Document ID: TEC1314663
Last Modified Date: 8/10/2015
Authored By: Jose-Javier-Sanchez
- Products
- CA Application Performance Management
- Releases
- CA Application Performance Management:Release:CA APM 9.5
- CA Application Performance Management:Release:9.5.5
- Components
Description:Java agent 9.5.5 can break WAS 8.5.5.2 applications if the new WAS property "InvalidateOnUnauthorizedSessionRequestException" is set to true and the WAS security integration is enabled.Solution:The new Websphere property is named "InvalidateOnUnauthorizedSessionRequestException" and is set to False by default. Session management properties, like the session management configuration, can be configured at the server, application, or web module level. The following steps are for setting the custom properties for session management at server level:In the administrative console, click Servers > Server Types > WebSphere application servers > server_name > Session management.
- Under Additional Properties, select Custom Properties.
- On the Custom Properties page, click New.
- On the settings page, enter the property to configure in the Name field and the value to set in the Value field.
- Click Apply or OK.
- Click Save on the console task bar to save your configuration changes.
- Restart the server.
Use the custom properties page to define the following management properties:
InvalidateOnUnauthorizedSessionRequestException
Set this property to true if, in response to an unauthorized request, you want the session manager to invalidate a session instead of issuing an UnauthorizedSessionRequestException error message.
When a session is invalidated, the requester can create a new session, but does not have access to any of the previously saved session data. This invalidation allows a single user to continue processing requests after a logout while still protecting session data.
The default value for this property is false.
https://www-01.ibm.com/support/knowledgecenter/SSEQTP_8.5.5/com.ibm.websphere.nd.doc/ae/rprs_custom_properties.html
When the property "InvalidateOnUnauthorizedSessionRequestException" is set to True and WAS Security integration is enabled, the application breaks and reports the following errors:
| INFO | CheckTimeOutFilter | WebContainer : 3 | c9451252bc1c381f3fc989c0b38ca645 | T111133 | Checking the session for the user 003
| INFO | SessionSrv | Agent Heartbeat | | | reset modelportfolio locks
| INFO | SessionSrv | Agent Heartbeat | | | The session for the user 501 has been closed
| WARN | VaadinApplication | WebContainer : 6 | c9451252bc1c381f3fc989c0b38ca645 | T111133 | Error in eventbus handler: public void com.expersoft.pm.lsps.LspsModuleAssembler.onDocumentOpen(com.expersoft.pm.lsps.LspsOpenDocumentEvent)
| ERROR | MainScreen | WebContainer : 6 | c9451252bc1c381f3fc989c0b38ca645 | T111133 | com.whitestein.lsps.common.LspsRuntimeException: Failed to execute closure {->if iterator.todo.allocatedTo != null then
The agent is not providing the user authentication for the session call so when trying to access Session to generate a Stall, the Session gets closed because the access is considered unauthorized.
Ref. IBM doc http://www-01.ibm.com/support/docview.wss?uid=swg1PM95756:
Set this property to true if, in response to an unauthorized request, you want the session manager to invalidate a session instead of issuing an UnauthorizedSessionRequestException error message.
When a session is invalidated, the requester can create a new session, but does not have access to any of the previously saved session data. This invalidation allows a single user to continue processing requests after a logout while still protecting session data.
WORKAROUNDS:
- When WAS security integration disabled then it works fine as it does not check session security
- When WAS security integration is enabled and InvalidateOnUnauthorizedSessionRequestException is set to false, then it works fine (as there is no need to authorize the requests).
Search the Entire CA APM Knowledge Base
