CA Access Gateway (SPS) remove body content from the HTTP DELETE Method

Article ID: 223501

Products

SITEMINDER CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

When running CA Access Gateway (SPS), a browser submits a URL with the
DELETE method and the request fails; the browser shows the error:

     500 Internal Server Error

A network trace shows that CA Access Gateway (SPS) removes the body of
the DELETE request before sending it to the backend application.

Cause

The CA Access Gateway (SPS) Agent receives the body and passes it to the
CA Access Gateway (SPS) HttpClient, but the SPS HttpClient does not send
the body on to the backend.

c:\> curl -v -k -H "Authorization: Bearer eyJlbmMiOiJBMTI4R0NNIiwiYWxnIjoiZGlyIn0..o-J0jaaRlp8C9nwc.
     HHvSE6eA0J55gWIgXCMlUJkGnVHLbqDDFsh8tLQhHNlKxwAQrIl34lmwIConh4VfxhEI0KsfoWe8CRwu0DCOSh0mox6tEXa
     PECRUXe57_sZHI3eYHGyPS4ULmWtRWxC0T9uLmJZr77InIGRngnoGKDJUZvOmMBKCO-xzxy_ZWgm9aLr62SNe6qc-YCZqjk
     P-cmneNEgEpJej_VubW0aPCtzLY-0PE9LbN5LjGeQUuQLM1QejZWJgR5Lq9FVbB4S_fKxhBoLhd6GTBa7YtLtlOOtXEntzk
     HyfGuHkbNfpOqm9ryAU6l0LvLJKiAb2Rgl_Sa39uRmh0zzarsKnU3vWRYz2UBCMjh2Ch44bIZOmaeYY-1g9fKbPp1F5YfMP
     qMcskvGaU9qp8tLpER8WpBprFzzZXXjHQMNnICjUXo5XEdDZjN5A5UiD9IIb1XWH51qJFXT2C53-LzNPD76mFVLRDV-6XdX
     qDzDfO3dK3tGUItJdE9Lskdp3hAR0-6YN2dWzYma8CVDPj9dSyU_5CAvHrwGABSlX1Mu7RkXRCtA3.wQoiwWXQi5VTZctQe
     ErYGQ" -H "Content-Type: application/json; charset=UTF-8" 
     -X DELETE --data @params.json https://sps.training.com/ca/api/sso/services/policy/v1/SmAgents -v

  > Authorization: Bearer eyJlbmMiOiJBMTI4R0NNIiwiYWxnIjoiZGlyIn0..o-J0jaaRlp8C9nwc.HHvSE6eA0J55gWIg
    XCMlUJkGnVHLbqDDFsh8tLQhHNlKxwAQrIl34lmwIConh4VfxhEI0KsfoWe8CRwu0DCOSh0mox6tEXaPECRUXe57_sZHI3eY
    HGyPS4ULmWtRWxC0T9uLmJZr77InIGRngnoGKDJUZvOmMBKCO-xzxy_ZWgm9aLr62SNe6qc-YCZqjkP-cmneNEgEpJej_Vub
    W0aPCtzLY-0PE9LbN5LjGeQUuQLM1QejZWJgR5Lq9FVbB4S_fKxhBoLhd6GTBa7YtLtlOOtXEntzkHyfGuHkbNfpOqm9ryAU
    6l0LvLJKiAb2Rgl_Sa39uRmh0zzarsKnU3vWRYz2UBCMjh2Ch44bIZOmaeYY-1g9fKbPp1F5YfMPqMcskvGaU9qp8tLpER8W
    pBprFzzZXXjHQMNnICjUXo5XEdDZjN5A5UiD9IIb1XWH51qJFXT2C53-LzNPD76mFVLRDV-6XdXqDzDfO3dK3tGUItJdE9Ls
    kdp3hAR0-6YN2dWzYma8CVDPj9dSyU_5CAvHrwGABSlX1Mu7RkXRCtA3.wQoiwWXQi5VTZctQeErYGQ

  > Content-Type: application/json; charset=UTF-8
  > Content-Length: 362
  >
  - upload completely sent off: 362 out of 362 bytes

sps.training.com.trace:

  [08/23/2021][09:57:13][2477][140635420641024][6e45c8de-bd893385-aa28d4f4-7205b038-53a1d072-20d]
  [Noodle::service][Method is: DELETE Content length is: 362]

  [08/23/2021][09:57:13][2477][140635420641024][6e45c8de-bd893385-aa28d4f4-7205b038-53a1d072-20d]
  [addRequestHeaders][Need to preseve Proxy HOST Header.Sending Proxy Host to the backend web server]

  [08/23/2021][09:57:13][2477][140635420641024][6e45c8de-bd893385-aa28d4f4-7205b038-53a1d072-20d]
  [execute][Got protocol version HTTP]

  [08/23/2021][09:57:13][2477][140635420641024][6e45c8de-bd893385-aa28d4f4-7205b038-53a1d072-20d]
  [execute][Sending request to backend = ps.training.com:8443 
  url = https://ps.training.com:8443/ca/api/sso/services/policy/v1/SmAgents]

httpclient0.log:

  Aug 23, 2021 9:57:13 AM org.apache.http.headers sendRequestHeader

  FINE: >> authorization: Bearer eyJlbmMiOiJBMTI4R0NNIiwiYWxnIjoiZGlyIn0..o-J0jaaRlp8C9nwc.HHvSE6eA0
           J55gWIgXCMlUJkGnVHLbqDDFsh8tLQhHNlKxwAQrIl34lmwIConh4VfxhEI0KsfoWe8CRwu0DCOSh0mox6tEXaPEC
           RUXe57_sZHI3eYHGyPS4ULmWtRWxC0T9uLmJZr77InIGRngnoGKDJUZvOmMBKCO-xzxy_ZWgm9aLr62SNe6qc-YCZ
           qjkP-cmneNEgEpJej_VubW0aPCtzLY-0PE9LbN5LjGeQUuQLM1QejZWJgR5Lq9FVbB4S_fKxhBoLhd6GTBa7YtLtl
           OOtXEntzkHyfGuHkbNfpOqm9ryAU6l0LvLJKiAb2Rgl_Sa39uRmh0zzarsKnU3vWRYz2UBCMjh2Ch44bIZOmaeYY-
           1g9fKbPp1F5YfMPqMcskvGaU9qp8tLpER8WpBprFzzZXXjHQMNnICjUXo5XEdDZjN5A5UiD9IIb1XWH51qJFXT2C5
           3-LzNPD76mFVLRDV-6XdXqDzDfO3dK3tGUItJdE9Lskdp3hAR0-6YN2dWzYma8CVDPj9dSyU_5CAvHrwGABSlX1Mu
           7RkXRCtA3.wQoiwWXQi5VTZctQeErYGQ

  Aug 23, 2021 9:57:13 AM org.apache.http.headers sendRequestHeader

  FINE: >> content-length: 0

On the AdminUI, smrestservices.log:

  [2021-08-23 09:57:13][ERROR][RestServlet:com.ca.siteminder.sdk.restservlet.RestServlet.doLog(RestServlet.java:134)]
  [REQUEST_HEADER: {authorization=Bearer eyJlbmMiOiJBMTI4R0NNIiwiYWxnIjoiZGlyIn0..o-J0jaaRlp8C9nwc.H
  HvSE6eA0J55gWIgXCMlUJkGnVHLbqDDFsh8tLQhHNlKxwAQrIl34lmwIConh4VfxhEI0KsfoWe8CRwu0DCOSh0mox6tEXaPECR
  UXe57_sZHI3eYHGyPS4ULmWtRWxC0T9uLmJZr77InIGRngnoGKDJUZvOmMBKCO-xzxy_ZWgm9aLr62SNe6qc-YCZqjkP-cmneN
  EgEpJej_VubW0aPCtzLY-0PE9LbN5LjGeQUuQLM1QejZWJgR5Lq9FVbB4S_fKxhBoLhd6GTBa7YtLtlOOtXEntzkHyfGuHkbNf
  pOqm9ryAU6l0LvLJKiAb2Rgl_Sa39uRmh0zzarsKnU3vWRYz2UBCMjh2Ch44bIZOmaeYY-1g9fKbPp1F5YfMPqMcskvGaU9qp8
  tLpER8WpBprFzzZXXjHQMNnICjUXo5XEdDZjN5A5UiD9IIb1XWH51qJFXT2C53-LzNPD76mFVLRDV-6XdXqDzDfO3dK3tGUItJ
  dE9Lskdp3hAR0-6YN2dWzYma8CVDPj9dSyU_5CAvHrwGABSlX1Mu7RkXRCtA3.wQoiwWXQi5VTZctQeErYGQ, 
  content-length=0, SM_USERDN=, SM_AUTHTYPE=Not Protected, SM_SDOMAIN=.training.com, 
  Connection=Keep-Alive, SM_TRANSACTIONID=6e45c8de-bd893385-aa28d4f4-7205b038-53a1d072-20d, 
  content-type=application/json; charset=UTF-8, Host=ps.training.com:8443, SM_USER=, accept=*/*, 
  user-agent=curl/7.55.1}]

  [2021-08-23 09:57:13][ERROR][RestServlet:com.ca.siteminder.sdk.restservlet.RestServlet.doLog(RestServlet.java:135)]
  [REQUEST_BODY: ]
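As an added example (not part of this article or of the product), a short Python script that correlates the two log formats quoted above and flags requests whose body the SPS agent accepted but HttpClient forwarded with Content-Length 0. The sample log lines are constructed, and pairing records by timestamp is an assumption, since httpclient0.log carries no SM_TRANSACTIONID.

```python
import re
from datetime import datetime

# Constructed samples modelled on the two log formats quoted above (bearer token
# replaced by a placeholder; the second, POST, transaction is invented).
SPS_TRACE = """\
[08/23/2021][09:57:13][2477][140635420641024][6e45c8de-bd893385-aa28d4f4-7205b038-53a1d072-20d][Noodle::service][Method is: DELETE Content length is: 362]
[08/23/2021][09:57:20][2477][140635420641024][0000aaaa-0000bbbb-0000cccc-0000dddd-0000eeee-001][Noodle::service][Method is: POST Content length is: 120]
"""
HTTPCLIENT_LOG = """\
Aug 23, 2021 9:57:13 AM org.apache.http.headers sendRequestHeader
FINE: >> content-length: 0
Aug 23, 2021 9:57:20 AM org.apache.http.headers sendRequestHeader
FINE: >> content-length: 120
"""
SPS_RE = re.compile(r"^\[(\d\d/\d\d/\d{4})\]\[(\d\d:\d\d:\d\d)\]\[\d+\]\[\d+\]\[([0-9a-f-]+)\]"
                    r"\[Noodle::service\]\[Method is: (\w+) Content length is: (\d+)\]")
HC_TS_RE = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{1,2}:\d\d:\d\d [AP]M) ")
HC_CL_RE = re.compile(r"^FINE: >> content-length: (\d+)", re.IGNORECASE)

def parse_sps(text):
    """Inbound requests seen by the SPS agent: (timestamp, txid, method, length)."""
    out = []
    for line in text.splitlines():
        if m := SPS_RE.match(line):
            ts = datetime.strptime(m[1] + " " + m[2], "%m/%d/%Y %H:%M:%S")
            out.append((ts, m[3], m[4], int(m[5])))
    return out

def parse_httpclient(text):
    """Outbound Content-Length values sent by HttpClient: (timestamp, length)."""
    out, ts = [], None
    for line in text.splitlines():
        if m := HC_TS_RE.match(line):
            ts = datetime.strptime(m[1], "%b %d, %Y %I:%M:%S %p")
        elif (m := HC_CL_RE.match(line)) and ts is not None:
            out.append((ts, int(m[1])))
    return out

def find_stripped_bodies(sps_text, hc_text):
    """Requests whose body SPS received but HttpClient forwarded with Content-Length 0.
    httpclient0.log has no SM_TRANSACTIONID, so pairing is by timestamp (heuristic)."""
    outbound = parse_httpclient(hc_text)
    findings = []
    for ts, txid, method, inbound_len in parse_sps(sps_text):
        for hc_ts, outbound_len in outbound:
            if hc_ts == ts and inbound_len > 0 and outbound_len == 0:
                findings.append({"txid": txid, "method": method, "inbound": inbound_len,
                                 "outbound": 0, "body_defined": method not in ("GET", "DELETE")})
    return findings
```

A finding with body_defined False (GET or DELETE, whose bodies have no defined semantics per RFC 7231) is the expected behaviour described under Resolution, not a product defect; the client should carry the object identifier in the URL instead.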


 

Environment

CA Access Gateway (SPS) 12.8SP5 on RedHat 8

Resolution

The product behaves as expected.

The HTTP specification and the REST guidance cited below say that GET
and DELETE requests SHOULD *not* have a body; the identifier of the
object should be part of the URL, as stated by Roy Fielding, the
originator of REST (1)(2)(3).

As such, a GET or DELETE body is absolutely forbidden to have any impact
whatsoever on the processing or interpretation of the request.

 

Additional Information

(1) Re: GET / DELETE request bodies
    From: Roy T. Fielding <[email protected]>

      They have no semantics in the sense that a body cannot change the
      meaning of a received request. They are absolutely forbidden to
      have any impact whatsoever on the processing or interpretation of
      the request aside from the necessity to read and discard the bytes
      received in order to maintain the message framing. The only reason
      we didn't forbid sending a body is because that would lead to lazy
      implementations assuming no body would be sent.

    https://lists.w3.org/Archives/Public/ietf-http-wg/2020JanMar/0123.html

(2) RFC 7231, section 4.3.5, DELETE

      A payload within a DELETE request message has no defined semantics;
      sending a payload body on a DELETE request might cause some existing
      implementations to reject the request.

    https://datatracker.ietf.org/doc/html/rfc7231#section-4.3.5

(3) Roy Fielding

      One of the principal authors of the HTTP specification and the
      originator of the Representational State Transfer (REST)
      architectural style.

    https://en.wikipedia.org/wiki/Roy_Fielding