PQ69643: AUTHORIZATION (403) FAILURES FORWARDING FROM AN UNPROTECTED SERVLET OR JSP TO A PROTECTED ONE.

Fixes are available

4.0.6: WebSphere Application Server Version 4.0 Fix Pack 6
Security; V4.0.2-V4.0.7: Cumulative fix for security component



APAR status
Closed as program error.

Error description
Authorization (403) failures when forwarding from an
unprotected servlet or JSP to a protected one.
This issue can also be seen if the context root is not
protected but the default page is protected, as a forward
is implicit in this scenario.

Local fix
Protect the initially requested page.

Problem summary
****************************************************************
* USERS AFFECTED: All WebSphere Application Server users       *
*                 who have enabled security and are            *
*                 using RequestDispatcher.forward() to         *
*                 forward from an unprotected servlet          *
*                 or JSP to a protected one.                   *
****************************************************************
* PROBLEM DESCRIPTION: Authorization failure (403) is          *
*                      received.                               *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
An authorization failure is received when using
RequestDispatcher.forward() to forward from an unprotected
servlet or JSP to a protected one.

Problem conclusion
The servlet 2.3 specification, section 12.2, specifies that the
security model does not apply when using a RequestDispatcher.
Therefore, the recommended resolution to this issue is to
protect the URI which is invoking RequestDispatcher.forward().
This prepares the application for migration to WebSphere 5.X.
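
A Servlet 2.3 deployment descriptor that follows the recommended resolution above, as an added example that is not part of the APAR or IBM's fix: the security constraint covers the URI that calls RequestDispatcher.forward() as well as the forward target. The servlet name and class, URL patterns, role and realm are hypothetical.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">
<!-- Added example. EntryServlet, /entry, /secure/report.jsp and the role
     "staff" are hypothetical names, not taken from the APAR. -->
<web-app>
  <servlet>
    <servlet-name>EntryServlet</servlet-name>
    <!-- Hypothetical servlet that calls
         getRequestDispatcher("/secure/report.jsp").forward(req, res) -->
    <servlet-class>com.example.EntryServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>EntryServlet</servlet-name>
    <url-pattern>/entry</url-pattern>
  </servlet-mapping>

  <!-- Before: only the forward target is constrained. A request for /entry
       is not challenged, and the forward to /secure/report.jsp gets a 403.
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Report</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>staff</role-name></auth-constraint>
  </security-constraint>
  -->

  <!-- After: the forwarding URI is protected with the same role, so the
       user is authenticated and authorized on the initial request. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Report and its entry point</web-resource-name>
      <url-pattern>/entry</url-pattern>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>staff</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Example realm</realm-name>
  </login-config>

  <security-role>
    <role-name>staff</role-name>
  </security-role>
</web-app>
```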

If this is not possible then setting the following property on
each application server will yield a challenge when forwarding
from an unprotected URI to a protected one.

com.ibm.ws.security.RequestDispatcherChallenge=true

Code implementing this property will be contained in any
security cumulative eFix dated after the closure date of this
APAR as well as the cumulative eFix dated 01-06-2003.

Internal defect number 155475.

Temporary fix

Comments

APAR information
APAR number PQ69643
Reported component name WEBSPHERE AE AI
Reported component ID 5630A2200
Reported release 400
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Submitted date 2003-01-08
Closed date 2003-01-21
Last modified date 2003-01-21

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
SECURITY          

SRLS

Fix information
Fixed component name WEBSPHERE AE AI
Fixed component ID 5630A2200

Applicable component levels
R400 PSY    UP


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > General
Operating system(s):
Software version: 400
Software edition:
Reference #: PQ69643
IBM Group: Software Group
Modified date: Jan 21, 2003