PQ58541: SETSTATUS() METHOD DOES NOT SET HTTP_REASON CORRECTLY. IT IS ALWAYS SET TO 'OK'.

Obtain the fix for this APAR.

APAR status

• Closed as program error.

Error description

• When setStatus() method is used to set the response to a value
  other than 'SC_OK' (200), the HTTP_RESPONSE is sent correctly
  but the HTTP_REASON is always send as 'ok'. For example, if
  setStatus() is used to set the response to SC_MOVED_TEMPORARILY
  (302) or SC_UNAUTHORIZED (401), HTTP_RESPONSE is set to 302 or
  401 respectively, but HTTP_REASON is still set as 'ok'.
  Therefore the web server sends the response as '200 ok'.
  NOTE: The new directive ServiceSync is discussed in the
        Recommendations below. ServiceSync will work with
        the settings of either,  Yes|No or On|Off
  

Local fix

Problem summary

• ****************************************************************
  * USERS AFFECTED: Users of HTTP Server for OS/390 and z/OS     *
  *                 who find that HTTP response codes set by     *
  *                 service exits are not handled as expected.   *
  ****************************************************************
  * PROBLEM DESCRIPTION: The HTTP status seen by the client is   *
  *                      not always what is expected.            *
  *                      When a service exit sets a value for    *
  *                      HTTP_RESPONSE, it is not handled the    *
  *                      same as the service exit return_code,   *
  *                      resulting in incorrect HTTP status      *
  *                      200 for a request.                      *
  ****************************************************************
  * RECOMMENDATION:                                              *
  ****************************************************************
  The HTTP status seen by the client is not always what is
  expected. A service exit has two methods of setting the HTTP
  status for a request: it can return a value in return_code or
  in HTTP_RESPONSE. The result seen by the client is not always
  the same for these two methods.
  

Problem conclusion

• The HTTP Server is modified to accept a new configuration
  directive, ServiceSync. The default value of "no" preserves
  the old behavior of the server. A value of "yes" causes the
  server to synchronize the return code with HTTP_RESPONSE after
  a service exit, so that setting HTTP_RESPONSE results in the
  expected status code at the browser. Documentation is enhanced
  to clarify the usage of GWAPI exits.
  
  PQ48541 is making changes to the behavior of the HTTP Server
  to synchronize the HTTP status code seen at a browser with the
  HTTP_RESPONSE variable set by a service exit using HTTPD_set()
  or its Java equivalent, HttpServletResponse.setStatus().
  It is recommended that the service exit return the desired
  HTTP status code in the return_code argument; however, some
  applications, such as Java HTTP Servlets, return the status
  code in HTTP_RESPONSE.
  A new directive, ServiceSync, enables the new ability to
  synchronize return_code with HTTP_RESPONSE.
  ServiceSync is OFF by program default. This directive is
  documented in the sample configuration file httpd.conf and in
  the HTTP Server Planning manual.
  You will find the sample file changes in the HFS directory
  <install path>/samples/config, where <install path> is your
  webserver's install path.
  The default path is /usr/lpp/internet/samples/config.
  
  The following COMPID's are affected by these changes:
  
  5697D4300 LDGW for OS/390  Version 5
  
  PTF H2
  The code changes are stored in CMVC under defect PQ58541.
  
  SC31-8690 LDGW 5.2 Planning, Installing, and Using
  SC31-8690 IHS 5.3 Planning, Installing, and Using (for OS/390)
  SC34-4826 IHS 5.3 Planning, Installing, and Using (for z/OS)
  
  For the latest documentation for the 5.x releases, please use
  one of the following URLs:
  http://www.ibm.com/software/websphere/httpservers/doc53.html
  http://www.ibm.com/software/websphere/httpservers/doc52.html
  
  In the HTTP Server Planning, Installing, and Using manual,
  some information will be added or changed.
  In Chapter 19, "Writing GWAPI programs", under "Application
  functions", there is this text:
  
  Each of your functions must fill in the return code parameter
  with a value that indicates what action was taken.
  
  HTTP_NOACTION (value of 0) means no action was taken.
  Otherwise one of the valid HTTP return codes is expected,
  indicating the application function handled the step. As a
  result, no other application functions will be called to
  handle that step of this request.
  
  It will be revised along these lines:
  
  Each of your functions must fill in the return code parameter
  with a value that indicates how the HTTP Server should
  continue. The exit should leave a value in the return code
  parameter using  a line of code similar to one of these (but
  not limited to one of these):
  
      *return_code = HTTP_NOACTION;
      *return_code = HTTP_OK;
      *return_code = HTTP_UNAUTHORIZED;
  
  HTTP_NOACTION (0) - The HTTP Server continues with its usual
  processing of this step. For example, if an authorization exit
  returns HTTP_NOACTION, the HTTP Server continues with its
  usual authorization processing. If there are other exits for
  this same step, they may be called, based on any URI templates
  for the directive.
  
  HTTP_OK (200) or any other value - The exit has fulfilled the
  processing necessary for this step, and the HTTP Server should
  not continue with its usual processing of this step. If there
  are other exits for this same step, they will not be called.
  
  There are several ways that an exit can indicate the results
  of its processing:
  (1) Exit with a value in the return_code parameter (required).
  Generally, unless this is HTTP_NOACTION, this is the response
  code that the HTTP Server will return to the client.
  (2) Use HTTPD_set() to set HTTP_RESPONSE (optional, and useful
  only in some steps). Sometimes, this is the response code that
  the HTTP Server will return to the client, if the exit setting
  this variable continues with an HTTPD_write().
  (3) Use HTTPD_set() to set ERRORINFO (optional).
   This variable is used to select an ErrorPage.
  (4) Use HTTPD_set() to set HTTP_REASON (optional).
   This is part of the header returned to the client.
  (5) Use HTTPD_set() to set HTTP_STATUS.
   This sets HTTP_RESPONSE and HTTP_REASON with one GWAPI call.
  
  The first line of headers returned to the client usually looks
  similar to one of these examples:
  HTTP/1.1 200 Document Follows
  HTTP/1.1 401 Unauthorized
  HTTP/1.1 404 Not Found
  The middle part of the header, the number, is set from the
  exit's return_code or the variable HTTP_RESPONSE. The last
  part, the text, is set from the variable HTTP_REASON, or is
  set by default based on the number.
  
  After application of PQ60323, if ERRORINFO is not set, then
  the HTTP Server sets ERRORINFO from return_code. However,
  because there is more than one possible value of ERRORINFO
  for each value of return_code, the value chosen is just a best
  estimate.
  
  In Chapter 19, "Writing GWAPI programs", under "Application
  function prototypes", there is this text:
  
  Existing text for PreExit:
  Called after the request has been read, but before any
  processing has occurred.
  All server predefined functions are valid during this step.
  
  It will be revised along these lines:
  Called after the request has been read, but before any
  processing has occurred. Because this exit is invoked very
  early in processing, some environment variables are not yet
  set. For example, PROXY_ACCESS will always be "No" in this
  step, even if the request will be proxied; on the other hand,
  the QUERY_STRING variable is available at this point. This
  exit can add request headers to the incoming request, but it
  is already too late for the server to process them; if the
  request is being proxied to another server, the newly added
  headers will be passed with the request to the other server.
  
  If this step does not write to the client, it should return
  HTTP_NOACTION, even though it may have performed some actions,
  such as adding a request header.
  
  If this step returns an indication that the request was
  processed (HTTP_OK), the exit should issue an HTTPD_write()
  to send output to the client, since the server then skips the
  other steps in the request process and performs only the Data
  Filter, Log, and PostExit steps.
  All server predefined functions are valid during this step.
  
  Recommended ADDED text for Service exit:
  After application of PQ58541, if the directive "ServiceSync
  on" is coded in httpd.conf, when a service exit returns, the
  return_code parameter is loaded from HTTP_RESPONSE if
  HTTP_RESPONSE is not 200 and if return_code is 200. The effect
  is that if a service exit sets HTTP_RESPONSE but returns
  HTTP_OK (200) in return_code, then HTTP_RESPONSE is used as
  the return_code. This is useful for existing service exits
  that were not coded to set return_code.
  
  Existing text for Error exit:
  Called only when an error is encountered and provides an
  opportunity to customize the response.
  
  This Error exit information will be ADDED:
  The Error exit can take action similar to the effect of an
  ErrorPage directive by writing a response to the client. If it
  writes to the client, it should return HTTP_OK (200) in
  return_code to tell the HTTP Server not to send a response
  (a response has already been sent). If it does not write to
  the client, it should return HTTP_NOACTION (0) in return_code
  to tell the HTTP Server to continue with its usual error
  handling, such as writing a default error message or sending
  an ErrorPage.
  
  This information is to be added to Appendix B (Configuration
  directives):
  
  ServiceSync - Specify whether HTTP_RESPONSE should be copied
  to return_code after a service exit
  
  Use this directive to specify whether HTTP_RESPONSE should be
  copied to return_code after a service exit, for service exits
  that set HTTP_RESPONSE instead of setting *return_code. This
  is common for Java servlets. The format of the directive is:
   ServiceSync On|Off
  On
   HTTP_RESPONSE is copied to return_code after a service
  exit, if return_code contains the default HTTP_OK (200).
  Off
   HTTP_RESPONSE is not copied to return_code after a service
  exit. This was the behavior of the HTTP Server before the
  introduction of this directive.
  Example
   ServiceSync On
  Initial configuration file setting
   Off
  Program default setting
   ServiceSync Off
  
  * Cross Reference between External and Internal Names
  

Temporary fix

Comments

• ×**** PE03/03/07 PTF IN ERROR. SEE APAR PQ67022  FOR DESCRIPTION
  

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

  UQ66642 UQ66644 UQ67103 UQ67104

Modules/Macros

•    IMWFCGI  IMWGSIPC IMWGSKIP IMWHTSCJ IMWHTSEC
  IMWJAV   IMWJAVDL IMWJJAVA IMWJPR   IMWLDAP  IMWLFMT  IMWLISOC
  IMWLSEM4 IMWLSNPL IMWLTFPT IMWLTPOL IMWLWRTR IMWOCGTL IMWOHTAP
  IMWOHTDM IMWSACL  IMWSAFIL IMWSAPID IMWSAPIP IMWSAPRO IMWSARGV
  IMWSASRV IMWSAUTH IMWSCACH IMWSCACP IMWSCAGC IMWSCCHI IMWSCLC
  IMWSCONF IMWSCONS IMWSDAPI IMWSDMDR IMWSDOGC IMWSDSTR IMWSDVAR
  IMWSENTY IMWSENV  IMWSERVR IMWSFCGI IMWSFNM  IMWSGC   IMWSGLOB
  IMWSGRP  IMWSHBF  IMWSHEAD IMWSHTHP IMWSIFMS IMWSIMGE IMWSIMS
  IMWSIUMS IMWSJAPI IMWSJBE  IMWSJCFG IMWSJTHD IMWSKILL IMWSLEX
  IMWSLOAD IMWSLOG  IMWSLOOP IMWSLSTT IMWSMETH IMWSNS   IMWSOSMF
  IMWSPCA  IMWSPCSP IMWSPDB  IMWSPERF IMWSPEV  IMWSPF   IMWSPICS
  IMWSPL   IMWSPRD  IMWSPW   IMWSQUEU IMWSREQ  IMWSRLDB IMWSRNGE
  IMWSRSP  IMWSRSRT IMWSRTRC IMWSRTRV IMWSSCRP IMWSSECP IMWSSGNL
  IMWSSIO  IMWSSIPC IMWSSNMP IMWSSRC  IMWSSRER IMWSSRVR IMWSSSI
  IMWSSTAT IMWSSTBD IMWSSTHD IMWSSUTL IMWSTEC  IMWSTIMR IMWSUID
  IMWSUIDU IMWSURDB IMWSUSRI
  

Fix information

• Fixed component name

  DGW/WAS OS/390

• Fixed component ID

  5697D4300

Applicable component levels

• R52B PSY UQ66642

     UP02/06/13 P F206

• R520 PSY UQ67103

     UP02/06/13 P F206

• R53B PSY UQ66644

     UP02/06/13 P F206

• R530 PSY UQ67104

     UP02/06/13 P F206

Fix is available

• Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.