HTTPOnly Cookies and Web Applets

Question & Answer

Question

Why do I receive the error "java.lang.ClassFormatError: Incompatible magic value" when attempting to launch an applet through an application through WebSEAL?

Cause

The setting use-http-only-cookies is set to yes in the webseald.conf file.

Answer

This error is received because the Java Plugin that is attempting to load the applet does not have access to the WebSEAL session cookie when The HttpOnly attribute is used. Instead of returning the jar file that is expected, it returns the login page for WebSEAL thus throwing the incompatible magic value error.

By changing the value of use-http-only-cookies to no, you will be allowing the applet to access the WebSEAL session cookie and automatically authenticate so that the jar file can be received as expected. If the HttpOnly attribute is used, the only other way around this error would be to un-secure the applet.

#---------------------
# Adding HttpOnly attribute
#---------------------
# When use-http-only-cookies is set to 'yes', WebSEAL will add the
"HttpOnly"
# attribute to the session and failover cookies. This will help defend
against
# cross-site-scripting attacks by informing the browser not to make
these
# cookies available to browser scripts.
#use-http-only-cookies = no
use-http-only-cookies = yes

[{"Product":{"code":"SSPREK","label":"Tivoli Access Manager for e-business"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"WebSEAL","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All versions","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Product Synonym

TAM;ISAM;Access Manager

Was this topic helpful?

Document Information

Modified date:
16 June 2018

UID

swg21968876

Tips