IBM Support

JR52490: CROSS-SITE FILTER CAUSES BLANK J_SECURITY_CHECK PAGE TO BE DISPLAYED


APAR status

  • Closed as program error.

Error description

  • Empty J_SECURITY_CHECK page may be displayed when trying to
    access the Process Center or Process Admin console.
    
    The following exception is seen in the SystemOut.log:
    
    "wle_servlet   E CrossSiteRequestForgeryFilter doFilter Cross-Site Request Forgery threat identified, session not found"
    

Local fix

  • *Disclaimer*: This workaround is intended only as a temporary
    measure until the fix is applied, because it is possible that
    other fixes will overwrite the changes.
    Sections that need to be commented out:
    ----
        <filter>
            <description>Blocks Cross Site Request Forgery threats</description>
            <filter-name>crossSiteRequestForgery</filter-name>
            <filter-class>com.lombardisoftware.servlet.CrossSiteRequestForgeryFilter</filter-class>
        </filter>
    ----
        <filter-mapping>
            <filter-name>crossSiteRequestForgery</filter-name>
            <url-pattern>/j_security_check</url-pattern>
        </filter-mapping>
    ----
    1.  Comment out the "crossSiteRequestForgery" filter and
    filter-mapping in the web.xml for the Process Center
    application.
    a.  Edit the web.xml in the location:
    /$install_root/profiles/$node_name/config/cells/$cell_name/applications/IBM_BPM_Repository_SingleCluster.ear/deployments/IBM_BPM_Repository_SingleCluster/repository.war/WEB-INF/web.xml
    b.  Comment out the "crossSiteRequestForgery" filter and
    filter-mapping element.
    2.  Comment out the "crossSiteRequestForgery" filter-mapping in
    the web.xml for the Process Admin application.
    a.  Edit the web.xml in the location:
    /$install_root/profiles/$node_name/config/cells/$cell_name/applications/IBM_BPM_ProcessAdmin_SingleCluster.ear/deployments/IBM_BPM_ProcessAdmin_SingleCluster/ProcessAdmin.war/WEB-INF/web.xml
    b.  Comment out the "crossSiteRequestForgery" filter-mapping
    element.
    3.  Apply the same changes on the DMGR.  Replace $node_name
    with $dmgr_name.
    4.  Restart the DMGR and Nodes.
    5.  Clear the cache in the client browser that will be used to
    retest the issue.
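
An added example, not part of the APAR and not IBM code: while the workaround is in place the CSRF filter no longer runs for /j_security_check, so this Python script reports whether the filter and its login mapping are active in a given web.xml, which helps confirm the workaround was reverted once the fix is applied. The sample descriptor and its namespace are constructed for illustration; only the filter name, filter class and URL pattern come from the text above.

```python
import sys
import xml.etree.ElementTree as ET

FILTER_NAME = "crossSiteRequestForgery"   # filter name from the APAR text
LOGIN_PATTERN = "/j_security_check"       # url-pattern from the APAR text

def _local(tag):
    """Drop any XML namespace so the check works with or without an xmlns."""
    return tag.rsplit("}", 1)[-1]

def _texts(elem, name):
    """Stripped text of every direct child element called `name`."""
    return [(c.text or "").strip() for c in elem if _local(c.tag) == name]

def csrf_filter_state(web_xml):
    """Return (filter_declared, login_mapped), counting only active elements."""
    # ElementTree's default parser discards XML comments, so anything that
    # was commented out for the workaround is simply absent from the tree.
    root = ET.fromstring(web_xml)
    declared = mapped = False
    for elem in root.iter():
        if FILTER_NAME not in _texts(elem, "filter-name"):
            continue
        if _local(elem.tag) == "filter":
            declared = True
        elif _local(elem.tag) == "filter-mapping":
            mapped = mapped or LOGIN_PATTERN in _texts(elem, "url-pattern")
    return declared, mapped

# Constructed sample descriptor, not copied from a real installation.
INTACT = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <filter>
    <filter-name>crossSiteRequestForgery</filter-name>
    <filter-class>com.lombardisoftware.servlet.CrossSiteRequestForgeryFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>crossSiteRequestForgery</filter-name>
    <url-pattern>/j_security_check</url-pattern>
  </filter-mapping>
</web-app>"""

# Same descriptor with the workaround applied (both elements commented out).
WORKAROUND = (INTACT.replace("<filter>", "<!-- <filter>")
              .replace("</filter>", "</filter> -->")
              .replace("<filter-mapping>", "<!-- <filter-mapping>")
              .replace("</filter-mapping>", "</filter-mapping> -->"))

if __name__ == "__main__":
    for path in sys.argv[1:]:          # e.g. the two web.xml paths listed above
        with open(path, "rb") as fh:
            print(path, csrf_filter_state(fh.read()))
```

A result of `(True, True)` means the filter is declared and mapped to the login URL; `(True, False)` corresponds to the Process Admin variant of the workaround, where only the filter-mapping is commented out.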
    

Problem summary

  • ERROR DESCRIPTION -
    When you log in to the Process Center console or the Process
    Admin console, the browser is redirected to
    http://localhost:9080/ProcessCenter/j_security_check and a blank
    page is displayed.
    
    
    
    PRODUCTS AFFECTED
    IBM Business Process Manager (BPM) Advanced
    IBM BPM Standard
    IBM BPM Express
    
    LOCAL FIX -
    None
    
    
    PROBLEM SUMMARY
    This issue is a false Cross-Site Request Forgery threat and
    occurs when a session times out and you try to log in again.
    You can see the following log message in the SystemOut.log file:
    
        [5/17/13 7:48:34:559 CDT] 000000f4 wle_servlet   E CrossSiteRequestForgeryFilter doFilter Cross-Site Request Forgery threat identified, session not found
    

Problem conclusion

  • A fix is available for IBM BPM V8.5.0.0. With the fix applied,
    the false Cross-Site Request Forgery threat is handled and the
    authentication is properly handled so you do not see a blank
    page.
    
    On Fix Central (http://www.ibm.com/support/fixcentral), search
    for JR52490:
    1. Select IBM Business Process Manager with your edition from the
    product selector, the installed version to the fix pack level,
    and your platform, and then click Continue.
    2. Select APAR or SPR, enter JR52490, and click Continue.
    When you download fix packages, ensure that you also download
    the readme file for each fix. Review each readme file for
    additional installation instructions and information about the
    fix.
    

Temporary fix

Comments

APAR Information

  • APAR number

    JR52490

  • Reported component name

    BPM STANDARD

  • Reported component ID

    5725C9500

  • Reported release

    801

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2015-02-03

  • Closed date

    2015-04-02

  • Last modified date

    2015-04-02

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    BPM STANDARD

  • Fixed component ID

    5725C9500

Applicable component levels

  • R855 PSY

       UP


Document Information

Modified date:
02 April 2015