IBM Support

PK10334: UNABLE TO USE ABSOLUTE URL FOR LOGOUTEXITPAGE VALUE ON POST IBM_SECURITY_LOGOUT


 

APAR status

  • Closed as program error.

Error description

  • Forms based logout is misinterpreting the value for
    name="logoutExitPage". An absolute value is being specified
    (http://hostname.business.com/weblogin/logout) but it is
    being converted to a URL relative to the application
    context root,
      (/myapp/http://hostname.business.com/weblogin/logout)
    This causes the browser to issue "404 page not found".
     -
    If the logout is done by a call to the special URI
    "ibm_security_logout" with request parameter logoutExitPage set
    to an absolute URL this worked with WAS 6.0.1. That is, after
    the logout from WAS the browser was redirected to the specified
    (absolute) logoutExitPage URL.
    Example (logout button in application html page):
     <form method="post" action="ibm_security_logout" name="logout">
      <input type="submit" name="logout" value="Logout">
      <input type="hidden" name="logoutExitPage"
             VALUE="http://hostname.business.com/weblogin/logout">
     </form>
     -
    After the POST to ibm_security_logout the browser is redirected
    to:   http://hostname.business.com/weblogin/logout
     -
    With WAS 6.0.2 this has changed. It obviously treats the value
    of logoutExitPage always as a relative URI. That means, relative
    to the application context root.
    Example:
    Assuming the context root of the application is "/myapp/" the
    above sample will return a redirect to the URL
           /myapp/http://hostname.business.com/weblogin/logout
    Of course that doesn't work and produces a "404 page not found"
    on the browser.
     -
    The change in processing was introduced in APAR PQ97264.
     -
    Looking for a way to specify an absolute URL as the
    LogoutExitPage value.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: WebSphere Application Server security        *
    *                 users with Form Logout Exit pages            *
    ****************************************************************
    * PROBLEM DESCRIPTION: Receive 404 error when POST to          *
    *                      ibm_security_logout servlet             *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    A POST to the ibm_security_logout servlet may return a 404
    error if the logout exit page is not a relative URI. This is
    caused by a previous APAR, which enforces that every logout exit
    page be a URI relative to the context root.
    

Problem conclusion

  • Since there is no spec for the logout exit page, many
    existing applications do not follow the relative URI rule. We
    will allow flexibility on the logout page when
    com.ibm.websphere.sendredirect.compatibility is set to false.
    1. If the logout exit page starts with /, it is a relative URI
       by default.
    2. If the logout exit page starts with / and the system
       property com.ibm.websphere.security.web.absoluteUri is set to
       "true", the logout exit page is treated as an absolute URI.
    3. If the logout page does NOT start with /, it will not be
       treated as a relative URI. For example, if the logout page
       starts with http:// or https://, it is an absolute URL, and
       WebSphere security will use it as is to call sendRedirect.

    The fix for this APAR is currently targeted for inclusion in
    fixpack 6.0.2.3. Please refer to the Recommended
    Updates page for delivery dates:
    http://www-1.ibm.com/support/docview.wss?rs=180&context=SSEQTP&uid=swg27004980
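
    Rules 1 to 3 above and the pre-fix behaviour, modelled as an added Python example (not IBM's code and not part of the APAR) that also lists which logoutExitPage values end up redirecting to a host you did not expect. The function names, the sample values and the expected-host set are assumptions; rule 2 is modelled as returning the value without the context-root prefix, which is one reading of "treated as an absolute URI".

```python
from urllib.parse import urlsplit


def redirect_before_fix(context_root, exit_page):
    """Behaviour reported for 6.0.2: the value is always resolved
    against the application context root."""
    return context_root.rstrip("/") + "/" + exit_page.lstrip("/")


def redirect_after_fix(context_root, exit_page, absolute_uri=False):
    """Model of rules 1-3, i.e. the case where
    com.ibm.websphere.sendredirect.compatibility is false.
    absolute_uri stands for com.ibm.websphere.security.web.absoluteUri."""
    if exit_page.startswith("/"):
        if absolute_uri:
            return exit_page                         # rule 2 (assumed reading)
        return context_root.rstrip("/") + exit_page  # rule 1
    return exit_page                                 # rule 3: passed on unchanged


def off_site_targets(context_root, exit_pages, expected_hosts, absolute_uri=False):
    """Return (value, host) pairs whose redirect target names a host
    that is not in expected_hosts, for review by the application owner."""
    findings = []
    for page in exit_pages:
        target = redirect_after_fix(context_root, page, absolute_uri)
        host = urlsplit(target).hostname
        if host and host not in expected_hosts:
            findings.append((page, host))
    return findings


# Constructed sample values; only the first one appears in the APAR text.
SAMPLE_EXIT_PAGES = [
    "http://hostname.business.com/weblogin/logout",
    "/logout.html",
    "https://other.example.net/bye",
]

if __name__ == "__main__":
    for page in SAMPLE_EXIT_PAGES:
        print(page, "->", redirect_before_fix("/myapp/", page),
              "|", redirect_after_fix("/myapp/", page))
    print(off_site_targets("/myapp/", SAMPLE_EXIT_PAGES, {"hostname.business.com"}))
```

    Because rule 3 hands the value to sendRedirect unchanged, the review list is the set of values whose destination is decided entirely by the form field.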
    

Temporary fix

  • ZE Fix Error PK15680 2005/12/05
    fix provided
    

Comments

APAR Information

  • APAR number

    PK10334

  • Reported component name

    WEBSPH APP SERV

  • Reported component ID

    5724J0800

  • Reported release

    60A

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2005-08-12

  • Closed date

    2005-09-26

  • Last modified date

    2005-12-05

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    PK14211

Fix information

  • Fixed component name

    WEBSPH APP SERV

  • Fixed component ID

    5724J0800

Applicable component levels

  • R60A PSY

       UP

  • R60H PSY

       UP

  • R60I PSY

       UP

  • R60P PSY

       UP

  • R60S PSY

       UP

  • R60W PSY

       UP

  • R60Z PSY

       UP


Document Information

Modified date:
19 October 2021