PQ62603: AFTER A SUCCESSFUL AUTHENTICATION, JSESSION=XXX NOT BEING PASSED TO THE APPSERVER CAUSES AUTHENTICATION TO BEGIN AGAIN

 A fix may be available

Obtain the fix for this APAR



APAR status
Closed as program error.

Error description
The customer is using Form-Based Login WebSecurity
and at the same time, his application is using
URL Rewriting to maintain the session state.
The two functions are working if used separatly.
When after calling the start URL the Form-Login apears
and does the Authentication correctly and displays the correct
page afterward. But all links (which all contain the
jsessionid=xxx in the URL) to other parts of the
application are not working. Instead, the LoginForm is
displayed again.
Local fix Problem summary
****************************************************************
* USERS AFFECTED: All Users of the WebSphere Application       *
*                 Server Version 4.0.1 for z/OS and OS/390     *
*                 using the local redirector plug-in, who      *
*                 are doing session URL rewriting, and Web     *
*                 security, may be affected.                   *
****************************************************************
* PROBLEM DESCRIPTION: Session URL Rewriting appends a string  *
*                      prefixed with ";jsessionid=" to the     *
*                      URL. This append may cause the Web      *
*                      security check for the new URL to       *
*                      fail.                                   *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
When the rewritten URL is returned to the WebSphere for z/OS,
local redirector plug-in fails to detect the challenge due
to the appended data and consequently ignores the Form
response data. This causes the user to get challenged again.
Problem conclusion
WebSphere for z/OS local redirector plug-in has been changed
to strip off the appended string from the URL before it
performs the Web security check.

This change affects the following COMPIDs:
5655A9800 R401 for z/OS and OS/390.

The code changes are stored in CMVC under defect PQ62603.
401Y
EJSJWBJR

* Cross Reference between External and Internal Names
Temporary fix Comments
APAR information
APAR number PQ62603
Reported component name WEBSPHERE OS/39
Reported component ID 5655A9800
Reported release 401
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Submitted date 2002-06-25
Closed date 2002-07-31
Last modified date 2002-09-04

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
EJSJWBJR          

Fix information
Fixed component name WEBSPHERE OS/39
Fixed component ID 5655A9800

Applicable component levels
R401 PSY UQ68592    UP02/08/03 P F208

  Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Operating system(s):
Software version: 401
Software edition:
Reference #: PQ62603
IBM Group: Software Group
Modified date: Sep 4, 2002