CWWKS3005E message is displayed when external registry is used

[jpfloresibm]

Describe the bug When using an external registry such as IAM the following wlp message is logged:

[ERROR   ] CWWKS3005E: A configuration exception has occurred. No UserRegistry implementation service is available.  Ensure that you have a user registry configured

A simple use case is using a custom TAI for authenticating users against an external registry such as IAM on cloud.

Steps to Reproduce Configure a custom TAI for authenticating users and do not configure an internal registry.

Expected behavior If custom authentication is configured then the CWWKS3005E error message should not be displayed.

Diagnostic information:

• OpenLiberty Version: [e.g. 20.0.0.8]
• Java Version: [1.8.0_275\njava.runtime = OpenJDK Runtime Environment (1.8.0_275-b01)\nos = Linux (4.4.0-194-generic; amd64) (en_US)\nprocess = 1]

• server.xml configuration (WITHOUT sensitive information like passwords)

  <server description="server">
  
  <!-- WLP Settings -->
  <httpEndpoint accessLoggingRef="NONE" host="*" httpPort="-1" httpsPort="9443" id="defaultHttpEndpoint">
  <tcpOptions soReuseAddr="true"/>
  <httpOptions maxKeepAliveRequests="-1" readTimeout="1m" writeTimeout="1m"/>
  <httpAccessLogging filePath="/var/log/${product.name}/access.log" id="model-access" logFormat=" %h %i %u %t %q &quot;%r&quot; %s %b %D"/>
  </httpEndpoint>
  <featureManager>
  <feature>jsp-2.3</feature>
  <feature>servlet-4.0</feature>
  <feature>ssl-1.0</feature>
  <feature>cdi-2.0</feature>
  <feature>ejbLite-3.2</feature>
  <feature>jaxrs-2.1</feature>
  <feature>openapi-3.1</feature>
  <feature>appSecurity-3.0</feature>
  <feature>concurrent-1.0</feature>
  <feature>jsonb-1.0</feature>
  </featureManager>
  
  <!-- Ensure WLP does not report successful start until web applications have completed loading or 2 mins have passed -->
  <applicationManager startTimeout="2m"/>
  
  <!-- Disable welcome page -->
  <httpDispatcher enableWelcomePage="false"/>
  
  <webContainer deferServletLoad="false"/>
  <!-- Logging Settings -->
  <logging consoleLogLevel="INFO" copySystemStreams="false" maxFileSize="5" maxFiles="4" suppressSensitiveTrace="true" traceFormat="ADVANCED" traceSpecification="{{.Values.wlp.logging.traceSpecification}}"/>
  <!-- Job Service Settings -->
  <!-- Required to set the thread pool up for async job launches. -->
  <managedExecutorService jndiName="concurrent/execSvc1">
  <contextService>
    <classloaderContext/>
    <securityContext/>
    <jeeMetadataContext/>
  </contextService>
  </managedExecutorService>
  
  <transaction totalTranLifetimeTimeout="1m"/>
  <!-- Variables -->
  <variable name="model.reader.role" value="ModelReader"/>
  <variable name="model.writer.role" value="ModelWriter"/>
  <variable name="model.manager.role" value="ModelManager"/>
  <variable name="ibm.cloud.pdp.url" value="{{ .Values.iam.url.pdp }}"/>
  <variable name="ibm.cloud.issuer.url" value="{{ .Values.iam.url.issuer }}"/>
  <variable name="ibm.cloud.jwks.url" value="{{ .Values.iam.url.jwks }}"/>
  <variable name="ibm.cloud.token.url" value="{{ .Values.iam.url.token }}"/>
  <variable name="ibm.cloud.pepclient.cache" value="true"/>
  <variable name="ibm.cloud.resource.controller.url" value="{{ .Values.resourceController.url }}"/>
  <variable name="ibm.cloud.service.action.properties" value="${product.home}/conf/security/service-action.properties"/>
  <variable name="ibm.cloud.service.credential.configuration" value="${product.home}/conf/security/whitelisted-service-credentials.json"/>
  <variable name="ibm.cloud.service.name" value="oc"/>
  <variable name="ibm.cloud.client.id" value="${env.OC_CLOUD_CLIENT_ID}"/>
  <variable name="ibm.cloud.client.secret" value="${env.OC_CLOUD_CLIENT_SECRET}"/>
  <variable name="ibm.cloud.api.key" value="${env.OC_CLOUD_API_KEY}"/>
  
  <!-- Environment Settings -->
  <classloading useJarUrls="true"/>
  
  <!-- Security Settings -->
  <webAppSecurity singleSignonEnabled="false" allowFailOverToBasicAuth="false"/>
  <httpSession cookieHttpOnly="true" cookieSecure="true" invalidationTimeout="1800" securityIntegrationEnabled="false" useContextRootAsCookiePath="false"/>
  <sslDefault sslRef="defaultSSLSettings"/>
  <ssl clientAuthenticationSupported="false" id="defaultSSLSettings" keyStoreRef="defaultKeyStore" trustDefaultCerts="true" sslProtocol="TLSv1.2" enabledCiphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"/>
  
  <trustAssociation id="pepClientTai" invokeForUnprotectedURI="false" failOverToAppAuthType="false">
  <interceptors id="pepClientTai" enabled="true" className="com.ibm.entity.analytics.security.IAMTrustAssociationInterceptor" invokeBeforeSSO="true" invokeAfterSSO="false" libraryRef="pepClientTaiLibrary">
    <properties ibm.cloud.pdp.url="${ibm.cloud.pdp.url}" ibm.cloud.jwks.url="${ibm.cloud.jwks.url}" ibm.cloud.issuer.url="${ibm.cloud.issuer.url}" ibm.cloud.pepclient.cache="${ibm.cloud.pepclient.cache}" ibm.cloud.service.action.properties="${ibm.cloud.service.action.properties}" ibm.cloud.token.url="${ibm.cloud.token.url}" ibm.cloud.client.id="${ibm.cloud.client.id}" ibm.cloud.client.secret="${ibm.cloud.client.secret}" ibm.cloud.api.key="${ibm.cloud.api.key}" ibm.cloud.resource.controller.url="${ibm.cloud.resource.controller.url}" ibm.cloud.service.name="${ibm.cloud.service.name}" ibm.cloud.service.credential.configuration="${ibm.cloud.service.credential.configuration}"/>
  </interceptors>
  </trustAssociation>
  
  <!-- SSL Config -->
  <keyStore id="defaultKeyStore" password="${env.WLP_KEYSTORE_PASS}"/>
  <ltpa keysPassword="${env.WLP_LTPA_PASS}"/>
  
  <!-- Library Config -->
  <library id="pepClientTaiLibrary">
  <fileset dir="${product.home}/lib/security" includes="wlp-pep-client-tai-*.jar"/>
  </library>
  
  <library id="library">
  <folder dir="${product.home}/conf/rabbitmq"/>
  <folder dir="${product.home}/conf/featuretoggle"/>
  <folder dir="/staging/lib"/>
  <fileset dir="${product.home}/janus/lib" includes="janusgraph-core-*.jar, janusgraph-es-*.jar, janusgraph-foundationdb-*.jar, fdb-java-*.jar, janusgraph-cql-*.jar, cassandra-driver-core-*.jar, gremlin-core-*.jar, gremlin-groovy-*.jar, groovy-*.jar, caffeine-*.jar, jbcrypt-*.jar, gremlin-shaded-*.jar, protobuf-java-*.jar, zookeeper-*.jar, htrace-core-*.jar, netty-all-*.jar, log4j-*.jar, metrics-core-*.jar, commons-codec-*.jar, reflections-*.jar, httpasyncclient-*.jar, httpclient-*.jar, httpcore-*.jar, httpmime-*.jar, noggit-*.jar, hppc-*.jar, high-scale-lib-*.jar, commons-cli-*.jar, commons-io-*.jar, lucene-core-*.jar, guava-*.jar, spark-gremlin-*.jar, javatuples-*.jar, vavr-*.jar, commons-configuration-*.jar, commons-logging-*.jar, commons-collections-*.jar, commons-lang3-*.jar, hadoop-hdfs-*.jar, hadoop-common-*.jar, hadoop-auth-*.jar, elasticsearch-rest-client-*.jar"/>
  <fileset dir="${product.home}/lib" includes="*.jar"/>
  </library>
  
  <webApplication id="model-api-rest" location="model-api-rest.war" name="model-api-rest">
  <classloader privateLibraryRef="library, pepClientTaiLibrary"/>
  <application-bnd>
    <security-role name="Everyone">
      <special-subject type="EVERYONE"/>
    </security-role>
    <security-role name="ModelReader">
      <group name="ReaderGroup" access-id="group:${ibm.cloud.issuer.url}${model.reader.role}"/>
      <group name="WriterGroup" access-id="group:${ibm.cloud.issuer.url}${model.writer.role}"/>
      <group name="ManagerGroup" access-id="group:${ibm.cloud.issuer.url}${model.manager.role}"/>
    </security-role>
    <security-role name="ModelWriter">
      <group name="WriterGroup" access-id="group:${ibm.cloud.issuer.url}${model.writer.role}"/>
      <group name="ManagerGroup" access-id="group:${ibm.cloud.issuer.url}${model.manager.role}"/>
    </security-role>
    <security-role name="ModelManager">
      <group name="ManagerGroup" access-id="group:${ibm.cloud.issuer.url}${model.manager.role}"/>
    </security-role>
  </application-bnd>
  </webApplication>
  </server>

[nadiramra]

I am running 23.0.0.3. The problem persists. The essence of the problem is that Liberty should not be logging or issuing any messages or cutting FFDC logs unless it actually requires a registry in order to perform authentication.

In my case, I have an unprotected application that does its own authentication. A request comes in with Authorization header of Basic. The message is issued and FFDC is cut. Every request the comes in results in a message CWWKS3005E. This is not desirable and is very frustrating.

As a side note, if one adds <logging hideMessage=CWWKS3005E" />, the message is no longer logged to messages.log, instead, it gets logged to trace.log even though tracing is not active!

The class that needs to be updated is (at least that seems to be only class that issues the message): dev/com.ibm.ws.security.registry/src/com/ibm/ws/security/registry/internal/UserRegistryServiceImpl.java

and my guess is the users of this method:

public UserRegistry getUserRegistry() throws RegistryException {
    return determineActiveUserRegistry(true);
}

This method tells determineActiveUserRegistry to issue an exception. I think callers of this method should call isUserRegistryConfigured() and then do what is appropriate or change this method to have an input parameter of boolean and pass that to determineActiveUserRegistry(). Or add a method that does that.

And the ffdc stack trace is as follows:

com.ibm.ws.security.registry.RegistryException: CWWKS3005E: A configuration exception has occurred. No UserRegistry implementation service is available. Ensure that you have a user registry configured. at com.ibm.ws.security.registry.internal.UserRegistryServiceImpl.autoDetectUserRegistry(UserRegistryServiceImpl.java:414) at com.ibm.ws.security.registry.internal.UserRegistryServiceImpl.determineActiveUserRegistry(UserRegistryServiceImpl.java:368) at com.ibm.ws.security.registry.internal.UserRegistryServiceImpl.getUserRegistry(UserRegistryServiceImpl.java:387) at com.ibm.ws.security.authentication.internal.jaas.JAASServiceImpl.getUserRegistry(JAASServiceImpl.java:127) at com.ibm.ws.security.authentication.internal.jaas.modules.ServerCommonLoginModule.getUserRegistry(ServerCommonLoginModule.java:73) at com.ibm.ws.security.authentication.jaas.modules.UsernameAndPasswordLoginModule.login(UsernameAndPasswordLoginModule.java:77) at com.ibm.ws.kernel.boot.security.LoginModuleProxy.login(LoginModuleProxy.java:53) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755) at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195) at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682) at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) at javax.security.auth.login.LoginContext.login(LoginContext.java:587) at com.ibm.ws.security.authentication.internal.jaas.JAASServiceImpl.doLoginContext(JAASServiceImpl.java:369) at com.ibm.ws.security.authentication.internal.jaas.JAASServiceImpl.performLogin(JAASServiceImpl.java:355) at com.ibm.ws.security.authentication.internal.jaas.JAASServiceImpl.performLogin(JAASServiceImpl.java:340) at com.ibm.ws.security.authentication.internal.AuthenticationServiceImpl.performJAASLogin(AuthenticationServiceImpl.java:558) at com.ibm.ws.security.authentication.internal.AuthenticationServiceImpl.authenticate(AuthenticationServiceImpl.java:223) at com.ibm.ws.webcontainer.security.internal.BasicAuthAuthenticator.basicAuthenticate(BasicAuthAuthenticator.java:130) at com.ibm.ws.webcontainer.security.internal.BasicAuthAuthenticator.handleBasicAuth(BasicAuthAuthenticator.java:121) at com.ibm.ws.webcontainer.security.internal.BasicAuthAuthenticator.authenticate(BasicAuthAuthenticator.java:74) at com.ibm.ws.webcontainer.security.WebAuthenticatorProxy.authenticate(WebAuthenticatorProxy.java:89) at com.ibm.ws.webcontainer.security.WebAppSecurityCollaboratorImpl.authenticateRequest(WebAppSecurityCollaboratorImpl.java:1243) at com.ibm.ws.webcontainer.security.WebAppSecurityCollaboratorImpl.setAuthenticatedSubjectIfNeeded(WebAppSecurityCollaboratorImpl.java:875) at com.ibm.ws.webcontainer.security.WebAppSecurityCollaboratorImpl.optionallyAuthenticateUnprotectedResource(WebAppSecurityCollaboratorImpl.java:832) at com.ibm.ws.webcontainer.security.WebAppSecurityCollaboratorImpl.determineWebReply(WebAppSecurityCollaboratorImpl.java:992) at com.ibm.ws.webcontainer.security.WebAppSecurityCollaboratorImpl.performSecurityChecks(WebAppSecurityCollaboratorImpl.java:698) at com.ibm.ws.webcontainer.security.WebAppSecurityCollaboratorImpl.preInvoke(WebAppSecurityCollaboratorImpl.java:619) at com.ibm.wsspi.webcontainer.collaborator.CollaboratorHelper.preInvokeCollaborators(CollaboratorHelper.java:472) at com.ibm.ws.webcontainer.osgi.collaborator.CollaboratorHelperImpl.preInvokeCollaborators(CollaboratorHelperImpl.java:272) at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1220) at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:5080) at com.ibm.ws.webcontainer.osgi.DynamicVirtualHost$2.handleRequest(DynamicVirtualHost.java:318) at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:1038) at com.ibm.ws.webcontainer.osgi.DynamicVirtualHost$2.run(DynamicVirtualHost.java:283) at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink$TaskWrapper.run(HttpDispatcherLink.java:1248) at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink.wrapHandlerAndExecute(HttpDispatcherLink.java:470) at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink.ready(HttpDispatcherLink.java:429) at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:569) at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.handleNewRequest(HttpInboundLink.java:503) at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.processRequest(HttpInboundLink.java:363) at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.ready(HttpInboundLink.java:330) at com.ibm.ws.tcpchannel.internal.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:169) at com.ibm.ws.tcpchannel.internal.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:77) at com.ibm.ws.tcpchannel.internal.WorkQueueManager.requestComplete(WorkQueueManager.java:516) at com.ibm.ws.tcpchannel.internal.WorkQueueManager.attemptIO(WorkQueueManager.java:586) at com.ibm.ws.tcpchannel.internal.WorkQueueManager.workerRun(WorkQueueManager.java:970) at com.ibm.ws.tcpchannel.internal.WorkQueueManager$Worker.run(WorkQueueManager.java:1059) at com.ibm.ws.threading.internal.ExecutorServiceImpl$RunnableWrapper.run(ExecutorServiceImpl.java:247) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748)

[vsmid]

Describe the bug When not using user registry or with custom identity store implementation the following wlp message is logged:

[ERROR ] CWWKS3005E: A configuration exception has occurred. No UserRegistry implementation service is available. Ensure that you have a user registry configured

Steps to Reproduce For me it is happening on 24.0.0.2 version and for EAR deployment. I have a Servlet WEB module (with custom auth. implemented - not using container auth) and a Jakarta REST WEB module (with @BasicAuthenticationMechanismDefinition and a custom IdentityStore). The error happens for Servlet module only. The error persisted when I tried to add @BasicAuthenticationMechanismDefinition and a custom IdentityStore to the Servlet module.

Expected behavior If custom authentication is configured (or none at all) then the CWWKS3005E error message should not be displayed

Diagnostic information:

(Open Liberty 24.0.0.2/wlp-1.0.86.cl240220240212-1928) on Eclipse OpenJ9 VM, version 21.0.2+13-LTS (en_US)

server.xml

<?xml version="1.0" encoding="UTF-8"?>
<server description="Server">

    <featureManager>
        <feature>servlet-6.0</feature>
        <feature>restfulWS-3.1</feature>
        <feature>jsonb-3.0</feature>
        <feature>beanValidation-3.0</feature>
        <feature>mpConfig-3.1</feature>
        <feature>mpOpenAPI-3.1</feature>
        <feature>appSecurity-5.0</feature>
        <feature>appAuthentication-3.0</feature>
    </featureManager>

    <variable name="mp.openapi.extensions.liberty.merged.include" value="all"/>

    <httpEndpoint id="defaultHttpEndpoint" host="*"/>
    <applicationManager autoExpand="true"/>

    <enterpriseApplication id="server" location="app.ear" name="app">
        <classloader apiTypeVisibility="+third-party" commonLibraryRef="global"/>
    </enterpriseApplication>

    <library apiTypeVisibility="+third-party" id="global">
        <fileset dir="${shared.resource.dir}/lib/global" includes="*.jar"/>
    </library>

    <ssl id="defaultSSLConfig" trustDefaultCerts="true"/>
    <keyStore id="defaultKeyStore" password="******"/>
    <logging  consoleLogLevel="INFO" consoleFormat="SIMPLE"/>

</server>

-----Start of DE processing------ = [3/24/24, 8:24:58:962 UTC ]
Exception = com.ibm.ws.security.registry.RegistryException
Source = com.ibm.ws.security.authentication.jaas.modules.UsernameAndPasswordLoginModule
probeid = 116
Stack Dump = com.ibm.ws.security.registry.RegistryException: CWWKS3005E: A configuration exception has occurred. No UserRegistry implementation service is available.  Ensure that you have a user registry configured.
        at com.ibm.ws.security.registry.internal.UserRegistryServiceImpl.autoDetectUserRegistry(UserRegistryServiceImpl.java:414)
        at com.ibm.ws.security.registry.internal.UserRegistryServiceImpl.determineActiveUserRegistry(UserRegistryServiceImpl.java:368)
        at com.ibm.ws.security.registry.internal.UserRegistryServiceImpl.getUserRegistry(UserRegistryServiceImpl.java:387)
        at com.ibm.ws.security.authentication.internal.jaas.JAASServiceImpl.getUserRegistry(JAASServiceImpl.java:127)
        at com.ibm.ws.security.authentication.internal.jaas.modules.ServerCommonLoginModule.getUserRegistry(ServerCommonLoginModule.java:73)
        at com.ibm.ws.security.authentication.jaas.modules.UsernameAndPasswordLoginModule.login(UsernameAndPasswordLoginModule.java:77)
        at com.ibm.ws.kernel.boot.security.LoginModuleProxy.login(LoginModuleProxy.java:53)
        at java.base/javax.security.auth.login.LoginContext.invoke(Unknown Source)
        at java.base/javax.security.auth.login.LoginContext$4.run(Unknown Source)
        at java.base/javax.security.auth.login.LoginContext$4.run(Unknown Source)
        at java.base/java.security.AccessController.doPrivileged(Unknown Source)
        at java.base/javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
        at java.base/javax.security.auth.login.LoginContext.login(Unknown Source)
        at com.ibm.ws.security.authentication.internal.jaas.JAASServiceImpl.doLoginContext(JAASServiceImpl.java:369)
        at com.ibm.ws.security.authentication.internal.jaas.JAASServiceImpl.performLogin(JAASServiceImpl.java:355)
        at com.ibm.ws.security.authentication.internal.jaas.JAASServiceImpl.performLogin(JAASServiceImpl.java:340)
        at com.ibm.ws.security.authentication.internal.AuthenticationServiceImpl.performJAASLogin(AuthenticationServiceImpl.java:558)
        at com.ibm.ws.security.authentication.internal.AuthenticationServiceImpl.authenticate(AuthenticationServiceImpl.java:223)
        at com.ibm.ws.webcontainer.security.internal.BasicAuthAuthenticator.basicAuthenticate(BasicAuthAuthenticator.java:130)
        at com.ibm.ws.webcontainer.security.internal.BasicAuthAuthenticator.handleBasicAuth(BasicAuthAuthenticator.java:121)
        at com.ibm.ws.webcontainer.security.internal.BasicAuthAuthenticator.authenticate(BasicAuthAuthenticator.java:74)
        at com.ibm.ws.webcontainer.security.WebAuthenticatorProxy.authenticate(WebAuthenticatorProxy.java:89)
        at com.ibm.ws.webcontainer.security.WebAppSecurityCollaboratorImpl.authenticateRequest(WebAppSecurityCollaboratorImpl.java:1239)
        at com.ibm.ws.webcontainer.security.WebAppSecurityCollaboratorImpl.setAuthenticatedSubjectIfNeeded(WebAppSecurityCollaboratorImpl.java:872)
        at com.ibm.ws.webcontainer.security.WebAppSecurityCollaboratorImpl.optionallyAuthenticateUnprotectedResource(WebAppSecurityCollaboratorImpl.java:829)
        at com.ibm.ws.webcontainer.security.WebAppSecurityCollaboratorImpl.determineWebReply(WebAppSecurityCollaboratorImpl.java:988)
        at com.ibm.ws.webcontainer.security.WebAppSecurityCollaboratorImpl.performSecurityChecks(WebAppSecurityCollaboratorImpl.java:695)
        at com.ibm.ws.webcontainer.security.WebAppSecurityCollaboratorImpl.preInvoke(WebAppSecurityCollaboratorImpl.java:622)
        at com.ibm.wsspi.webcontainer.collaborator.CollaboratorHelper.preInvokeCollaborators(CollaboratorHelper.java:472)
        at com.ibm.ws.webcontainer.osgi.collaborator.CollaboratorHelperImpl.preInvokeCollaborators(CollaboratorHelperImpl.java:290)
        at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1221)
        at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:5076)
        at com.ibm.ws.webcontainer.osgi.DynamicVirtualHost$2.handleRequest(DynamicVirtualHost.java:328)
        at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:1038)
        at com.ibm.ws.webcontainer.osgi.DynamicVirtualHost$2.run(DynamicVirtualHost.java:293)
        at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink$TaskWrapper.run(HttpDispatcherLink.java:1260)
        at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink.wrapHandlerAndExecute(HttpDispatcherLink.java:476)
        at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink.ready(HttpDispatcherLink.java:435)
        at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:569)
        at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.handleNewRequest(HttpInboundLink.java:503)
        at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.processRequest(HttpInboundLink.java:363)
        at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.ready(HttpInboundLink.java:330)
        at com.ibm.ws.tcpchannel.internal.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:169)
        at com.ibm.ws.tcpchannel.internal.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:77)
        at com.ibm.ws.tcpchannel.internal.WorkQueueManager.requestComplete(WorkQueueManager.java:516)
        at com.ibm.ws.tcpchannel.internal.WorkQueueManager.attemptIO(WorkQueueManager.java:586)
        at com.ibm.ws.tcpchannel.internal.WorkQueueManager.workerRun(WorkQueueManager.java:970)
        at com.ibm.ws.tcpchannel.internal.WorkQueueManager$Worker.run(WorkQueueManager.java:1059)
        at com.ibm.ws.threading.internal.ExecutorServiceImpl$RunnableWrapper.run(ExecutorServiceImpl.java:280)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
        at java.base/java.lang.Thread.run(Unknown Source)

Dump of callerThis
Object type = com.ibm.ws.security.authentication.jaas.modules.UsernameAndPasswordLoginModule
  tc = class com.ibm.websphere.ras.TraceComponent@66c4354e
    strings[0] = "TraceComponent[com.ibm.ws.security.authentication.jaas.modules.UsernameAndPasswordLoginModule,class com.ibm.ws.security.authentication.jaas.modules.UsernameAndPasswordLoginModule,[Authentication],com.ibm.ws.security.authentication.internal.resources.AuthenticationMessages,null]"
  userRegistry = null
  username = null
  urAuthenticatedId = null
  serialVersionUID = -1034522143030294360
  tc = class com.ibm.websphere.ras.TraceComponent@ecf3fbb8
    strings[0] = "TraceComponent[com.ibm.ws.security.authentication.internal.jaas.modules.ServerCommonLoginModule,class com.ibm.ws.security.authentication.internal.jaas.modules.ServerCommonLoginModule,[Authentication],com.ibm.ws.security.authentication.internal.resources.AuthenticationMessages,null]"
  jsonWebTokenProperties = class java.lang.String[1]
    String[0] = "com.ibm.ws.authentication.internal.json.web.token"
  subjectHelper = class com.ibm.ws.security.authentication.utility.SubjectHelper@fc31f3ce
    tc = class com.ibm.websphere.ras.TraceComponent@25e299a
      strings[0] = "TraceComponent[com.ibm.ws.security.authentication.utility.SubjectHelper,class com.ibm.ws.security.authentication.utility.SubjectHelper,[],null,null]"
    serialVersionUID = -2679843572021519452
  userIdOnlyProperties = class java.lang.String[2]
    String[0] = "com.ibm.wsspi.security.cred.userId"
    String[1] = "com.ibm.ws.authentication.internal.assertion"
  customPropertiesFromSubject = false
  serialVersionUID = 2946373732615217215
  callbackHandler = class javax.security.auth.login.LoginContext$SecureCallbackHandler@19ba1031
    acc = "/* Could not access acc */"
    ch = "/* Could not access ch */"
  subject = class javax.security.auth.Subject@10767745
    serialVersionUID = "/* Could not access serialVersionUID */"
    principals = "/* Could not access principals */"
    pubCredentials = "/* Could not access pubCredentials */"
    privCredentials = "/* Could not access privCredentials */"
    readOnly = "/* Could not access readOnly */"
    PRINCIPAL_SET = "/* Could not access PRINCIPAL_SET */"
    PUB_CREDENTIAL_SET = "/* Could not access PUB_CREDENTIAL_SET */"
    PRIV_CREDENTIAL_SET = "/* Could not access PRIV_CREDENTIAL_SET */"
    NULL_PD_ARRAY = "/* Could not access NULL_PD_ARRAY */"
  sharedState = class java.util.HashMap@7c77b092
    serialVersionUID = "/* Could not access serialVersionUID */"
    DEFAULT_INITIAL_CAPACITY = "/* Could not access DEFAULT_INITIAL_CAPACITY */"
    MAXIMUM_CAPACITY = "/* Could not access MAXIMUM_CAPACITY */"
    DEFAULT_LOAD_FACTOR = "/* Could not access DEFAULT_LOAD_FACTOR */"
    TREEIFY_THRESHOLD = "/* Could not access TREEIFY_THRESHOLD */"
    UNTREEIFY_THRESHOLD = "/* Could not access UNTREEIFY_THRESHOLD */"
    MIN_TREEIFY_CAPACITY = "/* Could not access MIN_TREEIFY_CAPACITY */"
    table = "/* Could not access table */"
    entrySet = "/* Could not access entrySet */"
    size = "/* Could not access size */"
    modCount = "/* Could not access modCount */"
    threshold = "/* Could not access threshold */"
    loadFactor = "/* Could not access loadFactor */"
    keySet = "/* Could not access keySet */"
    values = "/* Could not access values */"
  options = class java.util.Collections$UnmodifiableMap@bf751b89
    serialVersionUID = "/* Could not access serialVersionUID */"
    m = "/* Could not access m */"
    keySet = "/* Could not access keySet */"
    entrySet = "/* Could not access entrySet */"
    values = "/* Could not access values */"
  temporarySubject = null
  serialVersionUID = -8873301121271047884
  $$$tc$$$ = class com.ibm.websphere.ras.TraceComponent@d860172f
    strings[0] = "TraceComponent[com.ibm.ws.security.jaas.common.modules.CommonLoginModule,class com.ibm.ws.security.jaas.common.modules.CommonLoginModule,[security],com.ibm.ws.security.jaas.common.internal.resources.JAASCommonMessages,null]"