CR# 6770231: Access Manager 7 Patch 12 validates goto URLs (Sun Java System Access Manager 7 2005Q4 Release Notes)

Sun Java System Access Manager 7 2005Q4 Release Notes

Previous: CR# 6916733: updateschema script checks for LDAP JDK version 4.21 or later
Next: CR# 6926203 Distributed Authentication UI server deployment validates goto URLs

CR# 6770231: Access Manager 7 Patch 12 validates `goto` URLs

After installing patch 12, Access Manager 7 2005Q4 server can validate a goto URL after a user logs in. This fix prevents a hacker from sending the user to an imposter site in order to steal the user's personal information.

To set valid goto URLs, follow these steps:

After you install patch 12, make sure you run the updateschmema.sh or updateschema.bat script and then restart the Access Manager web container.
Log in to the Access Manager Administration Console.
Click Configuration, Authentication, and then Core.
Under Valid goto URL domains, add each valid goto domain name, as follows:
- A domain name starting with a dot (.) such as .example.com allows all hosts in the example.com domain to be used in a success redirect URL.
- A domain name that does not start with a dot (.) such as example.com allows the host example.com to be used in a success redirect URL. For example, http://example.com would be valid, but http://host.example.com would not be valid.
- If you don't add the entire domain to the list, you must add each individual agent host name being used.
- You do not need to add domains for agents in CDSSO mode, because they are protected automatically.
Click Save.
Restart the Access Manager web container.

If you subsequently want to disable the goto URL validation, remove all entries from the Valid goto URL domains list. If a goto URL is found to be invalid, the user will be redirected to the default success login URL.