IBM Support

PK58563: WCM-ANONYMOUS ACCESS GIVES BLANK PAGE, NOT 404 ERROR

 

APAR status

  • Closed as program error.

Error description

  • Summary: Anonymous users are confronted with a
    blank page when rendering expired content they
    don't have access to.
    
    Problem:
    When an anonymous user attempts to render an expired content
    item they don't have read access to
    via the WCM servlet, a blank page is presented to the user. This
    is incorrect - a 404 Error page should be presented.
    
    
    
    Analysis:
    The content item to be rendered is retrieved using system level
    access. In order to determine
    if it is published, a method isPublished() in WorkflowUtils is
    called.
    This attempts to retrieve the WorkflowControl and
    SecurityControl on the content item and will fail because the
    anonymous user
    does not have access to the content item.
    The code then implicitly assumes that, because the item does not
    have a WorkflowControl and SecurityControl, it is published
    and everyone has read access to it, which is incorrect.
    
    
    Solution:
    
    The content has already been retrieved with system level access.
    To check whether it is published,
    we simply check the content that has already been retrieved.
    This will reveal that it is expired and will trigger an
    exception, which will cause an HTTP response code of
    404 to be returned to the client.
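
The fail-open check described in the Analysis and the corrected check described in the Solution, as an added Java sketch that is not IBM's code. Every name except isPublished() is hypothetical, and the item and dates are constructed sample data.

```java
import java.time.Instant;

// Added illustration; every name except isPublished() is hypothetical, not WCM's API.
public class PublishCheckDemo {
    // Raised when the requesting user may not read the item's controls.
    static class AccessDenied extends Exception {}

    // Content item as loaded with system-level access (constructed sample data).
    record Item(Instant expires, boolean anonymousCanRead) {
        // Control lookup performed under the requesting user's identity.
        Instant expiryAs(String user) throws AccessDenied {
            if (user.equals("anonymous") && !anonymousCanRead) throw new AccessDenied();
            return expires;
        }
    }

    // Before: a failed control lookup is read as "no controls", hence published.
    static boolean isPublishedFailOpen(Item item, String user, Instant now) {
        try {
            return now.isBefore(item.expiryAs(user));
        } catch (AccessDenied e) {
            return true; // fail-open: a denial is mistaken for "published"
        }
    }

    // After: evaluate the item already retrieved with system access.
    static boolean isPublishedFixed(Item item, Instant now) {
        return now.isBefore(item.expires());
    }

    // Simplified outcome model: unpublished content must end in a 404.
    static String outcome(boolean published) {
        return published ? "render path taken (blank page for this user)" : "HTTP 404";
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2008-01-01T00:00:00Z");
        Item expired = new Item(Instant.parse("2007-12-01T00:00:00Z"), false);
        System.out.println("before fix: "
                + outcome(isPublishedFailOpen(expired, "anonymous", now)));
        System.out.println("after fix:  " + outcome(isPublishedFixed(expired, now)));
    }
}
```

The general point is that an access-denied result from a state lookup must never be folded into the permissive default; the decision should be made on data the server already holds with sufficient privilege.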
    

Local fix

Problem summary

  • Users Affected: All Java Edition LWWCM users
    
    Problem Description:
    When an anonymous user attempts to render an expired content
    item they don't have read access to
    via the WCM servlet, a blank page is presented to the user. This
    is incorrect - a 404 Error page should be presented.
    

Problem conclusion

  • The content item to be rendered is retrieved using system level
    access. In order to determine
    if it is published, a method isPublished() in WorkflowUtils is
    called.
    This attempts to retrieve the WorkflowControl and
    SecurityControl on the content item and will fail because the
    anonymous user
    does not have access to the content item.
    The code then implicitly assumes that, because the item does not
    have a WorkflowControl and SecurityControl, it is published
    and everyone has read access to it, which is incorrect.
    
    The content has already been retrieved with system level
    access.
    To check whether it is published,
    we simply check the content that has already been retrieved.
    This will reveal that it is expired and will trigger an
    exception, which will cause an HTTP response code of
    404 to be returned to the client.
    
    This fix applies to WCM release 6012
    
    An interim fix for this APAR is available from Fix Central at:
    
    http://www.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?brandid=2&productid=Workplace%20Web%20Content%20Management&fixes=6.0.1.2-WCM-PK58563
    
    You will need to cut/paste the entire URL into a browser to
    resolve the address.
    

Temporary fix

Comments

APAR Information

  • APAR number

    PK58563

  • Reported component name

    WRKPLC WEB CON

  • Reported component ID

    5724I2900

  • Reported release

    60F

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2007-12-21

  • Closed date

    2008-03-13

  • Last modified date

    2008-03-25

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WRKPLC WEB CON

  • Fixed component ID

    5724I2900

Applicable component levels

  • R601 PSY

       UP


Document Information

Modified date:
10 September 2020