IBM Support

PM70260: LIBERTY PROFILE IS IGNORING CERTAIN INBOUND PRIVATE HEADERS FROM THE WEB SERVER PLUG-IN


APAR status

  • Closed as program error.

Error description

  • Inbound HTTP requests originating from the web server plug-in,
    where a page redirect is generated (such as during user
    authentication), incorrectly redirect the browser client.
    

Local fix

  • n/a
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server Liberty Profile                      *
    ****************************************************************
    * PROBLEM DESCRIPTION: Inbound HTTP requests originating       *
    *                      from the web server plug-in, might be   *
    *                      incorrectly redirected.                 *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    Inbound HTTP requests originating from the web server plug-in,
    where a page redirect is generated (such as during user
    authentication), incorrectly redirect the browser client.
    This redirection is incorrect because the browser client
    usually cannot access the backend server directly. The
    redirection should retain the host, port and scheme of the
    original request.
    

Problem conclusion

  • The Liberty profile server runtime code was updated to honor
    the private headers that the web server plug-in attaches to the
    incoming request. These headers include host, port and scheme
    information that is used to formulate the redirection URL.
    
    In the Liberty profile server, the <webContainer/> element
    includes specific attributes that affect behavior related to
    front-end web servers. These attributes were all updated to be
    properly honored:
    
    1. trusted (These headers are now properly honored: $WSSP,
    $WSSC, $WSIS and $WSSN)
    2. extractHostHeaderPort
    3. trustHostHeaderPort
    4. httpsIndicatorHeader
    
    
    The fix for this APAR is currently targeted for inclusion in
    fix pack 8.5.0.1. Please refer to the Recommended Updates page
    for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
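
The redirect behavior described in the problem conclusion, as an added example (a simplified Python model, not Liberty's own code). It assumes the usual plug-in header meanings ($WSSC scheme, $WSSN server name, $WSSP server port, $WSIS secure flag); the function names, sample hosts and the all-or-nothing fallback on malformed headers are choices made for this illustration.

```python
import re
from urllib.parse import urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
HOSTNAME = re.compile(r"[A-Za-z0-9.-]{1,253}")   # rejects '/', '@', spaces, CR/LF
PORT = re.compile(r"[0-9]{1,5}")

def front_end_origin(headers):
    """Return (scheme, host, port) taken from the private headers,
    or None when the set is incomplete or malformed."""
    h = {k.upper(): v.strip() for k, v in headers.items()}
    scheme = h.get("$WSSC", "").lower()          # assumed: scheme of the original request
    if scheme not in DEFAULT_PORTS:
        flag = h.get("$WSIS", "").lower()        # assumed: "true" if the client used TLS
        if flag not in ("true", "false"):
            return None
        scheme = "https" if flag == "true" else "http"
    host = h.get("$WSSN", "")                    # assumed: front-end server name
    port = h.get("$WSSP", "")                    # assumed: front-end server port
    if not HOSTNAME.fullmatch(host) or not PORT.fullmatch(port):
        return None
    if not 1 <= int(port) <= 65535:
        return None
    return scheme, host, int(port)

def redirect_url(headers, local, path, trusted=True):
    """Build the absolute redirect URL. `local` is the (scheme, host, port)
    of the connection the application server itself accepted; `trusted`
    models the webContainer "trusted" attribute."""
    origin = front_end_origin(headers) if trusted else None
    scheme, host, port = origin or local
    netloc = host if port == DEFAULT_PORTS.get(scheme) else f"{host}:{port}"
    return urlunsplit((scheme, netloc, path, "", ""))

# Constructed sample: the plug-in forwards https://shop.example.com/ to a
# backend that listens on http://10.0.0.5:9080 and is not reachable by browsers.
SAMPLE = {"$WSSC": "https", "$WSIS": "true",
          "$WSSN": "shop.example.com", "$WSSP": "443"}
LOCAL = ("http", "10.0.0.5", 9080)

if __name__ == "__main__":
    # Private headers honored: the redirect keeps the original origin.
    print(redirect_url(SAMPLE, LOCAL, "/login.jsp"))
    # Private headers ignored: the redirect points at the backend,
    # which is the symptom this APAR describes.
    print(redirect_url(SAMPLE, LOCAL, "/login.jsp", trusted=False))
```

Private headers are only meaningful when the backend port accepts connections solely from the web server plug-in, since any client that can reach it directly can supply its own values.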
    

Temporary fix

Comments

APAR Information

  • APAR number

    PM70260

  • Reported component name

    LIBERTY PROFILE

  • Reported component ID

    5724J0814

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2012-08-03

  • Closed date

    2012-10-02

  • Last modified date

    2012-10-05

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    LIBERTY PROFILE

  • Fixed component ID

    5724J0814

Applicable component levels

  • R850 PSY

       UP


Document Information

Modified date:
29 October 2021