IBM Support

DASH/TDI servlet is rejecting the request.

Troubleshooting


Problem

The TDI CURI REST servlet, when fronted by WebSEAL, rejects requests because its referer check fails.

Symptom

Entry in SystemOut.log may contain:

[8/7/14 10:53:29:170 PDT] 00000192 rest E
com.ibm.tivoli.rest.RestRequestProcessor service ##### Rejecting request due to invalid Referer attribute:https://<servername>:443

[8/7/14 10:53:29:171 PDT] 00000192 webapp E
com.ibm.ws.webcontainer.webapp.WebApp logServletError

SRVE0293E: [Servlet Error]-[RestServlet]:
com.ibm.ws.webcontainer.webapp.WebAppErrorReport: SRVE0295E: Error reported:

Cause


In JazzSM fixpack 3, a referer check for the CURI REST servlet was added to protect against security vulnerabilities.

In this scenario where JazzSM fixpack 3 has been applied, WebSEAL is acting as a reverse proxy and translating the public URLs into those of the private network.

The requested URL is updated correctly as it passes through WebSEAL, but the referer in the request header is unmodified and still contains the hostname of the WebSEAL server.

Because the Referer header still names the WebSEAL host rather than the private host the servlet expects, the referer check fails and the REST call is rejected.

Environment

TDI 7.1.1 fp3, JazzSM 1.1 (fp3), TAM 7

Resolving The Problem

Add the following option to the [junction] stanza of the WebSEAL configuration file:


[junction]
adjust-referer = yes

Additional details:



DESCRIPTION
To make WebSEAL even more transparent to junctioned servers, this function attempts to detect WebSEAL-filtered URLs in the Referer: header sent from the browser and undo the filtering before passing the request on to the junction.

The "unfiltering" involves:
1) changing the protocol to match the one used to access the junction server;
2) changing the hostname from the WebSEAL one to the virtual hostname of the junction the Referer is from;
3) removing the junction path (except for transparent path junctions).

The host in the absolute Referer: header must match the Host: header sent by the client. If the Host: header does not exist, the referer is not updated.
If a match is not made, the referer is not updated.
If the WebSEAL host has other host name aliases, these will not be unfiltered if present in the Referer: header.

Although the Host: and Referer: headers come from an untrusted source, this manipulation of the Referer header does not introduce a security issue.
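The following is an added illustration, not IBM's code or the logic of WebSEAL or the TDI servlet. It models the three "unfiltering" steps and the Host:-match rule described above, and pairs them with a simplified stand-in for the servlet-side referer check so the before/after behaviour of the technote is visible. The junction table, the hostnames (webseal.example.com, tdi.internal.example, app.internal.example) and the shape of the servlet check are all assumptions made for the example.

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": "80", "https": "443"}

# Constructed junction table for this example (not from the technote):
# junction path -> (backend scheme, backend virtual host, transparent-path junction?)
JUNCTIONS = {
    "/tdi": ("http", "tdi.internal.example:8080", False),
    "/tp": ("http", "app.internal.example", True),
}


def canonical_host(netloc, scheme):
    """Lower-case host[:port] and drop the port when it is the scheme default,
    so 'webseal.example.com:443' and 'webseal.example.com' compare equal.
    (IPv6 literals are not handled; they are not needed here.)"""
    host, sep, port = netloc.partition(":")
    if sep and port == DEFAULT_PORTS.get(scheme):
        return host.lower()
    return netloc.lower()


def adjust_referer(headers, client_scheme="https", junctions=JUNCTIONS):
    """Model of the adjust-referer=yes 'unfiltering' as the technote describes it.
    Returns the Referer value to forward to the junction, or the original value
    when no adjustment applies: no Host: header, Referer host not matching the
    Host: header (aliases included), or Referer path not under a known junction."""
    referer = headers.get("Referer")
    host = headers.get("Host")
    if referer is None or host is None:
        return referer
    parts = urlsplit(referer)
    if not parts.netloc or canonical_host(parts.netloc, parts.scheme) != canonical_host(host, client_scheme):
        return referer
    for jpath, (scheme, vhost, transparent) in junctions.items():
        if parts.path == jpath or parts.path.startswith(jpath + "/"):
            # 1) protocol of the junction, 2) virtual host of the junction,
            # 3) junction path stripped unless the junction is transparent-path.
            new_path = parts.path if transparent else (parts.path[len(jpath):] or "/")
            return urlunsplit((scheme, vhost, new_path, parts.query, ""))
    return referer


def forward_through_webseal(headers, client_scheme="https"):
    """Headers as the junctioned server would receive them with adjust-referer=yes."""
    forwarded = dict(headers)
    if "Referer" in forwarded:
        forwarded["Referer"] = adjust_referer(headers, client_scheme)
    return forwarded


def referer_is_valid(headers, servlet_scheme, servlet_host):
    """Simplified stand-in for the servlet-side check (the real check's logic is
    not on the technote page): the Referer must name the host the servlet is
    served on, which behind WebSEAL is the private hostname."""
    referer = headers.get("Referer")
    if not referer:
        return False
    parts = urlsplit(referer)
    return canonical_host(parts.netloc, parts.scheme) == canonical_host(servlet_host, servlet_scheme)


# Constructed browser request: the user reached TDI through https://webseal.example.com/tdi/...
BROWSER_HEADERS = {
    "Host": "webseal.example.com",
    "Referer": "https://webseal.example.com:443/tdi/console/index.html",
}
TDI_HOST = "tdi.internal.example:8080"  # assumed private host of the TDI servlet

if __name__ == "__main__":
    print("without adjust-referer:", referer_is_valid(BROWSER_HEADERS, "http", TDI_HOST))
    fixed = forward_through_webseal(BROWSER_HEADERS)
    print("forwarded Referer:", fixed["Referer"])
    print("with adjust-referer:", referer_is_valid(fixed, "http", TDI_HOST))
```

Run stand-alone, it shows the unadjusted Referer (still naming the WebSEAL host) failing the check and the adjusted one passing; the Host:-mismatch and missing-Host: cases leave the header untouched, matching the rules in the description.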


Document Information

Modified date: 16 June 2018

UID: swg21690139