PK70824: REQUEST.ISUSERINROLE("ROLE_NAME") RETURNS FALSE ON SERVLET ERROR PAGE

Fixes are available

APAR status

Closed as program error.

Error description

Web application's global error page does not have access to the
security information.
The request.isUserInRole("ROLE_NAME") returns false.
Testing an error  situation. There is an error in the
Servlet.java code in order to force the ErrorPageServlet to get
control. But when the ErrorPageServlet get control it does not
have access to the security information.
  -
Running the scenario shows this which is expected:
 SystemOut     O from controller
 SystemOut     O remote user: USER1
 SystemOut     O user principal: USER1
 SystemOut     O is user in ROLE_NAME role: true
  -
 WebApp        E   [Servlet Error]-[triggering the error page]:
 java.lang.RuntimeException: triggering the error page
  -
 ServletWrappe I   SRVE0242I: [TestEar] [/TestWeb]
 [ErrorPageServlet]: Initialization successful.
 -
But this is the error:
 SystemOut     O from error page
 SystemOut     O remote user: null
 SystemOut     O user principal: null
 SystemOut     O is user in ROLE_NAME role: false
 -
It is expected that the value from the error page servlet is
the same as the value from main servlet.
 -
Customer accessing secure page after logging in. On that secure
page customer can use methods request.getRemoteUser(),
request.isUserInRole("ROLE_NAME"),  request.getUserPrincipal()
and return value is not null.
  -
Now when error occurs on this page, webcontainer picks define
error page. On this error page when customer does
request.getRemoteUser(), request.isUserInRole("ROLE_NAME"),
request.getUserPrincipal(),  they received null because the
user credentials are gone.
  -
Customer wants to catch user role in error page and show
appropriate content in error page.

Local fix

None
Search Keywords: webcontainer security jsp isuserinrole

Problem summary

****************************************************************
* USERS AFFECTED:  IBM WebSphere Application Server Version    *
*                  6.1 and 7.0.0 customers with web            *
*                  application security enabled.               *
****************************************************************
* PROBLEM DESCRIPTION: If secure access to a resource, such as *
*                      a servlet, results in a error and a     *
*                      custom error page is called,            *
*                      request.isUserInRole("role") always     *
*                      returns false when called from the      *
*                      custom error page.                      *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
When secure access to a resource resulted in an error, the
resultant error page was being called outside of the security
context associated with the resource. As a result, information
associated with the security context is not available to the
error page. For example, request.isUserInRole("ROLE_NAME")
always returns false, request.getRemoteUser() always returns
null, and request.getUserPrincipal() always returns null.

Problem conclusion

The WebContainer has been updated to call error pages within
the security context of the request which caused the error.

The fix for this APAR is currently targeted for inclusion in
fixpack 6.1.0.23 and 7.0.0.3.  Please refer to the Recommended
Updatespage for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Temporary fix

Comments

APAR Information

APAR number
PK70824
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
61W
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2008-08-20
Closed date
2008-11-17
Last modified date
2009-03-30

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800

Applicable component levels

R61A PSY
UP
R61H PSY
UP
R61I PSY
UP
R61P PSY
UP
R61W PSY
UP
R61Z PSY
UP
R700 PSY
UP

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"6.1","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
29 December 2021

Tips

PK70824: REQUEST.ISUSERINROLE("ROLE_NAME") RETURNS FALSE ON SERVLET ERROR PAGE

Fixes are available

Subscribe

APAR status

Closed as program error.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name

Fixed component ID

Applicable component levels

R61A PSY

R61H PSY

R61I PSY

R61P PSY

R61W PSY

R61Z PSY

R700 PSY

Document Information

Share your feedback

Need support?