
PM25450: Invalid redirect after login


APAR status

  • Closed as program error.

Error description

  • Immediately after logging in, rather than seeing the default
    authenticated page, you see a single image (for example,
    a.jpg or b.gif) or are prompted to download a file (for example,
    x.js or y.css).  Often the image or file is served by Web
    Content Management (WCM).
    
    Depending on the test case, this behavior can be intermittent.
    
    If you trace the HTTP headers you observe that, immediately
    before the problem, the WASReqURL cookie was set to the image or
    file.
    
    
    This problem can be reproduced with the following test case:
    
    When a user opens two browser windows and has two authenticated
    Portal sessions, rendering a page in one window while logging
    out in the second window can leave the WasReqURL cookie wrong.
    That is, the WasReqURL cookie will point to the first resource
    that is requested without a valid security context (because the
    logout in the second window has already been processed). When
    the same user then logs in again in the second window, the login
    process takes the WasReqURL cookie to point to a Portal page
    that the user wants to visit, when in fact it is just a resource
    (for example, an image) that was requested from the first
    window. Rather than landing on a proper Portal page, the user
    is redirected to that resource.
    
    
    This APAR supersedes PM19405.  The fix for this APAR takes into
    account more use cases, including when a base portal and one or
    more virtual portals are in use.
    

Local fix

  • Any workaround for this problem is highly dependent on the test
    case.  If you cannot install this fix, engage IBM support to
    investigate potential workarounds.
    

Problem summary

  • When a user opens two browser windows and has two authenticated
    Portal sessions, rendering a page in one window while logging
    out in the second window can leave the WasReqURL cookie wrong.
    That is, the WasReqURL cookie will point to the first resource
    that is requested without a valid security context (because the
    logout in the second window has already been processed). When
    the same user then logs in again in the second window, the login
    process takes the WasReqURL cookie to point to a Portal page
    that the user wants to visit, when in fact it is just a resource
    (for example, an image) that was requested from the first
    window. Rather than landing on a proper Portal page, the user is
    redirected to that resource.
    

Problem conclusion

  • This APAR introduces a login filter that can be enabled and
    configured to validate the WasReqURL cookie. In the WAS Admin
    Console, add the following custom property to the resource
    environment provider "WP Authentication Service":
    
    login.explicit.filterchain=com.ibm.wps.auth.impl.ValidateRedirectLoginFilter
    
    You can determine which redirect URLs should be considered
    "invalid" and replaced by a default redirect URL by setting the
    following additional property:
    
    filterchain.properties.com.ibm.wps.auth.impl.ValidateRedirectLoginFilter.blacklist.pattern=<regexp>
    
    where <regexp> is interpreted as a regular expression (see
    java.util.regex.Pattern) and compared to the redirect URL
    (case-insensitive). If, for example, all redirect URLs that end
    with *.* should be considered invalid, the following pattern can
    be used:
    
    .*/[^/]*[.]+[^/]*
    
    If the current redirect URL matches the specified pattern, it is
    replaced by the URL for the default selection of the current
    scope, which also contains the virtual portal URL context, for
    example "/wps/myportal/finance". A different redirect URL can be
    configured with the property
    
    filterchain.properties.com.ibm.wps.auth.impl.ValidateRedirectLoginFilter.redirect.url
    
    However, note that using a "static" redirect URL breaks login to
    virtual portals if virtual portals are URL context mapped, not
    host name mapped.
    
       Note: This APAR supersedes PM19405.
    
    Manual Steps:
       None
    
    Failing Module(s):
       Authorization/Authentication (login/logout)
    
    Affected Users:
       All Users
    
    Version Information:
        Portal Version(s): 6.0.1.1
         Pre-Requisite(s):
          Co-Requisite(s): ---
    
        Portal Version(s): 6.1.0.4
         Pre-Requisite(s):
          Co-Requisite(s): ---
    
    Platform Specific:
       This fix applies to all platforms.
    
    A fix is available from Fix Central:
    
    http://www.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?apar=PM25450&productid=WebSphere%20Portal&brandid=5
    
    You may need to type or paste the complete address into your Web
    browser.
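    The following Python is an added illustration of the behavior this
    APAR describes; it is not IBM's code and not the implementation of
    ValidateRedirectLoginFilter. It models the two-window sequence from
    the error description, which leaves the WASReqURL cookie pointing at
    an image, and then applies the blacklist pattern quoted above to
    decide whether the redirect is kept or replaced by the default
    selection of the current scope. The PortalSession class, the servlet
    path /wps/myportal, the sample URLs, and the assumption that the
    filter performs a full, case-insensitive match of the whole redirect
    URL (Java Pattern.matcher(url).matches()) are all constructed here.

```python
import re
from typing import Optional, Tuple

# Pattern quoted in the APAR for "all redirect URLs that end with *.*":
# the last path segment must contain at least one dot, so file-like
# resources (a.jpg, x.js, y.css) match while ordinary portal pages do not.
BLACKLIST_PATTERN = r".*/[^/]*[.]+[^/]*"


def default_selection_url(vp_context: str = "") -> str:
    """URL for the default selection of the current scope.

    Hypothetical helper: the servlet path "/wps/myportal" is assumed, and
    vp_context is the URL context of a context-mapped virtual portal
    ("" for the base portal), giving for example "/wps/myportal/finance".
    """
    base = "/wps/myportal"
    return f"{base}/{vp_context.strip('/')}" if vp_context else base


def validate_redirect(was_req_url: str, vp_context: str = "",
                      blacklist_pattern: str = BLACKLIST_PATTERN,
                      static_redirect_url: Optional[str] = None) -> str:
    """Keep the redirect URL, or replace it if it matches the blacklist.

    Assumption: the comparison is a full match of the whole URL string,
    case-insensitive, as the APAR text describes.
    """
    if re.fullmatch(blacklist_pattern, was_req_url, re.IGNORECASE):
        # A configured static redirect.url wins; otherwise fall back to the
        # default selection of the current scope (keeps the VP context).
        return static_redirect_url or default_selection_url(vp_context)
    return was_req_url


class PortalSession:
    """Constructed model of the server-side state in the reproduction.

    Both browser windows share one security context. Once a logout has
    been processed, the next request from the other window, even for an
    image, arrives without a valid context and its URL is recorded as the
    post-login target (the WASReqURL cookie).
    """

    def __init__(self) -> None:
        self.authenticated = True
        self.was_req_url: Optional[str] = None

    def logout(self) -> None:
        self.authenticated = False

    def request(self, url: str) -> str:
        if not self.authenticated:
            self.was_req_url = url  # cookie now points at this resource
            return "302 redirect to login"
        return "200 OK"


def reproduce_and_filter(vp_context: str = "finance") -> Tuple[str, str]:
    """Run the two-window scenario; return (raw cookie, filtered redirect)."""
    session = PortalSession()
    # Window 1 renders a page while still authenticated.
    session.request(f"/wps/myportal/{vp_context}/home")
    # Window 2 logs out; the shared security context is gone.
    session.logout()
    # Window 1 is still loading a WCM-served image for the rendered page.
    session.request("/wps/wcm/connect/library/a.jpg")
    raw = session.was_req_url or ""
    return raw, validate_redirect(raw, vp_context)


if __name__ == "__main__":
    raw_cookie, final_redirect = reproduce_and_filter()
    print("WASReqURL after logout race:", raw_cookie)
    print("Redirect after login with filter:", final_redirect)
```

    Two edge cases worth checking against the pattern when tuning it:
    a page whose earlier segment contains a dot (for example
    /wps/myportal/finance.page/home) does not match, because only the
    segment after the last "/" is inspected; but if the whole URL
    including its query string is compared, a dotted query value such as
    ?x=1.0 does match, so such a login would land on the default
    selection instead of the requested page. The static.redirect caveat
    from the APAR also shows up directly: with redirect.url set to
    /wps/myportal, a user of the context-mapped virtual portal "finance"
    is sent to the base portal.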
    

Temporary fix

Comments

APAR Information

  • APAR number

    PM25450

  • Reported component name

    WEBSPHERE PORTA

  • Reported component ID

    5724E7600

  • Reported release

    61C

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2010-10-29

  • Closed date

    2010-11-17

  • Last modified date

    2010-12-09

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE PORTA

  • Fixed component ID

    5724E7600

Applicable component levels

  • R60E PSY

       UP

  • R610 PSY

       UP


Document Information

Modified date:
21 December 2021