eFix (APAR): pq48883
Status: eFix
For Release: WebSphere 3.5.3, 3.5.4
For Operating System: ALL
Supersedes eFixes: none
Prerequisite eFixes: PQ48816
CMVC defect: PQ48883
Byte size of APAR: 37,027 bytes
Date: 5/24/01

Abstract:
THIS EFIX ALSO REQUIRES PQ48816.

Unable to secure JSPs and other resources served by WebSphere. Customer wants to create subdirectories underneath the document root of a particular webapp and define each directory as a secured or unsecured resource.

Example: On the file system, the following directory structure is created.

    /secured_jsp
    /non_secured_jsp
    /secured_static
    /non_secured_static

Customer should be able to define the following in the servlet web path list.

For JSPs (removing the *.jsp entry in the servlet web path list for the servlet handling JSPs (1.0 and 1.1)):

    default_host/secured_jsp/*
    default_host/non_secured_jsp/*

For static content (edit the default "/" in the servlet web path list for the servlet handling static resources (SimpleFileServlet)):

    default_host/secured_static/*
    default_host/non_secured_static/*

Restart the webapp(s) and check to see if the modified servlet path URIs serve the correct pages.

Note: Separate directories need to be specified if there is a need to create secured and non-secured directories for JSPs and static resources in the same webapp. For example, a "default_host/secured/*" can only be defined once in a webapp, hence the sample above distinguishes between JSPs and static resources. See below for a simple security setup for testing this fix.

Description/symptom of problem:
FileNotFoundExceptions were thrown.

Directions to apply efix:

1) Create "efix" directory to store the efix jar file(s):

    AIX:     /usr/WebSphere/AppServer/efix
    Solaris: /opt/WebSphere/AppServer/efix
    Linux:   /opt/IBMWebAS/efix
    Windows: c:\WebSphere\AppServer\efix

2) Copy PQ48883.jar to the directory.

3) Add the directory/jar file to the beginning of the admin server's classpath in admin.config:

    com.ibm.ejs.sm.adminserver.classpath=C:/WebSphere/AppServer/efix/PQ48883.jar;C:/WebSphere/AppServer/efix/PQ48816.jar...

4) Stop and restart the Admin Server.

Additional Information:
This efix is designed to work for SimpleFileServlet, com.sun.jsp.runtime.JspServlet (jsp1.0) and org.apache.jasper.runtime.JspServlet (jsp1.1). This efix also requires PQ48816 since this efix provides necessary fixes for both JSPs and static resources (SimpleFileServlet).

Security Setup:
L3 did the following when testing this efix.

1) Set up the directories and modified the servlet web paths similar to what was defined above.

2) Using the wizard, created an Enterprise Application. Fill in each page and click Next. Click Finish when completed.

3) Configure Global Security. Click on Enable Security. Selected Local Operating System (Authentication Mechanism). User Registry (enter OS username and password).

4) Configure Application Security. Select the Enterprise Application created in step 2.

5) Configure Resource Security. L3 went through this step once for each URL to be secured.

6) Configure Security Permissions. L3 missed this step and received authorization denied without even receiving the challenge pop-up window when requesting a secured URL.

7) Shut down the node and restart WebSphere. The security changes should be in effect at this time.

------------------------------------------------------------------
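
A check for step 3 of the directions above, added here as an example and not part of the original readme or of any IBM tooling: it reads admin.config text and reports whether PQ48883.jar and its prerequisite PQ48816.jar are both present and ahead of every other classpath entry. It assumes admin.config is a plain key=value properties file; the function names and example.jar are hypothetical.

```python
import re

PROP = "com.ibm.ejs.sm.adminserver.classpath"   # property named in step 3
REQUIRED = ("PQ48883.jar", "PQ48816.jar")       # this eFix and its prerequisite

# Constructed sample, not from a real installation; example.jar is a placeholder
# for a product jar. The eFix jar is listed last and PQ48816 is absent.
SAMPLE_BAD = (PROP + "=C:/WebSphere/AppServer/lib/example.jar;"
              "C:/WebSphere/AppServer/efix/PQ48883.jar\n")

def read_classpath(text):
    """Return the admin server classpath entries, or None if the property is absent."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)    # join continuation lines
    entries = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(("#", "!")):          # properties-file comments
            continue
        key, eq, value = line.partition("=")
        if not eq or key.strip() != PROP:
            continue
        value = value.strip()
        # ';' separates entries on Windows and ':' elsewhere. A drive letter
        # (C:/...) contains ':', so a lone Windows entry must not be split on it.
        windows = ";" in value or re.match(r"[A-Za-z]:[\\/]", value)
        sep = ";" if windows else ":"
        entries = [e.strip() for e in value.split(sep) if e.strip()]
    return entries                               # the last definition wins

def check_efix_classpath(text):
    """Return a list of problems; an empty list means both jars lead the classpath."""
    entries = read_classpath(text)
    if entries is None:
        return [PROP + " not found"]
    names = [re.split(r"[\\/]", e)[-1].lower() for e in entries]
    wanted = [j.lower() for j in REQUIRED]
    problems = [j + " missing from classpath" for j in REQUIRED if j.lower() not in names]
    present = [n for n in names if n in wanted]
    # Both jars must precede every other entry so their classes are found first;
    # the order between the two is not checked.
    if present and set(names[:len(present)]) != set(present):
        problems.append("eFix jars are not at the beginning of the classpath")
    return problems

if __name__ == "__main__":
    for problem in check_efix_classpath(SAMPLE_BAD) or ["classpath OK"]:
        print(problem)
```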