Occasionally getting error 500 - An exception occurred processing [redirectjsp/redirect.jsp] at line [105]

Article ID: 242187


Products

SITEMINDER

CA Single Sign On Federation (SiteMinder)

CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

During a federation transaction, a user occasionally gets a 500 error when performing an SP-initiated login into a federated app for which SiteMinder is the IdP.

The following error shows up in the nohup log:

May 16, 2022 12:11:39 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [jsp] in context with path [/affwebservices] threw exception [An exception occurred processing [redirectjsp/redirect.jsp] at line [105]

102:    //System.out.println(referer + "?" + queryString);
103:
104:    //redirect the user back to PORTALURL with all the query params
105:    response.sendRedirect(URLDecoder.decode(referer, "UTF-8") + "?" + queryString );
106: }
107: %>

Stacktrace:] with root cause
java.net.URISyntaxException: Illegal character in path at index 27: u7iBOJvliiRx2bwFUY5mtqF/Wzu MhgLRrlRdwwDAc1oYo4yaZiba...........?SMASSERTIONREF=QUERY&SAMLRequest=fZJbj9sgEIX%2...........jOk%2Bxvrz6%2Fx9c%2FwM%3D&SAMLTRANSACTIONID=<Transaction ID>
    at java.net.URI$Parser.fail(URI.java:2847)
    at java.net.URI$Parser.checkChars(URI.java:3020)
    at java.net.URI$Parser.parseHierarchical(URI.java:3104)
    at java.net.URI$Parser.parse(URI.java:3062)
    at java.net.URI.<init>(URI.java:588)
    at com.netegrity.affiliateminder.webservices.c.sendRedirect(fedfws_obfsc:53)
    at org.apache.jsp.redirectjsp.redirect_jsp._jspService(redirect_jsp.java:229)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:71)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:733)
    at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:477)
    at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:385)
    at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:329)

Environment

Release : 12.8.05

Component : SITEMINDER SECURE PROXY SERVER

Cause

The exact error reported in the FWS log is:

java.net.URISyntaxException: Illegal character in path at index 27: u7iBOJvliiRx2bwFUY5mtqF/Wzu  MhgLRrlRdwwDAc1oYo4yaZiba....

Note that the character at index 27 is a space.

The web browser trace (.har file) revealed that this exact spot is where the + sign (%2B) resides inside the SMPORTALURL value.

The original SMPORTALURL value is:

SMPORTALURL=u7iBOJvliiRx2bwFUY5mtqF/Wzu+MhgLRrlRdwwDAc1oYo4yaZiba...

Looking at redirect.jsp, the + sign is a reserved character in the JSP code: line 105 passes the value through URLDecoder.decode, which converts a + into a space.

redirect.jsp chokes on the + sign (%2B). Because this character is not present in every SMPORTALURL value, the user sees the error only some of the time.
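The failure can be reproduced outside SiteMinder with the same two JDK calls that appear on line 105 and in the stack trace. This is an added example, not code from redirect.jsp or from the product; the class name, the helper and the short query string are constructed, the sample value is only the visible prefix of the SMPORTALURL quoted above, and the double-decode case assumes the value was already decoded once before line 105, which the page does not show.

```java
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;

public class PlusDecodeDemo {
    // Visible prefix of the SMPORTALURL value quoted in this article (the page truncates the rest).
    static final String SAMPLE = "u7iBOJvliiRx2bwFUY5mtqF/Wzu+MhgLRrlRdwwDAc1oYo4yaZiba";
    // Constructed stand-in for the queryString variable on line 105.
    static final String QUERY = "SMASSERTIONREF=QUERY";

    // Returns the index java.net.URI rejects, or -1 if the string parses.
    static int firstIllegalIndex(String s) {
        try {
            new URI(s);
            return -1;
        } catch (URISyntaxException e) {
            return e.getIndex();
        }
    }

    // Same expression as redirect.jsp line 105, minus the servlet response.
    static String buildTarget(String referer) throws UnsupportedEncodingException {
        return URLDecoder.decode(referer, "UTF-8") + "?" + QUERY;
    }

    public static void main(String[] args) throws UnsupportedEncodingException {
        // Form decoding maps '+' to ' ', and URI then rejects the space in the path.
        String target = buildTarget(SAMPLE);
        System.out.println("char at 27 after decode: '" + target.charAt(27) + "'");
        System.out.println("URI rejects index:       " + firstIllegalIndex(target));

        // A value without '+' passes, which is why the error is intermittent.
        String noPlus = SAMPLE.replace('+', 'A');
        System.out.println("no '+' in value:         " + firstIllegalIndex(buildTarget(noPlus)));

        // %2B survives one decode as '+'; only a second decode turns it into a space.
        String wire = SAMPLE.replace("+", "%2B");
        String once = URLDecoder.decode(wire, "UTF-8");
        System.out.println("decoded once:            " + firstIllegalIndex(once + "?" + QUERY));
        System.out.println("decoded twice:           " + firstIllegalIndex(buildTarget(once)));
    }
}
```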

Resolution

The resolution is to use the Secure URL redirect instead, so that the SMPORTALURL value is protected.

To use "Secure URL", the partnership must be configured with the Authentication URL "https://<FQDN>/affwebservices/secure/secureredirect" instead of "https://<FQDN>/affwebservices/redirectjsp/redirect.jsp". With secureredirect, the issue will not occur.

A configuration change is needed in the partnership and in its associated domain access protection policy.

Use Secure URL (check box)
This setting instructs the single sign-on service to encrypt only the SMPORTALURL query parameter. An encrypted SMPORTALURL prevents a malicious user from modifying the value and redirecting authenticated users to a malicious website. The SMPORTALURL is appended to the Authentication URL before the browser redirects the user to establish a session. After the user is authenticated, the browser directs the user back to the destination specified in the SMPORTALURL query parameter.

If you select the Use Secure URL check box, complete the following steps:

Set the Authentication URL field to the following URL: http(s)://idp_server:port/affwebservices/secure/secureredirect

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/using/administrative-ui/federation-partnerships-reference/sso-and-slo-dialog-saml-2-0-idp.html

Additional Information

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/using/administrative-ui/federation-partnerships-reference/sso-and-slo-dialog-saml-2-0-idp.html