Environment
Novell Access Manager 3.1.4 Access Gateway Service
Novell Access Manager 3.1.4 IR1 Access Gateway Service
Novell Access Manager 3.2 Access Gateway Service
Novell Access Manager 3.2 IR1 Access Gateway Service
Situation
- Protected Resource configured for Form Based Authentication
- Injection Policy configured to inject a given user's UID as the query parameter "uid=[userid]"
- Browser client sends a request which already includes URL Query String parameters set by the protected web application server like: "Menuid=uid"
- Access Gateway Service corrupts the existing query string parameter to: "meuid=User&uid=admin"
- This only happens if the name of the injected query string parameter is a substring of an existing query string parameter name. In this case "uid" is part of "Menuid"
- Running the same policy with a Linux Access Gateway works just fine
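
The failure mode described above can be modelled as follows. This is an added example, not Novell's code: the gateway's implementation is not shown on this page, so `inject_naive` is a hypothetical injector that locates the parameter by substring search, and `inject_exact` is the corrected form that compares whole parameter names. The sample query strings are constructed from the parameter names used above.

```python
from urllib.parse import parse_qsl, urlencode


def inject_naive(query: str, name: str, value: str) -> str:
    """Hypothetical buggy injector: searches for 'name=' anywhere in the
    raw query string, so 'uid=' also matches inside 'Menuid='."""
    needle = name + "="
    pos = query.find(needle)
    if pos == -1:
        # Parameter not present: append it.
        return f"{query}&{needle}{value}" if query else f"{needle}{value}"
    # Overwrite from the match up to the next '&' (or end of string).
    end = query.find("&", pos)
    end = len(query) if end == -1 else end
    return query[:pos] + needle + value + query[end:]


def inject_exact(query: str, name: str, value: str) -> str:
    """Corrected form: split the query into (name, value) pairs and compare
    complete names only. Any client-supplied parameter with the injected
    name is dropped so the policy value is the only one the backend sees
    (a design choice of this example)."""
    pairs = [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
             if k != name]
    pairs.append((name, value))
    return urlencode(pairs)


if __name__ == "__main__":
    original = "Menuid=User"  # constructed: parameter set by the web application
    print("naive:", inject_naive(original, "uid", "admin"))
    print("exact:", inject_exact(original, "uid", "admin"))
    print("exact:", inject_exact("Menuid=User&uid=guest", "uid", "admin"))
```
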
Resolution
This issue has been reported to engineering.