Require Xpath Credentials - Not working when we pass special characters CA API Gateway


Article ID: 130988


Updated On:


STARTER PACK-7 CA Rapid App Security CA API Gateway


API Gateway version --> 9.4 CA SSO 12.8

Configured the API gateway to use Authenticate against ca sso for authentication and authorization.
The policy only fails when special characters are included in username or password 

Simplified steps to reproduce: Policy 
Set Context variables for username and password: username=A10,   password=fi&erwall
Set Context variables for creds message XML format

<Please see attached file for image>

Context XML

Set XPath Credentials Properties

<Please see attached file for image>

XPath properties
Policy will fail when username or password contain a special character at the XPath assertion (&, <,  >, '', ')



Component: APIGTW


Inorder for this to work with specific characters need to escape as below,

XPath expression


<Please see attached file for image>

XML excaped characters

Suggest using regular expression to check the username and password for specific characters then handle each one with the proper escape character before passing on to authentication 

Additional Information

The issue is not with the product it is an XML limitation 

I have played around with this a bit and also checked on our internal documentation. 

"Require XPath credentials" assertion has the limitations on XML 

If you test the data in any XPath tester, you would see, that the & for example will need to be escaped with amp; 

You could use the "Evaluate Regular Expression" and replace the & in the password with &amp;

XML Input


XPath expression


Errors with 

Unable to perform XPath operation. The reference to entity "rewall" must end with the ';' delimiter. You most likely forgot to escape '&' into '&amp;'

Attached sample policy sample-policy.xml

The following flow

IsProtect to SSO

Set context variable username and password that contains special character “&”

Evaluate Regular Expression  fi&rewall change it to fi&amp;rewall, save to context variable password1

Set context variable “creds”








$creds Authenticate Against CA Single Sign-On


1571928019666__sample-policy.xml get_app
1558687401913000130988_sktwi1f5rjvs16f9j.png get_app
1558687399988000130988_sktwi1f5rjvs16f9i.png get_app
1558687396988000130988_sktwi1f5rjvs16f9h.png get_app