  1. OpenAM Agents
  2. AMAGENTS-3666

Not Enforced Favicon property does not work if the Java agent listens on the root URL path


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.7.0
    • Fix Version/s: 5.7.1, 5.8.0
    • Component/s: Java Agents
    • Environment:
      Version: 5.7.0-RC3
      Build Date: 2020-07-22 12:42:28
      Build Revision: a6eeeac4bf74fc30895d305987405eba870208ac
    • Story Points:
      1
    • Sprint:
      2020.11 - Agents, 2020.12 - Agents

      Description

      The Not Enforced Favicon property (org.forgerock.agents.auto.not.enforce.favicon.enabled) does not work if the Java agent listens on the root URL path.

       

      Steps to reproduce

      1.) Install the agent to listen on the root URL path, e.g. http://jpa.pentest.forgeops.com:80/
      Note: during installation, http://jpa.pentest.forgeops.com/agentapp must be used, because root is not allowed
      2.) Be sure that the "Not Enforced Favicon" property is enabled (enabled by default)

      3.) Send a request directly to http://jpa.pentest.forgeops.com/favicon.ico

      Expected

      The favicon is loaded because it is not enforced.

      Observed

      The request is redirected to the login page because the rule does not match.

      Debug logs:

      AmFilter.isAccessAllowed: GET http://jpa.pentest.forgeops.com/favicon.ico
      AmFilterMode for application DefaultWebApp is URL_POLICY
      AmFilter processing XSS Detection Task Handler
      AmFilter processing AuthnFragmentRelayTaskHandler
      AmFilter processing AuthnExchangeTaskHandler
      AmFilter processing Notification Task Handler
      AmFilter processing FQDN Task Handler
      AmFilter processing Application Logout Handler
      AmFilter processing NotEnforcedTaskHandler
      NotEnforcedTaskHandler.process: reworked URL http://jpa.pentest.forgeops.com:80/favicon.ico
      >2020-08-07 12:25:00:007 UTC: http-nio-80-exec-2/5/main
      INFO: NotEnforcedRuleHelper.isAuthNRequest: requestURI: http://jpa.pentest.forgeops.com:80/favicon.ico; AuthNRedirectURI is /agentapp/post-authn-redirect; result is false
      NotEnforcedRulePatternMatcher: classic pattern: */favicon.ico url: http://jpa.pentest.forgeops.com:80/favicon.ico gave: false
      NotEnforcedRulePatternMatcher: classic pattern: */favicon.ico?* url: http://jpa.pentest.forgeops.com:80/favicon.ico gave: false
      NotEnforcedRuleHelper.isNotEnforced(http://jpa.pentest.forgeops.com:80/favicon.ico, 10.16.0.10, GET) FAILED to find a match
      NotEnforcedTaskHandler: Request URI http://jpa.pentest.forgeops.com:80/favicon.ico not found in any lists, so is enforced
       

      Workaround

      Set the favicon as a Not Enforced URL rule (org.forgerock.agents.notenforced.uri.list):

      http://jpa.pentest.forgeops.com:80/favicon.ico
      or
      /favicon.ico
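
      To confirm from agent debug logs whether a deployment is hitting this behaviour, or that the workaround or fix took effect, the pattern-matcher lines can be summarised per URL. The Python below is an added example, not part of the original issue or the agent's code; the function names are hypothetical, and the "gave: true" form of a matching line is assumed from the "gave: false" lines shown above.

```python
import re

# Constructed sample: debug lines copied from the log excerpt in this issue.
SAMPLE_LOG = """\
NotEnforcedTaskHandler.process: reworked URL http://jpa.pentest.forgeops.com:80/favicon.ico
NotEnforcedRulePatternMatcher: classic pattern: */favicon.ico url: http://jpa.pentest.forgeops.com:80/favicon.ico gave: false
NotEnforcedRulePatternMatcher: classic pattern: */favicon.ico?* url: http://jpa.pentest.forgeops.com:80/favicon.ico gave: false
NotEnforcedRuleHelper.isNotEnforced(http://jpa.pentest.forgeops.com:80/favicon.ico, 10.16.0.10, GET) FAILED to find a match
NotEnforcedTaskHandler: Request URI http://jpa.pentest.forgeops.com:80/favicon.ico not found in any lists, so is enforced
"""

# Assumption: a successful match is logged as "gave: true" (only "false" appears in the issue).
MATCH_RE = re.compile(
    r"NotEnforcedRulePatternMatcher: classic pattern: (?P<pattern>\S+) "
    r"url: (?P<url>\S+) gave: (?P<result>true|false)")
ENFORCED_RE = re.compile(
    r"NotEnforcedTaskHandler: Request URI (?P<url>\S+) not found in any lists, so is enforced")

def summarize(log_text):
    """Return {url: {"tried": [(pattern, matched)], "enforced": bool}} from debug lines."""
    summary = {}
    for line in log_text.splitlines():
        m = MATCH_RE.search(line)
        if m:
            entry = summary.setdefault(m["url"], {"tried": [], "enforced": False})
            entry["tried"].append((m["pattern"], m["result"] == "true"))
            continue
        m = ENFORCED_RE.search(line)
        if m:
            summary.setdefault(m["url"], {"tried": [], "enforced": False})["enforced"] = True
    return summary

def favicon_rule_misses(log_text):
    """URLs that were enforced although favicon patterns were evaluated and none matched."""
    misses = []
    for url, entry in summarize(log_text).items():
        favicon_tried = [p for p, _ in entry["tried"] if "favicon.ico" in p]
        any_hit = any(ok for _, ok in entry["tried"])
        if entry["enforced"] and favicon_tried and not any_hit:
            misses.append((url, favicon_tried))
    return misses

if __name__ == "__main__":
    for url, patterns in favicon_rule_misses(SAMPLE_LOG):
        print(f"{url}: enforced; favicon patterns tried without a match: {patterns}")
```
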
      

       

              People

              Assignee:
              tony.bamford Tony Bamford
              Reporter:
              richard.hruza Richard Hruza