Download
Abstract
Welcome pages that are protected by a /* URL pattern in a security constraint are not secured when they are accessed by giving the context root directly.
Download Description
PK10057 resolves the following problem:
ERROR DESCRIPTION:
In WebSphere Application Server version 6.0.2, web application welcome pages are not secured.
The welcome pages are secured by having the URL pattern /* in the web application security constraint.
If the welcome page (home page) is accessed by hitting its URL directly, for example 'http://ServerHost/webapp_context/homepage.jsp', the authentication window appears. The welcome page is secured.
However, if the welcome page is accessed by hitting just the context root, for example 'http://ServerHost/webapp_context/', the welcome page is displayed, bypassing security authentication. In this case the welcome page is not secure.
PROBLEM SUMMARY:
USERS AFFECTED:
WebSphere Application Server version 6.0 users who try to access the welcome page of their application by giving the default context root in the browser.
PROBLEM DESCRIPTION:
There is a possible security issue with web application welcome pages.
RECOMMENDATION:
The welcome pages are secured by having the URL pattern /* in the web application security constraint.
If the welcome page (home page) is accessed by hitting its URL directly, for example 'http://ServerHost/webapp_context/homepage.jsp', the authentication window appears. The welcome page is secured.
However, if the welcome page is accessed by hitting just the context root, for example 'http://ServerHost/webapp_context/', the welcome page is displayed, bypassing security authentication. In this case the welcome page is not secure.
PROBLEM CONCLUSION:
This problem was solved by making changes in the webcontainer component.
The fix for this APAR is currently targeted for inclusion in fixpack version 6.0.2.3.
Please refer to the recommended updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
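The check below is an added example, not IBM code: it tests whether a server you administer shows the behaviour described above, and can be run before and after the fix is installed. It assumes HTTP Basic authentication, so a protected resource answers 401 (a form-based login would redirect instead); `probe`, `welcome_page_bypass` and `start_stub` are hypothetical names, and the stub is a constructed stand-in for the container, not WebSphere.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

def probe(url, timeout=5):
    """Send one unauthenticated GET without following redirects; return the status."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    conn = (http.client.HTTPSConnection if https else http.client.HTTPConnection)(
        parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        resp.read()
        return resp.status
    finally:
        conn.close()

def welcome_page_bypass(context_root_url, welcome_page):
    """True when the named welcome page is challenged (401) but the bare
    context root returns 200 without credentials."""
    root = context_root_url.rstrip("/") + "/"
    return probe(root + welcome_page) == 401 and probe(root) == 200

def start_stub(root_is_protected):
    """Constructed stub: challenges every path, and the context root only
    when root_is_protected is True (False imitates the reported problem)."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            is_root = self.path == "/webapp_context/"
            if not is_root or root_is_protected:
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="stub"')
            else:
                self.send_response(200)
            self.send_header("Content-Length", "0")
            self.end_headers()
        def log_message(self, *args):  # keep the demo output quiet
            pass
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/webapp_context/" % server.server_port

if __name__ == "__main__":
    for protected in (False, True):
        server, url = start_stub(protected)
        print("root protected:", protected,
              "-> bypass:", welcome_page_bypass(url, "homepage.jsp"))
        server.shutdown()
```

Against a real deployment, call `welcome_page_bypass` with the application's own context-root URL and welcome file name in place of the stub URL.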
Prerequisites
Please download the UpdateInstaller below to install this fix.
Installation Instructions
Please review the readme.txt for detailed installation instructions.
Technical Support
1-800-IBM-SERV (U.S. Only)
Problems (APARS) fixed
Document Information
Modified date:
15 June 2018
UID
swg24010245