APAR status
Closed as program error.
Error description
Customer states that the same security constraints work on AWS 4.0.6.
He set up 2 constraints: /* with everyone and all authenticated, and /secure and /* with all authenticated. If they go through /secure/index.jsp the user gets asked for the security credentials. But if they go to url /secure or /secure/ they get to the default page and it doesn't ask for the security constraints.
They have a simple webapp of the testcase that he can send. I asked him to send the ear, with the url that works and doesn't work and the security.xml file.
Received email in weblev2 with ear file:
According to the security constraints, the following two URLs should be secured and require authentication, but they do not:
/SecurityConstraintDefectWeb/secure
/SecurityConstraintDefectWeb/secure/
The following URL is also secured and it does prompt for authentication as expected:
/SecurityConstraintDefectWeb/secure/index.jsp
Here are the security constraints:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Everything</web-resource-name>
    <description></description>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <description></description>
    <role-name>Everyone</role-name>
    <role-name>AllAuthenticated</role-name>
  </auth-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>secure</web-resource-name>
    <description></description>
    <url-pattern>/secure/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <description></description>
    <role-name>AllAuthenticated</role-name>
  </auth-constraint>
</security-constraint>
Local fix
Problem summary
USERS AFFECTED: WebSphere Application Server users who have enabled security and deployed applications defining security constraints on web resources.
PROBLEM DESCRIPTION: Security constraints defined for /someURI/* do not map to the /someURI/ and /someURI URIs. This does not conform to the Servlet 2.3 specification.
RECOMMENDATION:
This defect was induced by changes introduced in PQ83913.
Problem conclusion
Wildcard URI mappings for security constraints have been corrected to conform to section 11.2 of the Servlet 2.3 specification.
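The mapping rule this fix restores can be checked with a small model, added here as an illustration and not taken from WebSphere or from the APAR. It assumes the longest matching pattern decides and that a constraint listing Everyone admits unauthenticated requests; `matches_defect` is a hypothetical reconstruction of the reported symptom only, and `/securex` and `/index.jsp` are constructed test paths.

```python
# Added illustration; a model of the matching rule, not WebSphere code.
# Built from the two constraints on this page: url-pattern -> roles.
CONSTRAINTS = {
    "/*": {"Everyone", "AllAuthenticated"},
    "/secure/*": {"AllAuthenticated"},
}

def matches_spec(pattern, path):
    """Rule the APAR says the spec requires: '/x/*' covers '/x', '/x/' and below."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]                      # '/secure/*' -> '/secure'
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):                   # extension mapping
        return path.endswith(pattern[1:])
    return path == pattern                         # exact match

def matches_defect(pattern, path):
    """Hypothetical model of the reported symptom: '/x/*' misses '/x' and '/x/'."""
    if pattern.endswith("/*"):
        prefix = pattern[:-1]                      # '/secure/*' -> '/secure/'
        return path.startswith(prefix) and len(path) > len(prefix)
    return matches_spec(pattern, path)

def requires_login(path, matcher):
    """Assumption: the longest matching pattern decides, and a constraint
    that lists Everyone lets unauthenticated requests through."""
    hits = [p for p in CONSTRAINTS if matcher(p, path)]
    if not hits:
        return False
    return "Everyone" not in CONSTRAINTS[max(hits, key=len)]

# Paths relative to the context root; '/securex' and '/index.jsp' are constructed.
PATHS = ["/secure", "/secure/", "/secure/index.jsp", "/securex", "/index.jsp"]

def unprotected_by_defect():
    """Paths the spec rule protects but the defective rule leaves open."""
    return [p for p in PATHS
            if requires_login(p, matches_spec)
            and not requires_login(p, matches_defect)]

if __name__ == "__main__":
    for p in PATHS:
        print(p, requires_login(p, matches_spec), requires_login(p, matches_defect))
```

The same path list works as a post-fix regression check against a deployed application: request each path unauthenticated and compare whether a login challenge appears with the `matches_spec` column.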
Temporary fix
Sent a testfix to the customer.
Comments
APAR information
APAR number: PQ91780
Reported component name: WAS BASE 5.0
Reported component ID: 5630A3600
Reported release: 00S
Status: CLOSED PER
PE: NoPE
HIPER: NoHIPER
Special Attention: NoSpecatt
Submitted date: 2004-07-21
Closed date: 2004-08-04
Last modified date: 2004-08-04
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
Publications Referenced
Applicable component levels
R003 PSN UP
R00A PSY UP
R00H PSY UP
R00I PSY UP
R00P PSN UP
R00S PSY UP
R00W PSY UP
R103 PSN UP
R10A PSN UP
R10H PSN UP
R10I PSN UP
R10P PSN UP
R10S PSN UP
R10W PSN UP