APAR status
Closed as program error.
Error description
WASReqURL contains the full URL, which includes the hostname, rather than
the relative URL.
The Servlet Spec says that the login form associated with the
security constraint is sent to the client and that the URL path
which triggered the authentication is stored by the container.
So the full URL might be:
http[s]://<servername>[:port]/<url-path>[?<query-string>]
However, only the <url-path> should be preserved, not the full
URL.
This can be seen in the network traffic:
HTTP/1.x 302 Found
Date: Tue, 30 May 2006 19:12:31 GMT
Server: IBM_HTTP_SERVER
Set-Cookie: WSESSIONID=0000FgFmJ1lBDFvVBdbN5uEfYqe:11cs198g2; Path=/; Secure
Set-Cookie: WASReqURL=http://www.MyHostName.com/contextRoot/overview.html; Path=/
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: WebSphere Application Server users who are *
* using the FormLogin function. *
****************************************************************
* PROBLEM DESCRIPTION: One of the cookies for FormLogin *
* contains a fully qualified URL. *
****************************************************************
* RECOMMENDATION: *
****************************************************************
When an application uses the Form Login function, WebSphere
Application Server generates a WASReqURL cookie which stores
the original request URL. The current implementation stores
the fully qualified URL rather than the URL path.
Therefore, the Form Login function might expose a backend
hostname to clients even though the backend server is located
behind a reverse proxy to conceal its hostname.
Problem conclusion
With this fix, the Form Login function generates a cookie
which contains only the URL path.
The fix for this APAR is currently targeted for inclusion in
fixpack 5.1.1.13, 6.0.2.17 and 6.1.0.6. Please refer to the
Recommended Updates page for delivery information:
http://www-1.ibm.com/support/docview.wss?uid=swg27004980
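As an added illustration (not IBM's code and not part of the APAR), the following Python script applies this APAR's own criterion to captured response headers: it flags a WASReqURL Set-Cookie whose value is an absolute URL (scheme and host present, which is what exposes a backend hostname through a reverse proxy) and derives the <url-path>[?<query-string>] value that a fixed server would emit. The header lines are constructed from the redirect shown above; the function names are the example's own.

```python
"""Check HTTP response headers for a WASReqURL cookie that carries an
absolute URL and derive the path-only value the fix produces.
Added example, not IBM/WebSphere code; sample headers are constructed."""
from urllib.parse import urlsplit, urlunsplit

# Constructed sample modelled on the 302 response shown in the APAR.
SAMPLE_HEADERS = [
    ("Date", "Tue, 30 May 2006 19:12:31 GMT"),
    ("Server", "IBM_HTTP_SERVER"),
    ("Set-Cookie", "WSESSIONID=0000FgFmJ1lBDFvVBdbN5uEfYqe:11cs198g2; Path=/; Secure"),
    ("Set-Cookie", "WASReqURL=http://www.MyHostName.com/contextRoot/overview.html; Path=/"),
]


def split_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, [attribute strings]).
    Minimal parser: the first ';'-separated item is name=value; the rest
    (Path=/, Secure, ...) are kept verbatim so they can be re-emitted."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]  # unquote a quoted cookie value
    return name.strip(), value, [a for a in parts[1:] if a]


def is_absolute_url(value):
    """True when the value carries a scheme and a host, i.e. it would
    reveal a hostname to the client."""
    parts = urlsplit(value)
    return bool(parts.scheme) and bool(parts.netloc)


def path_only(url):
    """Reduce a URL to <url-path>[?<query-string>], which is all the
    form-login flow needs to resume the original request."""
    parts = urlsplit(url)
    return urlunsplit(("", "", parts.path or "/", parts.query, ""))


def find_leaky_cookies(headers, cookie_name="WASReqURL"):
    """Return (cookie name, host[:port] as written, value) for every
    Set-Cookie header whose named cookie holds an absolute URL."""
    findings = []
    for header, value in headers:
        if header.lower() != "set-cookie":
            continue
        name, cookie_value, _ = split_set_cookie(value)
        if name == cookie_name and is_absolute_url(cookie_value):
            findings.append((name, urlsplit(cookie_value).netloc, cookie_value))
    return findings


def harden_set_cookie(header_value):
    """Rewrite a Set-Cookie value so the cookie holds only the URL path,
    keeping the other attributes in their original order. Values that are
    not absolute URLs (session ids etc.) are returned unchanged."""
    name, value, attrs = split_set_cookie(header_value)
    if not is_absolute_url(value):
        return header_value
    return "; ".join([f"{name}={path_only(value)}"] + attrs)


if __name__ == "__main__":
    for name, host, value in find_leaky_cookies(SAMPLE_HEADERS):
        print(f"{name} exposes backend host {host}: {value}")
    for header, value in SAMPLE_HEADERS:
        if header == "Set-Cookie":
            print("Set-Cookie:", harden_set_cookie(value))
```

Run against a saved copy of the redirect response; a WASReqURL value that already starts with `/` produces no finding, which is the behaviour this APAR's fix restores.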
Temporary fix
Comments
APAR information
APAR number | PK29128
Reported component name | WAS NETWRK DEPL
Reported component ID | 5630A3601
Reported release | 00A
Status | CLOSED PER
PE | NoPE
HIPER | NoHIPER
Special Attention | NoSpecatt
Submitted date | 2006-08-02
Closed date | 2006-09-15
Last modified date | 2006-09-15
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following: PK33494
Modules/Macros
Publications Referenced
Fix information
Fixed component name | WAS NETWRK DEPL
Fixed component ID | 5630A3601
Applicable component levels:
R00A PSY | UP
R00H PSY | UP
R00I PSY | UP
R00P PSY | UP
R00S PSY | UP
R00W PSY | UP
R10A PSY | UP
R10H PSY | UP
R10I PSY | UP
R10P PSY | UP
R10S PSY | UP
R10W PSY | UP