Saturday, August 04, 2007

Forbidden. You don't have permission to access /.. on this server.

Finding the root cause of this issue took me 1 day. Without talking much nonsense, let us have a look on the problem and resolution.

We have a new web application deployed into Websphere application server (WAS). Similar to the standard production environment, we have a IBM HTTP web server that routes all the request to application server. Problem arises when we try to access the application via web server and get the error page as mentioned. However, the application is accessible if we hit the app server IP directly.

Normally for any issue related to web server, there are only 2 config files that need to be looked into: httpd.conf and plugin-cfg.xml. From the httpd.conf, we can find the path of plugin-cfg.xml the web server referred. As for my case, this is the one i get
WebSpherePluginConfig /usr/IBM/HTTPServer/Plugins1/config/webserver1/plugin-cfg.xml.
Therefore we need to make sure we are modifying the correct plugin-cfg.xml in order for the changes to get reflected. A thorough check on the plugin-cfg.xml revealed the new application context path is missing. There is a portion in the file where we need to configure all application context path. For example, i have a web application with context "ABC", this would need to be included as below
UriGroup Name="default_host_server1_AppSvrNode01_Cluster_URIs"
Uri AffinityCookie="JSESSIONID" AffinityURLIdentifier="jsessionid" Name="/ABC/*"/

If your application is deployed into WAS, you can conveniently retrieve the plugin-cfg.xml from the WAS admin console, web server portion. Right after u click on the web server link, there will be a link forward you to the plugin configuration. Another click on the view button will show you the file content that supposed to be referred in web server. A simple step to replace the web server plugin-cfg.xml with the one from application server will solve the "Forbidden" issue. You can also add this new line
directly to the web server plugin-cfg.xml without referring to the WAS admin console provided you know the application context path.
Uri AffinityCookie="JSESSIONID" AffinityURLIdentifier="jsessionid" Name="/ABC/*"/

In the end, the whole issue is because of the missing 1 liner in the config file. Well, i think the time spent on troubleshooting is well worth it. At least i have learned more on the web and app server configuration. Special thank to my sifu, Jenny :).

No comments: