Receive 404 error when POST to ibm_security_logout servlet.
PK10334 resolves the following problem:
Forms based logout is misinterpreting the value for name="logoutExitPage". An absolute value is being specified ('http://hostname.business.com/weblogin/logout') but it is being converted to a URL relative to the to the application context root, (/myapp/http://hostname.busness.com/weblogin/logout). This causes the browser to issue "404 page not found".
If the logout is done by a call to the special URI "ibm_security_logout" with request parameter logoutExitPage set to an absolute URL this worked with IBM® WebSphere® Application Server V6.0.1. That is, after the logout from Application Server the browser was redirected to the specified (absolute) logoutExitPage URL.
Example (logout button in application html page):
<form method="post" action="ibm_security_logout" name="logout">
<input type="submit" name="logout" value="Logout">
<input type="hidden" name="logoutExitPage"
After the POST to ibm_security_logout, the browser is redirected
With Application Server V6.0.2 this has changed. It obviously treats the value of logoutExitPage always as a relative URI. That means, relative to the to the application context root.
Assuming the context root of the application is "/myapp/" the above sample will return a redirect to the URL /myapp/http://hostname.business.com/weblogin/logout
Of course that does not work and produces a "404 page not found" on the browser.
The change in processing was introduced in APAR PQ97264.
Looking for a way to specify an absolute URL as the LogoutExitPage value.
WebSphere Application Server security users with Form Logout Exit pages.
Receive 404 error when POST to ibm_security_logout servlet
When POST to ibm_security_logout servlet, you may get 404 error if Logout exit page is not relative URI. This is caused by a previous APAR, which enforce all logout exit page be relative URI to Context root.
Since there is no spec for the logout exist page, lot of existing applications do not follow the relative URI rule. We will allow the flexibility on logout page when com.ibm.websphere.sendredirect.compatibility is set to false.
1. If logout exit page starts with /, it is a relative URI by default.
2. If logout exit page starts with /, and the system property, com.ibm.websphere.security.web.absoluteUri is set to "true", the logout exit page is treated as absolute URI.
3. If logout page does NOT start with /, it will not be treated as a relative URI, For example, if logout page starts with http:// or 'https://', it is absolute URL, and WebSphere security will use as it is to call sendRedirect.
The fix for this APAR is currently targeted for inclusion in fix pack 18.104.22.168. Please refer to the Recommended Updates page for delivery dates:
Please download the UpdateInstaller below to install this fix.
Please review the readme.txt for detailed installation instructions.
|Download||RELEASE DATE||LANGUAGE||SIZE(Bytes)||Download Options
What is DD?
|6.0.2-WS-WAS-MultiOS-IFPK10334||11/22/2005||US English||10297||FTP DD|
Contact IBM Support using SR (http://www-306.ibm.com/software/support/probsub.html), visit the WebSphere Application Server Support Web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV(U.S. only).
|Application Servers||Runtimes for Java Technology||Java SDK|
Problems (APARS) fixed