com.ibm.websphere.security.WSSecurityException: the realms do not match

Question

I'm getting this exception when trying to access a JAX-WS webservice running on the same WAS 7.0 server as the client.

Caused by: javax.xml.ws.WebServiceException: java.io.IOException: Unable to deserialize the Subjects in this Context, cause: the realms do not match

I have a realm set up for user authentication and this call works fine with that realm disabled. Both server and client are running in the same cell.

My current thinking is that my web service is not providing any realm information at all, causing this problem, so I need to do something in my web service to provide a realm - but what? Even google-fu is failing me on this one!

Answer 1

It turned out to be that there needed to be a trust relationship between my local file-based admin realm and the realm I set up for my users to log on with.

WAS seems to do a lot of security gubbins under the covers, but turning on trace output for WSSecurity stuff helps shed light on problems.

Answer 2

The Realm is set in the LTPA token assigned to the call, and the realms of the client and server needs to match.

I.e. if client authenticates the user and sets and LTPA token with realm="Ldap1:389" then the server needs to have the same realm set. Or it needs to explicitly trust the given realm. This can be set up in WAS admin console, for an explanation of LTPA have a look here: http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=/com.ibm.websphere.express.doc/info/exp/ae/csec_ltpa.html