IBM Support

PH39883: THE USER "unauthenticated" (in lower case) ASSERTED BY TRUSTASSOCIATIONINTERCEPTOR IS NO LONGER AUTHENTICATED

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • In the distributed environment,  WebSphere has the reserved
username "UNAUTHENTICATED".  When this user name is passed in
from a custom Trust Association Interceptor (TAI) or a custom
LoginModule, the user is treated as an unauthenticated user.


After PH21890 (8.5.5.18 and 9.0.5.4), the user
"unauthenticated" is also treated as unauthenticated user as the
condition check inadvertently included "ignoreCase" operation.
In the prior fixpack, the user went through authentication
process.


In the zOS environment, WebSphere's reserved username for the
unauthenticated user is configurable.
(com.ibm.security.SAF.unauthenticated) .  Since the username is
all upper case, this APAR does not apply to the WebSphere on zOS
platform.

Local fix

  • 



Problem summary


    

  • ****************************************************************
* USERS AFFECTED:  All users of IBM WebSphere Application      *
*                  Server who asserts a user named             *
*                  "unauthenticated" user in lower case from   *
*                  Trust Association Interceptor (TAI)         *
****************************************************************
* PROBLEM DESCRIPTION: The user "unauthenticated" from TAI was *
*                      no longer authenticated after PH21890.  *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
Due to a bug in PH21890, the user named
"unauthenticated" (all lowercase) returned from a custom TAI or
a custom login module was automatically treated as
unauthenticated user. Prior to the APAR, the user was
authenticated against the user registry.
Note 1: The username "UNAUTHENTICATED" in all uppercase is
reserved username. When this username is returned from a custom
TAI, or a custom LoginModule, the user is treated as an
unauthenticated user as designed.
Note 2: This APAR does not apply to WebSphere configured with
SAF user registry where the reserved unauthenticated user string
depends on the value of com.ibm.security.SAF.unauthenticated.
Note 3: Fixpacks affected by PH21890 are 9.0.5.4-9.0.5.10,
8.5.5.18-8.5.5.21

    



Problem conclusion


    

  • The bug has been fixed.

The fix for this APAR is targeted for inclusion in fix pack
8.5.5.22 and 9.0.5.11. For more information, see 'Recommended
Updates for WebSphere Application Server':
https://www.ibm.com/support/pages/node/715553

    



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    PH39883
    • 

  • Reported component name
    WEBS APP SERV N
    • 

  • Reported component ID
    5724H8800
    • 

  • Reported release
    850
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2021-08-16
    • 

  • Closed date
    2021-12-21
    • 

  • Last modified date
    2021-12-21
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    WEBS APP SERV N
    • 

  • Fixed component ID
    5724H8800
    • 



Applicable component levels


    








      
              
                            

              

              [{"Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.5"}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            22 December 2021
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback