BadUrlChars does not block a URL that contains "//"

Article ID: 195026

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

The BadUrlChars parameter in the ACO includes "//" by default.
However, the Web Agent does not block a URL that contains "//".

Cause

BadUrlChars is applied to the URL that the Web Agent (WA) receives from the web server.
If that URL contains "//", the Web Agent blocks it.

Observations from IIS and Apache:

IIS:
The user entered http://server1.broadcom.net:80/error//dummy.html; the URL received by the WA is http://server1.broadcom.net:80/error/dummy.html.
IIS removes the extra "/". Because the URL received by the WA does not contain "//", the URL is not blocked.

Apache:
Here the URL is sent as is, so the URL received by the WA contains "//" and is blocked.
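
The following added example (a simplified model, not SiteMinder, IIS or Apache code) reproduces the two observations above and flags when the web server rewrote the path before the filter ran. The function names and the path-only check are assumptions made for illustration.

```python
# Added illustration: a simplified model, not SiteMinder, IIS or Apache code.
import re
from urllib.parse import urlsplit

BAD_URL_CHARS = ["//"]  # only the sequence discussed in this article


def collapsing_server(path: str) -> str:
    """Models the IIS behaviour observed above: repeated '/' become one."""
    return re.sub(r"/{2,}", "/", path)


def passthrough_server(path: str) -> str:
    """Models the Apache behaviour observed above: path forwarded as is."""
    return path


def agent_blocks(path_seen_by_agent: str, bad=BAD_URL_CHARS) -> bool:
    """Hypothetical filter: block if any bad sequence is in the path.
    Assumption: only the path is checked, so 'http://' never matches."""
    return any(seq in path_seen_by_agent for seq in bad)


def evaluate(url: str, server) -> dict:
    """Return what the user sent, what the agent saw, and the decision."""
    raw_path = urlsplit(url).path
    seen = server(raw_path)
    return {
        "raw_path": raw_path,
        "agent_path": seen,
        "blocked": agent_blocks(seen),
        # True when the server changed the path before the filter ran
        "rewritten_upstream": seen != raw_path,
    }


if __name__ == "__main__":
    url = "http://server1.broadcom.net:80/error//dummy.html"  # URL from the article
    for name, server in (("collapsing (IIS-like)", collapsing_server),
                         ("pass-through (Apache-like)", passthrough_server)):
        print(name, evaluate(url, server))
```

A result with "rewritten_upstream" set to True and "blocked" set to False corresponds to the IIS case: the filter never saw the sequence it is configured to reject.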

Environment

Component: SITEMINDER - WEB AGENT

Resolution

The Web Agent is working as expected. The difference is in the behaviour of the web servers.