SM_USER null for Auto-Authorized Resources

Article ID: 105874

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

We are facing a problem with the web agent in that some applications that depend on SM_USER are complaining that the header is empty even though the user is already logged in. Our assumption is that if a user is already logged into the application, SM_USER should be set for unprotected resources also. Can you please clarify?

Environment

Release:
Component: SMPLC

Cause

The following documentation page explains why this happens:

https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/web-agent-configuration/user-protection-and-tracking/handle-complex-uris 

Basically, the URI has a domain in it, and this triggers the double-dot rule, which forces the request to be processed by the agent and policy server. For that request the agent ignores the IgnoreExt parameter and sets the SM headers.

Example WebAgent Trace logs:

With a 'domain' in the URI, the resource is processed and the HTTP headers are set:
[07/06/2018][08:00:29][966][1066997888][CSmHttpPlugin.cpp:656][CSmHttpPlugin::ProcessResource][000000000000000000000000aa0ba20a-03c6-5b3f59dd-3f991880-2deb40b9e870][*138.42.47.153][][dummy_apache_agent][][][Resolved URL: '/testing123.ca.com/splash.jpg'.] 
[07/06/2018][08:00:29][966][1066997888][CSmHttpPlugin.cpp:5849][CSmHttpPlugin::AutoAuthorizedUrl][][][][][][][Unable to auto-authorize resource, double-dot rule in effect.] 


If there is no 'domain' in the URI, the resource is auto-authorized:
[07/06/2018][07:59:46][1060][1066997888][CSmHttpPlugin.cpp:656][CSmHttpPlugin::ProcessResource][000000000000000000000000aa0ba20a-0424-5b3f59b2-3f991880-ee655d706253][*138.42.47.153][][dummy_apache_agent][][][Resolved URL: '/testing123/splash.jpg'.] 
[07/06/2018][07:59:46][1060][1066997888][CSmHttpPlugin.cpp:5873][CSmHttpPlugin::AutoAuthorizedUrl][][][][][][][Auto-authorizing resource, matches IgnoreExt filter.] 
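
To find out which requests in a larger trace were auto-authorized (no SM headers) and which were forced through the double-dot rule, the two line types above can be paired mechanically. The script below is an added example, not part of the original article or the product; the 13-field layout and the pairing by PID and thread ID are assumptions inferred from the sample lines, and `classify_requests` is a hypothetical helper name.

```python
import re

# Trace lines copied from the excerpt above. The field positions used below
# (PID, thread ID, function, message) are inferred from these samples.
SAMPLE_TRACE = """\
[07/06/2018][08:00:29][966][1066997888][CSmHttpPlugin.cpp:656][CSmHttpPlugin::ProcessResource][000000000000000000000000aa0ba20a-03c6-5b3f59dd-3f991880-2deb40b9e870][*138.42.47.153][][dummy_apache_agent][][][Resolved URL: '/testing123.ca.com/splash.jpg'.]
[07/06/2018][08:00:29][966][1066997888][CSmHttpPlugin.cpp:5849][CSmHttpPlugin::AutoAuthorizedUrl][][][][][][][Unable to auto-authorize resource, double-dot rule in effect.]
[07/06/2018][07:59:46][1060][1066997888][CSmHttpPlugin.cpp:656][CSmHttpPlugin::ProcessResource][000000000000000000000000aa0ba20a-0424-5b3f59b2-3f991880-ee655d706253][*138.42.47.153][][dummy_apache_agent][][][Resolved URL: '/testing123/splash.jpg'.]
[07/06/2018][07:59:46][1060][1066997888][CSmHttpPlugin.cpp:5873][CSmHttpPlugin::AutoAuthorizedUrl][][][][][][][Auto-authorizing resource, matches IgnoreExt filter.]
"""

RESOLVED = re.compile(r"Resolved URL: '(.*)'\.")

def classify_requests(trace_text):
    """Return (url, decision, detail) for every AutoAuthorizedUrl record."""
    pending = {}   # (pid, tid) -> URL most recently resolved on that thread
    results = []
    for line in trace_text.splitlines():
        line = line.strip()
        if not (line.startswith("[") and line.endswith("]")):
            continue
        # maxsplit keeps any "][" inside the final message field intact
        parts = line[1:-1].split("][", 12)
        if len(parts) != 13:
            continue  # not a trace record in the assumed layout
        pid, tid, func, msg = parts[2], parts[3], parts[5], parts[12]
        resolved = RESOLVED.match(msg)
        if func.endswith("::ProcessResource") and resolved:
            pending[(pid, tid)] = resolved.group(1)
        elif func.endswith("::AutoAuthorizedUrl"):
            url = pending.pop((pid, tid), None)  # None if no preceding URL line
            if msg.startswith("Auto-authorizing resource"):
                decision = "auto-authorized"  # skipped by the agent, SM headers absent
            elif msg.startswith("Unable to auto-authorize resource"):
                decision = "processed"        # sent to the policy server, SM headers set
            else:
                decision = "unknown"
            results.append((url, decision, msg))
    return results

if __name__ == "__main__":
    for url, decision, detail in classify_requests(SAMPLE_TRACE):
        print(f"{decision:16} {url}  ({detail})")
```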

 

Resolution

You have two options: either change the URI path so that it contains a 'domain', or remove from the IgnoreExt parameter the extensions for which you want the SM headers to be set.