When running CA Access Gateway (SPS), when the browser submits a URL with the DELETE method, the request fails and the browser shows the error:
500 Internal Server Error
A network trace shows that CA Access Gateway (SPS) removes the body of the DELETE request before sending it to the backend application. The CA Access Gateway (SPS) Agent receives the body and passes it to the CA Access Gateway (SPS) HttpClient, but the SPS HttpClient does not send the body.
c:\> curl -v -k -H "Authorization: Bearer eyJlbmMiOiJBMTI4R0NNIiwiYWxnIjoiZGlyIn0..o-J0jaaRlp8C9nwc.
HHvSE6eA0J55gWIgXCMlUJkGnVHLbqDDFsh8tLQhHNlKxwAQrIl34lmwIConh4VfxhEI0KsfoWe8CRwu0DCOSh0mox6tEXa
PECRUXe57_sZHI3eYHGyPS4ULmWtRWxC0T9uLmJZr77InIGRngnoGKDJUZvOmMBKCO-xzxy_ZWgm9aLr62SNe6qc-YCZqjk
P-cmneNEgEpJej_VubW0aPCtzLY-0PE9LbN5LjGeQUuQLM1QejZWJgR5Lq9FVbB4S_fKxhBoLhd6GTBa7YtLtlOOtXEntzk
HyfGuHkbNfpOqm9ryAU6l0LvLJKiAb2Rgl_Sa39uRmh0zzarsKnU3vWRYz2UBCMjh2Ch44bIZOmaeYY-1g9fKbPp1F5YfMP
qMcskvGaU9qp8tLpER8WpBprFzzZXXjHQMNnICjUXo5XEdDZjN5A5UiD9IIb1XWH51qJFXT2C53-LzNPD76mFVLRDV-6XdX
qDzDfO3dK3tGUItJdE9Lskdp3hAR0-6YN2dWzYma8CVDPj9dSyU_5CAvHrwGABSlX1Mu7RkXRCtA3.wQoiwWXQi5VTZctQe
ErYGQ" -H "Content-Type: application/json; charset=UTF-8"
-X DELETE --data @params.json https://sps.training.com/ca/api/sso/services/policy/v1/SmAgents -v
> Authorization: Bearer eyJlbmMiOiJBMTI4R0NNIiwiYWxnIjoiZGlyIn0..o-J0jaaRlp8C9nwc.HHvSE6eA0J55gWIg
XCMlUJkGnVHLbqDDFsh8tLQhHNlKxwAQrIl34lmwIConh4VfxhEI0KsfoWe8CRwu0DCOSh0mox6tEXaPECRUXe57_sZHI3eY
HGyPS4ULmWtRWxC0T9uLmJZr77InIGRngnoGKDJUZvOmMBKCO-xzxy_ZWgm9aLr62SNe6qc-YCZqjkP-cmneNEgEpJej_Vub
W0aPCtzLY-0PE9LbN5LjGeQUuQLM1QejZWJgR5Lq9FVbB4S_fKxhBoLhd6GTBa7YtLtlOOtXEntzkHyfGuHkbNfpOqm9ryAU
6l0LvLJKiAb2Rgl_Sa39uRmh0zzarsKnU3vWRYz2UBCMjh2Ch44bIZOmaeYY-1g9fKbPp1F5YfMPqMcskvGaU9qp8tLpER8W
pBprFzzZXXjHQMNnICjUXo5XEdDZjN5A5UiD9IIb1XWH51qJFXT2C53-LzNPD76mFVLRDV-6XdXqDzDfO3dK3tGUItJdE9Ls
kdp3hAR0-6YN2dWzYma8CVDPj9dSyU_5CAvHrwGABSlX1Mu7RkXRCtA3.wQoiwWXQi5VTZctQeErYGQ
> Content-Type: application/json; charset=UTF-8
> Content-Length: 362
>
- upload completely sent off: 362 out of 362 bytes
sps.training.com.trace :
[08/23/2021][09:57:13][2477][140635420641024][6e45c8de-bd893385-aa28d4f4-7205b038-53a1d072-20d]
[Noodle::service][Method is: DELETE Content length is: 362]
[08/23/2021][09:57:13][2477][140635420641024][6e45c8de-bd893385-aa28d4f4-7205b038-53a1d072-20d]
[addRequestHeaders][Need to preseve Proxy HOST Header.Sending Proxy Host to the backend web server]
[08/23/2021][09:57:13][2477][140635420641024][6e45c8de-bd893385-aa28d4f4-7205b038-53a1d072-20d]
[execute][Got protocol version HTTP]
[08/23/2021][09:57:13][2477][140635420641024][6e45c8de-bd893385-aa28d4f4-7205b038-53a1d072-20d]
[execute][Sending request to backend = ps.training.com:8443
url = https://ps.training.com:8443/ca/api/sso/services/policy/v1/SmAgents]
httpclient0.log :
Aug 23, 2021 9:57:13 AM org.apache.http.headers sendRequestHeader
FINE: >> authorization: Bearer eyJlbmMiOiJBMTI4R0NNIiwiYWxnIjoiZGlyIn0..o-J0jaaRlp8C9nwc.HHvSE6eA0
J55gWIgXCMlUJkGnVHLbqDDFsh8tLQhHNlKxwAQrIl34lmwIConh4VfxhEI0KsfoWe8CRwu0DCOSh0mox6tEXaPEC
RUXe57_sZHI3eYHGyPS4ULmWtRWxC0T9uLmJZr77InIGRngnoGKDJUZvOmMBKCO-xzxy_ZWgm9aLr62SNe6qc-YCZ
qjkP-cmneNEgEpJej_VubW0aPCtzLY-0PE9LbN5LjGeQUuQLM1QejZWJgR5Lq9FVbB4S_fKxhBoLhd6GTBa7YtLtl
OOtXEntzkHyfGuHkbNfpOqm9ryAU6l0LvLJKiAb2Rgl_Sa39uRmh0zzarsKnU3vWRYz2UBCMjh2Ch44bIZOmaeYY-
1g9fKbPp1F5YfMPqMcskvGaU9qp8tLpER8WpBprFzzZXXjHQMNnICjUXo5XEdDZjN5A5UiD9IIb1XWH51qJFXT2C5
3-LzNPD76mFVLRDV-6XdXqDzDfO3dK3tGUItJdE9Lskdp3hAR0-6YN2dWzYma8CVDPj9dSyU_5CAvHrwGABSlX1Mu
7RkXRCtA3.wQoiwWXQi5VTZctQeErYGQ
Aug 23, 2021 9:57:13 AM org.apache.http.headers sendRequestHeader
FINE: >> content-length: 0
On AdminUI :
smrestservices.log
[2021-08-23 09:57:13][ERROR][RestServlet:com.ca.siteminder.sdk.restservlet.RestServlet.doLog(RestServlet.java:134)]
[REQUEST_HEADER: {authorization=Bearer eyJlbmMiOiJBMTI4R0NNIiwiYWxnIjoiZGlyIn0..o-J0jaaRlp8C9nwc.H
HvSE6eA0J55gWIgXCMlUJkGnVHLbqDDFsh8tLQhHNlKxwAQrIl34lmwIConh4VfxhEI0KsfoWe8CRwu0DCOSh0mox6tEXaPECR
UXe57_sZHI3eYHGyPS4ULmWtRWxC0T9uLmJZr77InIGRngnoGKDJUZvOmMBKCO-xzxy_ZWgm9aLr62SNe6qc-YCZqjkP-cmneN
EgEpJej_VubW0aPCtzLY-0PE9LbN5LjGeQUuQLM1QejZWJgR5Lq9FVbB4S_fKxhBoLhd6GTBa7YtLtlOOtXEntzkHyfGuHkbNf
pOqm9ryAU6l0LvLJKiAb2Rgl_Sa39uRmh0zzarsKnU3vWRYz2UBCMjh2Ch44bIZOmaeYY-1g9fKbPp1F5YfMPqMcskvGaU9qp8
tLpER8WpBprFzzZXXjHQMNnICjUXo5XEdDZjN5A5UiD9IIb1XWH51qJFXT2C53-LzNPD76mFVLRDV-6XdXqDzDfO3dK3tGUItJ
dE9Lskdp3hAR0-6YN2dWzYma8CVDPj9dSyU_5CAvHrwGABSlX1Mu7RkXRCtA3.wQoiwWXQi5VTZctQeErYGQ,
content-length=0, SM_USERDN=, SM_AUTHTYPE=Not Protected, SM_SDOMAIN=.training.com,
Connection=Keep-Alive, SM_TRANSACTIONID=6e45c8de-bd893385-aa28d4f4-7205b038-53a1d072-20d,
content-type=application/json; charset=UTF-8, Host=ps.training.com:8443, SM_USER=, accept=*/*,
user-agent=curl/7.55.1}]
[2021-08-23 09:57:13][ERROR][RestServlet:com.ca.siteminder.sdk.restservlet.RestServlet.doLog(RestServlet.java:135)]
[REQUEST_BODY: ]
Environment: CA Access Gateway (SPS) 12.8 SP5 on RedHat 8
The product behaves as expected.
The REST spec says that GET and DELETE requests SHOULD NOT have a body. The id of the object to act on should be part of the URL, as stated by Roy Fielding, the originator of REST (1)(2)(3).
As such, a GET or DELETE body is absolutely forbidden to have any impact whatsoever on the processing or interpretation of the request.
(1) Re: GET / DELETE request bodies
From: Roy T. Fielding <[email protected]>
They have no semantics in the sense that a body cannot change the
meaning of a received request. They are absolutely forbidden to
have any impact whatsoever on the processing or interpretation of
the request aside from the necessity to read and discard the bytes
received in order to maintain the message framing. The only reason
we didn't forbid sending a body is because that would lead to lazy
implementations assuming no body would be sent.
https://lists.w3.org/Archives/Public/ietf-http-wg/2020JanMar/0123.html
(2) RFC 7231, section 4.3.5. DELETE
A payload within a DELETE request message has no defined semantics;
sending a payload body on a DELETE request might cause some existing
implementations to reject the request.
https://datatracker.ietf.org/doc/html/rfc7231#section-4.3.5
(3) Roy Fielding
One of the principal authors of the HTTP specification and the
originator of the Representational State Transfer (REST)
architectural style.
https://en.wikipedia.org/wiki/Roy_Fielding
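The two points the resolution and Fielding's note (1) make, as an added example that is not CA/Broadcom code: a backend must consume the bytes of a GET or DELETE body to keep the connection framed correctly, but must give them no meaning, and the client should carry the object id in the URL instead. The sample stream is constructed, and the /SmAgents/{id} path form is an assumption.

```python
"""Frame HTTP/1.1 requests as RFC 7231 and Fielding's note require (added
example): a payload on GET/DELETE/HEAD has no semantics and is discarded, but
its bytes are still consumed so the next keep-alive request is not mis-framed.
"""
from dataclasses import dataclass, field

BODY_HAS_NO_SEMANTICS = {"GET", "DELETE", "HEAD"}


@dataclass
class Request:
    method: str
    target: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""
    body_ignored: bool = False  # a body was present but must not affect processing


def parse_stream(data: bytes) -> list[Request]:
    """Split a keep-alive byte stream into requests, honouring Content-Length."""
    requests = []
    pos = 0
    while pos < len(data):
        end = data.index(b"\r\n\r\n", pos)
        head = data[pos:end].decode("iso-8859-1").split("\r\n")
        method, target, _version = head[0].split(" ", 2)
        headers = {}
        for line in head[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body_start = end + 4
        body = data[body_start:body_start + length]
        if len(body) != length:
            raise ValueError("truncated body: message framing lost")
        ignored = method in BODY_HAS_NO_SEMANTICS and length > 0
        # Read and discard the payload for GET/DELETE; the bytes are consumed,
        # so the following request on the connection starts at the right offset.
        requests.append(Request(method, target, headers, b"" if ignored else body, ignored))
        pos = body_start + length
    return requests


def delete_by_id(collection_path: str, object_id: str) -> bytes:
    """Spec-friendly DELETE: identifier in the URL, empty body (path form assumed)."""
    return (f"DELETE {collection_path.rstrip('/')}/{object_id} HTTP/1.1\r\n"
            f"Host: ps.training.com:8443\r\nContent-Length: 0\r\n\r\n").encode()


# Constructed stream: a DELETE carrying a JSON body, as the curl in the trace
# did, followed by a GET that must still be parsed at the correct boundary.
SAMPLE_STREAM = (
    b"DELETE /ca/api/sso/services/policy/v1/SmAgents HTTP/1.1\r\n"
    b"Host: ps.training.com:8443\r\nContent-Type: application/json; charset=UTF-8\r\n"
    b"Content-Length: 14\r\n\r\n"
    b'{"id":"agent"}'
    b"GET /ca/api/sso/services/policy/v1/SmAgents HTTP/1.1\r\n"
    b"Host: ps.training.com:8443\r\n\r\n"
)
```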