Configure SPS to allow Encoded Slashes in URI

Article ID: 36834

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
AXIOMATICS POLICY SERVER
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

Title: Configure SPS to allow Encoded Slashes in URI 

Issue

SPS 12.52 SP1 returns an HTTP 400 Bad Request error whenever a URL containing %2F (the percent-encoding of /) is submitted to it.

Example of such a URL:

GET http://sps.smlab.com/test/transpolar/PageSets('%2FUI2%2FFiori2LaunchpadHome')?$expand=Pages/PageChipInstances/Chip/ChipBags/ChipProperties HTTP/1.1

Resolution

Both Apache and Tomcat intentionally reject URIs containing an encoded slash (%2F for / and %5C for \) to prevent security vulnerabilities such as CVE-2007-0450 and related attacks.

To instruct the Apache and Tomcat components within SPS to process such URIs, follow the steps below.

**** Step 1 --> Apache 

Modify the httpd.conf file found under \CA\secure-proxy\httpd\conf and include the following two directives:

1) AllowEncodedSlashes NoDecode 

2) JkOptions +ForwardURICompatUnparsed

The AllowEncodedSlashes directive allows URLs which contain encoded path separators (%2F for / and additionally %5C for \ on accordant systems) to be used in the path info.

a) With the default value, Off, such URLs are refused with a 404 (Not found) error.

b) With the value On, such URLs are accepted, and encoded slashes are decoded like all other encoded characters.

c) With the value NoDecode, such URLs are accepted, and the encoded slashes are left in their encoded state rather than decoded.

Setting JkOptions to +ForwardURICompatUnparsed makes mod_jk forward the URI to Tomcat unparsed, i.e. exactly as received from the client, so the encoded slash that Apache left intact is passed on without being decoded.
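The following is an added example, not part of the article or the SPS product: a small Python model of the three AllowEncodedSlashes modes applied to the article's own request path, plus a check that shows why the default rejection exists. The point to note is that NoDecode in Apache only defers the decoding; once Tomcat is started with ALLOW_ENCODED_SLASH=true it will turn %2F into a real separator, so a path whose ".." segments appear only after that decoding is exactly what the rejection guards against (all sample paths other than the article's URL are constructed).

```python
import re
from urllib.parse import unquote

# Percent-encoded path separators Apache treats specially: %2F (/) and %5C (\).
ENCODED_SEP = re.compile(r"(%2[fF]|%5[cC])")

# The request path from the article's example (query string dropped).
ARTICLE_PATH = "/test/transpolar/PageSets('%2FUI2%2FFiori2LaunchpadHome')"


def apache_allow_encoded_slashes(path, mode):
    """Model of the three AllowEncodedSlashes modes (constructed, not Apache code).

    Returns (status, path_forwarded). Off refuses any path carrying %2F/%5C with
    404; On decodes them like every other escape; NoDecode accepts the request,
    decodes the other escapes but leaves the separators in encoded form.
    """
    has_encoded_sep = ENCODED_SEP.search(path) is not None
    if mode == "Off":
        return (404, None) if has_encoded_sep else (200, unquote(path))
    if mode == "On":
        return 200, unquote(path)
    if mode == "NoDecode":
        tokens = ENCODED_SEP.split(path)  # capture group keeps the separators
        return 200, "".join(t if ENCODED_SEP.fullmatch(t) else unquote(t) for t in tokens)
    raise ValueError("unknown AllowEncodedSlashes mode: %r" % mode)


def backend_segments(path):
    """Segments Tomcat sees once ALLOW_ENCODED_SLASH / ALLOW_BACKSLASH let it turn
    %2F and %5C into real separators; NoDecode in Apache only defers that step."""
    decoded = unquote(path).replace("\\", "/")
    return [s for s in decoded.split("/") if s]


def encoded_sep_traversal(path):
    """True when decoding the separators creates a '..' hop that the path as
    forwarded by Apache did not have: the case the default rejection guards."""
    before = [s for s in path.split("/") if s]
    return backend_segments(path).count("..") > before.count("..")


if __name__ == "__main__":
    for mode in ("Off", "On", "NoDecode"):
        print(mode, apache_allow_encoded_slashes(ARTICLE_PATH, mode))
    print(backend_segments(ARTICLE_PATH))
    print(encoded_sep_traversal(ARTICLE_PATH))  # the article's URL is benign
```

Running encoded_sep_traversal over proxy access logs after enabling these settings gives a quick view of which requests actually rely on the relaxed handling.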

**** Step 2 --> Tomcat 

To instruct Tomcat to allow the encoded slash, edit \CA\secure-proxy\proxy-engine\conf\SmSpsProxyEngine.properties and add the two Java system properties below to the Java options in your NETE_SPS_PROXYENGINE_CMD value:

1) -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true 

2) -Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true

Example:

NETE_SPS_PROXYENGINE_CMD="%NETE_SPS_JAVA_HOME%\bin\java.exe" -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true -Dfile.encoding=UTF-8 -Djavax.net.debug=all -Xms512m -Xmx1024m -XX:MaxPermSize=256M -Dcatalina.base="%NETE_SPS_TOMCAT_HOME%" -Dcatalina.home="%NETE_SPS_TOMCAT_HOME%" -Djava.endorsed.dirs="%NETE_SPS_TOMCAT_HOME%\endorsed" -Djava.io.tmpdir="%NETE_SPS_TOMCAT_HOME%\temp" -DHTTPClient.log.mask=0 -DHTTPClient.Modules="HTTPClient.RetryModule|org.tigris.noodle.NoodleCookieModule|HTTPClient.DefaultModule" -Dlogger.properties="%NETE_SPS_TOMCAT_HOME%/properties/logger.properties" -DSM_AGENT_LOG_CONFIG="%STS_AGENT_LOG_CONFIG_FILE%" -classpath "%NETE_SPS_TOMCAT_HOME%\bin\proxybootstrap.jar;%NETE_SPS_TOMCAT_HOME%\properties;%NETE_SPS_JAVA_HOME%\lib\tools.jar;%NETE_SPS_TOMCAT_HOME%\bin\bootstrap.jar;%NETE_SPS_ROOT%\resources;%NETE_SPS_ROOT%\agentframework\java\cryptoj.jar" com.netegrity.proxy.ProxyBootstrap -config "%NETE_SPS_ROOT%/proxy-engine/conf/server.conf"

**** Step 3  --> Restart your SPS services for the changes to be applied

Environment

Release:
Component: SMSPS