Access Gateway problems handling HTTP OPTIONS method

  • 7010588
  • 08-Aug-2012
  • 08-Aug-2012

Environment

NetIQ Access Manager 3.2
Access Gateway Appliance accelerating back end applications
Back end application using AJAX calls

Situation

The customer has an application that is split across different servers in the same domain, e.g. app1.acme.com and app2.acme.com. For the most part, access to the application works fine after the user has authenticated.

One piece of functionality that is problematic seems to be related to AJAX. The requests apparently follow the "Access Control for Cross-Site Requests" draft specification (http://www.w3.org/TR/2008/WD-access-control-20080912).

Analysis of the client HTTP headers showed that the request did NOT include the NAM session cookie (the protected resource can be made public if needed). The real problem is that the Access Gateway (AG) appears NOT to respond to the request.

Using Firefox and a header capture tool, the request looks like:

-------------------------

(Request-Line)   OPTIONS /Services/Client/User/TabsClient.svc/CreateCustomUserTab HTTP/1.1
Host       qa-services.acme.net
User-Agent         Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept   text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language             en-gb,en;q=0.5
Accept-Encoding              gzip, deflate
Connection         keep-alive
Origin    http://qa-standard.acme.net
Access-Control-Request-Method               POST
Access-Control-Request-Headers               content-type
Pragma no-cache
Cache-Control    no-cache
-------------------------------
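
The capture above can be classified mechanically. The following Python is an added example, not part of the original document or of Access Manager: it parses the header tool's name/value layout and reports whether the request is a cross-site preflight and whether any Cookie header came with it. The function names are hypothetical and the sample is abridged from the capture above.

```python
from urllib.parse import urlsplit

# Abridged from the Firefox capture on this page (layout: name, whitespace, value).
CAPTURE = """\
(Request-Line)   OPTIONS /Services/Client/User/TabsClient.svc/CreateCustomUserTab HTTP/1.1
Host       qa-services.acme.net
Connection         keep-alive
Origin    http://qa-standard.acme.net
Access-Control-Request-Method               POST
Access-Control-Request-Headers               content-type
"""

def parse_capture(text):
    """Return (method, path, headers) from a name/value header dump."""
    method = path = None
    headers = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue  # separator rows and blank lines
        name, value = parts
        if name == "(Request-Line)":
            method, path = value.split()[:2]
        else:
            headers[name.lower()] = value.strip()
    return method, path, headers

def classify(text):
    """Describe the request the way the gateway has to treat it."""
    method, _path, h = parse_capture(text)
    origin_host = urlsplit(h.get("origin", "")).hostname
    target_host = h.get("host", "").split(":")[0].lower()
    return {
        # A preflight is an OPTIONS request carrying Origin and Access-Control-Request-Method.
        "preflight": method == "OPTIONS" and "origin" in h
                     and "access-control-request-method" in h,
        # Host comparison only; a full origin check also compares scheme and port.
        "cross_site": origin_host is not None and origin_host != target_host,
        "wanted_method": h.get("access-control-request-method"),
        "wanted_headers": [x.strip() for x in
                           h.get("access-control-request-headers", "").split(",") if x.strip()],
        # No Cookie header means no gateway session cookie either.
        "has_cookie": "cookie" in h,
    }

if __name__ == "__main__":
    print(classify(CAPTURE))
```

A result with preflight set and has_cookie unset is the case described in the Situation: the gateway sees an unauthenticated request for the protected resource.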

Resolution

Depending on the browser type, the following two solutions exist:

- With Firefox, the client component that issues the AJAX request does not share session cookies, so it cannot work through NAM unless the resource is turned into a public URL, i.e. no authentication.

- Again with Firefox, the client component did not like the internal certificate that was being sent by the Access Gateway. Once the certificate was imported into the Firefox trusted root list, it was able to propagate the request.

- With IE, the OPTIONS command is not used when invoking the functionality, but it ONLY works if the target site is in the Intranet zone.

Additional Information

A quick test to verify that the Access Gateway Appliance (AGA) can handle this type of request can be done with curl. Running the following curl command on one host and pointing it to the AGA public resource confirms that the AGA supports the OPTIONS method

The error_log (when debug mode is enabled) shows that the request gets sent to the Web server:

[Tue Aug 07 16:59:42 2012] [info] AM#504600000 AMDEVICEID#ag-45B6586EB94FC2A7: AMAUTHID#: AMEVENTID#32071: Requ: OPTIONS https://neilag32app-vm.lab.novell.com/formfill.php service:nam32vm-pxy-srvc (147.2.16.135:35268->147.2.34.116:443)
[Tue Aug 07 16:59:42 2012] [info] AM#504600100 AMDEVICEID#ag-45B6586EB94FC2A7: AMAUTHID#: AMEVENTID#32071: Public URL
[Tue Aug 07 16:59:42 2012] [info] AM#504600000 AMDEVICEID#ag-45B6586EB94FC2A7: AMAUTHID#: AMEVENTID#32071: matched PR:root-pr
[Tue Aug 07 16:59:42 2012] [info] AMEVENTID#32071: Cache miss
[Tue Aug 07 16:59:42 2012] [debug] mod_proxy_balancer.c(46): proxy: BALANCER: canonicalising URL //bal_nam32vm-pxy-srvc/formfill.php
[Tue Aug 07 16:59:42 2012] [debug] mod_proxy_balancer.c(280): proxy: BALANCER: Found value (null) for stickysession ZNPCQ003-31353600
[Tue Aug 07 16:59:42 2012] [debug] mod_proxy_balancer.c(1020): proxy: Entering byrequests for BALANCER (balancer://bal_nam32vm-pxy-srvc)
[Tue Aug 07 16:59:42 2012] [debug] mod_proxy_balancer.c(1063): proxy: byrequests selected worker "http://147.2.16.154" : busy 0 : lbstatus 1
[Tue Aug 07 16:59:42 2012] [debug] mod_proxy_balancer.c(589): proxy: BALANCER (balancer://bal_nam32vm-pxy-srvc) worker (http://147.2.16.154) rewritten to http://147.2.16.154/formfill.php
[Tue Aug 07 16:59:42 2012] [debug] mod_proxy.c(1024): Running scheme balancer handler (attempt 0)
[Tue Aug 07 16:59:42 2012] [info] AM#504600000 AMDEVICEID#ag-45B6586EB94FC2A7: AMAUTHID#: AMEVENTID#32071: balancer cookie is ZNPCQ003-31353600=a1b14cc2; Path=/; Domain=.lab.novell.com
[Tue Aug 07 16:59:42 2012] [debug] mod_proxy_http.c(2109): proxy: HTTP: serving URL http://147.2.16.154/formfill.php
[Tue Aug 07 16:59:42 2012] [debug] proxy_util.c(2024): proxy: HTTP: has acquired connection for (147.2.16.154)
[Tue Aug 07 16:59:42 2012] [debug] proxy_util.c(2080): proxy: connecting http://147.2.16.154/formfill.php to 147.2.16.154:80
[Tue Aug 07 16:59:42 2012] [debug] proxy_util.c(2206): proxy: connected /formfill.php to 147.2.16.154:80
[Tue Aug 07 16:59:42 2012] [info] proxy: HTTP: fam 2 socket created to connect to 147.2.16.154
[Tue Aug 07 16:59:42 2012] [info] proxy: HTTP: connection complete to 147.2.16.154:80 (147.2.16.154)
[Tue Aug 07 16:59:42 2012] [info] AMEVENTID#32071: connected from 147.2.34.116:48319 to 147.2.16.154:80
[Tue Aug 07 16:59:42 2012] [info] AMEVENTID#32071: sending request to webserver
[Tue Aug 07 16:59:42 2012] [info] AMEVENTID#32071: received response from server
[Tue Aug 07 16:59:42 2012] [info] AMEVENTID#32071: received status 404 from server
[Tue Aug 07 16:59:42 2012] [debug] mod_proxy_http.c(1875): proxy: start body send
[Tue Aug 07 16:59:42 2012] [debug] mod_proxy_http.c(1979): proxy: end body send
[Tue Aug 07 16:59:42 2012] [debug] proxy_util.c(2042): proxy: HTTP: has released connection for (147.2.16.154)
[Tue Aug 07 16:59:42 2012] [debug] mod_proxy_balancer.c(630): proxy_balancer_post_request for (balancer://bal_nam32vm-pxy-srvc)
[Tue Aug 07 16:59:42 2012] [warn] AM#304600001 AMDEVICEID#ag-45B6586EB94FC2A7: AMAUTHID#: AMEVENTID#32071: status:404 OPTIONS https://neilag32app-vm.lab.novell.com/formfill.php <03000300000000000000000000000000ca59cdc4> X-Mag: <45B6586EB94FC2A7;ca59cdc4;32071;usrLkup->0;makeuser;root-pr;publicURL->0;nam32vm-pxy-srvc;default;SH;FP2->1;WS=a1b14cc2;default;FP4->35;> [147.2.16.135:35268->147.2.34.116:443]service:nam32vm-pxy-srvc (96:0) -
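
To follow one request through a busy error_log, the entries can be grouped by AMEVENTID. The Python below is an added example, not NetIQ code: it reads the [info] lines copied from the excerpt above and reports, per event, the method, whether the gateway treated the URL as public, the matched protected resource and the status returned by the web server. The function names are hypothetical.

```python
import re
from collections import defaultdict

# [info] lines copied from the error_log excerpt on this page (first line abridged).
LOG = """\
[Tue Aug 07 16:59:42 2012] [info] AM#504600000 AMDEVICEID#ag-45B6586EB94FC2A7: AMAUTHID#: AMEVENTID#32071: Requ: OPTIONS https://neilag32app-vm.lab.novell.com/formfill.php
[Tue Aug 07 16:59:42 2012] [info] AM#504600100 AMDEVICEID#ag-45B6586EB94FC2A7: AMAUTHID#: AMEVENTID#32071: Public URL
[Tue Aug 07 16:59:42 2012] [info] AM#504600000 AMDEVICEID#ag-45B6586EB94FC2A7: AMAUTHID#: AMEVENTID#32071: matched PR:root-pr
[Tue Aug 07 16:59:42 2012] [info] AMEVENTID#32071: connected from 147.2.34.116:48319 to 147.2.16.154:80
[Tue Aug 07 16:59:42 2012] [info] AMEVENTID#32071: received status 404 from server
"""

EVENT = re.compile(r"AMEVENTID#(\d+): (.*)$")
# Message pattern -> names of the fields its capture groups fill in.
RULES = [
    (re.compile(r"Requ: (\S+) (\S+)"), ("method", "url")),
    (re.compile(r"matched PR:(\S+)"), ("protected_resource",)),
    (re.compile(r"connected from \S+ to (\S+)"), ("backend",)),
    (re.compile(r"received status (\d{3}) from server"), ("backend_status",)),
]

def summarise(log_text):
    """Group log lines by AMEVENTID and collect one summary dict per request."""
    events = defaultdict(lambda: {"public": False})
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue  # debug lines from mod_proxy carry no event ID
        ev, msg = events[m.group(1)], m.group(2)
        if msg.startswith("Public URL"):
            ev["public"] = True
        for rx, keys in RULES:
            hit = rx.search(msg)
            if hit:
                ev.update(zip(keys, hit.groups()))
    return dict(events)

def reached_backend(ev):
    """True when the gateway forwarded the request and logged the web server's status."""
    return "backend_status" in ev

if __name__ == "__main__":
    for event_id, ev in summarise(LOG).items():
        print(event_id, ev, "forwarded" if reached_backend(ev) else "not forwarded")
```

For the excerpt above this shows event 32071 as a public-URL OPTIONS request that was forwarded, with the 404 coming from the web server rather than from the gateway.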

The HTTP headers look like the following, so all good.

  mag32app-vm httpd: Sending to webserver for ID:32071:96: OPTIONS /formfill.php HTTP/1.1
Aug  7 16:59:42 mag32app-vm httpd: Sending to webserver for ID:32071:96: Host: ncsles10.lab.novell.com
Aug  7 16:59:42 mag32app-vm httpd: Sending to webserver for ID:32071:96: User-Agent: curl/7.19.0 (x86_64-suse-linux-gnu) libcurl/7.19.0 OpenSSL/0.9.8h zlib/1.2.3 libidn/1.10
Aug  7 16:59:42 mag32app-vm httpd: Sending to webserver for ID:32071:96: Accept: */*
Aug  7 16:59:42 mag32app-vm httpd: Sending to webserver for ID:32071:96: Via: 1.1 neilag32app-vm.lab.novell.com (Access Gateway-ag-45B6586EB94FC2A7-32071)
Aug  7 16:59:42 mag32app-vm httpd: Sending to webserver for ID:32071:96: X-Forwarded-For: 147.2.16.135
Aug  7 16:59:42 mag32app-vm httpd: Sending to webserver for ID:32071:96: X-Forwarded-Host: ncsles10.lab.novell.com
Aug  7 16:59:42 mag32app-vm httpd: Sending to webserver for ID:32071:96: X-Forwarded-Server: neilag32app-vm.lab.novell.com
Aug  7 16:59:42 mag32app-vm httpd: Sending to webserver for ID:32071:96: Connection: Keep-Alive
Aug  7 16:59:42 mag32app-vm httpd: received from webserver for ID:32071:96:Date: Tue, 07 Aug 2012 15:12:52 GMT
Aug  7 16:59:42 mag32app-vm httpd: received from webserver for ID:32071:96:Server: Apache/2.2.3 (Linux/SUSE)
Aug  7 16:59:42 mag32app-vm httpd: received from webserver for ID:32071:96:Vary: accept-language,accept-charset
Aug  7 16:59:42 mag32app-vm httpd: received from webserver for ID:32071:96:Accept-Ranges: bytes
Aug  7 16:59:42 mag32app-vm httpd: received from webserver for ID:32071:96:Keep-Alive: timeout=15, max=100
Aug  7 16:59:42 mag32app-vm httpd: received from webserver for ID:32071:96:Connection: Keep-Alive
Aug  7 16:59:42 mag32app-vm httpd: received from webserver for ID:32071:96:Transfer-Encoding: chunked
Aug  7 16:59:42 mag32app-vm httpd: received from webserver for ID:32071:96:Content-Type: text/html; charset=iso-8859-1
Aug  7 16:59:42 mag32app-vm httpd: received from webserver for ID:32071:96:Content-Language: en
