PQ60108: SECURITY FOR WELCOME-FILE COMPONENTS APPEARS TO FAIL.

APAR status
Closed as program error.

Error description
The user has a web application whose welcome file is index.html.
The web application contains a security constraint that covers
the welcome file, in this case a security constraint on *.html.
The auth constraint is the role name manager.
If the user enters /MyWebapp/index.html, it is properly secured.
If the user enters /MyWebapp/, which defaults to index.html,
security is not properly handled.

ADDITIONAL SYMPTOMS: -------------------------------------------
 This error can cause you to be challenged several times, and
after entering a valid user ID and password each time you may
get a blank screen (for example, challenged 3 times, then a
blank screen).
 This error can cause you to be challenged forever, even though
you are entering a valid user ID and password each time.
 If you include the welcome file in the URI you enter at the
browser, you may see normal processing: you are challenged
once, and after entering a valid user ID and password you can
continue.

Local fix

Problem summary
****************************************************************
* USERS AFFECTED: All users of the WebSphere Application       *
*                 Server Version 4.0.1 for z/OS and OS/390     *
*                 using local redirector plug-in and Web       *
*                 Basic Authentication may be affected.        *
****************************************************************
* PROBLEM DESCRIPTION: When WebSphere Application Server       *
*                      serves a page from the welcome file     *
*                      list for a directory request received   *
*                      via the local redirector plug-in, the   *
*                      Web Basic Authentication is not         *
*                      properly handled. The authorization     *
*                      header is ignored.                      *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
When the Web container detects that the welcome page for the
directory request is protected, it sends a 401 challenge to
the browser. When the directory request along with user ID and
password (in the authorization header) is returned, the
WebSphere for z/OS local redirector plug-in fails to detect the
challenge and consequently ignores the authorization header.
This causes the user to get another 401 challenge.

Problem conclusion
The Web container has been changed to issue a redirect to the
welcome page for the directory request received from the local
redirector plug-in.
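
A regression check for the behaviour described above, as an added example that is not part of the APAR or of IBM's code. It verifies that a directory request for a protected welcome file ends in a challenge when anonymous and in a 200 when valid credentials are sent. The `fetch` callable, the host name, the credentials, the use of status 302 for the redirect, and the two simulated servers are assumptions constructed for illustration.

```python
import base64
from urllib.parse import urljoin

REDIRECTS = (301, 302, 303, 307, 308)

def basic(user, password):
    """Build the Authorization header for HTTP Basic authentication."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}

def follow(fetch, url, headers, max_hops=3):
    """Follow redirects, resending headers; return (final_status, final_url)."""
    for _ in range(max_hops):
        status, resp = fetch(url, headers)
        if status not in REDIRECTS or "Location" not in resp:
            break
        url = urljoin(url, resp["Location"])
    return status, url

def check_welcome_auth(fetch, dir_url, user, password):
    """Return findings for a protected directory URL; empty list means OK."""
    findings = []
    status, url = follow(fetch, dir_url, {})
    if status != 401:  # anonymous access must end in a challenge
        findings.append(f"no challenge for anonymous request: {status} at {url}")
    status, url = follow(fetch, dir_url, basic(user, password))
    if status == 401:  # the symptom in this APAR: challenged again
        findings.append(f"valid credentials challenged again at {url}")
    elif status != 200:
        findings.append(f"unexpected status {status} at {url}")
    return findings

# Constructed stand-ins for the server so the check runs offline.
GOOD = basic("alice", "s3cret")["Authorization"]  # constructed credentials
CHALLENGE = (401, {"WWW-Authenticate": 'Basic realm="demo"'})

def welcome_page(headers):
    return (200, {}) if headers.get("Authorization") == GOOD else CHALLENGE

def pre_fix(url, headers):   # directory request: Authorization header ignored
    return CHALLENGE if url.endswith("/") else welcome_page(headers)

def post_fix(url, headers):  # directory request: redirect to the welcome page
    if url.endswith("/"):
        return 302, {"Location": "index.html"}  # 302 is an assumption
    return welcome_page(headers)

URL = "http://host.example/MyWebapp/"  # constructed host
print(check_welcome_auth(pre_fix, URL, "alice", "s3cret"))
print(check_welcome_auth(post_fix, URL, "alice", "s3cret"))
```

To run the same check against a real deployment, pass a `fetch` that performs the HTTP request without following redirects and returns the status code and response headers.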

This change affects the following COMPIDs:
5655A9800 R401 for z/OS and OS/390.

The code changes are stored in CMVC under defect PQ60108.
401Y
EJSJWCWC

* Cross Reference between External and Internal Names

Temporary fix

Comments

APAR information
APAR number PQ60108
Reported component name WEBSPHERE OS/39
Reported component ID 5655A9800
Reported release 401
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Submitted date 2002-04-15
Closed date 2002-07-31
Last modified date 2002-09-04

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:
UQ68592

Modules/Macros
EJSJWCWC          

Fix information
Fixed component name WEBSPHERE OS/39
Fixed component ID 5655A9800

Applicable component levels
R401 PSY UQ68592    UP02/08/03 P F208

Document Information


Software version: 401
Reference #: PQ60108
IBM Group: Software Group
Modified date: Sep 4, 2002