PQ53428: NO CHALLENGE ON JSPS WHEN SECURE URIS ARE INCLUDED.


APAR

APAR status
Closed as program error.

Error description
Problem definition:
.
I want to secure the contents of a subdirectory which is off the
document root of my webapp. The subdirectory contains nothing
but html files.
My WebApp contains the File Serving Enabler.
.
I can secure the sub-directory (/html/sub/*) such that if I type
in a fully qualified URL to a specific html file
(host/webapp_path/html/sub/subsa1.html) I get challenged.
.
PROBLEM: JSPs do not get challenged when they have the 'secure'
content included!
.
If I use the JSP include directive i.e. <% @ include file
="/html/sub/subsa1.html" %> , this includes the file without
challenge.
.
If I use the JSP include element i.e. <jsp:include page
="/html/sub/subsa1.html"/>, this tries to include the file but I
get an AuthorizationFailure page returned & no challenge.
.
The difficulty I see here is the URI that I am using in the JSP & the URI that I am securing...
.
The URI that I am securing is 'webapp_path/html/sub/*'; the one
that I'm using is '/html/sub/subsa1.html'; is the
webapp_path an issue here?
.
How do I protect these files from the JSPs without creating a
separate webapp and segregating the content or by securing the
JSP itself?
I have also tried creating '/html/sub/*' &
'/html/sub/subsa1.html' as URIs & securing them & still no joy
.
.
SIMPLE TEST
refer to tsite.zip
.
1. Unzip 'tsite.zip' onto your C drive
.
It creates the following directory structure:
.
i. c:data\src\test\ - no files
ii. c:data\src\test\workdir\ - no files
iii. c:data\src\test\lib\ - no files
iv. c:data\src\test\HTML - no files
v. c:data\src\test\HTML\html - contains sa1/2/3.html
vi. c:data\src\test\HTML\html\sub - contains subsa1/2/3.html
vii. c:data\src\test\jsp - contains framework1/2.jsp
.
2. Create your app server
Create a simple webapp (AlBait) with JSP 1.0 Processor & File
Serving Enabler
set WebApplication web path to '/AlBait'
Document root to iv
Classpath to iii
set working directory to ii
.
3. Enable WebSphere Security
Basic Authentication
Realm Default
I'm using a Netscape based LDAP service.
.
4. Create Enterprise (MyApp)
Create Enterprise App --> Add AlBait webapp as a resource,
Revoke no others, Finish
Configure Application Security --> Realm 'Default'; Challenge
'Basic', Finish
Configure Security Permissions --> Select All Methods, Grant
Permissions to 'All Authenticated Users', Revoke no other
resources & finish
.
5. Create & Secure URI
.
I want to secure everything in the '../sub' directory (i.e. vi in 1
above). To do this I need to create a URI to this sub-directory,
i.e. '/AlBait/html/sub/*', and secure it. I also need to add it
to the webpath of the File Enabling Servlet (I read this in the
InfoCenter). However, there is a bug in this process according
to the FP4 release notes.
.
The way to get round this is by first adding the URI to the
WebPath of the FSE. The URI is then created for you & can be
seen under <Default_host>. When I add a new webpath & press
ADD I see that 'albait' is already filled in & can't be
removed, so I append '/html/sub/*' then save & apply. You
then actually have to start & stop the console & service to
see the new URI!
.
Once the URI is available, go to Configure Resources > expand
Virtual Hosts > expand default_host > select 'AlBait/html/sub/*'
> Next > Select all Methods > Finish. To see the method groups
under the URI you have to restart the Console & server.
.
RESULTS:
Once restarted, I get the following results:
.
http://host/AlBait/html/sub/subsa1.html gives me a challenge.
In fact any html file in this path is challenged.
.
http://host/AlBait/jsp/Framework2.jsp does not give me a
challenge! This has both JSP include statements.
<% @ include file="/html/sub/subsa1.html" %> shows subsa1.html
<jsp:include page="/html/sub/subsa1.html"/> gives an
AuthorizationFailure, error 403
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: All WebSphere Application Server users       *
*                 which have enabled security and have         *
*                 problems accessing protected resources       *
*                 from unprotected resources.                  *
****************************************************************
* PROBLEM DESCRIPTION: Configuration restriction which does    *
*                      not allow access of protected           *
*                      resources from unprotected resources.   *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
If a user tries to access a protected resource from an
unprotected resource, an authorization failure occurs without
the user being challenged for authentication.
Problem conclusion
The reason this occurred is that authentication was already
assumed to be done by the time the second resource was
accessed even though the user had not been authenticated.
A boolean value is now used to determine if the user has been
authenticated.
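As an added illustration (not WebSphere code), a minimal model of the decision the conclusion describes: a protected resource reached through a JSP include is either assumed to be past authentication (the defect, yielding 403 with no challenge) or judged by an explicit authenticated flag on the request (the correction). The context root, protected URI and include path come from the test case above; the `Request` class, `verify` stand-in and the "alice:secret" credential are constructed for the example.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

CONTEXT_ROOT = "/AlBait"                  # web path from the test case above
PROTECTED_URIS = ["/AlBait/html/sub/*"]   # URI secured in step 5

@dataclass
class Request:
    credentials: Optional[str] = None     # Basic credentials, if presented
    authenticated: bool = False           # set only after verification

def normalize(uri: str) -> str:
    """Resolve a context-relative include path against the web path."""
    return uri if uri.startswith(CONTEXT_ROOT + "/") else CONTEXT_ROOT + uri

def is_protected(uri: str) -> bool:
    return any(fnmatchcase(normalize(uri), p) for p in PROTECTED_URIS)

def verify(credentials: Optional[str]) -> bool:
    # Constructed stand-in for the realm lookup: one valid user.
    return credentials == "alice:secret"

def authorize(req: Request, target: str, included: bool, fixed: bool) -> str:
    """Outcome for one resource access.

    included: the target is reached via <%@ include %> / <jsp:include>.
    fixed: rely on the recorded authenticated flag (the APAR's correction)
    instead of assuming an included resource is already past authentication.
    """
    if not is_protected(target):
        return "200"
    if not req.authenticated and verify(req.credentials):
        req.authenticated = True
    if fixed:
        believed_authenticated = req.authenticated
    else:
        # Defect: an include is assumed to have been authenticated by the
        # outer request, even when that outer request was unprotected.
        believed_authenticated = req.authenticated or included
    if not believed_authenticated:
        return "401 challenge"
    return "200" if req.authenticated else "403 AuthorizationFailure"

def render_jsp(req: Request, jsp: str, include_target: str, fixed: bool) -> str:
    """Serve an unprotected JSP, then the resource it includes."""
    outer = authorize(req, jsp, included=False, fixed=fixed)
    if outer != "200":
        return outer
    return authorize(req, include_target, included=True, fixed=fixed)
```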
Temporary fix
Comments
APAR information
APAR number: PQ53428
Reported component name: WAS ADVANCED AI
Reported component ID: 5648C8400
Reported release: 350
Status: CLOSED PER
PE: NoPE
HIPER: NoHIPER
Submitted date: 2001-10-13
Closed date: 2001-11-06
Last modified date: 2001-11-06

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:
PQ54124

Modules/Macros
SECURITY

Fix information
Fixed component name: WAS ADVANCED AI
Fixed component ID: 5648C8400

Applicable component levels
R350 PSYUP
Document Information

Product categories: Software, Application Servers, Distributed Application & Web Servers, WebSphere Application Server, General
Software version: 350
Reference #: PQ53428
IBM Group: Software Group
Modified date: 2001-11-06