|
Problem(Abstract) |
Microsoft® Internet Information Services (IIS) returns a
404 "File Not Found" when requesting a WebSphere page which contains a
long URI, Query String or content length. The request is logged in the
exlog of the Web server, but is not found in the http_plugin.log
file. |
|
|
|
Cause |
This problem is typically encountered when the Microsoft
Internet Information Services (IIS) UrlScan Security Tool is
enabled to protect the Web server against processing certain HTTP
requests. This tool consists of two files, UrlScan.dll and
UrlScan.ini.
The UrlScan.ini contains a RequestsLimits section with
three entries that can prevent WebSphere requests with long URIs or query
strings from reaching the HTTP plug-in ISAPI Filter.. This can also
effect WebSphere requests with large Content Lengths.
The following three entries are briefly listed below and documented as
such on the Microsoft web site for the UrlScan Security Tool:
- MaxAllowedContentLength
Enforces a maximum value to content?length. It does not actually
prevent the server from necessarily reading in more data than the value
specifies. For example, if a client makes a chunk transfer encoded POST,
this UrlScan option is not effective in tracking the size of the entity in
the request. The default value is ~2 GB (2,000,000,000 bytes).
- MaxUrl
Restricts the length of the request URL, in bytes, but it does not
restrict the length of the query string. When you upgrade UrlScan by using
the installer, the default value is 16 KB.
- MaxQueryString
Restricts the length of the query string, in bytes. The default value
is 4 KB.
|
|
|
Resolving the
problem |
To resolve the problem, the
MaxAllowedContentLength, MaxUrl and MaxQueryString
settings should be evaluated and adjusted if needed to accommodate the
size of the WebSphere request's long URI, Query String or large Content
Length. By doing so, this should prevent the URLScan Security Tool from
blocking these requests and allow them to be passed to the HTTP plug-in
ISAPI Filter for further processing.
The URLScan Security Tool is configured in IIS as an ISAPI Filter.
Therefore, you can review the ISAPI Filters section of IIS configuration
to see if it is being used.
How to quickly identify if the URLScan Filter is configured in IIS:
- IIS 5.0
- Right-click the host name in the tree on the left and click
Properties.
- Go to the Internet Information Services tab.
- Click WWW Service in the Master properties window.
- Click Edit to open the WWW Service master properties
window.
- Click the ISAPI Filters tab.
- The URLScan Filter will be displayed in the list.
- IIS 6.0
- Right-click Default Web Site in the tree on the left and click
Properties.
- Go to the Internet Information Services tab.
- Go to the ISAPI Filters tab.
- The URLScan Filter will be displayed in the list.
Also, if you have the IIS 6.0 configuration file (metabase.xml)
you can open the file in a text editor and search on keyword "UrlScan".
You should see something similar to the following:
<IIsFilter Location
="/LM/W3SVC/Filters/URLSCAN"
FilterDescription="UrlScan ISAPI Filter"
FilterEnableCache="TRUE"
FilterFlags="NotifyPreProcHeaders | NotifySendResponse |
NotifySendRawData | NotifyEndOfRequest | NotifyOrderHigh"
FilterPath="C:\WINDOWS\system32\inetsrv\urlscan\urlscan.dll"
FilterState="1"
>
</IIsFilter> |
|
|
|
|
|
Cross Reference information |
Segment |
Product |
Component |
Platform |
Version |
Edition |
Application Servers |
Runtimes for Java Technology |
Java SDK |
|
|
|
|
|
|