BadUrlChars :: Reverse Proxy

Article ID: 51257

Products

CA Single Sign On Secure Proxy Server (SiteMinder), AXIOMATICS POLICY SERVER, CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On

Issue/Introduction

Description:

I have an environment with a Reverse Proxy and a backend server, both running Web Agents. I face a strange problem when a GET request is made to the Web Server and there is a space in the URI.
The Web Agent on the Reverse Proxy gives the error:

URL contains BadUrlChars:
/web/site/document%20%20v1.xls

But I have nothing to block %20 in BadUrlChars:

//,./,/.,/*,*.,~,\,%00-%1f,%7f-%ff,%25

Solution:

Starting with version 6.0.4 of the Web Agent, proxied and non-proxied requests are handled separately.

For a proxied request, the Web Agent does not decode the URL, and the GetUrl function returns the unparsed URL. For a URL containing %20, the unparsed URI with the encoded character is returned (/web/site/document%20v1.xls). Because this URL contains the % character, which your configuration lists in BadUrlChars in its encoded form %25, the Web Agent rejects the URL.

For a non-proxied request, the URL is decoded (/web/site/document v1.xls) and the decoded string is returned by the GetUrl function.

This string is then checked against the BadUrlChars list. The Web Agent processes the request without error because neither % nor %20 is detected in the URL.

This change was motivated by fix 52884:

Fixed issue with Apache's handling of '%' character when Apache is used as a reverse proxy for Outlook Web Access. This affects the re-architected Apache agent only.

As for security concerns, you need to run a Web Agent on your backend server, which will then block undesired URL characters.

Note that the entries in BadUrlChars are URL-encoded.
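The behaviour described above, as an added illustration that is not CA/Broadcom code: a simplified model of a BadUrlChars check applied to the unparsed URL (proxied case) and to the decoded URL (non-proxied case). The function names and the matching logic are assumptions; only the BadUrlChars list and the sample URL come from the article.

```python
from urllib.parse import unquote_to_bytes

# BadUrlChars list quoted in the article (entries are URL-encoded).
BAD_URL_CHARS = r"//,./,/.,/*,*.,~,\,%00-%1f,%7f-%ff,%25"


def parse_bad_url_chars(spec):
    """Split the list into literal byte sequences and inclusive byte ranges."""
    literals, ranges = [], []
    for entry in spec.split(","):
        lo, sep, hi = entry.partition("-")
        # "%00-%1f" style entries describe a range of byte values.
        if sep and len(lo) == 3 and len(hi) == 3 and lo[0] == hi[0] == "%":
            ranges.append((int(lo[1:], 16), int(hi[1:], 16)))
        else:
            # Everything else is a literal; "%25" decodes to b"%".
            literals.append(unquote_to_bytes(entry))
    return literals, ranges


def find_bad(url_bytes, literals, ranges):
    """Return every blocked sequence or byte found in url_bytes."""
    hits = [lit for lit in literals if lit in url_bytes]
    hits += [bytes([b]) for b in url_bytes
             if any(lo <= b <= hi for lo, hi in ranges)]
    return hits


def check(raw_url, proxied):
    """Assumed model: proxied requests are checked undecoded,
    non-proxied requests are decoded before the check."""
    literals, ranges = parse_bad_url_chars(BAD_URL_CHARS)
    if proxied:
        candidate = raw_url.encode("ascii")     # unparsed URL, '%' still present
    else:
        candidate = unquote_to_bytes(raw_url)   # "%20" becomes a space (0x20)
    return find_bad(candidate, literals, ranges)


if __name__ == "__main__":
    url = "/web/site/document%20v1.xls"         # sample URL from the article
    print("proxied    :", check(url, proxied=True))
    print("non-proxied:", check(url, proxied=False))
```

In this model, the proxied check flags the literal `%` left in the undecoded URL, while the non-proxied check sees only a space (0x20), which falls outside the `%00-%1f` range.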

Environment

Release:
Component: SMAPC