Access Gateway Authorization Policy evaluation fails when ampersand & (unescaped) included in URL passed in

  • Document ID: 7011673
  • Creation Date: 22-Jan-2013
  • Modified Date: 29-Apr-2013

Environment

NetIQ Access Manager 3.2
NetIQ Access Manager 3.2 Access gateway Appliance and Service

Situation

Access Gateway Appliance configured to accelerate a Kronos application. The protected resource assigned to the Kronos application has an authorization policy enabled. This authorization policy simply checks whether the URL being processed is https://deviwekronos.novell.com/wfc/applications/wtk/html/ess/logoff.jsp and, if it is, redirects the user to a logout page.

When the user hits this protected resource with any URL that includes an ampersand '&' character, the "Access forbidden! - Policy Evaluation Failed." message is displayed in the browser.

Looking at the catalina log file on the Access Gateway server, the following exception is displayed:

 <amLogEntry> 2012-07-18T18:16:14Z VERBOSE NIDS Application: AM#501101020: AMDEVICEID#esp-03811F2A412FD0A0: NXPESID#23107:  <?xml version="1.0" encoding="UTF-8"?><Evaluate PolicyId="2107N44P-M24N-M22L-7L60-415526P36MN2" Verbose="on"><ContextDataElement Enum="2506" Value="https://deviwekronos.novell.com/wfc/applications/suitenav/html/session-applet-loader.jsp"/></Evaluate></amLogEntry>
<amLogEntry> 2012-07-18T18:16:14Z DEBUG NIDS Application: Method: BaseHandler.handleSOAPMessage Thread: ajp-bio-/127.0.0.1-9009-exec-25 Attempting to handle SOAP MEssage! Exception message: "The reference to entity "JRE" must end with the ';' delimiter."    
y, Line: 583, Method: getSOAPDocument    
y, Line: 56, Method: handleSOAPMessage    
y, Line: 512, Method: handleRequest    
y, Line: 2573, Method: myDoGet   
y, Line: 1004, Method: doGet    
y, Line: 1710, Method: doPost    
HttpServlet.java, Line: 641, Method: service   
HttpServlet.java, Line: 722, Method: service

To get more information about the XML request itself, a LAN trace was taken with tcpdump on TCP port 9009 (the AJP port used by the embedded service provider, as the thread name ajp-bio-/127.0.0.1-9009 in the log shows). The decoded output is shown below:

4......INCLUDED.../nesp/app/soap...172.23.140.119.....deviweinwww.novell.com..........392.....text/xml.....deviweinwww.novell.com....
Keep-Alive...
AES128-SHA...@1E57FE4D39028FCF862F5C54073AE58685A826D4C06826DB90A046EEDFD17F21.... ..AJP_REMOTE_PORT...6933...4....<?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><NXPES Id="23108"><Evaluate Verbose="on" PolicyId="2107N44P-M24N-M22L-7L60-415526P36MN2"><ContextDataElement Value="https://deviwekronos.novell.com/wfc/summarylaunch/quick?viewId=3&JRE=1" Enum="2506"/></Evaluate></NXPES></SOAP-ENV:Body></SOAP-ENV:Envelope>
AB.......OK......JJSESSIONID=5487B4D8981A3D5AD6DE178716027D4B; Path=/nesp/; Secure; HttpOnly...Pragma...No-cache.. Cache-Control...no-cache.....text/xml.....280.AB.....<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>Client</faultcode><faultstring>The reference to entity "JRE" must end with the ';' delimiter.</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>.AB....

We pass in the value "https://deviwekronos.novell.com/wfc/summarylaunch/quick?viewId=3&JRE=1", but the policy evaluator fails with the message "The reference to entity "JRE" must end with the ';' delimiter." The URL is placed into the ContextDataElement Value attribute of the SOAP request without XML escaping, so the XML parser reads "&JRE" as the start of an entity reference rather than as a query-string separator and rejects the whole request with a SOAP fault. Because the policy cannot be evaluated, the Access Gateway denies the request, which is what the "Policy Evaluation Failed" message reports.

If we generate a request without the '&', all works fine.
If we generate the request with the ampersand URL-encoded as %26, it also works fine, e.g. https://nam32app-vm.lab.novell.com/formfill/phpinfo.php?viewId=3%26JRE=1 (the encoded form contains no literal '&', so the XML sent to the policy evaluator stays well-formed).
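The following Python script is an added example, not NetIQ code, that reproduces the failure mode described above in miniature: it builds the NXPES Evaluate SOAP request seen in the trace two ways, once by pasting the URL into the Value attribute verbatim (as the pre-SP1 gateway evidently does) and once with proper XML attribute escaping, and then runs a stand-in parser over each. The builder functions, the evaluate() stand-in and the %26 workaround helper are assumptions for illustration; the message layout, PolicyId, request Id and Enum are copied from the trace. It goes beyond the ampersand case by also checking a URL containing '<', which breaks well-formedness the same way.

```python
"""Reproduce the unescaped-URL SOAP fault and show the escaped and %26 forms.

Added example; the builder/evaluator names are hypothetical, not NAM APIs.
"""
import xml.etree.ElementTree as ET
from urllib.parse import quote
from xml.sax.saxutils import quoteattr

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
POLICY_ID = "2107N44P-M24N-M22L-7L60-415526P36MN2"   # from the trace
KRONOS_URL = "https://deviwekronos.novell.com/wfc/summarylaunch/quick?viewId=3&JRE=1"

# Shape of the Evaluate request captured on port 9009; {value} is the
# already-quoted attribute value (quotes included).
TEMPLATE = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<SOAP-ENV:Envelope xmlns:SOAP-ENV="{ns}"><SOAP-ENV:Body>'
    '<NXPES Id="{req_id}"><Evaluate Verbose="on" PolicyId="{policy_id}">'
    '<ContextDataElement Value={value} Enum="2506"/>'
    '</Evaluate></NXPES></SOAP-ENV:Body></SOAP-ENV:Envelope>'
)


def build_evaluate_unsafe(url, req_id="23108", policy_id=POLICY_ID):
    """Hypothetical pre-fix behaviour: the URL is inserted verbatim.

    Any '&', '<' or '"' in the URL corrupts the XML."""
    return TEMPLATE.format(ns=SOAP_NS, req_id=req_id,
                           policy_id=policy_id, value='"' + url + '"')


def build_evaluate_safe(url, req_id="23108", policy_id=POLICY_ID):
    """Hardened form: quoteattr() escapes & < > and quotes and wraps the
    value in the right quote character, so the URL round-trips intact."""
    return TEMPLATE.format(ns=SOAP_NS, req_id=req_id,
                           policy_id=policy_id, value=quoteattr(url))


def percent_encode_ampersand(url):
    """Client-side workaround from the article: send %26 instead of '&'.

    quote() leaves the scheme, path and query delimiters alone but encodes
    the ampersand (and other reserved characters not listed as safe)."""
    return quote(url, safe="/:?=")


def evaluate(soap_xml):
    """Stand-in for the policy engine's XML step.

    Returns (context_url, None) when the request parses, or (None, fault)
    mirroring the SOAP-ENV:Fault the real evaluator returned."""
    try:
        root = ET.fromstring(soap_xml)
    except ET.ParseError as exc:
        return None, "Client fault: %s" % exc
    elem = root.find(".//ContextDataElement")
    if elem is None:
        return None, "Client fault: no ContextDataElement"
    return elem.get("Value"), None


if __name__ == "__main__":
    for label, msg in (
        ("unsafe, raw '&'", build_evaluate_unsafe(KRONOS_URL)),
        ("safe, escaped", build_evaluate_safe(KRONOS_URL)),
        ("unsafe, %26 workaround",
         build_evaluate_unsafe(percent_encode_ampersand(KRONOS_URL))),
        ("unsafe, '<' in URL",
         build_evaluate_unsafe("https://host.example/a?x=<b>")),
    ):
        print("%-24s -> %r" % (label, evaluate(msg)))
```

The escaped request carries `Value="...viewId=3&amp;JRE=1"` on the wire and the parser hands back the original URL, which is the behaviour the Support Pack 1 fix restores; the %26 form works only because the client has removed the offending character before the gateway ever sees it, so it is a workaround, not a fix.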

Resolution

Fixed with 3.2 Support Pack 1.