APAR status
Closed as program error.
Error description
When home substitution is enabled (uri.home.substitution = true), an authenticated user can navigate to unprotected URLs without being logged out. Instead, a redirect from ../portal to ../myportal is issued to satisfy WAS security. This is done under the assumption that the LTPA token in the request matches the security context of the authenticated user. The respective check, however, is only done when the redirected request arrives in Portal. If a mismatch is detected, the user is redirected back to ../portal. To avoid a loop, home substitution is only performed once and the user is logged out. When simultaneous requests to ../portal arrive at Portal, they look like a redirection loop when, in fact, they are not. This APAR makes the redirect loop detection more intelligent, using methods in WAS that are available with Portal 6.x.
Local fix
Avoid sending simultaneous requests when using home substitution.
Problem summary
When home substitution is enabled (uri.home.substitution = true), an authenticated user can navigate to unprotected URLs without being logged out. Instead, a redirect from ../portal to ../myportal is issued to satisfy WAS security. This is done under the assumption that the LTPA token in the request matches the security context of the authenticated user. The respective check, however, is only done when the redirected request arrives in Portal. If a mismatch is detected, the user is redirected back to ../portal. To avoid a loop, home substitution is only performed once and the user is logged out. When simultaneous requests to ../portal arrive at Portal, they look like a redirection loop when, in fact, they are not.
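The false positive described above, as an added Python model that is not IBM code and not part of the original APAR. It assumes the "performed once" marker is stored per session, which the APAR does not state; the `*_chain` handlers are one hypothetical alternative that keeps the marker with each redirect chain, and are not IBM's fix. All function and field names are invented for the illustration.

```python
from dataclasses import dataclass

@dataclass
class Session:                  # constructed stand-in for a Portal user session
    user: str                   # security context of the authenticated user
    substituted: bool = False   # ASSUMED session-wide "substitution done" marker
    logged_out: bool = False

def portal_shared(s):
    """Request to ../portal with a session-scoped marker (assumed behaviour)."""
    if s.substituted:           # any second hit is read as a redirect loop
        s.logged_out = True
        return "logout"
    s.substituted = True
    return "redirect:/myportal"

def myportal_shared(s, ltpa_user):
    """Redirected request arrives; the LTPA-vs-context check happens only here."""
    if ltpa_user != s.user:
        return "redirect:/portal"   # mismatch: marker stays set, next hit logs out
    s.substituted = False
    return "200"

def portal_chain(s, hops):
    """Request to ../portal where the marker (hops) travels with one redirect chain."""
    if hops >= 1:               # this same chain was already substituted once
        s.logged_out = True
        return "logout"
    return "redirect:/myportal"

def myportal_chain(s, ltpa_user):
    return "200" if ltpa_user == s.user else "redirect:/portal"

def simultaneous_shared():
    s = Session("alice")
    a = portal_shared(s)        # request A reaches ../portal
    b = portal_shared(s)        # request B arrives before A's redirect is followed
    return a, b, s.logged_out   # B is mistaken for a loop

def simultaneous_chain():
    s = Session("alice")
    a, b = portal_chain(s, 0), portal_chain(s, 0)   # two independent chains
    return a, b, myportal_chain(s, "alice"), s.logged_out

def real_mismatch_chain():
    s = Session("alice")
    first = portal_chain(s, 0)
    back = myportal_chain(s, "bob")   # LTPA token belongs to a different user
    return first, back, portal_chain(s, 1), s.logged_out
```
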
Problem conclusion
This APAR makes the redirect loop detection more intelligent, using methods in WAS that are available with Portal 6.x.

Manual Steps: None
Failing Module(s): Authorization/Authentication (login/logout)
Affected Users: All users

Version Information:
Portal Version(s): 6.1.0.1
Pre-Requisite(s): PM14621
Co-Requisite(s): ---

Portal Version(s): 6.1.0.2
Pre-Requisite(s): PM14621 PK92357
Co-Requisite(s): ---

PM14606 is also part of Cumulative Fix 04 for Portal 6.0.1.6. The Cumulative Fix is available from Fix Central:
http://www.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?apar=PM13577&productid=WebSphere%20Portal&brandid=5
You may need to type or paste the complete address into your Web browser.

Platform Specific: This fix applies to all platforms.

A fix is available from Fix Central:
http://www.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?apar=PM14606&productid=WebSphere%20Portal&brandid=5
You may need to type or paste the complete address into your Web browser.
Temporary fix
Comments
APAR Information
APAR number
PM14606
Reported component name
WEBSPHERE PORTA
Reported component ID
5724E7600
Reported release
60G
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2010-05-17
Closed date
2010-06-22
Last modified date
2010-06-22
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBSPHERE PORTA
Fixed component ID
5724E7600
Applicable component levels
R60K PSY
UP
R61A PSY
UP
R61B PSY
UP
Document Information
Modified date:
21 December 2021