APAR status
Closed as new function.
Error description
In the SAML Web Inbound TAI, the filter property does not accept regular expressions. Also, although the filter property has a logical AND operator, it does not have a logical OR operator. These two missing functions often make it difficult for administrators to construct a filter to intercept requests.
Local fix
Problem summary
USERS AFFECTED: All users of IBM WebSphere Application Server
PROBLEM DESCRIPTION: All users of IBM WebSphere Application Server and SAML Web Inbound
RECOMMENDATION: Add support for regular expressions and logical OR to the SAML Web Inbound TAI filter property.

The SAML Web Inbound TAI filter property does not support regular expressions or logical OR.
Problem conclusion
The SAML Web Inbound TAI is updated to support both regular expressions and a logical OR in its filter property.

* The operator for using a regular expression in the value for the filter property is ~= (tilde, equals).
* If you want to make sure that a header does not exist, use the value \0.
* If you want to make sure that a header exists, regardless of the value, use ^.*.
* When you use the regex operator with remote-address, the runtime does not verify the input as it does with the other operators.
* The logical OR operator is ||.
* At runtime, the request is evaluated against the filter from left to right.
* The expressions between the logical OR operators are evaluated individually.
* You can have logical AND operators (;) within each logical OR section.
* The runtime returns true if any expression between the logical OR operators is true.

Example:

request-url~=/ibm/console(?!/images/)(.*).*;remote-address~=129\..*;INTERNAL_HEADER~=^.*;EXTERNAL_HEADER~=\0||request-url%=acme/login||applicationNames==DefaultApplication

The fix for this APAR is targeted for inclusion in fix pack 8.5.5.23 and 9.0.5.14. For more information, see 'Recommended Updates for WebSphere Application Server': https://www.ibm.com/support/pages/node/715553
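The evaluation rules above, modelled in Python so a filter can be checked against sample requests before it is deployed; this is an added example, not IBM's implementation or code from this APAR. It handles only the ~=, %= and == operators that appear in the example filter. It assumes that ~= may match anywhere in the value, that == is an exact comparison and %= a substring test, and that any name other than request-url, remote-address and applicationNames is a header; the function names, the request dictionary layout and the sample requests are constructed for illustration.

```python
import re

# The example filter from the Problem conclusion above.
PAGE_FILTER = (
    r"request-url~=/ibm/console(?!/images/)(.*).*;remote-address~=129\..*;"
    r"INTERNAL_HEADER~=^.*;EXTERNAL_HEADER~=\0"
    r"||request-url%=acme/login||applicationNames==DefaultApplication"
)
SPECIAL = ("request-url", "remote-address", "applicationNames")
CONDITION = re.compile(r"^(.*?)(~=|==|%=)(.*)$", re.S)

def lookup(request, name):
    """Value of a request attribute or header; None when it is absent."""
    if name in SPECIAL:
        return request.get(name)
    return request.get("headers", {}).get(name)

def condition_true(condition, request):
    m = CONDITION.match(condition)
    if m is None:
        raise ValueError(f"unsupported condition: {condition!r}")
    name, op, operand = m.groups()
    value = lookup(request, name)
    if op == "~=":
        if operand == r"\0":          # \0: the header must not exist
            return value is None
        # Assumption: the pattern may match anywhere in the value.
        return value is not None and re.search(operand, value) is not None
    if value is None:
        return False
    # Assumption: == is an exact comparison, %= a substring test.
    return value == operand if op == "==" else operand in value

def filter_matches(filter_string, request):
    """True if any ||-separated section has all its ;-separated conditions true."""
    # any() walks the sections left to right and stops at the first true one.
    return any(
        all(condition_true(c, request) for c in section.split(";"))
        for section in filter_string.split("||")
    )

# Constructed sample requests (not from the APAR).
ADMIN = {"request-url": "/ibm/console/login.do", "remote-address": "129.42.0.10",
         "applicationNames": "OtherApp", "headers": {"INTERNAL_HEADER": "1"}}
IMAGE = {**ADMIN, "request-url": "/ibm/console/images/logo.png"}
PROXIED = {**ADMIN, "headers": {"INTERNAL_HEADER": "1", "EXTERNAL_HEADER": "edge"}}

if __name__ == "__main__":
    for label, req in (("admin", ADMIN), ("image", IMAGE), ("proxied", PROXIED)):
        print(label, filter_matches(PAGE_FILTER, req))
```

Because this model splits on ; and || before parsing, it does not handle a regular expression that itself contains either sequence.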
Temporary fix
Comments
APAR Information
APAR number
PH49382
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
900
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2022-09-09
Closed date
2022-09-16
Last modified date
2022-09-16
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
Document Information
Modified date:
17 September 2022