PK10334; 6.0.2: Unable to use absolute URL for logoutexitpage value

Downloadable files


Abstract

A 404 error is received on a POST to the ibm_security_logout servlet.

Download Description

PK10334 resolves the following problem:

ERROR DESCRIPTION:
Forms-based logout is misinterpreting the value for name="logoutExitPage". An absolute value is being specified ('http://hostname.business.com/weblogin/logout'), but it is being converted to a URL relative to the application context root (/myapp/http://hostname.business.com/weblogin/logout). This causes the browser to issue "404 page not found".

If the logout is done by a call to the special URI "ibm_security_logout" with the request parameter logoutExitPage set to an absolute URL, this worked with IBM® WebSphere® Application Server V6.0.1. That is, after the logout from Application Server the browser was redirected to the specified (absolute) logoutExitPage URL.

Example (logout button in application html page):

<form method="post" action="ibm_security_logout" name="logout">
<input type="submit" name="logout" value="Logout">
<input type="hidden" name="logoutExitPage"
VALUE="http://hostname.business.com/weblogin/logout">
</form>

After the POST to ibm_security_logout, the browser is redirected
to: 'http://hostname.business.com/weblogin/logout'

With Application Server V6.0.2 this has changed. It apparently always treats the value of logoutExitPage as a relative URI, that is, relative to the application context root.

Example:
Assuming the context root of the application is "/myapp/", the above sample will return a redirect to the URL /myapp/http://hostname.business.com/weblogin/logout

Of course that does not work and produces a "404 page not found" on the browser.

The change in processing was introduced in APAR PQ97264.

Looking for a way to specify an absolute URL as the LogoutExitPage value.

LOCAL FIX:

PROBLEM SUMMARY

USERS AFFECTED:
WebSphere Application Server security users with Form Logout Exit pages.

PROBLEM DESCRIPTION:
A 404 error is received on a POST to the ibm_security_logout servlet.

RECOMMENDATION:
None

When you POST to the ibm_security_logout servlet, you may get a 404 error if the logout exit page is not a relative URI. This is caused by a previous APAR, which enforces that every logout exit page be a URI relative to the context root.

PROBLEM CONCLUSION:
Since there is no specification for the logout exit page, many existing applications do not follow the relative URI rule. We will allow flexibility in the logout exit page when com.ibm.websphere.sendredirect.compatibility is set to false.

1. If the logout exit page starts with /, it is a relative URI by default.
2. If the logout exit page starts with / and the system property com.ibm.websphere.security.web.absoluteUri is set to "true", the logout exit page is treated as an absolute URI.
3. If the logout exit page does NOT start with /, it is not treated as a relative URI. For example, if the logout exit page starts with 'http://' or 'https://', it is an absolute URL, and WebSphere security uses it as is in the call to sendRedirect.
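The following is an added example, not IBM or WebSphere code: a small Python model of the three rules above, next to the V6.0.2 behaviour this APAR corrects. The function names and the "/logout.html" sample are hypothetical, and the reading of rule 2 (the value is passed to sendRedirect unchanged) is an assumption.

```python
# Added model of the logoutExitPage rules; not WebSphere source code.

def join_context_root(context_root, page):
    """Make page relative to the context root with one '/' between them."""
    return context_root.rstrip("/") + "/" + page.lstrip("/")


def resolve_before_fix(context_root, page):
    """V6.0.2 after PQ97264: every value is treated as context-root relative."""
    return join_context_root(context_root, page)


def resolve_after_fix(context_root, page, absolute_uri=False):
    """Rules 1-3 above (com.ibm.websphere.sendredirect.compatibility=false).

    absolute_uri stands for the system property
    com.ibm.websphere.security.web.absoluteUri.
    """
    if page.startswith("/"):
        if absolute_uri:
            # Rule 2. Assumption: "treated as absolute URI" means the value
            # is handed to sendRedirect unchanged.
            return page
        # Rule 1: relative to the context root.
        return join_context_root(context_root, page)
    # Rule 3: anything not starting with "/" (e.g. http:// or https://)
    # is used as is.
    return page


if __name__ == "__main__":
    ctx = "/myapp/"  # context root from the example in this document
    samples = [
        ("http://hostname.business.com/weblogin/logout", False),
        ("/logout.html", False),   # constructed sample value
        ("/logout.html", True),    # constructed sample value
    ]
    for page, flag in samples:
        print(f"{page!r} absoluteUri={flag}")
        print("  before fix:", resolve_before_fix(ctx, page))
        print("  after fix: ", resolve_after_fix(ctx, page, flag))
```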

The fix for this APAR is currently targeted for inclusion in fix pack 6.0.2.3. Please refer to the Recommended Updates page for delivery dates:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Prerequisites

Please download the UpdateInstaller below to install this fix.

URL LANGUAGE SIZE(Bytes)
UpdateInstaller US English 7250000

Installation Instructions

Please review the readme.txt for detailed installation instructions.

URL LANGUAGE SIZE(Bytes)
Readme US English 7723

Download package

Download RELEASE DATE LANGUAGE SIZE(Bytes) Download Options
6.0.2-WS-WAS-MultiOS-IFPK10334 11/22/2005 US English 10297 FTP DD

Technical support

Contact IBM Support using SR (http://www-306.ibm.com/software/support/probsub.html), visit the WebSphere Application Server Support Web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).

Cross Reference information
Segment Product Component Platform Version Edition
Application Servers Runtimes for Java Technology Java SDK

Problems (APARS) fixed
PK10334

Document information


More support for:

WebSphere Application Server
Security

Software version:

6.0.2, 6.0.2.1, 6.0.2.2, 6.0.2.3

Operating system(s):

AIX, HP-UX, Linux, Solaris, Windows, i5/OS

Software edition:

Base, Network Deployment

Reference #:

4010999

Modified date:

2007-03-14
