IBM Support

PH49382: SAML WEB INBOUND: ADD REGEX AND LOGICAL OR TO FILTER PROPERTY

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as new function.

Error description

  • In the SAML Web Inbound TAI, the filter property does not
    accept regular expressions.  Also, although the filter
    property has a logical AND operator, it does not have a
    logical OR operator. These two missing functions often make it
    difficult for administrators to construct a filter to intercept
    requests.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server                                      *
    ****************************************************************
    * PROBLEM DESCRIPTION: All users of IBM WebSphere Application  *
    *                      Server and SAML Web Inbound             *
    ****************************************************************
    * RECOMMENDATION:  Add support for regular expressions and     *
    *                  logical OR to the SAML Web Inbound TAI      *
    *                  filter                                      *
    *                  property.                                   *
    ****************************************************************
    The SAML Web Inbound TAI filter property does not support
    regular
    expressions or logical OR.
    

Problem conclusion

  • The SAML Web Inbound TAI is updated to support both regular
    expressions and a logical OR in its filter property.
    
    * The operator for using a regular expression in the value for
    the filter property is ~=.  (tilde, equals)
      * If you want to make sure that a header does not exist, use
    the value \0.
      * If you want to make sure that a header exists, regardless of
    the value, use ^.*.
      * When you use the regex operator with remote-address, the
    runtime does not verify the input as it does with the other
    operators.
    
    * The logical OR operator is ||.
      * At runtime, the request is evaluated against the filter from
    left to right.
      * The expressions between each logical OR operators are
    evaluated individually.
      * You can have logical AND operators (;) within each logical
    OR section.
      * The runtime returns true if any expression between the
    logical OR operators is true.
    
    Example:
    request-url~=/ibm/console(?!/images/)(.*).*;remote-
    address~=129\..*;INTERNAL_HEADER~=^.*;EXTERNAL_HEADER~=\0||reque
    st-url%=acme/login||applicationNames==DefaultApplication
    
    The fix for this APAR is targeted for inclusion in fix pack
    8.5.5.23 and 9.0.5.14. For more information, see 'Recommended
    Updates for WebSphere Application Server':
    https://www.ibm.com/support/pages/node/715553
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH49382

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2022-09-09

  • Closed date

    2022-09-16

  • Last modified date

    2022-09-16

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"9.0","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
17 September 2022