WebSphere Portal: Specify White and Black List for Web Application

If your SystemOut.log shows the following warning, you need to specify a whitelist and a blacklist for your custom web application:

[3/24/16 12:18:17:143 SGT] 0000027f AbstractReque W com.ibm.wps.resolver.resource.AbstractRequestDispatcherFactory matchesWebAppDefault(aResource) Servlet context [/WebApp] does not specify a blackwhite list when accessing resource [themes/html/dynamicSpots/custom/header.jsp], falling back to the default [[whitelist(null), blacklist(WEB-INF/.*)]]. Applications can define a custom list by adding the keys [com.ibm.portal.resource.whitelist] and [com.ibm.portal.resource.blacklist] to their web.xml deployment descriptor. For details see information for APAR PI47714 related to CVE-2014-8912 (Security bulletin: http://www.ibm.com/support/docview.wss?uid=swg21963226).

Add the following parameters to your web.xml and redeploy your application:

<web-app> 
...
<context-param>
 <description>A regular expression that defines which of the resources in the war file can be served by the portal res datasource.</description> 
 <param-name>com.ibm.portal.resource.whitelist</param-name> 
 <param-value>.*</param-value>
</context-param> 
<context-param>
 <description>A regular expression that defines which of the resources in the war file cannot be served by the portal res datasource.</description> 
 <param-name>com.ibm.portal.resource.blacklist</param-name> 
 <param-value>WEB-INF/.*</param-value>
</context-param>
... 
</web-app> 
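
To check what a given whitelist/blacklist pair would expose before redeploying, the following added example (not from the original post or from IBM) reads the two keys from a web.xml and evaluates WAR-relative paths against them. It assumes the portal matches each pattern against the whole path, that the blacklist takes precedence, and that a missing whitelist allows everything; the sample paths and the narrower whitelist `themes/html/.*` are constructed, and Python's regex dialect stands in for Java's.

```python
import re
import xml.etree.ElementTree as ET

WHITELIST_KEY = "com.ibm.portal.resource.whitelist"
BLACKLIST_KEY = "com.ibm.portal.resource.blacklist"

# Constructed web.xml carrying the two context-params from the snippet above.
SAMPLE_WEB_XML = """<web-app>
  <context-param><param-name>com.ibm.portal.resource.whitelist</param-name>
    <param-value>.*</param-value></context-param>
  <context-param><param-name>com.ibm.portal.resource.blacklist</param-name>
    <param-value>WEB-INF/.*</param-value></context-param>
</web-app>"""

# Constructed WAR-relative paths; only the first comes from the log line above.
SAMPLE_PATHS = [
    "themes/html/dynamicSpots/custom/header.jsp",
    "WEB-INF/web.xml",
    "META-INF/MANIFEST.MF",
    "config/db.properties",
]

def _local(tag):
    """Strip an XML namespace so namespaced descriptors parse the same way."""
    return tag.rsplit("}", 1)[-1]

def read_lists(web_xml_text):
    """Return (whitelist, blacklist) from web.xml text; None if a key is absent."""
    params = {}
    for elem in ET.fromstring(web_xml_text).iter():
        if _local(elem.tag) == "context-param":
            fields = {_local(c.tag): (c.text or "").strip() for c in elem}
            params[fields.get("param-name")] = fields.get("param-value")
    return params.get(WHITELIST_KEY), params.get(BLACKLIST_KEY)

def served_paths(paths, whitelist, blacklist):
    """Assumed semantics: full match, blacklist wins, no whitelist allows all."""
    served = []
    for path in paths:
        if blacklist and re.fullmatch(blacklist, path):
            continue
        if whitelist is None or re.fullmatch(whitelist, path):
            served.append(path)
    return served

if __name__ == "__main__":
    wl, bl = read_lists(SAMPLE_WEB_XML)
    print("page values:", served_paths(SAMPLE_PATHS, wl, bl))
    print("narrower whitelist:", served_paths(SAMPLE_PATHS, "themes/html/.*", bl))
```

Under these assumptions, the `.*` whitelist serves every sample path outside WEB-INF, while the narrower pattern serves only the theme JSP.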
