PQ69643: AUTHORIZATION (403) FAILURES FORWARDING FROM AN UNPROTECTED SERVLET OR JSP TO A PROTECTED ONE.

APAR status
Closed as program error.

Error description
Authorization (403) failures when forwarding from an unprotected servlet or JSP to a protected one. This issue can also be seen if the context root is not protected but the default page is protected, as a forward is implicit in this scenario.

Local fix
Protect the initially requested page.

Problem summary
USERS AFFECTED: All WebSphere Application Server users who have enabled security and are using RequestDispatcher.forward() to forward from an unprotected servlet or JSP to a protected one.
PROBLEM DESCRIPTION: Authorization failure (403) is received.
RECOMMENDATION:

An authorization failure is received when using RequestDispatcher.forward() to forward from an unprotected servlet or JSP to a protected one.

Problem conclusion
The servlet 2.3 specification, section 12.2, specifies that the security model does not apply when using a RequestDispatcher. Therefore, the recommended resolution to this issue is to protect the URI which is invoking RequestDispatcher.forward(). This prepares the application for migration to WebSphere 5.X.

If this is not possible, then setting the following property on each application server will yield a challenge when forwarding from an unprotected URI to a protected one:

com.ibm.ws.security.RequestDispatcherChallenge=true

Code implementing this property will be contained in any security cumulative eFix dated after the closure date of this APAR as well as the cumulative eFix dated 01-06-2003. Internal defect number 155475.

Temporary fix

Comments

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
SRLS

Document Information
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > General
Operating system(s):
Software version: 400
Software edition:
Reference #: PQ69643
IBM Group: Software Group
Modified date: Jan 21, 2003
(C) Copyright IBM Corporation 2000, 2006. All Rights Reserved.