OpenAM Agents / AMAGENTS-1029

Ignore Path Info is ignored although NEU rule does not contain wildcard


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.0.0.0, 4.1.0
    • Fix Version/s: 5.0.0.0, 4.2.0.0
    • Component/s: Web Agents
    • Environment: Apache Server 2.4.x 64bit / 5.0.0-SNAPSHOT / Sep 4 2017 16:27:42
      Apache Server 2.4.x 64bit / 4.1.0-24 / Aug 11 2017 12:52:00

      Description

      Ignore Path Info is ignored although NEU rule does not contain wildcard.

       Property specification:

      Ignore Path Info for Not Enforced URLs
      
      When enabled, the path info and query are stripped from the request URL before being compared with the URLs of the not enforced list for those URLs containing a wildcard character. This prevents a user from accessing http://host/index.html by requesting http://host/index.html/hack.gif when the not enforced list includes http://host/*.gif.

      Steps to Reproduce

      1.) Enable ignore path info for NEU (Agent profile / Application / Ignore Path Info for Not Enforced URLs = true)
      2.) Set following rule for Not Enforced URLs list:
      http://<Agent FQDN>/index.html (in my case: http://riso-ubuntu14.test.forgerock.com/index.html)
      3.) Hit the page with path info
      http://riso-ubuntu14.test.forgerock.com/index.html/pathInfo
      Observed Result:
      Page is not enforced and you will see the page without login (404 if page does not exist)
      Expected Result:
      Page is protected and redirection to login page

      I reproduced this case with WPA 5.0.0 and 4.1.0-24, but I am not able to reproduce it with 3.3.4.

      Logs for agent 5:

      2017-09-06 12:46:19.502 +0100   DEBUG [0x7f6684398700:26930][source/request.c:245] setup_request_data():
      2017-09-06 12:46:19.502 +0100   DEBUG [0x7f6684398700:26930][source/request.c:267] setup_request_data(): client ip: 172.25.1.224
      2017-09-06 12:46:19.503 +0100   DEBUG [0x7f6684398700:26930][source/request.c:305] setup_request_data(): client hostname: (empty)
      2017-09-06 12:46:19.503 +0100   DEBUG [0x7f6684398700:26930][source/request.c:313] setup_request_data(): original request url: http://riso-ubuntu14.test.forgerock.com/index.html/pathInfo
      2017-09-06 12:46:19.503 +0100   DEBUG [0x7f6684398700:26930][source/request.c:401] setup_request_data(): 
      method: GET 
      original url: http://riso-ubuntu14.test.forgerock.com/index.html/pathInfo
      proto: http
      host: riso-ubuntu14.test.forgerock.com
      port: 80
      path: /index.html/pathInfo
      query: 
      complete: http://riso-ubuntu14.test.forgerock.com:80/index.html/pathInfo
      overridden: http://riso-ubuntu14.test.forgerock.com:80/index.html/pathInfo
      pathinfo: /pathInfo
      normalized (pathinfo removed): http://riso-ubuntu14.test.forgerock.com:80/index.html
      overridden (pathinfo removed): (empty)
      2017-09-06 12:46:19.503 +0100   DEBUG [0x7f6684398700:26930][source/request.c:425] validate_url():
      2017-09-06 12:46:19.503 +0100   DEBUG [0x7f6684398700:26930][source/request.c:442] validate_url(): request url validation feature is not enabled
      2017-09-06 12:46:19.503 +0100   DEBUG [0x7f6684398700:26930][source/request.c:451] validate_fqdn_access():
      2017-09-06 12:46:19.503 +0100   DEBUG [0x7f6684398700:26930][source/request.c:454] validate_fqdn_access(): feature is not enabled
      2017-09-06 12:46:19.504 +0100   DEBUG [0x7f6684398700:26930][source/request.c:670] handle_not_enforced(): client ip address 172.25.1.224 does not match 
      2017-09-06 12:46:19.505 +0100   DEBUG [0x7f6684398700:26930][source/request.c:696] handle_not_enforced(): validating http://riso-ubuntu14.test.forgerock.com:80/index.html/pathInfo
      2017-09-06 12:46:19.505 +0100   DEBUG [0x7f6684398700:26930][source/request.c:705] handle_not_enforced(): trying not enforced pattern http://riso-ubuntu14.test.forgerock.com:80/index.html
      2017-09-06 12:46:19.506 +0100   DEBUG [0x7f6684398700:26930][source/request.c:716] handle_not_enforced(): validating http://riso-ubuntu14.test.forgerock.com:80/index.html ignoring pathinfo
      2017-09-06 12:46:19.506 +0100   DEBUG [0x7f6684398700:26930][source/request.c:762] handle_not_enforced(): http://riso-ubuntu14.test.forgerock.com:80/index.html/pathInfo is not enforced
      2017-09-06 12:46:19.506 +0100   DEBUG [0x7f6684398700:26930][source/utility.c:1543] get_valid_openam_url(): active OpenAM service url: http://riso-centos7.test.forgerock.com:8080/am (0)
      2017-09-06 12:46:19.507 +0100   DEBUG [0x7f6684398700:26930][source/request.c:2059] handle_exit(): (entry status: success)
      2017-09-06 12:46:19.507 +0100   DEBUG [0x7f6684398700:26930][source/request.c:1772] set_user_attributes(): all set user attribute options are set to none
      2017-09-06 12:46:19.507 +0100   DEBUG [0x7f6684398700:26930][source/apache/agent.c:815] amagent_auth_handler(): exit status: success (0)
      2017-09-06 12:46:19.632 +0100   DEBUG [0x7f668aba5700:26932][source/config.c:464] config for agent apache24 is freed
      

      Logs for Agent 3.3.4

      2017-09-06 10:56:42.807     Info 3278:7f0f64000950 all: agent_check_access(): starting...
      2017-09-06 10:56:42.807    Debug 3278:7f0f64000950 all: get_request_url(): returning request url: http://perf-openam2.internal.forgerock.com/index.html/pathInfo
      2017-09-06 10:56:42.807    Debug 3278:7f0f64000950 all: get_method_num(): GET (GET, 0)
      2017-09-06 10:56:42.807    Debug 3278:7f0f64000950 all: get_method_num(): number corresponds to GET method
      2017-09-06 10:56:42.807 MaxDebug 3278:7f0f64000950 all: am_web_is_notification(): http://perf-openam2.internal.forgerock.com:80/index.html/pathInfo is not notification url http://perf-openam2.internal.forgerock.com:80/UpdateAgentCacheServlet?shortcircuit=false.
      2017-09-06 10:56:42.807 MaxDebug 3278:7f0f64000950 all: am_web_is_notification(): http://perf-openam2.internal.forgerock.com:80/index.html/pathInfo is not notification url http://perf-openam2.internal.forgerock.com:80/UpdateAgentCacheServlet?shortcircuit=false.
      2017-09-06 10:56:42.807    Debug 3278:7f0f64000950 all: get_sso_token(): sso token (null), status - not found
      2017-09-06 10:56:42.807    Debug 3278:7f0f64000950 all: am_web_set_host_ip_in_env_map(): map_insert: client_ip=172.25.1.224
      2017-09-06 10:56:42.807 MaxDebug 3278:7f0f64000950 all: get_normalized_url(): Original url: http://perf-openam2.internal.forgerock.com/index.html/pathInfo
      2017-09-06 10:56:42.807 MaxDebug 3278:7f0f64000950 all: get_normalized_url(): PathInfo: /pathInfo
      2017-09-06 10:56:42.807 MaxDebug 3278:7f0f64000950 all: get_normalized_url(): Using Full URI for policy evaluation.
      2017-09-06 10:56:42.807 MaxDebug 3278:7f0f64000950 all: get_normalized_url(): Normalized url: http://perf-openam2.internal.forgerock.com:80/index.html/pathInfo
      2017-09-06 10:56:42.807 MaxDebug 3278:7f0f64000950 all: am_web_is_access_allowed(): Processing url http://perf-openam2.internal.forgerock.com:80/index.html/pathInfo.
      2017-09-06 10:56:42.807    Debug 3278:7f0f64000950 all: is_url_not_enforced(): client_ip 172.25.1.224 not found in client ip not enforced list
      2017-09-06 10:56:42.807 MaxDebug 3278:7f0f64000950 AM_POLICY_SERVICE: am_policy_compare_urls: Comparison of "http://perf-openam2.internal.forgerock.com:80/index.html" and "http://perf-openam2.internal.forgerock.com:80/dummypost*" returned AM_NO_MATCH (usePatterns=true)
      2017-09-06 10:56:42.807 MaxDebug 3278:7f0f64000950 AM_POLICY_SERVICE: am_policy_compare_urls: Comparison of "http://perf-openam2.internal.forgerock.com:80/index.html/pathInfo" and "http://perf-openam2.internal.forgerock.com:80/index.html" returned AM_SUB_RESOURCE_MATCH (usePatterns=false)
      2017-09-06 10:56:42.807    Debug 3278:7f0f64000950 all: in_not_enforced_list: Enforcing access control for http://perf-openam2.internal.forgerock.com:80/index.html/pathInfo 
      2017-09-06 10:56:42.807 MaxDebug 3278:7f0f64000950 all: is_url_not_enforced(): URL http://perf-openam2.internal.forgerock.com:80/index.html/pathInfo is enforced.
      2017-09-06 10:56:42.808    Debug 3278:7f0f64000950 all: am_web_get_parameter_value(): Param Name = iPlanetDirectoryPro, & Param Value = NULL, status not found
      2017-09-06 10:56:42.808    Debug 3278:7f0f64000950 all: am_web_is_access_allowed()(http://perf-openam2.internal.forgerock.com:80/index.html/pathInfo,GET): no sso token, setting status to invalid session.
      2017-09-06 10:56:42.808     Info 3278:7f0f64000950 all: am_web_is_access_allowed()(http://perf-openam2.internal.forgerock.com:80/index.html/pathInfo, GET) returning status: invalid session.
      2017-09-06 10:56:42.808     Info 3278:7f0f64000950 all: process_request(): Access check for URL http://perf-openam2.internal.forgerock.com/index.html/pathInfo returned invalid session.
      2017-09-06 10:56:42.808    Debug 3278:7f0f64000950 all: process_request(): AM_INVALID_SESSION, will redirect (post data: (null))
      2017-09-06 10:56:42.808 MaxDebug 3278:7f0f64000950 all: am_web_get_url_to_redirect: goto URL is http://perf-openam2.internal.forgerock.com/index.html/pathInfo
      2017-09-06 10:56:42.808 MaxDebug 3278:7f0f64000950 all: find_active_login_server(): conditional login url is not available
      2017-09-06 10:56:42.808 MaxDebug 3278:7f0f64000950 all: find_active_login_server(): trying server: http://riso-centos7.test.forgerock.com:8080/am/UI/Login
      2017-09-06 10:56:42.808 MaxDebug 3278:7f0f64000950 all: is_server_alive(): connection timeout set to 2
      2017-09-06 10:56:42.809    Debug 3278:7f0f64000950 all: is_server_alive(): returned success
      2017-09-06 10:56:42.809    Debug 3278:7f0f64000950 all: process_access_redirect(): get redirect url returned AM_SUCCESS, redirect url [http://riso-centos7.test.forgerock.com:8080/am/UI/Login?goto=http%3A%2F%2Fperf-openam2.internal.forgerock.com%2Findex.html%2FpathInfo].
      2017-09-06 10:56:42.809    Debug 3278:7f0f64000950 all: process_access_redirect(): returning web result AM_WEB_RESULT_REDIRECT.
      2017-09-06 10:56:42.809    Debug 3278:7f0f64000950 all: process_request(): returning web result AM_WEB_RESULT_REDIRECT, data [http://riso-centos7.test.forgerock.com:8080/am/UI/Login?goto=http%3A%2F%2Fperf-openam2.internal.forgerock.com%2Findex.html%2FpathInfo]
      2017-09-06 10:56:42.809    Debug 3278:7f0f64000950 all: am_web_process_request(): Rendering web result AM_WEB_RESULT_REDIRECT
      2017-09-06 10:56:42.809    Debug 3278:7f0f64000950 all: am_web_process_request(): render result function returned AM_SUCCESS.
      

      To resolve this issue, the following rules have to hold:

      Ignore Path Info for Not Enforced URLs: enabled
      
      NEU rule: /*.html
      
      /index.html?param=1 		not enforced
      /index.html/pathInfo?param=1	not enforced
      /index.html/pathInfo		not enforced
      
      
      NEU rule: /index.html
      
      /index.html?param=1 		enforced
      /index.html/pathInfo?param=1	enforced
      /index.html/pathInfo		enforced
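
      A reference model of the documented matching rule, added here as an example; it is not the agent's own code and is not from the project. It evaluates the expectation table above and can be run offline. Assumptions: the only wildcard is `*`, taken to match any run of characters including `/`; the path-info value is supplied the way the web server reports it (the agent log above takes it from Apache, `/pathInfo` for `/index.html/pathInfo`); the host and port come from the reporter's reproduction. The `strip_for_all_rules` switch reproduces what the 5.0.0 / 4.1.0-24 log shows (path info stripped before comparing against the non-wildcard rule `/index.html`); the default is the documented behaviour, where stripping applies only to rules that contain a wildcard.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample host, taken from the reporter's reproduction above.
# The agent log shows patterns and request URLs normalised with an explicit port.
HOST = "http://riso-ubuntu14.test.forgerock.com:80"


def has_wildcard(rule: str) -> bool:
    """The documented stripping only applies to rules containing a wildcard."""
    return "*" in rule


def rule_to_regex(rule: str) -> "re.Pattern[str]":
    """Assumption: '*' is the only wildcard and matches any run of characters,
    including '/'. Everything else in the rule is compared literally."""
    parts = [re.escape(p) for p in rule.split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


def strip_path_info_and_query(url: str, path_info: str) -> str:
    """Drop the query string and the trailing path-info segment as the web
    server reported it (Apache reports '/pathInfo' for '/index.html/pathInfo';
    see the 'pathinfo:' line in the agent log above)."""
    parts = urlsplit(url)
    path = parts.path
    if path_info and path.endswith(path_info):
        path = path[: -len(path_info)]
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def is_not_enforced(url, path_info, rules, ignore_path_info=True,
                    strip_for_all_rules=False):
    """Return True when url matches a not-enforced rule.

    ignore_path_info    -- the agent property 'Ignore Path Info for Not Enforced URLs'
    strip_for_all_rules -- False: documented behaviour (strip only for wildcard rules)
                           True: what the 5.0.0 / 4.1.0-24 log shows (strip for every rule)
    """
    for rule in rules:
        candidate = url
        if ignore_path_info and (strip_for_all_rules or has_wildcard(rule)):
            candidate = strip_path_info_and_query(url, path_info)
        if has_wildcard(rule):
            matched = rule_to_regex(rule).match(candidate) is not None
        else:
            # Non-wildcard rules are exact-match only: a sub-resource such as
            # /index.html/pathInfo must not inherit the exemption of /index.html.
            matched = candidate == rule
        if matched:
            return True
    return False


# The expectation table from the report: (rule, request, path info Apache reports).
CASES = [
    ("/*.html", "/index.html?param=1", ""),
    ("/*.html", "/index.html/pathInfo?param=1", "/pathInfo"),
    ("/*.html", "/index.html/pathInfo", "/pathInfo"),
    ("/index.html", "/index.html?param=1", ""),
    ("/index.html", "/index.html/pathInfo?param=1", "/pathInfo"),
    ("/index.html", "/index.html/pathInfo", "/pathInfo"),
]


def evaluate_table(strip_for_all_rules=False):
    """Map (rule, request) -> 'enforced' | 'not enforced' for every case."""
    results = {}
    for rule, request, path_info in CASES:
        exempt = is_not_enforced(HOST + request, path_info, [HOST + rule],
                                 ignore_path_info=True,
                                 strip_for_all_rules=strip_for_all_rules)
        results[(rule, request)] = "not enforced" if exempt else "enforced"
    return results


if __name__ == "__main__":
    for mode, flag in (("documented", False), ("as logged in 5.0.0", True)):
        print(f"--- {mode} ---")
        for (rule, request), verdict in evaluate_table(flag).items():
            print(f"rule {rule:12} request {request:30} {verdict}")
```

      Running it prints the six verdicts twice: the documented mode reproduces the table exactly, and the logged mode turns `/index.html/pathInfo` against rule `/index.html` into "not enforced", which is the exposure the report describes. Extending the wildcard syntax beyond `*` is left to whoever needs it; the point of the model is that stripping must be conditional on the rule, not on the request.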
      

              People

              nick.james Nicholas James
              richard.hruza Richard Hruza