We were under the impression that this issue had occurred in the last few days.
Now it appears that it is something that has been going on for a few weeks.
Because of this, we started looking at changes from longer ago and came up with:
allowed-referers = %HOST%
This is what caused the issue by the looks of it.
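To make the top post's finding concrete, here is a small model of what an allowed-referers entry of `%HOST%` implies for a /pkmslogout request. This is an added illustration, not WebSEAL code or its exact algorithm: it assumes that `%HOST%` expands to the Host header of the incoming request, that the Referer header's hostname must appear on the expanded list, and that the treatment of a missing Referer is a policy choice (modelled here as a parameter). The hostnames are constructed placeholders.

```javascript
// Added example: simplified model of an allowed-referers check for /pkms* pages.
// Assumptions (not taken from WebSEAL itself): %HOST% expands to the request's
// own Host header; a Referer whose host is not on the expanded list is denied;
// how a missing Referer is treated is configurable in this model.

function refererHost(referer) {
  // Hostname (lower-cased, no port) of a Referer header, or null when the
  // header is absent or not a parsable URL.
  if (!referer) return null;
  try {
    return new URL(referer).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

function expandAllowedReferers(allowedReferers, requestHost) {
  // Replace the %HOST% macro with the request's Host header (port stripped).
  const host = requestHost.split(':')[0].toLowerCase();
  return allowedReferers.map((entry) => entry.replace('%HOST%', host).toLowerCase());
}

function evaluateRequest(req, allowedReferers, { denyMissingReferer = false } = {}) {
  // req: { path, host, referer } describing one constructed request.
  // Only /pkms* paths are subject to the check in this model.
  if (!req.path.startsWith('/pkms')) return 'allow';
  const host = refererHost(req.referer);
  if (host === null) return denyMissingReferer ? 'deny' : 'allow';
  const allowed = expandAllowedReferers(allowedReferers, req.host);
  return allowed.includes(host) ? 'allow' : 'deny';
}

// Constructed sample requests; hostnames are placeholders.
const policy = ['%HOST%'];
const samples = [
  { label: 'logout link on a page from the same host',
    req: { path: '/pkmslogout', host: 'sso.example.test',
           referer: 'https://sso.example.test/portal/home' } },
  { label: 'logout link on a page served from a different host',
    req: { path: '/pkmslogout', host: 'sso.example.test',
           referer: 'https://app.example.test/home' } },
  { label: 'URL typed directly into the browser (no Referer)',
    req: { path: '/pkmslogout', host: 'sso.example.test', referer: undefined } },
];

function runSamples() {
  return samples.map((s) => ({ label: s.label, result: evaluateRequest(s.req, policy) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of runSamples()) console.log(`${r.result.padEnd(5)} ${r.label}`);
}
```

Running it shows that with `%HOST%` the second case is denied: a logout link placed on a page served under a different hostname than the one the logout request goes to will never pass the check, which is the kind of mismatch that surfaces as the 403 described in the thread.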
Original Message:
Sent: Fri August 19, 2022 04:03 AM
From: HANS VANDEWEGHE
Subject: "Forbidden The resource you have requested is secured by Access Manager WebSEAL" on /pkmslogout
Hi Jasper,
I don't have an immediate answer, but your VHJ setup is possibly somewhat related (for example, what comes to mind is the match-vhj-first param).
(I'm not sure if the CSRF check as explained above is the case here, since the "mobile-demo" to my knowledge also doesn't append pkmslogout?token=<token value>.)
It's probably worth taking a short trace while you recreate this issue. More specifically this trace: pdweb.wan.azn. It can be a bit overloaded with info, but the main point of interest is lines like this:
INPUTS - protected_resource=/WebSEAL/webpi.vwasp.gc.au.ibm.com-default/index.html, operation=r
This can give some insight into whether this is a real WebSEAL object (pkmslogout) or some VHJ-referenced file/object.
(it won't fix anything, but might give more info to work with ;-) )
------------------------------
HANS VANDEWEGHE
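As an added example (not from the post or from IBM), here is a small parser for the `INPUTS - protected_resource=..., operation=...` lines Hans points to, which summarises which objects were authorised and flags the WebSEAL pkms* pages among them. The trace lines are constructed for the example, the hostname is a placeholder, and the only layout assumed for the object space is `/WebSEAL/<host>-<instance>/<path>`, as in the line quoted in the post.

```javascript
// Added example: summarise pdweb.wan.azn "INPUTS" trace lines.
// Sample lines are constructed; the host/instance name is a placeholder.
const TRACE_SAMPLE = [
  'INPUTS - protected_resource=/WebSEAL/webseal.example.test-default/pkmslogout, operation=r',
  'INPUTS - protected_resource=/WebSEAL/webseal.example.test-default/mobile-demo/logout.html, operation=r',
  'INPUTS - protected_resource=/WebSEAL/webseal.example.test-default/index.html, operation=r',
  'some unrelated trace output that the parser must ignore',
].join('\n');

const INPUTS_RE = /INPUTS - protected_resource=(\S+?), operation=(\S+)/;

function parseInputsLine(line) {
  // Returns null for lines that are not INPUTS lines.
  const m = INPUTS_RE.exec(line);
  if (!m) return null;
  const resource = m[1];
  // Assumed object-space layout: /WebSEAL/<host>-<instance>/<path>
  const parts = /^\/WebSEAL\/([^/]+)\/(.*)$/.exec(resource);
  const instance = parts ? parts[1] : null;
  const path = parts ? '/' + parts[2] : resource;
  return {
    resource,
    instance,
    path,
    operation: m[2],
    // pkms* paths are WebSEAL's own management pages, the ones that secret
    // token validation and allowed-referers checks apply to.
    isPkmsPage: path.startsWith('/pkms'),
  };
}

function summariseTrace(text) {
  const entries = text.split('\n').map(parseInputsLine).filter(Boolean);
  return {
    entries,
    pkmsRequests: entries.filter((e) => e.isPkmsPage).map((e) => e.path),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const s = summariseTrace(TRACE_SAMPLE);
  for (const e of s.entries) {
    console.log(`${e.isPkmsPage ? 'PKMS ' : '     '}${e.instance}  ${e.path}  (${e.operation})`);
  }
}
```

Pointing it at a real trace file answers Hans's question directly: if the logout request shows up as `/pkmslogout` directly under the instance's object-space root, WebSEAL is handling it as its own management page; if it shows up under a junction or virtual-host path, the request has been routed elsewhere.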
Original Message:
Sent: Fri August 19, 2022 01:48 AM
From: Jasper Teuben
Subject: "Forbidden The resource you have requested is secured by Access Manager WebSEAL" on /pkmslogout
Hi,
At the moment we have an issue on 1 instance (production and test environment) with the /pkmslogout that looks a bit like this one.
We get a 403 on /pkmslogout if we paste it behind the baseURL; the user keeps his session and is not logged off in ISVA 10.0.3.1. The thing is that we set up the /mobile-demo junction, and if we hit "logout" there it works just fine.
I must say that in this instance we have standard junctions (/mobile-demo is one of them in the test environment) and we have a virtual junction.
Jasper.
------------------------------
Jasper
Original Message:
Sent: Wed February 17, 2021 03:10 PM
From: Scott Exton
Subject: "Forbidden The resource you have requested is secured by Access Manager WebSEAL" on /pkmslogout
Alessandro,
I don't quite understand what you mean when you say 'Methods 2-3 added macro and header but did not correctly compose the pkmslogout URL (pkmslogout?token=<token value>)'. These methods simply make the token available to the client. It is still up to the client (e.g. JavaScript) to construct the correct URL. Put simply, something needs to construct the URL as you cannot simply enter '/pkmslogout' in the browser and expect the token value to be appended. Most customers have a page which contains a logout reference. This reference is then either constructed on the server side before the page is sent back to the browser, or on the client side using JavaScript.
Does this help?
Thanks.
Scott A. Exton, Senior Software Engineer
Chief Programmer - IBM Security Verify Access, IBM Master Inventor
Phone: 61-7-5552-4008 | E-mail: scotte@au1.ibm.com | 1 Corporate Court, Bundall, QLD 4217, Australia
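Scott's point, and the question Alessandro raises in the message he is replying to, is that the macro or header only makes the token available; something still has to assemble `/pkmslogout?token=<token value>`. The following added example (not IBM's code, nor from the thread) shows the client-side variant: the template renders the credential attribute into a data attribute on the logout anchor, and a few lines of JavaScript turn it into the correct link. The attribute name `data-logout-token` and the element id `logout` are placeholders chosen for this example; the macro form `%CREDATTR{tagvalue_session_index}%` is the macro named in the thread.

```javascript
// Added example: build the secret-token logout URL on the client side.
// Assumed page fragment rendered by the template (attribute name and id are
// placeholders for this example):
//   <a id="logout" data-logout-token="%CREDATTR{tagvalue_session_index}%">Log out</a>

function buildLogoutUrl(token, base = '/pkmslogout') {
  // A bare /pkmslogout is rejected when secret token validation is enabled, so
  // refuse to build a link without a token rather than emitting one that 403s.
  if (typeof token !== 'string' || token.trim() === '') {
    throw new Error('secret token missing: cannot build a valid logout URL');
  }
  // URL/searchParams take care of percent-encoding the token value.
  const url = new URL(base, 'https://placeholder.invalid');
  url.searchParams.set('token', token.trim());
  return url.pathname + url.search;
}

function wireLogoutLink(anchor) {
  // anchor: a DOM element (or any object exposing getAttribute/setAttribute).
  const token = anchor.getAttribute('data-logout-token');
  const href = buildLogoutUrl(token);
  anchor.setAttribute('href', href);
  return href;
}

// Minimal stand-in for a DOM element so the logic can be exercised outside a browser.
function fakeAnchor(attrs) {
  const store = { ...attrs };
  return {
    getAttribute: (k) => (k in store ? store[k] : null),
    setAttribute: (k, v) => { store[k] = v; },
  };
}

// In a browser, wire the real anchor once the page has loaded.
if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => {
    const a = document.getElementById('logout');
    if (a) wireLogoutLink(a);
  });
}
```

If the header method is used instead, the same `buildLogoutUrl` applies; the only difference is that the page's own server-side code reads the token from the response header and writes it into the page, since JavaScript in the browser cannot read headers of the document response.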
Original Message:
Sent: 2/17/2021 6:59:00 AM
From: Alessandro Ciambricco
Subject: RE: "Forbidden The resource you have requested is secured by Access Manager WebSEAL" on /pkmslogout
Hi Scott,
thanks for your suggestion.
Unfortunately we tried the solutions listed in the IBM link (https://www.ibm.com/support/knowledgecenter/SSPREK_10.0.1/com.ibm.isva.doc/wrp_config/concept/con_conf_secret_token.htm) without solving our problem.
In the IBM link there are 3 methods:
1 - pkmshelp - this page could not be found
2 - macro - we added our macro (CREDATTR{tagvalue_session_index}) but this configuration didn't solve our problem
3 - header - we added our header and we see the token as header in the response page but this configuration didn't solve our problem
Methods 2-3 added macro and header but did not correctly compose the pkmslogout URL (pkmslogout?token=<token value>).
Are there any further configurations/tests to add the token in the logout URL?
Thanks in advance for the support.
Best Regards
Alessandro
------------------------------
Alessandro Ciambricco
Original Message:
Sent: Thu February 11, 2021 03:12 PM
From: Scott Exton
Subject: "Forbidden The resource you have requested is secured by Access Manager WebSEAL" on /pkmslogout
Gianluca,
If you enable secret token validation it means that the majority of pkms pages require the token - and this in turn means that you can't just request a pkms resource (e.g. /pkmslogout), but instead need to generate the link to include the secret token. The Knowledge Centre has further information on this (https://www.ibm.com/support/knowledgecenter/SSPREK_10.0.1/com.ibm.isva.doc/wrp_config/concept/con_conf_secret_token.htm), but the secret token can be obtained from the tagvalue_session_index attribute within the credential. There are numerous mechanisms available to get access to this attribute, as documented in the referenced page.
I hope that this helps.
Scott A. Exton, Senior Software Engineer
Chief Programmer - IBM Security Verify Access, IBM Master Inventor
Phone: 61-7-5552-4008 | E-mail: scotte@au1.ibm.com | 1 Corporate Court, Bundall, QLD 4217, Australia
Original Message:
Sent: 2/11/2021 1:12:00 PM
From: Gianluca Mamone
Subject: "Forbidden The resource you have requested is secured by Access Manager WebSEAL" on /pkmslogout
Hi,
I'm receiving the page "Forbidden The resource you have requested is secured by Access Manager WebSEAL" after hitting /pkmslogout.
I know that this could be caused by Prevention of Cross-site Request Forgery (CSRF) attacks, since this prevention affects /pkms* pages, but I'm not getting how to obtain the self-logout capability again.
Thank you
------------------------------
Gianluca Mamone
Cybertech
Rome
------------------------------