PQ60108: SECURITY FOR WELCOME-FILE COMPONENTS APPEARS TO FAIL.
APAR status
Closed as program error.

Error description
The user has a webapp that contains a welcome file of index.html. The webapp contains a security constraint that would include the welcome file, in this case a security constraint of *.html. The auth constraint is role name manager.

If the user enters /MyWebapp/index.html, it is properly secured.

If the user enters /MyWebapp/, which defaults to index.html, security is not properly handled.

ADDITIONAL SYMPTOMS:

This error can cause you to be challenged several times, and after entering a valid userid & password each time you may get a blank screen (for example, challenged 3 times, then a blank screen).

This error can cause you to be challenged forever even though you are entering a valid userid & password each time.

If you include the welcome-file in the URI you enter at the browser, you may see normal processing: you are challenged once, and after entering a valid userid & password you can continue.

Local fix

Problem summary
USERS AFFECTED: All users of the WebSphere Application Server Version 4.0.1 for z/OS and OS/390 using local redirector plug-in and Web Basic Authentication may be affected.

PROBLEM DESCRIPTION: When WebSphere Application Server serves a page from the welcome file list for a directory request received via the local redirector plug-in, the Web Basic Authentication is not properly handled. The authorization header is ignored.

RECOMMENDATION:

When the Web container detects that the welcome page for the directory request is protected, it sends a 401 challenge to the browser. When the directory request is returned along with the user ID and password (in the authorization header), the WebSphere for z/OS local redirector plug-in fails to detect the challenge and consequently ignores the authorization header. This causes the user to get another 401 challenge.

Problem conclusion
The Web container has been changed to issue a redirect to the welcome page for the directory request received from the local redirector plug-in.

This change affects the following COMPIDs: 5655A9800 R401 for z/OS and OS/390.

The code changes are stored in CMVC under defect PQ60108.

401Y EJSJWCWC
* Cross Reference between External and Internal Names

Temporary fix

Comments

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following: UQ68592

Modules/Macros
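A regression check for the behaviour described in this APAR, as an added example that is not IBM's code: it confirms that a directory request is challenged and that valid Basic credentials end the challenge instead of being ignored. The `send` transport, the two stub servers, the host name and the credentials are constructed for illustration; only /MyWebapp/ and index.html come from the text above.

```python
import base64
from urllib.parse import urljoin

def basic_header(user, password):
    """Build the Authorization header for HTTP Basic authentication."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}

def follow(send, url, headers, max_hops=5):
    """Follow redirects, resending the same headers; return the final status."""
    for _ in range(max_hops):
        status, resp = send(url, headers)
        if status not in (301, 302):
            return status
        url = urljoin(url, resp["Location"])
    return None  # too many redirects

def check_welcome_auth(send, url, user, password):
    """Classify how `url` behaves without and then with valid credentials."""
    if follow(send, url, {}) != 401:
        return "NOT_CHALLENGED"    # protected content reachable with no challenge
    status = follow(send, url, basic_header(user, password))
    if status == 401:
        return "STILL_CHALLENGED"  # the repeated-challenge symptom
    return "OK" if status == 200 else f"UNEXPECTED_{status}"

def make_stub(fixed):
    """Constructed stand-in for the server, before and after the fix."""
    valid = basic_header("alice", "example-pw")["Authorization"]
    challenge = {"WWW-Authenticate": 'Basic realm="constructed"'}
    def send(url, headers):
        if url.endswith("/MyWebapp/"):
            # Fixed: redirect to the welcome page. Before: header ignored.
            return (302, {"Location": "index.html"}) if fixed else (401, challenge)
        if url.endswith("/MyWebapp/index.html"):
            ok = headers.get("Authorization") == valid
            return (200, {}) if ok else (401, challenge)
        return 404, {}
    return send

BASE = "http://host.example/MyWebapp/"  # constructed host name

if __name__ == "__main__":
    for label, fixed in (("before fix:", False), ("after fix:", True)):
        print(label, check_welcome_auth(make_stub(fixed), BASE, "alice", "example-pw"))
```

To run the same check against a real server, pass a `send` callable that performs the HTTP request without following redirects and returns the status code and response headers.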
Document Information
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Operating system(s):
Software version: 401
Software edition:
Reference #: PQ60108
IBM Group: Software Group
Modified date: Sep 4, 2002
(C) Copyright IBM Corporation 2000, 2006. All Rights Reserved.