Bug in redirect

Similar Messages

• PEI event not working as expected after Hofix 1 for 5.0.2

  Dear all,
  we are running in some problems after installing the Hotfix to our Portalversion 5.0.2.
  After installing the Hotfix 1 for Plumtree Portal 5.02 we have a problem with a PEI event that worked without any problem before. The redirect does not work anymore, instead it redirects to the standard login view (the same you would see if you try to login with the wrong password, username or authentication source). Are there any hints on a solution for that problem?
  Many thanks in advance,
  This is an excerpt of the code:
  import com.plumtree.uiinfrastructure.activityspace.Redirect;
  public class LoginActions implements ILoginActions {
  public Redirect OnBeforeLogin(ApplicationData appData, String userName) {
       if (someCondition()) {
            Redirect r = new Redirect();
            r.SetLinkToExternalURL("http://www.foo.bar");
            r.SetIsHTTPRedirect(true);
            return r;
       } else {
            return null;
  // rest of code omitted for clarity

  Some of the Redirects returned by the methods in LoginActions are broken. These problems will be addressed in the next Service Pack. In the meantime, here is a summary of what works, what doesn't and how you can code around those bugs: OnAfterLogin: Redirecting the Guest user to an external URL doesn't work. Instead of using the Redirect object, set the URL in the header. Here is how you can do this:_appData.SetHeader("Location", "http://www.plumtree.com");_appData.SetStatus(302); All other redirects work. OnBeforeLogin: Redirecting from OnBeforeLogin doesn't work at all. Once again, instead of using the Redirect object, set the URL in the header:_appData.SetHeader("Location", "http://www.plumtree.com");_appData.SetStatus(302); Another option is to redirect from OnAfterLogin.

• Restrict Access behaviour still has redirect bug in CS4

  I have just upgraded to Dreamweaver CS4 and see that there is still a PHP error in the code for this behaviour, which if used out of the box will never redirect authorised users to the page they came from.
  The lines which read:
    if (isset($QUERY_STRING) && strlen($QUERY_STRING) > 0)
    $MM_referrer .= "?" . $QUERY_STRING;
  Should be:
    if (isset($_SERVER['QUERY_STRING']) && strlen($_SERVER['QUERY_STRING']) > 0)
    $MM_referrer .= "?" . $_SERVER['QUERY_STRING'];
  Does Adobe have any plans to correct this old bug?
  Ed

  I reported the bug to Adobe some time ago, and understand that it will be fixed in the next release.
  You can fix it easily yourself by editing lines 43 and 44 of RestrictAccess_main.edml:
    if (isset($QUERY_STRING) && strlen($QUERY_STRING) > 0)
    $MM_referrer .= "?" . $QUERY_STRING;
  In Windows, the file is located in C:\Program Files\Adobe\Adobe Dreamweaver CS4\configuration\ServerBehaviors\PHP_MySQL. It's in the same location in the Applications folder on a Mac.

• BUG AIR Webkit : referrer empty after a redirect

  Hi all,
  I've noticed a bug with AIR 1.5.1 : the document.referrer is empty just after a HTTP redirection (status code 302).
  As a consequence, the referer for the final page is "http://adobe.com/apollo".
  I don't known if it's due to the Webkit port done by the AIR team or else a bug in the Webkit trunk.
  How can I make it fixed?
  Regards,
  jp

  This bug is not related to Flex (I don't use Flex). It's reproduced with only the AIR SDK 1.5.1 (that containins webkit version 34190). It's a pure AIR html application. Where can I post this AIR/webkit bug?

• EA6500 NAT Redirection Bug???

  I have a pair EA4500s that I am swapping out for a pair of EA6500s.  One EA6500 is a router.  The 2nd EA6500 is set as a bridge and us being used as an Access Point about 200ft and two floors above the main EA6500 router.  The two units are connected via DECA (200MB Ethernet over DirecTV cable - an alternative for others with a cable provider is called MOCA).  So, basically two EA6500s serving as two Access Points on opposite sides of the house and all wireless networks on different channels but all sharing the same SSID.  Everything works GREAT except for one unusual issue.
  The issue is with wired or wireless clients.  If I try to use my PUBLIC address with port number to address a local client on the local network inside the NAT network the NAT redirection fails.  In other words if I use 172.16.16.8 for a local web cam while inside my network from an iPhone or PC all works great.  If I use the external public address, however, the connection times out.  If I pop out the EA6500 doing the routing/NAt and swap it with the old EA4500 with basically the same config as the EA6500 everything works again.  The EA6500 and the EA4500 are configured identical for the most part and with the EA4500 as the main router NAT redirection works great but with the EA6500 NAT redirection fails.  I have the firewall setting to FILTER NAT REDIRECTION unchecked so that's not the problem.
  Seems very odd.... and only seems to happen with the EA6500..... the work around is to use the local IP address when the client is on the inside and the public address when on the outside, but what a pain that is....
  I think this must be a bug.  Anyone else able to reproduce this issue...  I have not reset the router EA6500 to factory and reconfigured from scratch.  That is my last resort that I'm dragging my feet on.... but no idea if that will solve anything anyway...  just an idea I've not tried yet...
  Thoughts?

  Thanks for the comment but unfortunatly I think you may be are responding some other post that has some issue with SSID or WiFi???  Might check that you are responding to the correct post given I'm not aware there was any comment or issue about wireless or SSID or even a 2.4ghs or 5ghz issue here.  My issues are with wired clients but I cna alos reproduce the same issue over WiFi as well.
  Unfortunatly, SSID and wireless functionality have nothing to do with this thread or the issue.  This is a NAT REDIRECTION problem that happens on wired clients even if WiFi functionality (guest and regular) is disabled and the 2nd EA6500 is removed completly.  This is a routing or firewall issue I suspect.
  In regards to wireless (not a problem in this case), all works fine wiht the same SSID on 2.5Ghz and 5Ghz on two different WiFi devices.  Thanks for the feedback and info but SSID is irrelevant and I regret now even mentioning it in the original post given it has no bearing on this issue.  I was just trying to be complete in my description of the environment.

• I have a bug that is known as "testendonline". How can I remove this as it keeps hijacking webpages and redirecting them.

  any websites I go to that reference removing it are part of the bug. This is all I know

  Do a malware check with some malware scan programs. You need to scan with all programs because each program detects different malware. Make sure that you update each program to get the latest version of the database before doing a scan.
  * http://www.malwarebytes.org/mbam.php - Malwarebytes' Anti-Malware
  * http://www.superantispyware.com/ - SuperAntispyware
  * http://www.microsoft.com/windows/products/winfamily/defender/default.mspx - Windows Defender: Home Page
  * http://www.safer-networking.org/en/index.html - Spybot Search & Destroy
  * http://www.lavasoft.com/products/ad_aware_free.php - Ad-Aware Free
  See also "Spyware on Windows": http://kb.mozillazine.org/Popups_not_blocked and Searches are redirected to another site

• JSP bug? url.openStream() = server redirected too many times

  I tried something the other day that works in Java, so it should work as a JSP scriptlet, but I received an error message that others have posted elsewhere without a compete resolution. Specifically, given a URL, say u, one ought to be able to do u.openStream() and eventually read the remote page. Typically, one might want to try
  URL u = new URL("http://someserver.com/path/file.xxx")
  BufferedReader bfr = new BufferedReader(new InputStreamReader(u.openStream()))and then read bfr line-by-line. The problem that seems to be fairly common is that the openStream() call throws a ProtocolException claiming "server redirected too many times (20), ."
  What I've seen is that this exception occurs whenever the URL is outside the Tomcat server whence the call is being made; in our case, we're running "out-of-the-box" Jakarta Tomcat 4.1.29 on port 8080 of a w2k server. The code works perfectly in native Java and in JSP for a URL of the form "/anotherpage.jsp"
  Is this a bug in JSP, or in our version of Tomcat, or is there just some configuration parameter that needs to be changed from its default? As I said, I've seen similar posts (with less detailed analysis) in the Usenet newsgroups, but not one has generated a response that explains and resolves the matter.
  Perhaps a JSP guru out there could set the record straight? Thanks.
  P.S. I know that the use of scriptlets in JSP is being discouraged, but they are still supported AFAIK.

  Sure scriptlets are still supported. Most times though you can do things better with a custom tag. Why reinvent the wheel?
  Just as a suggestion, you might try the JSTL <c:import> tag.
  It basically does just this behind the scenes.
  However I don't think that will help you in the end - it will probably hit the same error message.
  My guess would be that the problem is not caused by java/JSP as such, but by a firewall, or configuration somewhere.
  The following works fine for me (ignoring broken images of course)
  <%@ page import="java.net.*, java.io.*" %>
  <%
  URL u = new URL("http://www.google.com");
  BufferedReader bfr = new BufferedReader(new InputStreamReader(u.openStream()));
  String line = null;
  while ((line = bfr.readLine()) != null){
    out.println(line);
  %>Hope this helps,
  evnafets

• Redirect Bug?

  The behaviour of the servlet below differs benteen App server Plarform edition and App server Standard edition 2005Q1:
  import javax.servlet.http.HttpServlet;^M
  import javax.servlet.http.HttpServletRequest;^M
  import javax.servlet.http.HttpServletResponse;^M
  import javax.servlet.ServletException;^M
  import java.io.IOException;^M
  ^M
  /**^M
  public class ServletA extends HttpServlet {^M
  protected void service(HttpServletRequest reqeuest, HttpServletResponse resp
  onse) throws ServletException, IOException {^M
  response.sendRedirect("ServletB");^M
  }^M
  }^M
  User connects to app server https port. On platform edition the response is correct (https://server/path/), on Standard Edition the redirect is wrong (https/server:80/path
  Could this be a config issue or is it a bug?

  Google redirect virus is challenging to get rid of due to its capability to hide deep inside the operating system as well as its potential to eliminate traces and footprints on how it got inside the computer. As of nowadays, not a single security application in the industry can guarantee 100% protection from this infection. This explains, why your pc got infected even having a safety software installed.
  Some computer users know that Google redirect virus is just not a virus, but in fact a rootkit. Rootkit infections unlike other virus, spyware or trojan infections are really difficult to get rid of. In most cases, google redirect virus rootkit is seen related to Trojans which makes it a lot more deadly. In accordance with a 2011 report, Google redirect virus have currently infected 45,00,000 computers worldwide, out of which 1/3rd is from US.
  Some symptoms that you are having this virus on your PC:
  * Browsers freeze
  * Pages not loading at all
  * Google/Bing/Yahoo searches redirected to malicious site/s
  * Some programs won’t respond
  * Internet connection brakes itself
  * Terrible adds popping on visited webpage/s
  If you have these symptoms on your Computer, I suggest using safe and respected software program as the 1 I've provided below. The Google redirect virus removal tool deals with malware infections that lead to Google redirect virus symptoms and are so difficult to detect and fix.
  ''moderator removed spam link'' <br />
  ''[https://support.mozilla.com/en-US/kb/Forum+and+chat+rules+and+guidelines Forum rules and guidelines]''

• Possible bug using go tag with redirection under SSL?

  I've been testing an application under SSL and have noticed that some links "pop-out of SSL". Upon further inspection I noticed the links were using <go> tags with redirect set to true.
  Does anyone know where <go> gets the URL it uses? I'm wondering if this might be a webcache configuration issue or appserver config issue.
  note: using AS 10g 9.0.4.1.1
  Thanks in advance!
  /SFL

  Hi all,
  Just thought I'd update on resolution. As suspected, an AS config issue was responsible for this glitch. Long story short WebCache can communicate in 2 ways w/ an origin server (HTTP or HTTPS). You can have WebCache use SSL w/ the client and still communicate with the origin server using HTTP (which was our case). PITFALL: the origin server is unaware of the use of SSL by the client (WebCache only "knows"). SINCE THE ORIGIN SERVER IS THE ONE EXECUTING THE <GO> TAG, when using redirect=true attribute with the tag, the URL generated by the rewrite routine is HTTP and not HTTPS as one might expect when accessing the app via SSL.
  Hope I can spare someone else the headache...
  Cheers!
  /SFL

• 7912 and CCM 4.2. Response redirect not working. 7912 Bug

  I'm using response.redirect. All of a sudden we do receive support cases from customers using CCM 4.1.3SR2 and 4.2.
  It turns out that when using response.redirect (ASP) it does work anymore. 7940,60 still works. You have to press a button twice to be redirected. Can someone please help me with this.

  Do you have the same phone load as your customer? I'd tend more towards a load problem. What I found when using redirects is that phone loads play a role. For instance I had a redirect to a directory that has a default document defined. So I sent a redirect to
  http://myserver/mydirectory
  It worked on the 7960/40 but not on the 7970 and IPC. If however I changed the url to
  http://myserver/mydirectory/
  then it worked.
  I don't have any 7912s so I don't know how they react, and I'm not using my 7905 for a lot of testing.

• Bug (minor): Cancel in create report wizard does not redirect correctly

  All,
  If I go to create from application home page:
  1. Create page
  2. Report, next
  3. Wizard Report, next
  4. Next
  5. Next
  6. Emp table, all cols
  Hitting "cancel" from this page forward will yield inconsistent results. You may end up at any of the following:
  1. Start of create page wizard
  2. Page definition screen for page 1
  3. Application home page (expected)
  Regards,
  Dan
  Blog: http://DanielMcGhan.us/
  Work: http://SkillBuilders.com/apex/

  Thank you for innovating the trick to go around this (bug?) !!!
  rgrds Paavo

• Safari redirect caching bug

  At some point recently, Safari's caching with respect to 302 redirects changed.
  I have the following setup:
  URL A is handled dynamically, and redirects the user to one of several possibilities.
  One of the possibilities is to redirect (302) to a static HTML page.
  If I start up a fresh Safari process then the first time I go to URL A, then it's handled correctly. Any subsequent attempts to go to URL A result in the browser immediately showing the cached static content, and never hitting A.
  This still works as expected (ie how it's been working for the last few years) on all other browsers, but it looks like this behaviour changed with the most recent Safari releases. It's true for Safari 7.0 on Mavericks and 6.1 (8537.71) on Mountain Lion.
  Obviously I can code round this, but the behaviour seems surprising.
  Neil

  I'm seeing this behavior on iOS 7 Safari, probably older versions as well though I've not confirmed yet.
  We have a web filter. When a web page is blocked, a 302 redirect is issued redirecting to a block page which tells the user that the site is blocked, why it is blocked, and lets them log in to bypass the block. Upon logging in, the user should not longer be redirected to a block page. Revisiting the blocked site, now unblocked, results in the 302 redirect again. The only solution is to clear safari cache and try again, but this is too complicated for the majority of users.

• I think there is a very annoying bug after the latest update of firefox, can I talk to someone, or chat with someone so I can get rid of it

  Since the latest auto update of my firefox browser I am experiencing strange issues. Every evening when I stop working, I close my browser (closing all the tabs that I am working on and in the morning, I restore the session) . For many years everything worked just fine ... untill after the last auto update of the firefox browser .. all of a sudden a got 302 errors ( a blank page with the description 302 and I believe "page moved here" or something to that extend ... i try to click the link and get nowhere.
  I first noticed it on a few wordpress pages (backend ) that I was working on and which were restored from the previous day ...
  thinking it was a server error, since we have several vps and dedicated servers .. i contacted the company who hosts our servers ..
  they looked into it and apparently .. there were no issues on the server side and neither on that particular computer ... but our server hosts told us .. that it is probably browser related and seemed to have something to with a bug with the cache of the browser
  we didn't know what to do .. it was very annoying .. but at that point it only happened once on a hew pages .. so we decided to see what happened the next time
  Next time we did not restore a session with wordpress pages .. but with the google search engine open and on a few other tabs logged into social media .... and as was saidn by our server hosts it was indeed not related to work that we did on pages on our servers ... since that time even the google search engine homepage ... showed us ... moved here
  Can you pease look into it and fix this .. we are doing the same thing as many years on the same computer also a few years .. so it is not anything we do wrong either .. it is most definitely browser related
  so can you please fix it asap .. since when we work on wordpress .. that is not the only thing that goes wrong .. we also have difficulty uploading updates ... when updating sometimes after the update of any particular change on a wordpress page is done ... we are also redirected to a blank page .. so the updated page does not want to load ... in that case we have use our back button ...
  which sends us back to the right page ... but with the old data on it ... then we have to refresh that page .. and only then we see the page updated ... so it seems that there is an issue in both direction with the caching of the browser after the last update
  Kind regards,
  Robert

  uninstalled firefox ....deleted all files still remaining under mozilla firefox directory in program files ... to avoid having to reprogram all my settings, reisntall all addons as well .. I did not remove anything from mozilla firefox that is stored in either appdata or under the windows users directory (if any)
  ... the as suggested reinstalled the latest version of the firefox browser using the link you provided in the email ..; tested and several issues still remain present and unresolved ....
  so please this is urgent or I will have to jump browsers and start using chrome .. because we work 14 hours a day 6 (sometimes 7) days a week, to get ready for the launch of our newest venture and we cannot lose that much days on browser related issues ... so please instead of putting me through week long step process .. of do this .. do that .. can you please actually look into the issue from your end .. I use firefox for so many, many years thta I deserve this kind of support .. thnx Robert

• Microsoft-Windows-Folder Redirection Error 502. CSC database locked by another user

  Dear all,
  We are finalizing our Windows 7 migration where we migrated 500+ clients. In our enterprise concept we implemented RUP (Roaming User Profiles) and Redirected Folders for all
  users. The Redirected Folders have been by enabled by a single GPO which redirects all folders from
  AppData to
  Searches \\servername.domain.name\documents$\%username%.
  Problem:
  The RUP and Redirected folders solution works fine until a new user wants to logon. This new user has been migrated to RUP and Redirected on another system and
  he just wants to work on another workplace or gets a temporary pc. What happens is that redirected folders do not work. The user gets a message that the folder is not reachable and desktop is empty.
  Troubleshooting:
  Soon I found out that something was being locked. If we used a user account which had working Redirect Folders than this
  worked for that user. An event of 10 was logged in OfflineFiles area of EventViewer to reconnect the path which was configured in the GPO.
  This is example screenshot. It says "Error on Open Folder. \\server.domain.name\documents$\%username%\Desktop refers to a location that is unavailable. It could be on a hard disk
  on this computer, or a on a network. Check to make sure that the disk is properly inserted, or that you are connected to the Internet or your network, and then try again. If it still cannot be located, the information might have been moved to a different location."
  These symptoms happen randomly and not on all workstations. The pain here is when it happens on a portable computer. For desktop we disabled the "Disable Offline Files' in "Manage
  Offline Files" control panel and then reboot. After the reboot the folders are directed
  and it works without these errors... On portable computer we can't use this work around as they need to work offline.
  If I connect to the share without the FQDN like \\servername\documents$\%username%\Desktop than this works fine and user can access all folders. When I try the FQDN path which is
  configured in the GPO to redirect user to like \\servername.domain.name\documents$\%username%\Desktop than it fails with this message. I personally think because the C:\Windows\CSC database is locked by the previous user who has been logged on this system.
  An example of the event generated in the Applications Event viewer part (I removed some username and server path):
  Log Name:      Application
  Source:        Microsoft-Windows-Folder Redirection
  Date:          1-2-2011 17:40:11
  Event ID:      502
  Task Category: None
  Level:         Error
  Keywords:     
  User:          domain\ivan
  Computer:      computer.domain.name
  Description:
  Failed to apply policy and redirect folder "Videos" to "\\servername.domain.name\documents$\ivan\Documents\My Videos".
   Redirection options=0x1001.
   The following error occurred: "Can not create folder "\\\servername.domain.name\documents$\ivan\Documents\My Videos"".
   Error details: "Access is denied.
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Microsoft-Windows-Folder Redirection" Guid="{7D7B0C39-93F6-4100-BD96-4DDA859652C5}" />
      <EventID>502</EventID>
      <Version>0</Version>
      <Level>2</Level>
      <Task>0</Task>
      <Opcode>0</Opcode>
      <Keywords>0x8000000000000000</Keywords>
      <TimeCreated SystemTime="2011-02-01T16:40:11.486983400Z" />
      <EventRecordID>2754</EventRecordID>
      <Correlation ActivityID="{3211E6FB-2801-456D-BE6E-66AAE150A4DC}" />
      <Execution ProcessID="968" ThreadID="5856" />
      <Channel>Application</Channel>
      <Computer>computer.domain.name</Computer>
      <Security UserID="S-1-5-21-3705223304-2632712944-1292073641-26755" />
    </System>
    <EventData Name="EVENT_FDEPLOY_FailedToApplyPolicy">
      <Data Name="FromFolder">Videos</Data>
      <Data Name="ToFolder">\\servername.domain.name\documents$\ivan\Documents\My Videos</Data>
      <Data Name="Options">0x1001</Data>
      <Data Name="Error">Can not create folder "\\servername.domain.name\documents$\ivan\Documents\My Videos"</Data>
      <Data Name="ErrorDetails">Access is denied.
  </Data>
    </EventData>
  </Event> 
  Something like this I see in the Application Eventviewer:
  Environment:
  Windows 7 Enterprise client with patches until 1-Nov-2010
  Windows Server 2008 R2 for the Documents$ share
  Windows Server 2003 R2 as the domain controller
  I have tried all different option even to rebuild the CSC database but this also was not helping. I hope we are not dealing with a bug.
  Any help is much appreciated.
  Best regards, Ivan Versluis http://www.networknet.nl

  Ivan and SteveDIG - Thanks for taking the time to post detailed information about what you have found.  I have found the same things over the past few months and have been working with Microsoft to resolve this.  Like Ivan, I have been told by
  MS that this is a design problem in Windows 7, but they did admit it is a bug and did not charge me for the case.  That was the good news.  The bad news was that the problem is so 'deep' in Windows 7 that it will not be fixed until Windows 8 and
  the CSC engineering team in Redmond has rejected several requests to fix this issue in Windows 7 from several customers.  I personally feel we should have hauled our TAM in over this, but that wasn't my call so we haven't attempted to get an attitude
  change from MS.
  <RANT> I find this completely outrageous.  Windows is supposed to be a multi-user operating system suitable for deployment to mobile workforces spread around the world and often using slow VPN links.  Offline folders, folder redirection,
  slow link detection, etc. are all great on paper and as I did the design work for the W7 solution I've just built I sold these advantages heavily.  I now have serious egg on my face and am not happy.  Like others here I missed this in testing as
  multiple users are a fringe for us, but still important, I unfortunately didn't think to specifically test for multiple users, though I tested the features thoroughly and was happy with the results when used on single user machines.</RANT>
  As identified above, this issue manifests when more than one user uses a machine and their Offline folders (all redirected folders are configured this way by default) are in an offline state when the first user logs off.  The second user cannot access
  this 'offline' share so folder redirection fails.  We get burnt as we have latency=0 configured for slow link detection with Offline folders so users always work offline.  This is partly because of WAN optimisers in the network that lie to Windows
  so the online/offline transition doesn't work on slow links (not MS's fault), and partly because it made sense for other reasons.
  The workaround Microsoft and I came up with for our environment was to use individual file shares for each user.  We had been using a common file share with each user folder under that file share.  Changing to an individual share for each users
  means the share is not locked by the previous user.
  Examples
  This would cause a problem if John then Emma logged on to the same machine. Folder redirection would fail for Emma:
  \\FileServer1\Users$\john
  \\FileServer1\Users$\emma
  So would this if DFS was used
  \\my.domain\users\john            (points to \\FileServer1\Users$\John)
  \\my.domain\users\emma          (points to \\FileServer1\Users$\Emma)
  This would fix the problem:
  \\FileServer1\John$
  \\FileServer1\Emma$
  Unfortunately we then figured we could move these shares behind DFS like so:
  \\my.domain\homes\john             (points to \\FileServer1\John$)
  \\my.domain\homes\emma          (points to \\FileServer1\emma$)
  This was wrong.  The problem returned.  I assume the share that is being locked is now the DFS root and not the user share.
  The operations team here is very reluctant to go with direct access to the file servers and not use DFS as that will create issues for them in the future when they need to make file server changes.  I sympathise with them but can't see an alternative
  at the moment as we are deploying W7 and can't stop.  If I'd picked this up earlier a third party product might have been the solution (MS actually suggested this when I opened my case).
  I hope the information about individual shares above is helpful to someone.  Otherwise I don't really have more to add but I needed the rant :-)
  <RANT>BTW.  Has anyone tested changing a user’s home directory path once it is cached?  Try it. Test a scenario where you move the user from one file server to another.  You will not enjoy the results.  I'll say no more
  than this as it is off topic, but it shows the lack of investment in the CSC feature in Windows.  Very disappointing</RANT>

• UWC/CE 6.3 and Access Manager 7.1 SSO sometimes fails (seems like a bug)

  PREAMBULA: I started writing this post thinking that our AM SSO setup was at fault in some step. As I was gathering data, checking the doc-links and config files and finally sniffed the servers for HTTP dialogs, I grew pretty sure there's a bug in UWC/CE, AM SDK or Web Server Policy Agent, whatever implements the AM SSO session checking.
  In short, as written below, our "sunmail" server can POST a broken cookie to AM server, if the cookie originally contained a "plus" character. The "plus" is replaced by a "space", invalidating the session check. As we know, "+" is often used in URLs to "escape" the space character. Perhaps some URL cleanup routine backfired here. I have double-checked, it is not the reverse proxy on "psam" breaking things. It is "sunmail" (UWC/CE or Policy Agent, don't know for certain) supplying the broken request. On the few occasions when the AM cookie contains no "plus" characters, the SSO works like a charm (also checked by a sniffer). Whenever there is a "plus", it breaks.
  Is there some known bug or workaround that matches this description?
  Nevertheless, for completeness' sake I kept the description of our setup. Maybe it's at fault after all :)
  We have an installation of JCS5 with the latest patches as of early July 2008. And as the subject implies, we have problems with AM SSO in UWC/CE web-interface. I have reported them before, then they seemed fixed (not occuring for several tests in a row), but as time has shown, something wrong is still there.
  So I'll try to go into deeper detail now, as we've may have overlooked some nuance... Then again, as my sniffer research below shows, this may be an engine bug and these setup details are irrelevant.
  Our setup is split into several Solaris 10 full-root zones hosted on several servers, some of the components are enroute to HA (perhaps we made some mistakes on this part of the way?)
  So, we have the following software stack:
  1) two MMR Directory Servers (DSEE 6.3 = DSEE 6.2 from JCS5 + 125278-07__DSEE_6.3__x86x64 + 125277-07__DSEE_6.3__x86_sol9 patches) working in zones on two different servers. Except for one time when a manually forced ZFS rollback corrupted one of the server instances, no problems here.
  2) two zones with Directory Proxy Servers (6.3, exact versions as above) running at port 389 provide the clients with an illusion that they have a stable Directory Server, even if one of the actual servers is currently rebooting ;)
  These DPS zones are hosted on two different servers as well and are primarily used by LDAP clients (JCS components) running in other zones on the same respective servers.
  3) A zone with Sun Web Server 7.0U1 and Access Manager 7.1 (+ 126357-01__AM71_x86 patch) and Delegated Admin 6.4-4.01 (from JCS5 + 121582-18__COMMCLI64__x86 patch).
  At the moment there is one such zone (named "cos-psam-01.domain.ru" in the logs below), but we expect(-ed) it to become two similar zones as per AM HA setup.
  Zones listed in (1-3) use private IP numbers, they belong in our internal DMZ.
  Zones listed in (4-5) below use public (routed) IP numbers, they belong in our external DMZ.
  4) A zone with Sun Web Server 7.0U1 used primarily as a reverse-proxy server (optionally with a load-balancer libpassthrough.so plugin) successfully used for other hosted projects. One of its configurations now passes connections from an externally routed IP address published as "psam.domain.ru" to "cos-psam-01.domain.ru", per AM HA setup, so HTTP clients believe they work with an Access Manager instance. This zone has a backend interface with a private IP address to communicate with the actual AM instance.
  In AM configuration (both LDAP and file-based) we have configured a site ID with the publicly known name and mentioned both names (psam and cos-psam-01) in organization's realm/dns aliases.
  5) A zone with the rest of the Sun Java Communications Suite 5, as in Messaging Server 6.3 (6.3-6.03 64-bit: ci-5.0-1.03_solx86_x64__Messaging_Server_6.3-2 + patch 126480-09__MSG63__x86-64), UWC/CE 6.3 (from JCS5 + 122794-17__UWC63-4.01_core__x86), Instant Messaging 7.2 (from JCS5 + 118790-29__IM72__x86-1 + 118787-28__IM72__x86-2), Calendar Server 6.3 (from JCS5 + 121658-28__iCS63__x86). The web-components (UWC/CE, IM, /httpbind) are deployed in a Sun Web Server 7.0U1 as well.
  This zone is named "sunmail.domain.ru" and has a routed IP address for direct external access to its servicess.
  The AM SDK part is also patched (126357-01__AM71_x86); it points to the load-balancer name ("psam.domain.ru") as an actual AM server.
  # imsimta version
  Sun Java(tm) System Messaging Server 6.3-6.03 (built Mar 14 2008; 64bit)
  libimta.so 6.3-6.03 (built 17:15:08, Mar 14 2008; 64bit)
  SunOS sunmail 5.10 Generic_127112-07 i86pc i386 i86pc
  While setting up this server set we tried to use AM SSO as the user login method, but it works unreliably.
  "Unreliably" means that while most of the time entering a correct uid and password in Access Manager login page ("http://psam.domain.ru/amserver/UI/Login") does redirect a user back to "http://sunmail.domain.ru/uwc/auth" along with a new cookie, and the user is redirected again to his or her mailbox, sometimes the user receives the UWC/CE login page. Entering the same uid and password here does log him in, but it breaks the whole point of SSO and only increases the end-user routine required to log in :\
  We have also seen the "missing mail tab" problem - if the users point the browser to any hostname different from "sunmail.domain.ru" (i.e. www.mail.domain.ru which is equivalent in DNS), they have only the Address book, Calendar and Options tabs; no webmail. So far this is resolved by Policy Agent forcing The One name of the server.
  Here's the configuration we did specifically for AM SSO:
  1) in AMConfig.properties of "sunmail" and "cos-psam-01" we set up
  com.iplanet.am.cookie.encode=false
  am.encryption.pwd=<the same value>
  all hostname-related parameters point to "psam.domain.ru"
  2) in AMConfig.properties of "cos-psam-01" a number of FQDN equivalence entries are added (so it does not redirect to a server hostname unknown to visitors):
  com.sun.identity.server.fqdnMap[publicname-or-ip]=psam.domain.ru
  com.sun.identity.server.fqdnMap[cos-psam-01.domain.ru]=cos-psam-01.domain.ru
  3) in "msg.conf" on "sunmail" (entries added via configutil):
  local.webmail.sso.amcookiename = iPlanetDirectoryPro
  local.webmail.sso.amnamingurl = http://psam.domain.ru:80/amserver/namingservice
  local.webmail.sso.singlesignoff = yes
  local.webmail.sso.uwcenabled = 1
  service.http.ipsecurity = no
  (perhaps some more options are required? Looking for confirmation about: local.webmail.sso.uwclogouturl local.webmail.sso.uwccontexturi local.webmail.sso.uwchome service.http.allowadminproxy )
  4) Configured Web Policy Agent for Sun Web Server, so that users without an AM session are required to get one. Set up per [http://msg.wikidoc.info/index.php/AM_redirection_using_Policy_Agent], except that com.sun.am.policy.agents.config.notenforced_list points to the many names our server can go known by.
  5) Updated the logout URL in /opt/SUNWuwc/webmail/main.js:
  --- main.js.orig        Sat Jan 26 07:52:09 2008
  +++ main.js     Mon Jul 21 01:06:29 2008
  @@ -667,7 +667,8 @@
  function cleanup() {
     if(laurel)
  -      top.window.location =  getUWCHost() + "/base/UWCMain?op=logout"
  +//      top.window.location =  getUWCHost() + "/base/UWCMain?op=logout"
  +      top.window.location =  "http://sunmail.domain.ru:80/base/UWCMain?op=logout"
     else
         exec('logout', '', 'exit()')
  @@ -1707,7 +1708,8 @@
     if(lg) {
           url = document.location.href
           url = url.substr(0,url.indexOf('webmail'))
  -        uwcurl = url + 'base/UWCMain?op=logout'        
  +//      uwcurl = url + 'base/UWCMain?op=logout'        
  +        uwcurl = "http://sunmail.domain.ru:80/base/UWCMain?op=logout"
     exit()
  }6) Calendar SSO - per docs...
  According to ngrep sniffing,
  1) the browser goes to "http://sunmail.domain.ru/uwc/auth" without any cookies
  2) receives a redirect and goes to "http://psam.domain.ru/amserver/UI/Login?gotoOnFail=http://sunmail.domain.ru:80/uwc&goto=http%3A%2F%2Fsunmail.domain.ru%3A80%2Fuwc%2Fauth"; sends no cookies either.
  3) The first response from the "psam" server (as redirected from "cos-psam-01") sets a few cookies while rendering the login page:
  Set-cookie: JSESSIONID=7EF8F2810D2071CA03CFEAE9972735B2; Path=/
  Set-cookie: AMAuthCookie=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#; Domain=.domain.ru; Path=/
  Set-cookie: amlbcookie=02; Domain=.domain.ru; Path=/
  4) The browser requests the login page resources (javascripts, images, etc) using these cookies, as in this header line:
  Cookie: JSESSIONID=7EF8F2810D2071CA03CFEAE9972735B2; AMAuthCookie=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#; amlbcookie=02
  5) The browser POSTs the login request to "/amserver/UI/Login" and receives a redirection to http://sunmail.domain.ru:80/uwc/auth
  Set-cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#; Domain=.domain.ru; Path=/
  Set-cookie: AMAuthCookie=LOGOUT; Domain=.domain.ru; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
  6) The browser requests "http://sunmail.domain.ru/uwc/auth" using the newly set cookie (looks like the old one to me though):
  Cookie: amlbcookie=02; iPlanetDirectoryPro=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#
  7) The "sunmail" web-server checks the AM session validity with the same "psam.domain.ru". It sends a series of POSTs to /amserver/namingservice:
  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <RequestSet vers="1.0" svcid="com.iplanet.am.naming" reqid="685">
  <Request><![CDATA[
  <NamingRequest vers="1.0" reqid="324" sessid="AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#">
  <GetNamingProfile>
  </GetNamingProfile>
  </NamingRequest>]]>
  </Request>
  </RequestSet>(receives a large XML list of different Access Manager configuration parameters and URLs)
  ...then a double-request to /amserver/sessionservice:
  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <RequestSet vers="1.0" svcid="Session" reqid="686">
  <Request><![CDATA[
  <SessionRequest vers="1.0" reqid="678">
  <GetSession reset="true">
  <SessionID>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#</SessionID>
  </GetSession>
  </SessionRequest>]]>
  </Request>
  <Request><![CDATA[
  <SessionRequest vers="1.0" reqid="679">
  <AddSessionListener>
  <URL>http://sunmail.domain.ru:80/UpdateAgentCacheServlet?shortcircuit=false</URL>
  <SessionID>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#</SessionID>
  </AddSessionListener>
  </SessionRequest>]]>
  </Request>
  </RequestSet>As a result it receives an XML with a lot of user-specific information (the username, LDAP DN, preferred locale, auth module used, etc.)
  !!!*** Now, the problem part ***!!!
  8) And then "sunmail" POSTs a broken cookie to "psam" (note the space in mid-text, where the "plus" sign was previously). As we know, "+" is often used in URLs to "escape" the space character. Perhaps some URL cleanup routine backfired here.
  I have double-checked, it is not the reverse proxy on "psam" breaking things. It is "sunmail" (UWC/CE or Policy Agent, don't know for certain) supplying the broken request. I looked over the large XML responses to the two previous requests, whenever they mention the session cookie value, the "plus" is there.
  For the most detail I can provide, I'll even paste the whole HTTP packet:
  POST /amserver/sessionservice HTTP/1.1
  Proxy-agent: Sun-Java-System-Web-Server/7.0
  Cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=#;amlbcookie=null
  Content-type: text/xml;charset=UTF-8
  Content-length: 336
  Cache-control: no-cache
  Pragma: no-cache
  User-agent: Java/1.5.0_09
  Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
  Host: cos-psam-01.domain.ru
  Client-ip: 194.xxx.xxx.xxx
  Via: 1.1 https-weblb.domain.ru
  Connection: keep-alive
  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <RequestSet vers="1.0" svcid="session" reqid="258">
  <Request><![CDATA[<SessionRequest vers="1.0" reqid="254">
  <GetSession reset="true">
  <SessionID>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=#</SessionID>
  </GetSession>
  </SessionRequest>]]></Request>
  </RequestSet> The server's error response is apparent:
  HTTP/1.1 200 OK
  Server: Sun-Java-System-Web-Server/7.0
  Date: Thu, 31 Jul 2008 05:49:50 GMT
  Content-type: text/html
  Transfer-encoding: chunked
  19b
  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <ResponseSet vers="1.0" svcid="session" reqid="258">
  <Response><![CDATA[<SessionResponse vers="1.0" reqid="254">
  <GetSession>
  <Exception>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=# Invalid session ID
  AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=#</Exception>
  </GetSession>
  </SessionResponse>]]></Response>
  </ResponseSet>On the few occasions when the AM cookie contains no "plus" characters, the SSO works like a charm (also checked by a sniffer). Whenever there is a "plus", it breaks.
  For reference, here's a working final request-response (one with a good cookie, as received by the load-balancer web-server). Request looks a bit different:
  POST /amserver/sessionservice HTTP/1.1
  Cookie: iPlanetDirectoryPro=AQIC5wM2LY4Sfcy/5sEzVmuq9z1ggdHOkBDgVFAwfhqvn4U=@AAJTSQACMDI=#;amlbcookie=null
  Content-Type: text/xml;charset=UTF-8
  Content-Length: 379
  Cache-Control: no-cache
  Pragma: no-cache
  User-Agent: Java/1.5.0_09
  Host: psam.domain.ru
  Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
  Connection: keep-alive
  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <RequestSet vers="1.0" svcid="session" reqid="281">
  <Request><![CDATA[<SessionRequest vers="1.0" reqid="277">
  <SetProperty>
  <SessionID>AQIC5wM2LY4Sfcy/5sEzVmuq9z1ggdHOkBDgVFAwfhqvn4U=@AAJTSQACMDI=#</SessionID>
  <Property name="uwcstatus" value="active"></Property>
  </SetProperty>
  </SessionRequest>]]></Request>
  </RequestSet> ...and the response is OK:
  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <ResponseSet vers="1.0" svcid="session" reqid="281">
  <Response><![CDATA[<SessionResponse vers="1.0" reqid="277">
  <SetProperty>
  <OK></OK>
  </SetProperty>
  </SessionResponse>]]></Response>
  </ResponseSet>

  There have been a few reports of the same behaviour with other customers - specifically with the handling of the encoding of "+" characters to " ". It relates to how cookie encoding/decoding is performed (as you have already observed).
  The solution for these customers was the following:
  => AM server/client side:
  Ensure that com.iplanet.am.cookie.encode=false in AMConfig.properties and AMAgent.properties on all systems.
  => AM client (UWC) side:
  - Set <property name="encodeCookies" value="false"/> in /var/opt/SUNWuwc/WEB-INF/sun-web.xml. This will prevent UWC from trying to urldecode the cookie it receives and therefore stops it turning the + into a space e.g.
  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE sun-web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Sun ONE Application Server 7.0 Servlet 2.3//EN' 'file:///net/wajra.india.sun.com/export/share/dtd/sun-web-app_2_3-1.dtd'>
  <sun-web-app>
     <property name="encodeCookies" value="false"/>
     <session-config>
        <session-manager/>
     </session-config>
     <jsp-config/>
  <property name="allowLinking" value="true" />
  </sun-web-app>Regards,
  Shane.