Troubleshooting
Problem
WebSphere Application Server does not appear to be protecting/unprotecting resources as specified in the web.xml file. As a result, you see users suddenly become null or unauthenticated when being redirected to a certain URL.
Symptom
You are not able to log in successfully. The SystemOut.log file shows the following:
[1/29/11 17:51:08:657 CET] 00000020 SecurityColla 3 Authorization failed accessing EJB
com.ibm.ws.security.core.AccessException: Subject:
Principal: /UNAUTHENTICATED
Public Credential: com.ibm.ws.security.auth.WSCredentialImpl@7ffd7ffd
is not granted any of the required roles: X5 X6 X10 X13 X14 X15 X16
at com.ibm.ws.security.core.WSAccessManager.checkAccess(WSAccessManager.java:448)
at com.ibm.ws.security.core.SecurityCollaborator.ejbCheckAuthorization(SecurityCollaborator.java:1527)
at com.ibm.ws.security.core.SecurityCollaborator.performAuthorization(SecurityCollaborator.java:529)
In some cases, you might also see the following messages:
[1/29/11 17:51:08:673 CET] 00000020 WSCredentialI < getRealmSecurityName Exit /UNAUTHENTICATED
[1/29/11 17:51:08:673 CET] 00000020 SecurityColla A SECJ0053E: Authorization failed for /UNAUTHENTICATED while invoking (Bean)NAME_APP.EAR#NAME_CORE.jar#ListeDeValeursSession getListeDeValeursByNomListe:ae.tci.name.core.mapping.IInputData,ae.tci.name.core.audit.AuditData,ae.tci.name.core.mapping.OutputData:1 Subject:
Principal: /UNAUTHENTICATED
Public Credential: com.ibm.ws.security.auth.WSCredentialImpl@7ffd7ffd
is not granted any of the required roles: X5 X6 X10 X13 X14 X15 X16
Cause
The <url-pattern> tag only allows a very restricted subset of wildcards. From the Java Servlet Specification 2.4:
"SRV.11.2 Specification of Mappings: In the Web application deployment descriptor, the following syntax is used to define mappings:
Diagnosing The Problem
Check whether the URL is specified in the web.xml file with a <url-pattern> that includes a wildcard.
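An added example of this check (not IBM's code): the script classifies each <url-pattern> under a <security-constraint> by the four mapping forms of Servlet 2.4 SRV.11.2 (path mapping "/.../*", extension mapping "*.ext", default "/", exact match otherwise) and reports patterns whose "*" falls outside those forms. The descriptor is a constructed sample modelled on this page's example, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor modelled on the page's example (not a real application's web.xml).
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>00001</web-resource-name>
      <url-pattern>/j_security_check</url-pattern>
      <url-pattern>fileName*.do</url-pattern>
      <url-pattern>/secure/*</url-pattern>
      <url-pattern>*.do</url-pattern>
    </web-resource-collection>
  </security-constraint>
</web-app>"""


def classify(pattern):
    """Return how a container interprets a url-pattern under SRV.11.2."""
    if pattern == "/":
        return "default"
    if pattern.startswith("/") and pattern.endswith("/*"):
        return "path"
    if pattern.startswith("*."):
        return "extension"
    return "exact"


def audit(web_xml_text):
    """List security-constraint url-patterns whose '*' is taken literally."""
    root = ET.fromstring(web_xml_text)
    findings = []
    for elem in root.iter():
        # Strip any XML namespace so 2.4 and later descriptors both work.
        if elem.tag.rsplit("}", 1)[-1] != "security-constraint":
            continue
        for child in elem.iter():
            if child.tag.rsplit("}", 1)[-1] != "url-pattern":
                continue
            pattern = (child.text or "").strip()
            if classify(pattern) == "exact" and "*" in pattern:
                findings.append(pattern)
    return findings


if __name__ == "__main__":
    for p in audit(SAMPLE_WEB_XML):
        print("wildcard treated as a literal, constraint will not match as intended:", p)
```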
Resolving The Problem
The servlet specification supports only a subset of wildcard expressions, so it is suggested that you set the full URL in <url-pattern>.
For example:
<security-constraint>
  <display-name>00001</display-name>
  <web-resource-collection>
    <web-resource-name>00001</web-resource-name>
    <url-pattern>/j_security_check</url-pattern>
    <!-- non-working -->
    <url-pattern>fileName*.do</url-pattern>
    <!-- working -->
    <url-pattern>fileName.do</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
Document Information
Modified date:
15 June 2018
UID
swg21462329