IBM Support

WebDav connection to WebSphere Portal fails with HTTP Error 302

Technote (troubleshooting)


Problem

Unable to establish a connection using WebDav to WebSphere Portal. WebDrive, the Windows XP client and other supported WebDAV clients for use with WebSphere Portal also fail.

Symptom

The following output is shown for the client connection attempt (in this case using WebDrive):

Connected successfully to the server on port 10039
Unable to connect to server, error information below
Error: HTTP Redirects (302) are not supported (4515)
Operation: Connecting to server
Server Response: 302 Found


Cause

A change in the default settings for the HTTP Basic Authentication Trust Association Interceptor (TAI) caused the connection to be denied.


Diagnosing the problem

(1) Connecting to Portal using a WebDav client depends on the HTTP Basic Authentication Trust Association Interceptor (TAI). Ensure that the TAI is installed.

(2) Trace the TAI using com.ibm.portal.auth.tai.HTTPBasicAuthTAI=finest.

Note that the trace must be enabled so that logging is generated during Portal startup as well as for the connection failure. Startup trace is required to review the TAI configuration properties and their values which are only logged at initialization.

The trace extract below shows a number of the TAI properties and their values as well as a successful initialization of the TAI (timestamps and thread ids have been omitted):

HTTPBasicAuth > com.ibm.portal.auth.tai.HTTPBasicAuthTAI initialize ENTRY {authenticationRealm=WPS, userAgentBlackList=AllAgentsAllowed, enabled=true, urlWhiteList=/mum/mycontenthandler* /wps/mycontenthandler*, urlBlackList=/wps/myportal*, userAgentWhiteList=NoAgentSpecified, loginTarget=Portal_LTPA, useRegExp=true}
HTTPBasicAuth < com.ibm.portal.auth.tai.HTTPBasicAuthTAI initialize RETURN 0
TrustAssociat A SECJ0122I: Trust Association Init Interceptor signature: WebSphere Portal HTTP Basic Authentication TAI 0.1


The property urlWhiteList contains URIs the TAI will allow: /mum/mycontenthandler* /wps/mycontenthandler*

However, even though the incoming URI appears to match a URI in the allowed list, the WebDav connection fails:


HTTPBasicAuth < com.ibm.portal.auth.tai.HTTPBasicAuthTAI parseUserAgentHeader RETURN [WebDrive, 9.16.2385, DAV]

HTTPBasicAuth 3 com.ibm.portal.auth.tai.HTTPBasicAuthTAI isTargetInterceptor request url: /wps/mycontenthandler/dav/themelist/all/

HTTPBasicAuth < com.ibm.portal.auth.tai.HTTPBasicAuthTAI isTargetInterceptor - no match at all RETURN false


Resolving the problem

The TAI settings in the WebSphere Application Server Integrated Solutions Console on a test system were reviewed. The TAI properties can be accessed using the following path:

Security > Global Security > Expand "Web and SIP security > Trust Association > Interceptors

Select "com.ibm.portal.auth.tai.HTTPBasicAuthTAI"

The default property values are shown below:



In this scenario the configuration property useRegExp had been changed from "false" to "true."

useRegExp causes the TAI to evaluate both URL list parameters, urlWhiteList and urlBlackList as Java regular expressions. Neither /mum/mycontenthandler* nor /wps/mycontenthandler* are correct regular expressions so the URL match failed and the connection was denied.

The urlWhiteList was also modified specific to this environment.

To resolve:

1) Set useRegExp to false (the default) or

2) Set the value of urlWhiteList to "/mum/mycontenthandler.* /wps/mycontenthandler.*" (note the inclusion of the "." character in the URIs and a space in between each URI).

Related information

Java Regular Expressions
Properties for the HTTP Basic Auth TAI
Configuring Security for v7
Using WebDav with Portal v7

Document information

More support for: WebSphere Portal
WebDAV

Software version: 7.0

Operating system(s): AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS

Software edition: Enable, Express, Extend, Hypervisor Edition, Server

Reference #: 1460933

Modified date: 08 March 2011


Translate this page: