BadUrlChars does not block URL contains "//".

Article Id: 195026

Status: Published

Updated On: 14-07-2020 09:38

Products:

CA Single Sign On Secure Proxy Server (SiteMinder) , CA Single Sign On Agents (SiteMinder) , CA Single Sign On Federation (SiteMinder) , CA Single Sign On SOA Security Manager (SiteMinder) , SITEMINDER

Issue/Introduction:

BadUrlChars parameter in ACO has "//" by default.
But it does not block URL contains "//".

Cause:

BadURLChars will work on the URL received by webagent from webserver.
If the URL contains "//" then webagent will block.

Observerations from IIS and Apache:
IIS:
User entered http://server1.broadcom.net:80/error//dummy.html, url received by WA is http://server1..broadcom.net:80/error/dummy.html.
IIS is truncating an extra /. since the URL received by WA does not contain // url is not blocked.

Apache:
Here the URL is send as it is , so the URL contains // and is blocked.

Environment:

Component : SITEMINDER -WEB AGENT

Resolution:

Basically WA is working as expected. The difference is in the functionality of webservers.