avillanueva
23-Emerald I
May 26, 2026
Question

Security patch CS466318, web app config and SSO

Just a note for all when applying the security patch for CS466318. We are using SSO and have made the indicated changes to our web app as directed for Shibboleth. I had not realized that this patch rebuilds the HTTPServer configuration, so some of my manual SSO changes were reverted.

In particular, addition of “JkMount /Windchill/sso/* ajpWorker” to conf.d/30-app-Windchill-AJP.conf was wiped. This is documented here: https://www.ptc.com/en/support/article/CS394860?source=search where you fail to get back to Windchill from the redirect session hook. 

The requested URL was not found on this server

The right solution (I feel) is to add this line to the main template file that builds the conf file. This is documented here: https://www.ptc.com/en/support/article/CS394860?source=search. A bit more complicated, but I think safer from a reconfig perspective.

Now, if anyone knows what templates need to be updated to change AuthType and ShibRequestSetting in the Auth conf file so that reconfig does that too, that would be helpful. I will post if I find it first.

1 reply

avillanueva
23-Emerald I
May 27, 2026

So, what I am looking at now is the Auth conf files. Normally, when we run regenWebApp, it takes the entries in the app-Windchill-AuthProvider.xml and configures 30-app-Windchill-Auth.conf to use LDAP and basic authentication. You get the resulting block like this:

<LocationMatch ^/+Windchill/+(;.*)?>
AuthName "Windchill"
AuthType Basic
AuthBasicProvider 1-Windchill-EnterpriseLdap 2-Windchill-AdministrativeLdap
Require valid-user
</LocationMatch>

But with SSO and Shibboleth, the block should be changed to look like this:

<LocationMatch ^/+Windchill/+(;.*)?>
AuthType shibboleth
ShibRequestSetting requireSession 1
require shib-session
</LocationMatch>

Easy enough to manually update the resulting file, and I keep backup copies if I ever needed to toggle back and forth, but the main question is: is there a switch, template or modifier to tell the regen scripts that I want it to use the shibboleth AuthType, not Basic? Or do I have to let it do its thing, then replace the resulting file with my SSO version that I formatted? Not hard to do, but I am trying to eliminate one extra step or thing to remember.
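
A post-reconfig check for the two changes described in this thread, as an added example that is not part of the original posts or of PTC's tooling: it reports whether the JkMount line and the Shibboleth directives survived a regen, and flags a block that has gone back to Basic. The function names and the conf.d path argument are assumptions; the directive text and file names are the ones quoted in the posts.

```python
import re
import sys
from pathlib import Path

# Values quoted from the posts above.
WINDCHILL_MATCH = "^/+Windchill/+(;.*)?"
SSO_JKMOUNT = "JkMount /Windchill/sso/* ajpWorker"
SSO_AUTH = ["AuthType shibboleth", "ShibRequestSetting requireSession 1", "Require shib-session"]

# Sample input: the block a regen produces, as posted (used for a self-check).
REGENERATED = """<LocationMatch ^/+Windchill/+(;.*)?>
AuthName "Windchill"
AuthType Basic
AuthBasicProvider 1-Windchill-EnterpriseLdap 2-Windchill-AdministrativeLdap
Require valid-user
</LocationMatch>
"""

def norm(line):
    """Collapse whitespace and lowercase the directive name (Apache ignores its case)."""
    parts = line.split()
    return " ".join([parts[0].lower()] + parts[1:]) if parts else ""

def directives(text):
    return [norm(l) for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]

def location_block(text, pattern):
    """Directives inside <LocationMatch pattern>, or None if that block is absent."""
    m = re.search(r"<LocationMatch\s+" + re.escape(pattern) + r"\s*>(.*?)</LocationMatch>", text, re.S | re.I)
    return directives(m.group(1)) if m else None

def check_ajp(text):
    return [] if norm(SSO_JKMOUNT) in directives(text) else ["missing: " + SSO_JKMOUNT]

def check_auth(text):
    block = location_block(text, WINDCHILL_MATCH)
    if block is None:
        return ["missing block: <LocationMatch %s>" % WINDCHILL_MATCH]
    problems = ["missing: " + d for d in SSO_AUTH if norm(d) not in block]
    if "authtype basic" in [d.lower() for d in block]:
        problems.append("reverted: AuthType Basic is back")
    return problems

if __name__ == "__main__":
    conf_d = Path(sys.argv[1] if len(sys.argv) > 1 else "conf.d")  # HTTPServer conf.d directory
    issues = check_ajp((conf_d / "30-app-Windchill-AJP.conf").read_text())
    issues += check_auth((conf_d / "30-app-Windchill-Auth.conf").read_text())
    print("\n".join(issues) or "SSO directives intact")
    sys.exit(1 if issues else 0)
```

Run it against the conf.d directory after any patch or regen; a non-zero exit status means at least one SSO change was overwritten.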