OPENAM-8318

Nginx WPA: Fetch Attributes does not work for Not Enforced URLs


      Description

      Fetch Attributes does not work for Not Enforced URLs on nginx WPA. The same issue occurs for fetch modes HTTP_HEADER and HTTP_COOKIE.

      Steps to reproduce

      1.) Set the following properties in the <agent profile> / Application /

      • Not Enforced URLs = */cgi-bin/show.cgi
      • Fetch Attributes for Not Enforced URLs = true
      • Profile Attribute Fetch Mode = HTTP_COOKIE
      • Profile Attribute Map = [cn] = PROFILE-ATTR

      2.) Hit the agent-protected page and log in with a user to get a valid cookie
      http://perf-openam2.internal.forgerock.com/index.html
      3.) Hit the NEU page with a valid iPDP cookie
      http://perf-openam2.internal.forgerock.com/cgi-bin/show.cgi

      Observed result

      The cookie HTTP_PROFILE_ATTR = <USER NAME> is cleared, but NOT created

      GET /cgi-bin/show.cgi HTTP/1.1
      Host: perf-openam2.internal.forgerock.com
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
      Accept-Encoding: gzip, deflate, sdch
      Accept-Language: en-US,en;q=0.8,cs;q=0.6
      Cookie: amlbcookie=01; iPlanetDirectoryPro=AQIC5wM2LY4SfczJoMX_cadSGK_8IkouCGtlDPVU-DeJdYE.*AAJTSQACMDEAAlNLABM0MDQ0ODY3NzE3Mjk1NzMwOTM4AAJTMQAA*
      Upgrade-Insecure-Requests: 1
      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/48.0.2564.82 Chrome/48.0.2564.82 Safari/537.36
      X-DevTools-Emulate-Network-Conditions-Client-Id: 72A4B417-F1F9-4151-8DA7-6FDFAB7817DA
      
      HTTP/1.1 200 OK
      Connection: keep-alive
      Content-Type: text/html
      Date: Tue, 09 Feb 2016 13:44:27 GMT
      Server: nginx/1.9.10
      Set-cookie: HTTP_PROFILE-ATTR=;Max-Age=0;Expires=Thu, 01-Jan-1970 00:00:01 GMT;Path=/
      Transfer-Encoding: chunked
      

      Expected result

      The cookie HTTP_PROFILE_ATTR = <USER NAME> is cleared and after that created

      GET /cgi-bin/show.cgi HTTP/1.1
      Host: perf-openam2.internal.forgerock.com
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
      Accept-Encoding: gzip, deflate, sdch
      Accept-Language: en-US,en;q=0.8,cs;q=0.6
      Cookie: amlbcookie=01; iPlanetDirectoryPro=AQIC5wM2LY4SfczJoMX_cadSGK_8IkouCGtlDPVU-DeJdYE.*AAJTSQACMDEAAlNLABM0MDQ0ODY3NzE3Mjk1NzMwOTM4AAJTMQAA*
      Upgrade-Insecure-Requests: 1
      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/48.0.2564.82 Chrome/48.0.2564.82 Safari/537.36
      X-DevTools-Emulate-Network-Conditions-Client-Id: 72A4B417-F1F9-4151-8DA7-6FDFAB7817DA
      
      HTTP/1.1 200 OK
      Connection: keep-alive
      Content-Type: text/html
      Date: Tue, 09 Feb 2016 13:44:27 GMT
      Server: nginx/1.9.10
      Set-Cookie: HTTP_PROFILE_ATTR=;Max-Age=0;Expires=Thu, 01-Jan-1970 00:00:01 GMT;Path=/
      Set-Cookie: HTTP_PROFILE_ATTR=Richard Hruza;Max-Age=300;Expires=Tue, 09-Feb-2016 13:45:38 GMT;Path=/
      Transfer-Encoding: chunked
      
      agent debug log

      2016-02-09 13:48:52.167 +0000   DEBUG [0x7ffc0d31f700:12947][source/utility.c:1651] get_valid_openam_url(): active OpenAM service url: http://riso-ubuntu14.test.forgerock.com:8080/openam (0)
      2016-02-09 13:48:52.167 +0000   DEBUG [0x7ffc0d31f700:12947][source/process.c:130] setup_request_data():
      2016-02-09 13:48:52.167 +0000   DEBUG [0x7ffc0d31f700:12947][source/process.c:152] setup_request_data(): client ip: 172.25.1.18
      2016-02-09 13:48:52.167 +0000   DEBUG [0x7ffc0d31f700:12947][source/process.c:190] setup_request_data(): client hostname: (empty)
      2016-02-09 13:48:52.167 +0000   DEBUG [0x7ffc0d31f700:12947][source/process.c:198] setup_request_data(): original request url: http://perf-openam2.internal.forgerock.com/cgi-bin/show.cgi
      2016-02-09 13:48:52.167 +0000   DEBUG [0x7ffc0d31f700:12947][source/process.c:310] setup_request_data(): no token in query parameters
      2016-02-09 13:48:52.167 +0000   DEBUG [0x7ffc0d31f700:12947][source/process.c:320] setup_request_data(): 
      method: GET 
      original url: http://perf-openam2.internal.forgerock.com/cgi-bin/show.cgi
      proto: http
      host: perf-openam2.internal.forgerock.com
      port: 80
      path: /cgi-bin/show.cgi
      query: 
      complete: http://perf-openam2.internal.forgerock.com:80/cgi-bin/show.cgi
      overridden: http://perf-openam2.internal.forgerock.com:80/cgi-bin/show.cgi
      pathinfo: (empty)
      normalized (pathinfo removed): (empty)
      overridden (pathinfo removed): (empty)
      2016-02-09 13:48:52.167 +0000   DEBUG [0x7ffc0d31f700:12947][source/process.c:335] validate_url():
      2016-02-09 13:48:52.167 +0000   DEBUG [0x7ffc0d31f700:12947][source/process.c:347] validate_url(): request url validation feature is not enabled
      2016-02-09 13:48:52.168 +0000   DEBUG [0x7ffc0d31f700:12947][source/process.c:355] handle_notification():
      2016-02-09 13:48:52.168 +0000   DEBUG [0x7ffc0d31f700:12947][source/process.c:411] validate_fqdn_access():
      2016-02-09 13:48:52.168 +0000   DEBUG [0x7ffc0d31f700:12947][source/process.c:431] validate_fqdn_access(): host name perf-openam2.internal.forgerock.com is valid (maps to fqdn default: perf-openam2.internal.forgerock.com)
      2016-02-09 13:48:52.168 +0000   DEBUG [0x7ffc0d31f700:12947][source/process.c:741] validate_token():
      2016-02-09 13:48:52.168 +0000   DEBUG [0x7ffc0d31f700:12947][source/utility.c:957] get_cookie_value(;): parsing cookie header: amlbcookie=01; iPlanetDirectoryPro=AQIC5wM2LY4SfczJoMX_cadSGK_8IkouCGtlDPVU-DeJdYE.*AAJTSQACMDEAAlNLABM0MDQ0ODY3NzE3Mjk1NzMwOTM4AAJTMQAA*
      2016-02-09 13:48:52.168 +0000   DEBUG [0x7ffc0d31f700:12947][source/utility.c:957] get_cookie_value(=): parsing cookie header:  iPlanetDirectoryPro=AQIC5wM2LY4SfczJoMX_cadSGK_8IkouCGtlDPVU-DeJdYE.*AAJTSQACMDEAAlNLABM0MDQ0ODY3NzE3Mjk1NzMwOTM4AAJTMQAA*
      2016-02-09 13:48:52.168 +0000   DEBUG [0x7ffc0d31f700:12947][source/process.c:833] validate_token(): sso token: AQIC5wM2LY4SfczJoMX_cadSGK_8IkouCGtlDPVU-DeJdYE.*AAJTSQACMDEAAlNLABM0MDQ0ODY3NzE3Mjk1NzMwOTM4AAJTMQAA*, status: success
      2016-02-09 13:48:52.168 +0000   DEBUG [0x7ffc0d31f700:12947][source/process.c:840] validate_token(): sso token SI: 01, S1: 
      2016-02-09 13:48:52.168 +0000   DEBUG [0x7ffc0d31f700:12947][source/process.c:492] handle_not_enforced():
      2016-02-09 13:48:52.168 +0000   DEBUG [0x7ffc0d31f700:12947][source/process.c:564] handle_not_enforced(): application logout url feature is not enabled
      2016-02-09 13:48:52.168 +0000   DEBUG [0x7ffc0d31f700:12947][source/process.c:622] handle_not_enforced(): not enforced client ip validation feature is not enabled
      2016-02-09 13:48:52.168 +0000   DEBUG [0x7ffc0d31f700:12947][source/process.c:625] handle_not_enforced(): validating http://perf-openam2.internal.forgerock.com:80/cgi-bin/show.cgi
      2016-02-09 13:48:52.168 +0000   DEBUG [0x7ffc0d31f700:12947][source/process.c:634] handle_not_enforced(): trying not enforced pattern */cgi-bin/show.cgi
      2016-02-09 13:48:52.168 +0000   DEBUG [0x7ffc0d31f700:12947][source/process.c:674] handle_not_enforced(): http://perf-openam2.internal.forgerock.com:80/cgi-bin/show.cgi is not enforced
      2016-02-09 13:48:52.168 +0000   DEBUG [0x7ffc0d31f700:12947][source/process.c:923] validate_policy(): for http://perf-openam2.internal.forgerock.com:80/cgi-bin/show.cgi (ignoring pathinfo: no), entry status: success
      2016-02-09 13:48:52.168 +0000 WARNING [0x7ffc0d31f700:12947] am_get_session_policy_cache_entry(): failed to locate data for a key (AQIC5wM2LY4SfczJoMX_cadSGK_8IkouCGtlDPVU-DeJdYE.*AAJTSQACMDEAAlNLABM0MDQ0ODY3NzE3Mjk1NzMwOTM4AAJTMQAA*)
      2016-02-09 13:48:52.168 +0000   DEBUG [0x7ffc0d31f700:12947][source/process.c:971] validate_policy(): get session cache status: not found
      2016-02-09 13:48:52.168 +0000   DEBUG [0x7ffc0d31f700:12947][source/process.c:1779] handle_exit(): (entry status: success)
      2016-02-09 13:48:52.168 +0000   DEBUG [0x7ffc0d31f700:12947][source/process.c:1606] set_user_attributes(): clearing headers/cookies
      2016-02-09 13:48:52.168 +0000   DEBUG [0x7ffc0d31f700:12947][source/process.c:1448] do_cookie_set(): clearing PROFILE-ATTR
      2016-02-09 13:48:52.168 +0000   DEBUG [0x7ffc0d31f700:12947][source/process.c:1437] do_cookie_set_generic(): HTTP_PROFILE-ATTR=;Max-Age=0;Expires=Thu, 01-Jan-1970 00:00:01 GMT;Path=/
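
A regression check for the behaviour described in this report, as an added example that is not part of the original issue or the agent's code: it parses a raw HTTP response and classifies the Set-Cookie sequence for the mapped profile-attribute cookie. The sample responses are constructed from the two captures above (trimmed); the function names and the treatment of `-` and `_` as equivalent in the cookie name are assumptions.

```python
# Constructed samples: trimmed copies of the observed and expected responses.
OBSERVED = """HTTP/1.1 200 OK
Server: nginx/1.9.10
Set-cookie: HTTP_PROFILE-ATTR=;Max-Age=0;Expires=Thu, 01-Jan-1970 00:00:01 GMT;Path=/
Transfer-Encoding: chunked
"""
EXPECTED = """HTTP/1.1 200 OK
Server: nginx/1.9.10
Set-Cookie: HTTP_PROFILE_ATTR=;Max-Age=0;Expires=Thu, 01-Jan-1970 00:00:01 GMT;Path=/
Set-Cookie: HTTP_PROFILE_ATTR=Richard Hruza;Max-Age=300;Expires=Tue, 09-Feb-2016 13:45:38 GMT;Path=/
Transfer-Encoding: chunked
"""


def _norm(name):
    # Assumption: '-' and '_' are treated as equivalent, because the report
    # shows both HTTP_PROFILE-ATTR and HTTP_PROFILE_ATTR.
    return name.strip().upper().replace("-", "_")


def set_cookie_events(raw_response, cookie_name):
    """Return ordered ('clear' | 'set', value) events for one cookie."""
    events = []
    for line in raw_response.splitlines():
        header, sep, rest = line.partition(":")
        if not sep or header.strip().lower() != "set-cookie":
            continue  # status line, blank line, or another header
        pair, *attrs = rest.strip().split(";")
        name, _, value = pair.partition("=")
        if _norm(name) != _norm(cookie_name):
            continue
        max_age = next((a.split("=", 1)[1].strip() for a in attrs
                        if a.strip().lower().startswith("max-age=")), None)
        cleared = value.strip() == "" or max_age == "0"
        events.append(("clear", "") if cleared else ("set", value.strip()))
    return events


def classify(raw_response, cookie_name):
    """'ok' means cleared and then created, as the expected result requires."""
    kinds = [kind for kind, _ in set_cookie_events(raw_response, cookie_name)]
    if not kinds:
        return "absent"
    if kinds == ["clear", "set"]:
        return "ok"
    if kinds == ["clear"]:
        return "cleared-not-set"  # the failure described in this report
    return "unexpected"
```
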
      

            People

            nick.james Nicholas James
            richard.hruza Richard Hruza
            Richard Hruza Richard Hruza