PK16987: WEBSECURITYEXCEPTION: INVALID URI PASSED TO SECURITY COLLABORATOR WHEN THE PATHINFO IS NULL IN THE REQUEST.

APAR status
Closed as program error.

Error description
When global security is enabled servlets returns 403/401
response codes either sporadically or consistently.
WebSecurityException: Invalid URI passed to Security
Collaborator when the pathinfo is null in the request.
Local fix Problem summary
****************************************************************
* USERS AFFECTED: All WebSphere Application Server users who   *
*                 have enabled security and using              *
*                 servlet mapping.                             *
****************************************************************
* PROBLEM DESCRIPTION: In servlet request there is a problem   *
*                      with the second and any subsequent      *
*                      request is that no longer               *
*                      "/" is added by the web component.      *
*                                                              *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
In servlet request there is a problem with the second and any
subsequent request is that no longer "/" is added.

The first request gets a / appended  even if no / is
submitted. Every following request does not get this slash
appened. The resulting "empty" URI causes an incorrect 403
response code to be returned by WebSphere.
Problem conclusion
Fixed the code as per Servlet 2.4 specification. If there is no
servletpath or pathInfo, Security should pass in a "/"  to the
security check.

The fix for this APAR is currently targeted for inclusion in
fixpack 6.0.2.7. Please refer to the Recommended  Updates page
for delivery dates:

http://www-1.ibm.com/support/docview.wss?rs=180&context=SSEQTP&
uid=swg27004980
Temporary fix
Sent a testfix
Comments
APAR information
APAR number PK16987
Reported component name WAS BASE 5.0
Reported component ID 5630A3600
Reported release 00W
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Special Attention NoSpecatt
Submitted date 2005-12-19
Closed date 2005-12-19
Last modified date 2005-12-19

APAR is sysrouted FROM one or more of the following:
PK16893

APAR is sysrouted TO one or more of the following:

Modules/Macros
SECURITY          

Publications Referenced

Fix information
Fixed component name WAS BASE 5.0
Fixed component ID 5630A3600

Applicable component levels
R10A PSY    UP
R10H PSY    UP
R10S PSY    UP
R10W PSY    UP
R003 PSY    UP
R00A PSY    UP
R00H PSY    UP
R00W PSY    UP


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > General
Operating system(s):
Software version: 00W
Software edition:
Reference #: PK16987
IBM Group: Software Group
Modified date: Dec 19, 2005