IBM Support

PM25773: PORTLET-CONTAINER NEEDS TO PRESERVE ISSECURE() INFORMATION.

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • The WebSphere Application Server Portlet-Container sets the
    PortletURL.setSecure(Boolean) setting per default to the value
    of the current request. This behavior prevents a default of
    null, which is possible according to the JSR286 specification.
    This leads to unexpected results when generating URLs on not
    SSL enabled WSRP-Producer servers and sending the
    URL-Rewrite-Expressions to SSL-enabled WSRP-Consumers. The URL
    then may be unsecure on the SSL-enabled WSRP-Consumer, because
    the default of the not SSL-enabled Producer applies and forces
    the URL to be generated as unsecure-URL.
    

Local fix

  • N/A
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server V7.0                                 *
    ****************************************************************
    * PROBLEM DESCRIPTION: Portlet-Container needs to preserve     *
    *                      PortletURL.isSecure() information.      *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    The WebSphere Application Server Portlet-Container sets the
    PortletURL.setSecure(Boolean) setting by default to the value
    of the current request. This behavior prevents a default of
    null, which is possible according to the JSR286 specification.
    This leads to unexpected results when generating URLs on
    non-SSL enabled WSRP-Producer servers and sending the
    URL-Rewrite-Expressions to SSL-enabled WSRP-Consumers. The URL
    then may be unsecure on the SSL-enabled WSRP-Consumer, because
    the default of the not SSL-enabled Producer applies and forces
    the URL to be generated as an unsecure-URL.
    

Problem conclusion

  • Corrected the code that in case of JSR 286 Portlets the value
    of PortletURL.isSecure() defaults to null and is only set if
    the PortletURL.setSecure(Boolean) method was called explicitly
    by client code.
    
    The fix for this APAR is currently targeted for inclusion in
    fix pack 7.0.0.17.  Please refer to the Recommended Updates
    page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PM25773

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    61A

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2010-11-02

  • Closed date

    2010-12-07

  • Last modified date

    2010-12-07

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R700 PSY

       UP



Document information

More support for: WebSphere Application Server
General

Software version: 6.1

Reference #: PM25773

Modified date: 07 December 2010