Require Xpath Credentials - Not working when we pass special characters CA API Gateway


Article ID: 130988


Products

STARTER PACK-7 CA Rapid App Security CA API Gateway

Issue/Introduction

API Gateway version: 9.4, CA SSO: 12.8

The API Gateway is configured to use Authenticate Against CA Single Sign-On for authentication and authorization.
The policy fails only when special characters are included in the username or password.

Simplified steps to reproduce (policy):
Set context variables for username and password: username=A10, password=fi&rewall
Set a context variable for the creds message in XML format
 

<Please see attached file for image>

Context XML

Set XPath Credentials Properties

<Please see attached file for image>

XPath properties
 
The policy fails at the XPath assertion when the username or password contains a special character (&, <, >, ", ')


 

Environment

Component: APIGTW

Resolution

For this to work, the special characters must be escaped as shown below:
 
<creds>
<username>A10</username>
<password>fi&amp;rewall</password>
</creds>


XPath expression
/creds/password
Element='<password>fi&amp;rewall</password>'


 


<Please see attached file for image>

XML escaped characters



We suggest using a regular expression to check the username and password for these special characters, then replacing each one with its proper escape sequence before passing the values on to authentication.
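
An added example (not part of the original article or of the sample policy) of the escaping suggested above, written in Python on the assumption that the same substitution is done by the gateway's Evaluate Regular Expression assertion. The function names are hypothetical and the sample values are constructed from the article's A10 / fi&rewall case; it escapes all five reserved characters in a single pass and checks that the parsed <creds> message returns the original values.

```python
import re
import xml.etree.ElementTree as ET

# The five characters XML reserves, with their predefined entities.
XML_ESCAPES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&apos;"}
_SPECIAL = re.compile(r"[&<>\"']")

def xml_escape(value):
    """Escape all five characters in one pass, so '&' is never escaped twice."""
    return _SPECIAL.sub(lambda m: XML_ESCAPES[m.group(0)], value)

def build_creds(username, password, escape=True):
    """Build the <creds> message the way the policy template does."""
    if escape:
        username, password = xml_escape(username), xml_escape(password)
    return (f"<creds><username>{username}</username>"
            f"<password>{password}</password></creds>")

def extract_creds(creds_xml):
    """Parse the message and read /creds/username and /creds/password."""
    root = ET.fromstring(creds_xml)  # root element is <creds>
    return root.findtext("username"), root.findtext("password")

def is_well_formed(creds_xml):
    """Return True if the XML parser accepts the message."""
    try:
        ET.fromstring(creds_xml)
        return True
    except ET.ParseError:
        return False

if __name__ == "__main__":
    # Constructed sample passwords; the last one already contains "&amp;".
    for pw in ["fi&rewall", "a<b>c", "it's \"quoted\"", "fi&amp;rewall"]:
        raw = build_creds("A10", pw, escape=False)
        safe = build_creds("A10", pw)
        print(f"{pw!r}: raw well-formed={is_well_formed(raw)}, "
              f"escaped round-trips={extract_creds(safe) == ('A10', pw)}")
```

The last sample shows why the replacement has to run exactly once on the raw value: a password that literally contains "&amp;" parses without error when left unescaped, but the value extracted from it is no longer the password the user typed.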
 

Additional Information

The issue is not with the product; it is an XML limitation.


I have played around with this a bit and also checked on our internal documentation. 

The "Require XPath Credentials" assertion is subject to the limitations of XML.


If you test the data in any XPath tester, you will see that the &, for example, needs to be escaped as &amp;.


You could use the "Evaluate Regular Expression" assertion and replace the & in the password with &amp;


https://www.freeformatter.com/xpath-tester.html


XML Input

<creds>
<username>A10</username>
<password>fi&rewall</password>
</creds>


XPath expression

/creds/password

Errors with 

Unable to perform XPath operation. The reference to entity "rewall" must end with the ';' delimiter. You most likely forgot to escape '&' into '&amp;'



Attached sample policy sample-policy.xml


The sample policy follows this flow:

IsProtect to SSO

Set context variables username and password containing the special character “&”

Evaluate Regular Expression: change fi&rewall to fi&amp;rewall and save the result to context variable password1

Set context variable “creds”

<creds>
<username>${username}</username>
<password>${password1}</password>
</creds>

XPath

/creds/username
/creds/password

$creds Authenticate Against CA Single Sign-On







Attachments

1571928019666__sample-policy.xml
1558687401913000130988_sktwi1f5rjvs16f9j.png
1558687399988000130988_sktwi1f5rjvs16f9i.png
1558687396988000130988_sktwi1f5rjvs16f9h.png