
Access Gateway Authorization Policy evaluation fails when ampersand & (unescaped) included in URL passed in

This document (7011673) is provided subject to the disclaimer at the end of this document.

Environment

NetIQ Access Manager 3.2
NetIQ Access Manager 3.2 Access gateway Appliance and Service

Situation

Access Gateway Appliance configured to accelerate the Kronos application. The protected resource assigned to the Kronos application has an authorization policy enabled. This Authorization policy simply checks whether the URL being processed is https://deviwekronos.novell.com/wfc/applications/wtk/html/ess/logoff.jsp and, if so, redirects the user to a logout page.

When the user hits this protected resource with any URL that includes an ampersand '&' character, the "Access forbidden! - Policy Evaluation Failed." message is displayed in the browser.

Looking at the catalina log file on the Access Gateway server, the following exception is displayed:

 <amLogEntry> 2012-07-18T18:16:14Z VERBOSE NIDS Application: AM#501101020: AMDEVICEID#esp-03811F2A412FD0A0: NXPESID#23107:  <?xml version="1.0" encoding="UTF-8"?><Evaluate PolicyId="2107N44P-M24N-M22L-7L60-415526P36MN2" Verbose="on"><ContextDataElement Enum="2506" Value="https://deviwekronos.novell.com/wfc/applications/suitenav/html/session-applet-loader.jsp"/></Evaluate></amLogEntry>
<amLogEntry> 2012-07-18T18:16:14Z DEBUG NIDS Application: Method: BaseHandler.handleSOAPMessage Thread: ajp-bio-/127.0.0.1-9009-exec-25 Attempting to handle SOAP MEssage! Exception message: "The reference to entity "JRE" must end with the ';' delimiter."    
y, Line: 583, Method: getSOAPDocument    
y, Line: 56, Method: handleSOAPMessage    
y, Line: 512, Method: handleRequest    
y, Line: 2573, Method: myDoGet   
y, Line: 1004, Method: doGet    
y, Line: 1710, Method: doPost    
HttpServlet.java, Line: 641, Method: service   
HttpServlet.java, Line: 722, Method: service

To get more information about the XML request itself, a LAN trace was taken on TCP port 9009 with tcpdump; the decoded output shows the following:

4......INCLUDED.../nesp/app/soap...172.23.140.119.....deviweinwww.novell.com..........392.....text/xml.....deviweinwww.novell.com....
Keep-Alive...
AES128-SHA...@1E57FE4D39028FCF862F5C54073AE58685A826D4C06826DB90A046EEDFD17F21.... ..AJP_REMOTE_PORT...6933...4....<?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><NXPES Id="23108"><Evaluate Verbose="on" PolicyId="2107N44P-M24N-M22L-7L60-415526P36MN2"><ContextDataElement Value="https://deviwekronos.novell.com/wfc/summarylaunch/quick?viewId=3&JRE=1" Enum="2506"/></Evaluate></NXPES></SOAP-ENV:Body></SOAP-ENV:Envelope>
AB.......OK......JJSESSIONID=5487B4D8981A3D5AD6DE178716027D4B; Path=/nesp/; Secure; HttpOnly...Pragma...No-cache.. Cache-Control...no-cache.....text/xml.....280.AB.....<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>Client</faultcode><faultstring>The reference to entity "JRE" must end with the ';' delimiter.</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>.AB....

We pass in the value "https://deviwekronos.novell.com/wfc/summarylaunch/quick?viewId=3&JRE=1", but the Policy evaluator fails with the message "The reference to entity "JRE" must end with the ';' delimiter." The URL is placed into the Value attribute of the XML request without being escaped, so the XML parser reads "&JRE" as the start of an entity reference.

If we generate the request without the &, all works fine.
If we generate the request with the ampersand escaped, it also works fine, e.g. https://nam32app-vm.lab.novell.com/formfill/phpinfo.php?viewId=3%26JRE=1
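As an added illustration (not code from this TID or from the product), the following Python reproduces the failure mode described above and its remedy: the request URL is written into the Value attribute of the Evaluate request as a raw string, so an unescaped & starts an entity reference and the document is no longer well-formed; XML-escaping the attribute value is what makes the request parse. The element and attribute names and the policy id are taken from the log excerpt above; the builder and parser functions are hypothetical stand-ins for the product's own code.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

# Policy id as it appears in the log excerpt above; used here only as a sample value.
POLICY_ID = "2107N44P-M24N-M22L-7L60-415526P36MN2"


def build_evaluate_naive(url: str) -> str:
    """Embed the URL in the <Evaluate> request by plain string concatenation.

    No XML escaping is applied, so a '&' in the URL is handed to the parser as
    the start of an entity reference. This mirrors the failure in the TID.
    """
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Evaluate PolicyId="{POLICY_ID}" Verbose="on">'
        f'<ContextDataElement Enum="2506" Value="{url}"/>'
        "</Evaluate>"
    )


def build_evaluate_escaped(url: str) -> str:
    """Same request, but the attribute value is XML-escaped.

    quoteattr() returns the value already wrapped in quotes, with '&', '<' and
    quote characters replaced by their entity forms (e.g. '&' -> '&amp;').
    """
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Evaluate PolicyId="{POLICY_ID}" Verbose="on">'
        f"<ContextDataElement Enum=\"2506\" Value={quoteattr(url)}/>"
        "</Evaluate>"
    )


def evaluate_url_from_request(xml_text: str):
    """Parse the request the way a strict XML policy evaluator would.

    Returns the URL the evaluator sees, or None when the document is not
    well-formed (the "Policy Evaluation Failed" case in the TID).
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    elem = root.find("ContextDataElement")
    return elem.get("Value") if elem is not None else None
```

The percent-encoded form from the TID (%26 instead of &) contains no raw ampersand, which is why it parses even with the naive builder.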

Resolution

Fixed with 3.2 Support Pack 1.

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 7011673
  • Creation Date: 22-JAN-13
  • Modified Date: 29-APR-13
    • NetIQ Access Manager (NAM)
