IBM Support

PM14606: SENDING SIMULTANEOUS REQUESTS WITH HOME SUBSTITUTION FORCES USER LOGOUT


APAR status

  • Closed as program error.

Error description

  • When home substitution is enabled (uri.home.substitution =
    true), an authenticated user can navigate to unprotected URLs
    without being logged out. Instead, a redirect from ../portal to
    ../myportal is issued to satisfy WAS security. This is done
    under the assumption that the LTPA token in the request matches
    the security context of the authenticated user. The respective
    check, however, is only done when the redirected request
    arrives in Portal. In case a mismatch is detected, the user is
    redirected back to ../portal. To avoid a loop, home substitution
    is only performed once and the user is logged out.
    
    When simultaneous requests to ../portal arrive at Portal, these
    look like a redirection loop when, in fact, they are not. This
    APAR makes the redirect loop detection more intelligent, using
    methods in WAS that are available with Portal 6.x.
    

Local fix

  • Avoid sending simultaneous requests when using home
    substitution.
    

Problem summary

  • When home substitution is enabled (uri.home.substitution =
    true), an authenticated user can navigate to unprotected URLs
    without being logged out. Instead, a redirect from ../portal to
    ../myportal is issued to satisfy WAS security. This is done
    under the assumption that the LTPA token in the request matches
    the security context of the authenticated user. The respective
    check, however, is only done when the redirected request
    arrives in Portal. In case a mismatch is detected, the user is
    redirected back to ../portal. To avoid a loop, home substitution
    is only performed once and the user is logged out.
    
    When simultaneous requests to ../portal arrive at Portal, these
    look like a redirection loop when, in fact, they are not.
    

Problem conclusion

Temporary fix

Comments

APAR Information

  • APAR number

    PM14606

  • Reported component name

    WEBSPHERE PORTA

  • Reported component ID

    5724E7600

  • Reported release

    60G

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2010-05-17

  • Closed date

    2010-06-22

  • Last modified date

    2010-06-22

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE PORTA

  • Fixed component ID

    5724E7600

Applicable component levels

  • R60K PSY

       UP

  • R61A PSY

       UP

  • R61B PSY

       UP


Document Information

Modified date:
21 December 2021