Access Gateway is stripping out the data in the BODY during a HTTP DELETE call

Article ID: 436858

Updated On:

Products

SITEMINDER

Issue/Introduction

Access Gateway strips the data in the body of a proxied HTTP DELETE call, and the back-end application returns a 500 status code.

An HTTP DELETE call with no body works as expected. An HTTP POST with a body works too.

The request BODY is in JSON.

e.g.

{
  "parameter1": "value1",
  "parameter2": "value2"
}

Environment

OS: Windows 2019 

Access Gateway server version : 12.9.000.3079

Cause

[mm/dd/yyyy][hh/mm/ss][hh/mm/ss.004][16976][25504][#########-#########-#########-f5910879-4da][SmProxyRules.processRules][Dispatching to service FORWARD with url https://my.example.com:443/api/path]
[mm/dd/yyyy][hh/mm/ss][hh/mm/ss.004][16976][25504][#########-#########-#########-f5910879-4da][Noodle::service][Method is: DELETE Content length is: 23]
[mm/dd/yyyy][hh/mm/ss][hh/mm/ss.005][16976][25504][#########-#########-#########-f5910879-4da][addRequestHeaders][Need to preseve Proxy HOST Header. Sending Proxy Host to the backend web server]
[mm/dd/yyyy][hh/mm/ss][hh/mm/ss.005][16976][25504][#########-#########-#########-f5910879-4da][execute][Got protocol version HTTP/1.1]
[mm/dd/yyyy][hh/mm/ss][hh/mm/ss.005][16976][25504][#########-#########-#########-f5910879-4da][execute][Sending request to backend = my.example.com:443 url = https://my.example.com:443/api/path]
[mm/dd/yyyy][hh/mm/ss][hh/mm/ss.957][16976][25504][#########-#########-#########-f5910879-4da][execute][Response status code from backend webserver is 500]

Although the agent trace log above shows "Content length is: 23" for the DELETE request, httpclient.log shows that the HTTP DELETE body was never sent.

Several third-party sites indicate that Apache HTTP Server typically ignores the body of a DELETE request by default.

There is no configuration option to alter this default Access Gateway behavior.
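
One way to confirm at the backend whether a DELETE body actually arrives, as an added example that is not part of the original article or of the product's code: a stand-in backend compares the declared Content-Length with the bytes it receives. The 23-byte body, the loopback address and the `probe` helper are constructed for illustration; the bodiless request imitates what the backend sees when the body is stripped.

```python
import json
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

BODY = b'{"parameter1":"value1"}'  # constructed 23-byte sample body


class BodyProbe(BaseHTTPRequestHandler):
    """Stand-in backend: reports declared vs. received DELETE body bytes."""

    def do_DELETE(self):
        declared = int(self.headers.get("Content-Length", 0))
        self.connection.settimeout(1)  # do not wait forever for a stripped body
        received = b""
        try:
            while len(received) < declared:
                chunk = self.rfile.read1(declared - len(received))
                if not chunk:  # peer closed before sending everything
                    break
                received += chunk
        except OSError:  # socket timeout: the declared bytes never arrived
            pass
        report = json.dumps({"declared": declared, "received": len(received)}).encode()
        self.close_connection = True  # framing is unreliable after a mismatch
        self.send_response(200 if len(received) == declared else 400)
        self.send_header("Content-Length", str(len(report)))
        self.end_headers()
        self.wfile.write(report)

    def log_message(self, *args):  # keep the console quiet
        pass


def probe(send_body):
    """Send DELETE with Content-Length: 23; omit the body to mimic the proxy."""
    server = HTTPServer(("127.0.0.1", 0), BodyProbe)  # assumption: free local port
    worker = threading.Thread(target=server.handle_request, daemon=True)
    worker.start()
    head = (f"DELETE /api/path HTTP/1.1\r\nHost: localhost\r\n"
            f"Content-Type: application/json\r\nContent-Length: {len(BODY)}\r\n\r\n").encode()
    with socket.create_connection(server.server_address) as s:
        s.sendall(head + (BODY if send_body else b""))
        raw = b""
        while chunk := s.recv(4096):
            raw += chunk
    worker.join()
    server.server_close()
    return json.loads(raw.split(b"\r\n\r\n", 1)[1])
```

A report where `received` is smaller than `declared` matches the symptom above: the Content-Length header reaches the backend but the body does not.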

Resolution

A temporary fix is available for Access Gateway version 12.9.000.3079, applicable to both Windows and Red Hat Linux.

Apply the temporary fix from the attachment to this KD.

However, the fix will NOT be included in version 12.9.1 or any later version. According to RFC 9110, while a DELETE request can physically contain a body, that body has no defined semantics and may cause servers to reject the request, potentially creating a request smuggling vulnerability. Therefore, clients should not send content in a DELETE request: intermediaries may block it, and the practice is considered unreliable.

Attachments

proxyhttpclient.zip