PQ70164: SECURE CONNECTION NOT REQUIRED WITH WEBAUTH.LOGINTOKEN.LIMITTOSECURECONNECTIONS SET TO TRUE


APAR status
Closed as program error.

Error description
Customer has the following setting specified in his
webcontainer.conf file:
.
WebAuth.LoginToken.LimitToSecureConnections=true
.
According to this webcontainer definition, a secure (https)
connection is required.  However, a form-based login is
accidentally called using a 'http://....' url and the login page
is generated.  The customer feels that, at least, an error
message should be generated.  I found out that beginning with
WEB_SECURITY_VERSION 2, we now support the setting of security
connections in the xml file.  These settings are application
specific, meaning that you could have different settings for
different applications.   Prior to this functionality being
added, we supported the setting of security settings only in the
webcontainer.conf file, which pertained to all applications.
Since adding this functionality to the xml file, we are no
longer checking the setting in the webcontainer.conf file.  It
is being ignored.  The customer feels that this is in error.
Local fix

Problem summary
****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server    *
*                 V4.0.1 for z/OS and OS/390.                  *
****************************************************************
* PROBLEM DESCRIPTION: When the webcontainer.conf file         *
*                      property WebAuth.LoginToken.-           *
*                                  LimitToSecureConnections    *
*                      is set to true and the                  *
*                      jvm.properties file property            *
*                      WEB_SECURITY_VERSION is set to 2,       *
*                      WebSphere Application Server            *
*                      incorrectly returns the Login page in a *
*                      Form Based authentication Web           *
*                      application over a non-secure HTTP      *
*                      transport connection.                   *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
If the webcontainer.conf file property
  WebAuth.LoginToken.LimitToSecureConnections
is set to true, a check for a secure connection is not performed
when a request is received for a Form Based Authentication Web
application via the HTTP Transport Handler.

Because this check does not occur, the Login page is incorrectly
returned to the client.
Problem conclusion
WebSphere Application Server Web Authentication code has been
changed to check for a secure connection when a request for a
Form Based Authentication Web application is received via the
HTTP Transport Handler and the
  WebAuth.LoginToken.LimitToSecureConnections
property is set to true.

If the connection is not a secure one, the warning message
"Authentication failed for reason Must use SSL for secure
LoginToken" is issued and a status code 403 (Forbidden) is
sent to the client.

APAR PQ70164 is associated with SERVICE LEVEL W401501 of
WebSphere Application Server V4.0.1 for z/OS and OS/390.
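
The following configuration check is an added example, not part of the APAR and not IBM code. It classifies a server against the condition described above; the key=value layout of both files, the `fix_applied` input and the result labels are assumptions of the example.

```python
# Added example, not IBM code. Classifies a server against APAR PQ70164.
# Assumption: both files hold simple key=value lines with '#' comments.

PROP = "WebAuth.LoginToken.LimitToSecureConnections"

def parse_properties(text):
    """Return a dict of key=value pairs; blank and '#' lines are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # In this parser a later duplicate key replaces an earlier one.
        props[key.strip()] = value.strip()
    return props

def assess(webcontainer_conf, jvm_properties, fix_applied):
    """fix_applied: caller states whether service level W401501 is installed."""
    wc = parse_properties(webcontainer_conf)
    jvm = parse_properties(jvm_properties)
    # Case-insensitive comparison of the value is an assumption of this example.
    if wc.get(PROP, "").lower() != "true":
        return "secure-connection-not-requested"
    if fix_applied:
        return "enforced"            # non-SSL form login request receives 403
    if jvm.get("WEB_SECURITY_VERSION") == "2":
        return "affected"            # setting ignored, login page sent over HTTP
    return "outside-apar-scope"      # the APAR only describes the version 2 case

# Constructed sample file contents.
SAMPLE_WEBCONTAINER = """\
# constructed webcontainer.conf excerpt
WebAuth.LoginToken.LimitToSecureConnections=true
"""
SAMPLE_JVM = """\
# constructed jvm.properties excerpt
WEB_SECURITY_VERSION=2
"""

if __name__ == "__main__":
    for fixed in (False, True):
        print("fix applied:", fixed, "->",
              assess(SAMPLE_WEBCONTAINER, SAMPLE_JVM, fix_applied=fixed))
```
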
Temporary fix

Comments

APAR information
APAR number PQ70164
Reported component name WEBSPHERE OS/39
Reported component ID 5655A9800
Reported release 401
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Submitted date 2003-01-22
Closed date 2003-03-05
Last modified date 2003-04-03

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
EJSJWCWC          

Fix information
Fixed component name WEBSPHERE OS/39
Fixed component ID 5655A9800

Applicable component levels
R401 PSY UQ74747    UP03/03/12 P F303



Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Operating system(s):
Software version: 401
Software edition:
Reference #: PQ70164
IBM Group: Software Group
Modified date: Apr 3, 2003