
Regarding Status Code Changing Post Upgrade to 12.8 SP6a


Article ID: 240934


Products

SITEMINDER

Issue/Introduction

Siteminder Access Gateway r12.8.5 and higher

==================================
REQUEST: GET https://webapp1.smlab1.com/trans/jwt_auth/Token.cfc?method=authenticate&[email protected]

RESPONSE: HTTP/1.1 200 200
Server: Apache/2.4.53 (Win64) OpenSSL/1.0.2zd-fips mod_jk/1.2.48

-----------------------------------
REQUEST: GET https://webapp1.smlab1.com/favicon.ico

RESPONSE: HTTP/1.1 302 302

Server: Apache/2.4.53 (Win64) OpenSSL/1.0.2zd-fips mod_jk/1.2.48
Location: https://agent1.smlab1.com/arcotafm/login.jsp?TYPE=33554433&REALMOID=06-46944564-afe4-444d-ace6-088d3f73ac6a&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-ZqGp3E0yyu37JNot4RShQsloBFSOJ9VgGJKHC3eHTgQMWlJ6IOxl1%2bdjFDex0oOU&TARGET=-SM-https%3a%2f%2webapp1%2smlab1%2ecom%2ffavicon%2eico

Siteminder Access Gateway r12.8.4 and Lower

==================================
REQUEST: GET https://webapp1.smlab1.com/trans/jwt_auth/Token.cfc?method=authenticate&[email protected]

RESPONSE: HTTP/1.1 200 OK
Server: Apache/2.4.53 (Win64) OpenSSL/1.0.2za-fips mod_jk/1.2.48

-----------------------------------
REQUEST: GET https://webapp1.smlab1.com/favicon.ico

RESPONSE: HTTP/1.1 302 Found
Server: Apache/2.4.53 (Win64) OpenSSL/1.0.2za-fips mod_jk/1.2.48
Location: https://agent1.smlab1.com/arcotafm/login.jsp?TYPE=33554433&REALMOID=06-46944564-afe4-444d-ace6-088d3f73ac6a&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-ZqGp3E0yyu37JNot4RShQsloBFSOJ9VgGJKHC3eHTgQMWlJ6IOxl1%2bdjFDex0oOU&TARGET=-SM-https%3a%2f%2webapp1%2smlab1%2ecom%2ffavicon%2eico
==================================

Notice that in r12.8.4 and older the status line carries both the status code and a textual reason phrase, while in r12.8.5 and newer the status code is simply repeated in place of the reason phrase.

<= r12.8.4: "302 Found"

>= r12.8.5: "302 302"

Cause

This is a result of the Tomcat server bundled with Access Gateway r12.8.5 and higher having been upgraded to Tomcat 9.0.x. Access Gateway r12.8.4 and older bundled Tomcat 7.0.x.

Environment

Release : 12.8.5 and higher

Component : SITEMINDER SECURE PROXY SERVER

Resolution

Since the response is being sent by Apache Tomcat and not by the Siteminder Web Agent, Siteminder has no control over how Apache Tomcat interprets the RFC.

Processing the entire status line (status code and reason phrase) rather than just the numeric status code is not considered best practice. Please refer to RFC 7230 Section 9.3:

-----------------------------
[RFC7230 9.3]

...


"Recipients ought to carefully limit the extent to which they process other protocol elements, including (but not limited to) request methods, response status phrases, header field-names, numeric values, and body chunks.  Failure to limit such processing can result in buffer overflows, arithmetic overflows, or increased vulnerability to denial-of-service attacks."
-----------------------------

If a third-party application processes HTTP responses, have it act on the numeric status code only and not on the reason phrase.
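As an added illustration (not part of the original article or of any Siteminder component), the Python below parses the status line exactly as RFC 7230 section 3.1.2 defines it (HTTP-version SP status-code SP reason-phrase) and decides on the three-digit code alone. Beside it sits the brittle pattern that breaks after the upgrade: comparing the whole "302 Found" text, which no longer matches the "302 302" the Tomcat 9 based gateway sends. The sample status lines are constructed from the traces above, and the function names are mine.

```python
import re

# RFC 7230 section 3.1.2 defines the status line as
#   status-line = HTTP-version SP status-code SP reason-phrase CRLF
# where status-code is exactly three digits and reason-phrase is free text
# that a client SHOULD ignore. The regex captures the code; the phrase is
# matched only so malformed lines can be rejected. It tolerates a missing SP
# before an empty reason phrase, which some servers emit.
_STATUS_LINE = re.compile(r"^HTTP/(\d)\.(\d) (\d{3})(?: (.*))?$")

REDIRECT_CODES = frozenset({301, 302, 303, 307, 308})

# Constructed sample status lines modelled on the traces in this article
# (constructed test data, not captured from a live system).
SAMPLE_STATUS_LINES = [
    "HTTP/1.1 302 Found\r\n",   # Access Gateway r12.8.4 and lower (Tomcat 7)
    "HTTP/1.1 302 302\r\n",     # Access Gateway r12.8.5 and higher (Tomcat 9)
    "HTTP/1.1 200 OK\r\n",
    "HTTP/1.1 200 200\r\n",
    "HTTP/1.1 204\r\n",         # no reason phrase at all
]


def parse_status_code(status_line: str) -> int:
    """Return the numeric status code from an HTTP/1.x status line.

    Raises ValueError on anything that is not a syntactically valid status
    line, so a truncated or garbage first line fails loudly instead of being
    guessed at. The reason phrase is never inspected.
    """
    match = _STATUS_LINE.match(status_line.rstrip("\r\n"))
    if match is None:
        raise ValueError(f"malformed status line: {status_line!r}")
    return int(match.group(3))


def is_redirect_brittle(status_line: str) -> bool:
    """The pattern that broke after the upgrade: compare the whole
    'code reason-phrase' text against what the old server used to send."""
    _, _, rest = status_line.rstrip("\r\n").partition(" ")
    return rest == "302 Found"


def is_redirect(status_line: str) -> bool:
    """Decide on the status code alone; the phrase never influences the result."""
    return parse_status_code(status_line) in REDIRECT_CODES


def compare_checks(status_lines):
    """Run both checks over a batch; return (line, code, brittle, robust) rows."""
    rows = []
    for line in status_lines:
        rows.append((line.rstrip("\r\n"),
                     parse_status_code(line),
                     is_redirect_brittle(line),
                     is_redirect(line)))
    return rows


if __name__ == "__main__":
    for line, code, brittle, robust in compare_checks(SAMPLE_STATUS_LINES):
        print(f"{line!r:24} code={code} brittle_redirect={brittle!s:5} "
              f"robust_redirect={robust}")
```

Running the block shows the brittle check flagging only the pre-upgrade "302 Found" line as a redirect, while the code-only check treats "302 Found" and "302 302" identically; the same approach applies to any client library or script that consumes the first line of a response.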

Additional Information

https://datatracker.ietf.org/doc/rfc7230/