Gateway cannot handle multi-value headers in Internet Explorer


Article ID: 129133


Products

STARTER PACK-7, CA Rapid App Security, CA API Gateway

Issue/Introduction

Internet Explorer sends a header with multiple values as separate header lines, and the API Gateway does not handle this correctly.

For example, this is how the response headers are handled and presented to the Gateway when the request is sent from an IE browser:

Request

OPTIONS https://<host_name>/openid/connect/v1/userinfo HTTP/1.1 
Accept-Encoding: gzip,deflate 
Access-Control-Request-Headers: accept, authorization 
Origin: <source>
Access-Control-Request-Method: GET 
Host: <host_name>
Connection: Keep-Alive 
User-Agent: Apache-HttpClient/4.1.1 (java 1.5) 


Response: 

HTTP/1.1 204 No Content 
Server: Apache-Coyote/1.1 
Access-Control-Allow-Headers: accept
Access-Control-Allow-Headers: authorization
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: <source>
Access-Control-Allow-Methods: POST, GET 
Content-Encoding: gzip 
Date: Fri, 08 Mar 2019 01:36:46 GMT

Cause

This is a known issue that was fixed in the API Gateway 9.3 release:

DE211590 - Corrected an issue where Internet Explorer was unable to handle multiple headers resulting from Ajax calls to the Gateway. This was resolved by adding a new cluster-wide property. See Process CORS Request Assertion for more information.
 

Environment

Layer7 API Gateway 9.1, 9.2

Resolution

In releases before 9.3, you can work around the issue by using the Manage Transport Properties/Headers assertion.

Taking the response headers above as an example:

1. Using the Manage Transport Properties/Headers assertion, retrieve the value(s) of the 'Access-Control-Allow-Headers' header with the context variable '${response.http.headervalues.Access-Control-Allow-Headers}'.

2. Select the "Add or Replace" option to write the retrieved values into a header of the same name, which is defined in the "Property/Header Name" field.

3. This combines all the values retrieved from the original header and sets them on the new header.



The new response header will look similar to this:

HTTP/1.1 204 No Content 
Server: Apache-Coyote/1.1 
Access-Control-Allow-Headers: accept , authorization 
Access-Control-Allow-Credentials: true 
Access-Control-Allow-Origin: <source>
Access-Control-Allow-Methods: POST, GET 
Content-Encoding: gzip 
Date: Fri, 08 Mar 2019 01:36:46 GMT
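
To check a captured response for the condition this workaround addresses, the following added example (not part of the original article or of the Gateway product) finds header names that repeat across lines and folds them into one comma-separated line, the form the workaround produces. The function names are hypothetical, and the sample response is the one shown in this article.

```python
# Added example: not Gateway code. Set-Cookie is excluded from folding because
# its values must not be comma-joined (RFC 7230 section 3.2.2).
NEVER_COMBINE = {"set-cookie"}

# Response from the article, placeholders kept as-is.
SAMPLE_RESPONSE = """\
HTTP/1.1 204 No Content
Server: Apache-Coyote/1.1
Access-Control-Allow-Headers: accept
Access-Control-Allow-Headers: authorization
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: <source>
Access-Control-Allow-Methods: POST, GET
Content-Encoding: gzip
Date: Fri, 08 Mar 2019 01:36:46 GMT
"""

def parse_headers(raw):
    """Return (status_line, [(name, value), ...]) keeping order and repeats."""
    lines = raw.splitlines()
    fields = []
    for ln in lines[1:]:
        if not ln.strip():
            break  # a blank line ends the header block
        name, sep, value = ln.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % ln)
        fields.append((name.strip(), value.strip()))
    return lines[0].strip(), fields

def repeated_headers(fields):
    """Lower-cased header names that appear on more than one line."""
    names = [n.lower() for n, _ in fields]
    return sorted({n for n in names if names.count(n) > 1})

def combine(fields):
    """Fold repeated headers into one comma-separated line, first-seen order."""
    out, index = [], {}
    for name, value in fields:
        key = name.lower()  # header names are case-insensitive
        if key in index and key not in NEVER_COMBINE:
            out[index[key]][1] += ", " + value
        else:
            index[key] = len(out)
            out.append([name, value])
    return [tuple(f) for f in out]

if __name__ == "__main__":
    for name, value in combine(parse_headers(SAMPLE_RESPONSE)[1]):
        print("%s: %s" % (name, value))
```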

Additional Information

More details at Transport Layer Context Variables:
 
${<target>.http.headerValues.<name>}

Returns a list of all the values for the specified header <name>, in the format:

[value1, value2, ... , valuen]

For requests, this variable may be useful while investigating audit details, email issues, etc. For example, you are communicating with a service on an IIS server that has NTLM enabled. There are two WWW-Authenticate headers, with the values NTLM and Negotiate. Using the ${request.http.header.www-authenticate} variable will return only the NTLM value. Using ${request.http.headerValues.www-authenticate} instead will return the literal string [NTLM, Negotiate].

For responses, this variable is useful for documentation purposes, to enumerate the contents of a header.


 
