PK29128: WASREQURL CONTAINS FULL URL WHICH INCLUDES THE HOSTNAME, NOT THE RELATIVE URL.

 Fixes are available

6.1.0.15 WebSphere Application Server V6.1 Fix Pack 15 for i5/OS
5.1.1.17: WebSphere Application Server V5.1.1 Cumulative Fix 17 for AIX
5.1.1.17: WebSphere Application Server V5.1.1 Cumulative Fix 17 for HP-UX
6.1.0.13 WebSphere Application Server V6.1 Fix Pack 13 for AIX
5.1.1.19: WebSphere Application Server V5.1.1 Cumulative Fix 19 for Linux
5.1.1.16: WebSphere Application Server V5.1.1 Cumulative Fix 16 for AIX
5.1.1.18: WebSphere Application Server V5.1.1 Cumulative Fix 18 for AIX
5.1.1.18: WebSphere Application Server V5.1.1 Cumulative Fix 18 for HP-UX
6.1.0.15 WebSphere Application Server V6.1 Fix Pack 15 for AIX
5.1.1.18: WebSphere Application Server V5.1.1 Cumulative Fix 18 for Solaris
5.1.1.18: WebSphere Application Server V5.1.1 Cumulative Fix 18 for Windows
6.1.0.15: WebSphere Application Server V6.1 Fix Pack 15 for HP-UX
6.1.0.15: WebSphere Application Server V6.1 Fix Pack 15 for Windows
6.1.0.13: WebSphere Application Server V6.1 Fix Pack 13 for Windows
6.1.0.17 WebSphere Application Server V6.1 Fix Pack 17 for i5/OS
6.1.0.13: WebSphere Application Server V6.1 Fix Pack 13 for i5/OS
6.1.0.13: WebSphere Application Server V6.1 Fix Pack 13 for HP-UX
6.1.0.17: WebSphere Application Server V6.1 Fix Pack 17 for Linux
6.1.0.17: WebSphere Application Server V6.1 Fix Pack 17 for Solaris
6.1.0.17: WebSphere Application Server V6.1 Fix Pack 17 for HP-UX
6.1.0.17: WebSphere Application Server V6.1 Fix Pack 17 for Windows
6.1.0.17 WebSphere Application Server V6.1 Fix Pack 17 for AIX
6.1.0.13: WebSphere Application Server V6.1 Fix Pack 13 for Solaris
5.1.1.18: WebSphere Application Server V5.1.1 Cumulative Fix 18 for Linux
6.1.0.15: WebSphere Application Server V6.1 Fix Pack 15 for Linux
5.1.1.17: WebSphere Application Server V5.1.1 Cumulative Fix 17 for Linux
5.1.1.17: WebSphere Application Server V5.1.1 Cumulative Fix 17 for Solaris
5.1.1.17: WebSphere Application Server V5.1.1 Cumulative Fix 17 for Windows
6.1.0.15: WebSphere Application Server V6.1 Fix Pack 15 for Solaris
5.1.1.19: WebSphere Application Server V5.1.1 Cumulative Fix 19 for AIX
5.1.1.19: WebSphere Application Server V5.1.1 Cumulative Fix 19 for Windows
5.1.1.16: WebSphere Application Server V5.1.1 Cumulative Fix 16 for Solaris
5.1.1.16: WebSphere Application Server V5.1.1 Cumulative Fix 16 for Windows
5.1.1.14: WebSphere Application Server V5.1.1 Cumulative Fix 14 for Solaris
6.1.0.5: WebSphere Application Server V6.1.0 Fix Pack 5 for Solaris
6.1.0.7 WebSphere Application Server V6.1 Fix Pack 7 for AIX
6.1.0.5: WebSphere Application Server V6.1.0 Fix Pack 5 for AIX
5.1.1.13: WebSphere Application Server V5.1.1 Cumulative Fix 13 for AIX
5.1.1.13: WebSphere Application Server V5.1.1 Cumulative Fix 13 for Windows
5.1.1.13: WebSphere Application Server V5.1.1 Cumulative Fix 13 for HP-UX
5.1.1.15: WebSphere Application Server V5.1.1 Cumulative Fix 15 for Solaris
5.1.1.13: WebSphere Application Server V5.1.1 Cumulative Fix 13 for Solaris
5.1.1.13: WebSphere Application Server V5.1.1 Cumulative Fix 13 for Linux
6.1.0.5: WebSphere Application Server V6.1.0 Fix Pack 5 for Windows
6.1.0.5: WebSphere Application Server V6.1.0 Fix Pack 5 for HP-UX
6.1.0.7: WebSphere Application Server V6.1 Fix Pack 7 for i5/OS
6.1.0.5: WebSphere Application Server V6.1.0 Fix Pack 5 for i5/OS
5.1.1.14: WebSphere Application Server V5.1.1 Cumulative Fix 14 for AIX
5.1.1.14: WebSphere Application Server V5.1.1 Cumulative Fix 14 for Linux
5.1.1.14: WebSphere Application Server V5.1.1 Cumulative Fix 14 for Windows
5.1.1.15: WebSphere Application Server V5.1.1 Cumulative Fix 15 for Windows
6.1.0.9 WebSphere Application Server V6.1 Fix Pack 9 for AIX
6.1.0.9: WebSphere Application Server V6.1 Fix Pack 9 for i5/OS
6.1.0.7: WebSphere Application Server V6.1 Fix Pack 7 for Windows
5.1.1.14: WebSphere Application Server V5.1.1 Cumulative Fix 14 for HP-UX
6.1.0.9: WebSphere Application Server V6.1 Fix Pack 9 for HP-UX
5.1.1.15: WebSphere Application Server V5.1.1 Cumulative Fix 15 for AIX
5.1.1.15: WebSphere Application Server V5.1.1 Cumulative Fix 15 for HP-UX
6.1.0.5: WebSphere Application Server V6.1.0 Fix Pack 5 for Linux
6.1.0.7: WebSphere Application Server V6.1 Fix Pack 7 for HP-UX
6.1.0.9: WebSphere Application Server V6.1 Fix Pack 9 for Linux
6.1.0.9: WebSphere Application Server V6.1 Fix Pack 9 for Solaris
6.1.0.9: WebSphere Application Server V6.1 Fix Pack 9 for Windows
6.1.0.11: WebSphere Application Server V6.1 Fix Pack 11 for HP-UX
6.1.0.11: WebSphere Application Server V6.1 Fix Pack 11 for Windows
5.1.1.16: WebSphere Application Server V5.1.1 Cumulative Fix 16 for HP-UX
5.1.1.16: WebSphere Application Server V5.1.1 Cumulative Fix 16 for Linux
5.1.1.15: WebSphere Application Server V5.1.1 Cumulative Fix 15 for Linux
6.1.0.7: WebSphere Application Server V6.1 Fix Pack 7 for Solaris
6.1.0.7: WebSphere Application Server V6.1 Fix Pack 7 for Linux
6.1.0.11: WebSphere Application Server V6.1 Fix Pack 11 for Solaris
6.1.0.11: WebSphere Application Server V6.1 Fix Pack 11 for Linux
6.1.0.11: WebSphere Application Server V6.1 Fix Pack 11 for i5/OS
6.1.0.11 WebSphere Application Server V6.1 Fix Pack 11 for AIX
6.1.0.13: WebSphere Application Server V6.1 Fix Pack 13 for Linux
5.1.1.19: WebSphere Application Server V5.1.1 Cumulative Fix 19 for HP-UX
6.1.0.19 WebSphere Application Server V6.1 Fix Pack 19 for AIX
6.1.0.19: WebSphere Application Server V6.1 Fix Pack 19 for HP-UX
6.1.0.19 WebSphere Application Server V6.1 Fix Pack 19 for i5/OS
6.1.0.19: WebSphere Application Server V6.1 Fix Pack 19 for Linux
6.1.0.19: WebSphere Application Server V6.1 Fix Pack 19 for Solaris
6.1.0.19: WebSphere Application Server V6.1 Fix Pack 19 for Windows
Java SDK 1.5 SR8 Cumulative Fix for WebSphere Application Server
6.1.0.21 WebSphere Application Server V6.1 Fix Pack 21 for AIX
6.1.0.21 WebSphere Application Server V6.1 Fix Pack 21 for i5/OS
6.1.0.21: WebSphere Application Server V6.1 Fix Pack 21 for Windows
6.1.0.21: WebSphere Application Server V6.1 Fix Pack 21 for Solaris
6.1.0.21: WebSphere Application Server V6.1 Fix Pack 21 for Linux
6.1.0.21: WebSphere Application Server V6.1 Fix Pack 21 for HP-UX



APAR status
Closed as program error.

Error description
WasReqURL contains full URL which includes the hostname, not the
relative URL.

The Servlet Spec says the login form associated with the
security constraint is sent to the client and the URL path
triggering the authentication is stored by the container.

So the full URL might be:
http[s]://<servername>[:port]/<url-path>[?<query-string>]

However, only the <url-path> should be preserved, not the full
URL.

This could be seen in the network traffic:

HTTP/1.x 302 Found
Date: Tue, 30 May 2006 19:12:31 GMT
Server: IBM_HTTP_SERVER
Set-Cookie: WSESSIONID=0000FgFmJ1lBDFvVBdbN5uEfYqe:11cs198g2; Path=/; Secure
Set-Cookie: WASReqURL=http://www.MyHostName.com/contextRoot/overview.html; Path=/

Local fix

Problem summary
****************************************************************
* USERS AFFECTED: WebSphere Application Server users who are   *
*                 using the FormLogin function.                *
****************************************************************
* PROBLEM DESCRIPTION: One of the cookies for FormLogin        *
*                      contains a fully qualified URL.         *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
When an application uses the Form Login function, WebSphere
Application Server generates a WASReqURL cookie which stores
the original request URL. The current implementation stores
the fully qualified URL rather than the URL path.
Therefore, the Form Login function might expose a backend
hostname to clients even though the backend server is located
behind a reverse proxy to conceal its hostname.

Problem conclusion
With this fix, the Form Login function generates a cookie
that contains only the URL path.
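
A check for the behaviour described above, as an added example (not IBM's code): it parses the Set-Cookie headers of a raw HTTP response and reports any hostname carried in a WASReqURL value. The function names, the path-only `FIXED` sample and the handling of percent-encoded values are assumptions made for illustration; the `VULNERABLE` sample is constructed from the response shown in the error description.

```python
from urllib.parse import unquote, urlsplit

# Constructed sample: the 302 response quoted in this APAR.
VULNERABLE = (
    "HTTP/1.x 302 Found\r\n"
    "Server: IBM_HTTP_SERVER\r\n"
    "Set-Cookie: WSESSIONID=0000FgFmJ1lBDFvVBdbN5uEfYqe:11cs198g2; Path=/; Secure\r\n"
    "Set-Cookie: WASReqURL=http://www.MyHostName.com/contextRoot/overview.html; Path=/\r\n"
    "\r\n"
)
# Constructed sample: the same response with a path-only cookie value.
FIXED = VULNERABLE.replace("http://www.MyHostName.com", "")


def wasrequrl_values(raw_response):
    """Return the value of every WASReqURL cookie set by a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:           # skip the status line
        name, sep, rest = line.partition(":")
        if not sep or name.strip().lower() != "set-cookie":
            continue
        pair = rest.split(";", 1)[0].strip()       # "NAME=value", attributes dropped
        cname, _, cvalue = pair.partition("=")
        if cname.strip() == "WASReqURL":
            # Assumption: tolerate quoted or percent-encoded cookie values.
            values.append(unquote(cvalue.strip().strip('"')))
    return values


def leaked_hosts(raw_response):
    """Hostnames exposed through WASReqURL; an empty list means path-only values."""
    hosts = []
    for value in wasrequrl_values(raw_response):
        parts = urlsplit(value)
        # An absolute ("http://host/...") or scheme-relative ("//host/...") value
        # carries a network location; a bare URL path does not.
        if parts.netloc:
            hosts.append(parts.hostname or parts.netloc)
    return hosts


if __name__ == "__main__":
    print("before fix:", leaked_hosts(VULNERABLE))
    print("after fix: ", leaked_hosts(FIXED))
```

Run against responses captured at the reverse proxy's public side, a non-empty result means the form-login redirect is still disclosing the backend hostname.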



The fix for this APAR is currently targeted for inclusion in
fixpack 5.1.1.13, 6.0.2.17 and 6.1.0.6. Please refer to the
Recommended Updates page for delivery information:

http://www-1.ibm.com/support/docview.wss?uid=swg27004980

Temporary fix

Comments

APAR information
APAR number PK29128
Reported component name WAS NETWRK DEPL
Reported component ID 5630A3601
Reported release 00A
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Special Attention NoSpecatt
Submitted date 2006-08-02
Closed date 2006-09-15
Last modified date 2006-09-15

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:
PK33494

Modules/Macros
SECURITY          

Publications Referenced

Fix information
Fixed component name WAS NETWRK DEPL
Fixed component ID 5630A3601

Applicable component levels
R00A PSY    UP
R00H PSY    UP
R00I PSY    UP
R00P PSY    UP
R00S PSY    UP
R00W PSY    UP
R10A PSY    UP
R10H PSY    UP
R10I PSY    UP
R10P PSY    UP
R10S PSY    UP
R10W PSY    UP


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > General
Operating system(s):
Software version: 00A
Software edition:
Reference #: PK29128
IBM Group: Software Group
Modified date: Sep 15, 2006