied we could load-test TAM authentication and authorization with the Azn API successfully. Probably TAI+ creates a custom cache key and modifies the Subject with information that cannot be retrieved from the user registry alone. For more on custom JAAS Subjects and cache keys in WebSphere, refer to this article in the WebSphere Technical Journal. This is what IBM has to say about the APAR fix mentioned above.
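The lookup chain the APAR text describes (local auth cache, then DynaCache, then an MBean call to the originating server, then LTPA-only login or a fresh challenge) can be modelled to show exactly when the TAI-supplied PDPrincipal survives and when it does not. The following is an added Python model, not IBM's code or WebSphere's API: the class and attribute names, the `legacy_token_login` flag standing in for the APAR's unnamed opt-out property, and the user and cache-key values are all constructed for the illustration.

```python
class ReChallenge(Exception):
    """Post-fix default: attributes unrecoverable, so a new authentication challenge is forced."""

def registry_subject(user):
    # Subject rebuilt from the user registry alone: no TAI-supplied PDPrincipal.
    return {"user": user, "principals": {"WSPrincipal"}}

class Server:
    def __init__(self, dynacache=None, origin=None, legacy_token_login=False):
        self.auth_cache = {}                  # local auth cache: cache key -> Subject
        self.dynacache = dynacache            # shared DynaCache, modelled as a dict, or None
        self.origin = origin                  # originating server reachable via MBean, or None
        self.legacy_token_login = legacy_token_login  # stands in for the APAR's opt-out property
        self.up = True
    def hashtable_login(self, user, custom_principals, cache_key):
        """Hashtable login with a custom cacheKey, as the post presumes TAI+ does."""
        subject = {"user": user, "principals": {"WSPrincipal"} | set(custom_principals)}
        self.auth_cache[cache_key] = subject
        if self.dynacache is not None:
            self.dynacache[cache_key] = subject
        return (user, cache_key)              # SSO token: user plus custom cache key
    def mbean_lookup(self, cache_key):
        return self.auth_cache.get(cache_key) if self.up else None
    def resolve(self, token):
        user, key = token
        if key is None:                       # plain LTPA token: registry login is exact
            return registry_subject(user)
        for source in (self.auth_cache, self.dynacache or {}):
            if key in source:
                self.auth_cache[key] = source[key]
                return source[key]
        subject = self.origin.mbean_lookup(key) if self.origin else None
        if subject is not None:
            self.auth_cache[key] = subject
            return subject
        if self.legacy_token_login:           # pre-fix behaviour: custom attributes silently lost
            return registry_subject(user)
        raise ReChallenge(f"cannot retrieve attributes for cache key {key!r}")

def backup_keeps_pdprincipal(origin_up, shared_dynacache, legacy_token_login):
    """True/False if the backup server's Subject keeps PDPrincipal, or 'challenge'."""
    dyna = {} if shared_dynacache else None
    origin = Server(dynacache=dyna)
    backup = Server(dynacache=dyna, origin=origin, legacy_token_login=legacy_token_login)
    token = origin.hashtable_login("alice", {"PDPrincipal"}, "alice:tam-session")  # constructed
    origin.up = origin_up
    try:
        return "PDPrincipal" in backup.resolve(token)["principals"]
    except ReChallenge:
        return "challenge"
```

Only the originating server being down with no DynaCache hit changes the outcome: the legacy path hands back a Subject without PDPrincipal, while the fixed default forces a re-authentication instead of proceeding with a degraded Subject.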
Abhi... contact me if you still have this problem. I think I know you.

I don't know who you are though! How would I contact?

Abhi..... I am Rajeev... I saw your blog a year ago and figured you are the same Abhi, and put this comment. I was searching something today and saw your picture this time.

Great... I am proud of you. Keep writing....

Hi,
We have the missing PDPrincipal problem in WAS 6.0.
Subject returns PDPrincipal initially and later at some point PDPrincipal is not found and throws a PD exception.
Assuming fixes in 5.1.1.4 (PK00852) are handled in WAS 6.0.
Thanks

Do you have multiple servers involved here? If so, you have to enable subject attribute propagation here. Or is the PDPrincipal simply "lost" after a few calls?
Also, check if your cache is being invalidated; check for any timeouts.

Hi,
We don't have multiple servers involved; it is a single server.
We have a Reference application which has a web module, an EJB module and other property files and URLs mapped, deployed on WAS 6.0.
Initially the subject gets populated with PDPrincipal and it gets lost after 10 minutes.
We are looking into the timeout on WebSEAL/TAM.
Thanks