IBM Support

PM69170: PROVIDE A WAY TO DISABLE CREATING LTPATOKEN COOKIE WHEN A TARGET WEB RESOURCE IS NOT PROTECTED

Fixes are available

8.5.0.1: WebSphere Application Server V8.5 Fix Pack 1
8.0.0.5: WebSphere Application Server V8.0 Fix Pack 5
7.0.0.27: WebSphere Application Server V7.0 Fix Pack 27
8.5.0.2: WebSphere Application Server V8.5 Fix Pack 2
8.0.0.6: WebSphere Application Server V8.0 Fix Pack 6
7.0.0.29: WebSphere Application Server V7.0 Fix Pack 29
8.0.0.7: WebSphere Application Server V8.0 Fix Pack 7
8.0.0.8: WebSphere Application Server V8.0 Fix Pack 8
7.0.0.31: WebSphere Application Server V7.0 Fix Pack 31
7.0.0.27: Java SDK 1.6 SR13 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.33: WebSphere Application Server V7.0 Fix Pack 33
8.0.0.9: WebSphere Application Server V8.0 Fix Pack 9
7.0.0.35: WebSphere Application Server V7.0 Fix Pack 35
8.0.0.10: WebSphere Application Server V8.0 Fix Pack 10
7.0.0.37: WebSphere Application Server V7.0 Fix Pack 37
8.0.0.11: WebSphere Application Server V8.0 Fix Pack 11
7.0.0.39: WebSphere Application Server V7.0 Fix Pack 39
8.0.0.12: WebSphere Application Server V8.0 Fix Pack 12
7.0.0.41: WebSphere Application Server V7.0 Fix Pack 41
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
7.0.0.43: WebSphere Application Server V7.0 Fix Pack 43
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
7.0.0.27: Java SDK 1.6 SR12 Cumulative Fix for WebSphere Application Server
7.0.0.29: Java SDK 1.6 SR13 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.31: Java SDK 1.6 SR15 Cumulative Fix for WebSphere Application Server
7.0.0.35: Java SDK 1.6 SR16 FP1 Cumulative Fix for WebSphere Application Server
7.0.0.37: Java SDK 1.6 SR16 FP3 Cumulative Fix for WebSphere Application Server
7.0.0.39: Java SDK 1.6 SR16 FP7 Cumulative Fix for WebSphere Application Server
7.0.0.41: Java SDK 1.6 SR16 FP20 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • WebSphere Application Server will create a LTPA
    cookie for all request regardless if the request is for a
    protected or unprotected web resources
    
    When TAI handles the request, since there is a LTPA cookie,
    request for unprotected URI will also pass TAI
    

Local fix

  • N/A
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server                                      *
    ****************************************************************
    * PROBLEM DESCRIPTION: LTPAToken cookie is always generated    *
    *                      even when a target URI is not           *
    *                      protected.                              *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    LTPAToken cookie is always generated whenever authentication is
    completed successfully. This means that even target URIs are
    not protected, as far as the security is configured to perform
    either persistence login or always login, a LTPAToken cookie
    is generated and set to a response.
    This behavior is different from version 6.1. Therefore, some
    applications which used to run on version 6.1 no longer work
    on version 7, if these applications are designed to rely on
    this behavior.
    

Problem conclusion

  • With this fix, a new security custom property is introduced.
    This custom property provides a way to alter the behavior of
    cookie generation as same as WebSphere Application Server
    version 6.1.
    
    Property name:
    com.ibm.websphere.security.web.setLTPATokenCookieToUnprotectedUR
    I
    value:
    true - set LTPAToken cookie whenever authentication is
    completed successfully. This is a default.
    false - set LTPAToken cookie when a target URI is protected.
    This behavior is compatible with WebSphere Application Server
    version 6.1.
    
    To set this value, Navigate on Administration console as
    follows:
    
    Security > Global Security > Custom properties
    
    The fix for this APAR is currently targeted for inclusion in
    fix pack 7.0.0.27, 8.0.0.5. 8.5.0.1.  Please refer to the
    Recommended Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PM69170

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    700

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2012-07-18

  • Closed date

    2012-08-07

  • Last modified date

    2012-08-07

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R700 PSY

       UP

  • R800 PSY

       UP

  • R850 PSY

       UP



Document information

More support for: WebSphere Application Server
General

Software version: 7.0

Reference #: PM69170

Modified date: 07 August 2012