IBM Support

JR52490: CROSS-SITE FILTER CAUSES BLANK J_SECURITY_CHECK PAGE TO BE DISPLAYED

Direct links to fixes

bpm.8560.cf1.delta.repository.2
bpm.8560.cf1.delta.repository.1
8.5.0.0-WS-BPM-IFJR52490
Version 8.5.0 Fix Pack 2 for the IBM Business Process Manager products
Version 8.5 Refresh Pack 7 for the IBM Business Process Manager products

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • Empty J_SECURITY_CHECK page may be displayed when trying to
access the Process Center or Process Admin console.

The following exception is seen in the SystemOut.log:

"wle_servlet   E CrossSiteRequestForgeryFilter doFilter
Cross-Site Request Forgery threat identified, session not found"

Local fix

  • *Disclaimer*:  This workaround is only intended to be temporary
until the fix is applied as its possible other fixes will
overwrite the changes.
Sections that need to be commented out:
----
    <filter>
       <description>Blocks Cross Site Request Forgery
threats</description>
       <filter-name>crossSiteRequestForgery</filter-name>
<filter-class>com.lombardisoftware.servlet.CrossSiteRequestForge
ryFilter
</filter-class>
    </filter>
----
    <filter-mapping>
        <filter-name>crossSiteRequestForgery</filter-name>
        <url-pattern>/j_security_check</url-pattern>
    </filter-mapping>
----
1.  Comment out the "crossSiteRequestForgery" filter and
filter-mapping in the web.xml for the Process Center
application.
a.  Edit the web.xml in the location:
/$install_root/profiles/$node_name/config/cells/$cell_name/appli
cations/IBM_BPM_Repository_SingleCluster.ear/deployments/IBM_BPM
_Repository_SingleCluster/repository.war/WEB-INF/web.xml
b.  Comment out the "crossSiteRequestForgery" filter and
filter-mapping element.
2.  Comment out the "crossSiteRequestForgery" filter-mapping in
the web.xml for the Process Admin application.
a.  Edit the web.xml in the location:
/$install_root/profiles/$node_name/config/cells/$cell_name/appli
cations/IBM_BPM_ProcessAdmin_SingleCluster.ear/deployments/IBM_B
PM_ProcessAdmin_SingleCluster/ProcessAdmin.war/WEB-INF/web.xml
b.  Comment out the "crossSiteRequestForgery" filter-mapping
element.
3.  Apply the same changes on the DMGR.  Replace $node_name
with $dmgr_name.
4.  Restart the DMGR and Nodes.
5.  Clear the cache in the client brower that will be retesting
the issue.

Problem summary

  • ERROR DESCRIPTION -
When you log in to the Process Center console or the Process
Admin console, the browser is redirected to
http://localhost:9080/ProcessCenter/j_security_check and a blank
page is displayed.



PRODUCTS AFFECTED
IBM Business Process Manager (BPM) Advanced
IBM BPM Standard
IBM BPM Express

LOCAL FIX -
None


PROBLEM SUMMARY
This issue is a false Cross-Site Request Forgery threat and
occurs when a session times out and you try to log in again.
You can see the following log message in the SystemOut.log file:

    [5/17/13 7:48:34:559 CDT] 000000f4 wle_servlet   E
CrossSiteRequestForgeryFilter doFilter Cross-Site Request
Forgery threat identified, session not found

Problem conclusion

  • A fix is available for IBM BPM V8.5.0.0. With the fix applied,
the false Cross-Site Request Forgery threat is handled and the
authentication is properly handled so you do not see a blank
page.

On Fix Central (http://www.ibm.com/support/fixcentral), search
for JR52490:
1.Select IBM Business Process Manager with your edition from the
product selector, the installed version to the fix pack level,
and your platform, and then click Continue.
2.Select APAR or SPR, enter JR52490, and click Continue.
When you download fix packages, ensure that you also download
the readme file for each fix. Review each readme file for
additional installation instructions and information about the
fix.

Temporary fix

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    JR52490
    • 

  • Reported component name
    BPM STANDARD
    • 

  • Reported component ID
    5725C9500
    • 

  • Reported release
    801
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt
    • 

  • Submitted date
    2015-02-03
    • 

  • Closed date
    2015-04-02
    • 

  • Last modified date
    2015-04-02
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    BPM STANDARD
    • 

  • Fixed component ID
    5725C9500
    • 



Applicable component levels


    

  • R855  PSY
       UP
    • 








      
          
                    

          

          [{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSFTDH","label":"IBM Business Process Manager Standard"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.0.1","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]
          

                    

        
        

        

      


      


        

            

            
Document Information


            

            


                        

            Modified date:
            

            02 April 2015
            

            
            
          

        


        

        


      


    


  





    

  



  
    
      

      
Page Feedback