APAR status
Closed as new function.
Error description
In the OpenID Connect (OIDC) Trust Association Interceptor (TAI), the interceptedPathFilter and excludedPathFilter properties can use a regular expression to filter and intercept inbound requests. However, regular expressions cannot be used when the filter property is required to be used instead. Also, the filter property supports only a logical AND (;). A logical OR is needed to give administrators the flexibility they need to properly intercept requests.
Local fix
Problem summary
USERS AFFECTED: All users of IBM WebSphere Application Server and OpenID Connect
PROBLEM DESCRIPTION: Add support for regular expressions and logical OR to the OIDC TAI filter property.
RECOMMENDATION: Install a fix pack or interim fix that contains this APAR.

The OIDC TAI filter property does not support regular expressions or logical OR.
Problem conclusion
The OIDC TAI is updated to support both regular expressions and a logical OR in its filter property.

* The operator for using a regular expression in the value for the filter property is ~= (tilde, equals).
* If you want to make sure that a header does not exist, use the value \0.
* If you want to make sure that a header exists, regardless of the value, use ^.*.
* When you use the regex operator with remote-address, the runtime does not verify the input as it does with the other operators.
* The logical OR operator is ||.
* At runtime, the request is evaluated against the filter from left to right.
* The expressions between the logical OR operators are evaluated individually.
* You can have logical AND operators (;) within each logical OR section.
* The runtime returns true if any expression between the logical OR operators is true.

Example:

request-url~=/ibm/console(?!/images/)(.*).*;remote-address~=129\..*;INTERNAL_HEADER~=^.*;EXTERNAL_HEADER~=\0||request-url%=acme/login||applicationNames==DefaultApplication

The fix for this APAR is targeted for inclusion in fix pack 8.5.5.23 and 9.0.5.14. For more information, see 'Recommended Updates for WebSphere Application Server': https://www.ibm.com/support/pages/node/715553
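The evaluation rules above, as an added example that is not IBM code: a Python evaluator for dry-running a filter string against constructed requests before deploying it. The request dictionary layout, unanchored matching for ~=, substring matching for %=, and a single-valued applicationNames are assumptions, not documented runtime behavior.

```python
import re

# Filter string taken from the APAR text above.
FILTER = (r"request-url~=/ibm/console(?!/images/)(.*).*;remote-address~=129\..*;"
          r"INTERNAL_HEADER~=^.*;EXTERNAL_HEADER~=\0"
          r"||request-url%=acme/login||applicationNames==DefaultApplication")

# key, operator, value; only the three operators used in the example are handled.
COND = re.compile(r"([^~%=]+)(~=|%=|==)(.*)", re.S)

def lookup(req, key):
    """Map a filter key to a value in the constructed request dict (None = absent)."""
    builtin = {"request-url": "url", "remote-address": "remote", "applicationNames": "app"}
    if key in builtin:
        return req.get(builtin[key])
    return req.get("headers", {}).get(key)  # any other key is treated as a header name

def condition_true(cond, req):
    m = COND.fullmatch(cond.strip())
    if not m:
        raise ValueError(f"unsupported condition: {cond!r}")
    key, op, val = m.groups()
    actual = lookup(req, key)
    if op == "~=" and val == r"\0":   # \0 means "this header must not exist"
        return actual is None
    if actual is None:                # every other condition needs a value to test
        return False
    if op == "~=":                    # assumption: unanchored regex search
        return re.search(val, actual) is not None
    if op == "%=":                    # assumption: substring match
        return val in actual
    return actual == val              # ==

def filter_matches(filter_str, req):
    """OR sections left to right; every ;-joined condition in a section must hold."""
    # Naive split: a regex that itself contains ';' or '||' is not handled here.
    return any(all(condition_true(c, req) for c in section.split(";"))
               for section in filter_str.split("||"))

if __name__ == "__main__":
    # Constructed request: console URL, 129.x client, internal header present.
    req = {"url": "https://host.example/ibm/console/login.do", "remote": "129.10.0.5",
           "app": "ConstructedApp", "headers": {"INTERNAL_HEADER": "1"}}
    print(filter_matches(FILTER, req))   # evaluated with EXTERNAL_HEADER absent
    req["headers"]["EXTERNAL_HEADER"] = "x"
    print(filter_matches(FILTER, req))   # evaluated with EXTERNAL_HEADER present
```

Running the same constructed requests through a candidate filter before and after a change shows which paths would stop being intercepted.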
Temporary fix
Comments
APAR Information
APAR number
PH49279
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2022-09-06
Closed date
2022-09-16
Last modified date
2022-09-16
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
Document Information
Modified date:
17 September 2022