31023 - HTTP 403 error when adding a link to a SAS Stored Process in a SAS® BI Dashboard Indicator

Problem Note 31023: HTTP 403 error when adding a link to a SAS Stored Process in a SAS® BI Dashboard Indicator

The following error may occur when either clicking on a SAS BI Dashboard indicator which contains a link to a SAS Stored Process or when using a graph indicator with a stored process url:

HTTP Status 403
Access to the specified resource () has been forbidden

Additionally, this error might be found in the application server log:

** UrlReplayBlockerFilter: SECURITY ACCESS VIOLATION **
The requested URL (/SASStoredProcess/do
can only be directly accessed from another SAS application, typically the SAS Information Delivery Portal.

This error is a result of a fix to the problem documented in SAS Note 20591 which is included in Hot Fix 913WEBINFRAKIT.

To avoid this error, you will need to uncomment a parameter in the web.xml file for the SASStoredProcess web application. This can be done by editing the following file:

\Web\Portal2.0.1\SASStoredProcess\WEB-INF\web.xml.orig

Once you have modified this file, re-run the SAS Information Delivery Portal configuration and deployment process.

Please note: By following these steps, the security fix documented in SAS Note 20591 will be disabled.

The lessSecure parameter needs to be uncommented. The file should have a section like this:



<filter>
    <filter-name>UrlReplayBlocker</filter-name>
    <filter-class>com.sas.webapp.servlet.filters.UrlReplayBlockerFilter</filter-class>
    <!-- uncomment to allow bip session id pass through filter if there
     is no SessionContext map id parameter 'saspfs_sessionrequest'
    <init-param>
        <param-name>less-secure</param-name>
        <param-value>true</param-value>
    </init-param>
    -->
 </filter>

To uncomment the lessSecure param, remove the html comments around it, so that it looks like the following:


<filter>
    <filter-name>UrlReplayBlocker</filter-name>
    <filter-class>com.sas.webapp.servlet.filters.UrlReplayBlockerFilter</filter-class>
    <init-param>
       <param-name>less-secure</param-name>
       <param-value>true</param-value>
    </init-param>
</filter>

Operating System and Release Information

Product Family	Product	System	Product Release		SAS Release
Product Family	Product	System	Reported	Fixed*	Reported	Fixed*
SAS System	SAS BI Dashboard	Microsoft Windows 2000 Datacenter Server	3.1	4.2	9.1 TS1M3 SP4	9.2 TS2M0
		Microsoft Windows 2000 Server	3.1	4.2	9.1 TS1M3 SP4	9.2 TS2M0
		Microsoft Windows 2000 Professional	3.1	4.2	9.1 TS1M3 SP4	9.2 TS2M0
		Microsoft Windows NT Workstation	3.1		9.1 TS1M3 SP4
		Microsoft Windows Server 2003 Datacenter Edition	3.1	4.2	9.1 TS1M3 SP4	9.2 TS2M0
		Microsoft Windows Server 2003 Standard Edition	3.1	4.2	9.1 TS1M3 SP4	9.2 TS2M0
		Microsoft Windows 2000 Advanced Server	3.1	4.2	9.1 TS1M3 SP4	9.2 TS2M0
		Microsoft Windows Server 2003 Enterprise Edition	3.1	4.2	9.1 TS1M3 SP4	9.2 TS2M0
		Microsoft® Windows® for x64	3.1	4.2	9.1 TS1M3 SP4	9.2 TS2M0
		Microsoft Windows XP Professional	3.1	4.2	9.1 TS1M3 SP4	9.2 TS2M0
		Windows Vista	3.1	4.2	9.1 TS1M3 SP4	9.2 TS2M0
		64-bit Enabled AIX	3.1	4.2	9.1 TS1M3 SP4	9.2 TS2M0
		64-bit Enabled Solaris	3.1	4.2	9.1 TS1M3 SP4	9.2 TS2M0
		HP-UX IPF	3.1	4.2	9.1 TS1M3 SP4	9.2 TS2M0

* For software releases that are not yet generally available, the Fixed Release is the software release in which the problem is planned to be fixed.

Type:	Problem Note
Priority:	medium

Date Modified:	2008-04-03 10:12:32
Date Created:	2008-01-25 10:16:55

Support

Problem Note 31023: HTTP 403 error when adding a link to a SAS Stored Process in a SAS® BI Dashboard Indicator

Operating System and Release Information