Access Gateway Service rewriting URLs that should not be rewritten

  • 7008686
  • 02-Jun-2011
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Linux based Access Gateway Service
Novell Access Manager 3.1 Support Pack 3 applied
Migrating from iChain 2.3

Situation

Access Manager was installed in a test environment and was working fine: users could authenticate to the Identity server and access protected resources on the Linux based Access Gateway Service (AGS). One particular application that existed in production was being accelerated by iChain 2.3, with the goal of migrating it to Access Manager. When this application was added to the test environment, users would see broken links instead of the application main page.

Viewing the HTML source of the broken page in the browser, we could see that certain links were being incorrectly rewritten:

<frame id="ab_launch" frameborder="0"
src="/ibi_apps/Controller?WORP_REQUEST_TYPE=WORP_LAUNCH_CGI&amp;IBIMR_action=MR_RUN_FEX&amp;IBIMR_domain=mich%2Fmich.htm&amp;IBIMR_folder=%23dashboardsq4&amp;IBIMR_fex=http%3A%2F%2Fncsles11.lab.novell.com%2Fibi_apps%2FWFServlet%3FIBIF_ex%3Dlaunch_dashboard1%26IBIAPP_app%3Dmsp_pilot%26IBIF_wfdescribe%3DOFF&amp;IBIMR_sub_action=MR_STD_REPORT&amp;IBIMR_flags=url,createdon=1279650330280,createdby=Default+Administrator+%28admin%29,lastmodby=Default+Administrator+%28admin%29&amp;IBIMR_proxy_id=&amp;WORP_MPV=aa_mpv&amp;IBIMR_random=-833630130094879576&amp;" name="ab_launch"
title="ab_launchContent Block Frame" scrolling="auto">

The link following the "=http" in the query string should not have been rewritten, and this rewrite was causing the application to break. The value expected by the web server was the web server IP address (147.2.16.154) and not the published DNS name (ncsles11.lab.novell.com) that we had rewritten the link to. iChain had not rewritten these links. Tests with the Linux Access Gateway also showed that these URLs were not being rewritten.

Resolution

Apply the Access Manager SP3 IR2 patch (build 3.1.3-292) or greater.

The issue here is that the AGS is rewriting links that match "=http://" or "=https://", which it should not be doing (the issue is not about rewriting query string parameters).
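
An added example (not part of the original document and not Novell code): a Python check that lists the query string parameters in a page's src/href/action attributes whose value is an absolute URL, and flags those whose host is the published DNS name, so the same page can be compared before and after the patch. The function names and the two shortened sample frames are constructed for illustration; the host name and IP address are the ones quoted above.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

URL_ATTRS = {"src", "href", "action"}

class _LinkCollector(HTMLParser):
    """Collects URL-bearing attribute values; HTMLParser decodes &amp; for us."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.links.append((tag, value))

def embedded_urls(html):
    """Return (tag, param, host) for each query parameter holding an absolute URL."""
    collector = _LinkCollector()
    collector.feed(html)
    found = []
    for tag, link in collector.links:
        try:
            pairs = parse_qsl(urlsplit(link).query, keep_blank_values=True)
        except ValueError:
            continue  # malformed link, nothing to inspect
        for param, value in pairs:  # parse_qsl has percent-decoded the value
            try:
                target = urlsplit(value)
            except ValueError:
                continue
            if target.scheme in ("http", "https") and target.hostname:
                found.append((tag, param, target.hostname))
    return found

def rewritten_params(html, published_host):
    """Return (tag, param) pairs whose embedded URL points at the published name."""
    published = published_host.lower()
    return [(t, p) for t, p, host in embedded_urls(html) if host == published]

# Constructed samples, shortened from the frame shown in the Situation section.
_FRAME = ('<frame id="ab_launch" src="/ibi_apps/Controller?IBIMR_action=MR_RUN_FEX'
          '&amp;IBIMR_fex=http%3A%2F%2F{host}%2Fibi_apps%2FWFServlet%3FIBIF_ex%3D'
          'launch_dashboard1&amp;IBIMR_proxy_id=&amp;" name="ab_launch">')
SAMPLE_VIA_GATEWAY = _FRAME.format(host="ncsles11.lab.novell.com")  # rewritten
SAMPLE_FROM_ORIGIN = _FRAME.format(host="147.2.16.154")             # as sent

if __name__ == "__main__":
    print(rewritten_params(SAMPLE_VIA_GATEWAY, "ncsles11.lab.novell.com"))
```

An empty result for a page fetched through the gateway means no embedded URL value carries the published DNS name.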