APAR status
Closed as program error.
Error description
Redirect creates an http request instead of https when the
original https request comes to WebSphere through an SSL
offloader front end.
This issue occurs when an SSL offloader is used in front of
WebSphere. An https request comes to the SSL offloader and is
forwarded over http to a webserver with the WebSphere plugin.
The problem occurs if the original request is redirected by a
WebSphere application. The redirected request becomes an http
request because WebSphere is not aware that the original https
request was intercepted by an SSL offloader and forwarded to
WebSphere over http.
The SSL offloader adds a header indicating the original request
was over https. WebSphere needs to be changed to be able to
look for this header that indicates the original request is over
https. By doing this WebSphere can correctly construct the
redirect using https.
Local fix
none known
Problem summary
****************************************************************
* USERS AFFECTED: WebSphere Application Server users of an *
* SSL offloader front end. *
****************************************************************
* PROBLEM DESCRIPTION: Redirect creates an http request *
* instead of https when the original *
* https request comes to Application *
* Server over an SSL offloader front end. *
* *
****************************************************************
* RECOMMENDATION: *
* *
****************************************************************
This issue occurs when an SSL offloader is used in front of
WebSphere. An https request comes to the SSL offloader and is
forwarded over http to a webserver with the WebSphere plugin.
The problem occurs if the original request is redirected by an
Application Server application. The redirected request becomes
an http request because Application Server is not aware that
the original https request was intercepted by an SSL offloader
and forwarded to Application Server over http.
The SSL offloader adds a header indicating the original request
was over https. Application Server needs to be changed to be
able to look for this header that indicates the original
request is over https. By doing this Application Server can
correctly construct the redirect using https.
Problem conclusion
A WebContainer property, HttpsIndicatorHeader, is added for
this purpose. The property specifies the name of the header
that should be added by the SSL terminating device. The
Application Server WebContainer checks for the existence of the
header named by this property to determine whether the client
is using SSL, so that some APIs (such as getScheme() of
ServletRequest) return HTTPS. When a header with the name
configured in HttpsIndicatorHeader exists, the HTTPS scheme is
used.
Note that the existence of the header, and not the header value,
determines whether the SSL scheme is returned. As an example,
if the response is 302 (redirect) and the header exists, the
WebContainer creates the Location header with the correct
scheme (HTTPS instead of HTTP), so that a redirect with the SSL
scheme in the Location header is sent to the client.
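The decision described above, modeled in plain Java as an added
example (not WebSphere code and not part of the original APAR).
The header name X-SSL-Offloaded, the host name and the helper
names are assumptions made for illustration.

```java
import java.util.Map;
import java.util.TreeMap;

// Added illustration of the behaviour described above; not WebSphere source code.
public class HttpsIndicatorModel {

    // Models getScheme(): indicatorHeader stands for the HttpsIndicatorHeader
    // property (null = not configured). The request reached the container over http.
    static String scheme(Map<String, String> headers, String indicatorHeader) {
        // Only the presence of the header is tested; its value is never read.
        if (indicatorHeader != null && headers.containsKey(indicatorHeader)) {
            return "https";
        }
        return "http";
    }

    // Models the Location header built for a 302 to a server-relative path.
    static String location(Map<String, String> headers, String indicatorHeader, String path) {
        return scheme(headers, indicatorHeader) + "://" + headers.get("Host") + path;
    }

    // HTTP header names are case-insensitive, so the map compares keys that way.
    static Map<String, String> request(String... nameValuePairs) {
        Map<String, String> headers = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        for (int i = 0; i + 1 < nameValuePairs.length; i += 2) {
            headers.put(nameValuePairs[i], nameValuePairs[i + 1]);
        }
        return headers;
    }

    public static void main(String[] args) {
        String prop = "X-SSL-Offloaded";   // hypothetical header name
        String host = "shop.example.com";  // constructed host name

        // Offloader terminated SSL and added the indicator header.
        Map<String, String> offloaded = request("Host", host, "x-ssl-offloaded", "1");
        // Header present but empty: presence alone still selects https.
        Map<String, String> emptyValue = request("Host", host, "X-SSL-Offloaded", "");
        // Plain http request that never passed through SSL termination.
        Map<String, String> plain = request("Host", host);

        System.out.println(location(offloaded, prop, "/login"));
        System.out.println(location(emptyValue, prop, "/login"));
        System.out.println(location(plain, prop, "/login"));
        // Property not configured: the behaviour reported in the error description.
        System.out.println(location(offloaded, null, "/login"));
    }
}
```

Because presence alone selects https, the indicator header is
only meaningful when the SSL terminating device is the sole
component that sets it on requests reaching the WebContainer.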
Temporary fix
Comments
APAR information
APAR number | PQ86347
Reported component name | WAS BASE 5.0
Reported component ID | 5630A3600
Reported release | 00S
Status | CLOSED PER
PE | NoPE
HIPER | NoHIPER
Special Attention | NoSpecatt
Submitted date | 2004-03-18
Closed date | 2004-05-17
Last modified date | 2005-12-16
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
Publications Referenced
Applicable component levels
R003 PSY | UP
R00A PSY | UP
R00H PSY | UP
R00I PSY | UP
R00P PSY | UP
R00S PSY | UP
R00W PSY | UP
R103 PSY | UP
R10A PSY | UP
R10H PSY | UP
R10I PSY | UP
R10P PSY | UP
R10S PSY | UP
R10W PSY | UP