PQ70164: SECURE CONNECTION NOT REQUIRED WITH WEBAUTH.LOGINTOKEN.LIMITTOSECURECONNECTIONS SET TO TRUE
APAR status

Closed as program error.

Error description

Customer has the following setting specified in his webcontainer.conf file:

WebAuth.LoginToken.LimitToSecureConnections=true

According to this webcontainer definition a secure (https) connection is required. However, a form-based login is accidentally called using a 'http://....' url and the login page is generated. The customer feels that at least an error message should be generated.

I found out that beginning with WEB_SECURITY_VERSION 2, we now support the setting of security connections in the xml file. These settings are application specific, meaning that you could have different settings for different applications. Prior to this functionality being added, we supported the setting of security settings only in the webcontainer.conf file, which pertained to all applications. Since adding this functionality to the xml file, we are no longer checking the setting in the webcontainer.conf file. It is being ignored. The customer feels that this is in error.

Local fix

Problem summary

USERS AFFECTED: All users of WebSphere Application Server V4.0.1 for z/OS and OS/390.

PROBLEM DESCRIPTION: When the webcontainer.conf file property WebAuth.LoginToken.LimitToSecureConnections is set to true and the jvm.properties file property WEB_SECURITY_VERSION is set to 2, WebSphere Application Server incorrectly returns the Login page in a Form Based authentication Web application over a non-secure HTTP transport connection.

RECOMMENDATION:

If the webcontainer.conf file property WebAuth.LoginToken.LimitToSecureConnections is set to true, a check for a secure connection is not performed when a request is received for a Form Based Authentication Web application via the HTTP Transport Handler. Because this check does not occur, the Login page is incorrectly returned to the client.

Problem conclusion

WebSphere Application Server Web Authentication code has been changed to check for a secure connection when a request for a Form Based Authentication Web application is received via the HTTP Transport Handler and the WebAuth.LoginToken.LimitToSecureConnections property is set to true. If the connection is not a secure one, the warning message "Authentication failed for reason Must use SSL for secure LoginToken" is issued and a status code 403 (Forbidden) is sent to the client.

APAR PQ70164 is associated with SERVICE LEVEL W401501 of WebSphere Application Server V4.0.1 for z/OS and OS/390.

Temporary fix

Comments

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
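The check described in the problem conclusion above, as a simplified Python model with a test for the affected configuration. This is an added example, not IBM's code: the function names, the key=value parsing of both files, and the behaviour of the path where WEB_SECURITY_VERSION is not 2 are assumptions.

```python
"""Simplified model of the check described in APAR PQ70164 (not IBM code)."""

WARNING = "Authentication failed for reason Must use SSL for secure LoginToken"
FLAG = "WebAuth.LoginToken.LimitToSecureConnections"


def parse_properties(text):
    """Parse key=value lines; skip blanks and '#' comments (format assumed)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def secure_required(conf):
    """True when webcontainer.conf asks for secure connections only."""
    return conf.get(FLAG, "false").lower() == "true"


def is_affected_config(conf, jvm):
    """The combination the APAR names: flag on and WEB_SECURITY_VERSION=2."""
    return secure_required(conf) and jvm.get("WEB_SECURITY_VERSION") == "2"


def form_login_after_fix(conf, is_secure):
    """Post-fix: the flag is enforced for requests on the HTTP transport."""
    if secure_required(conf) and not is_secure:
        return 403, WARNING   # Forbidden, with the warning message logged
    return 200, None          # login page may be returned


def form_login_before_fix(conf, jvm, is_secure):
    """Pre-fix, as reported: with version 2 the global flag is ignored."""
    if jvm.get("WEB_SECURITY_VERSION") == "2":
        return 200, None      # webcontainer.conf flag never consulted
    # Assumption: the older code path still honoured the global flag.
    return form_login_after_fix(conf, is_secure)


# Constructed sample file contents, for illustration only.
CONF = parse_properties("# constructed\n" + FLAG + "=true\n")
JVM = parse_properties("WEB_SECURITY_VERSION=2\n")
```
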
Document Information

Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Operating system(s):
Software version: 401
Software edition:
Reference #: PQ70164
IBM Group: Software Group
Modified date: Apr 3, 2003
(C) Copyright IBM Corporation 2000, 2006. All Rights Reserved.