IBM Support

IT38371: APIGW RETURN 403 FORBIDDEN ERROR IF SECONDARY CLIENT_ID IS IN THE REQUEST BODY

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • A new security check been added in v10.0.1.4 to prevent
The user from sending the client id in multiple places. The
security check checks
the message body and header. If the request body contain
"client_id" APIGW will return the following error if the client
id already provided in the header or query parameter:
{"httpCode":"403","httpMessage":"Forbidden","moreInformation":"
APIsecurity action found multiple references to the client ID in
the request."}








In this case the client_id in message body is not for APIC
security check but only for use in the main assembly flow (for
example, pass to a backend server).

Local fix

  • 1. Use a different name rather than ?cliend_id? in the body, and
then rename in by using gatewayscript or xslt policy before
invoke to the backend

2. Send the client id in request header with a different header
name, and then use set-variable, gatewayscript, or xslt policy
to copy it to somewhere else after APIGW's security check and
before invoke to the backend

Problem summary

  • APIGW returns 403 forbidden error if secondary client_id is in
the request body

Problem conclusion

Temporary fix

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    IT38371
    • 

  • Reported component name
    DATAPOWER
    • 

  • Reported component ID
    DP1234567
    • 

  • Reported release
    A0X
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2021-09-14
    • 

  • Closed date
    2021-12-01
    • 

  • Last modified date
    2022-02-17
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    DATAPOWER
    • 

  • Fixed component ID
    DP1234567
    • 



Applicable component levels


    








      
              
                            

              

              [{"Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS9H2Y","label":"IBM DataPower Gateways"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"A0X"}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            18 February 2022
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback