Access Gateway Authorization Policy evaluation fails when ampersand & (unescaped) included in URL passed in

  • 7011673
  • 22-Jan-2013
  • 29-Apr-2013


NetIQ Access Manager 3.2
NetIQ Access Manager 3.2 Access gateway Appliance and Service


An Access Gateway Appliance is configured to accelerate a Kronos application. The protected resource assigned to the Kronos application has an authorization policy enabled. This authorization policy simply checks if the URL being processed is, and if it does, redirects the user to a logout page.

When the user hits this protected resource with any URL that includes an ampersand '&' character, the "Access forbidden! - Policy Evaluation Failed." message is displayed on the browser.

Looking at the catalina log file on the Access Gateway server, the following exception is displayed:

 <amLogEntry> 2012-07-18T18:16:14Z VERBOSE NIDS Application: AM#501101020: AMDEVICEID#esp-03811F2A412FD0A0: NXPESID#23107:  <?xml version="1.0" encoding="UTF-8"?><Evaluate PolicyId="2107N44P-M24N-M22L-7L60-415526P36MN2" Verbose="on"><ContextDataElement Enum="2506" Value=""/></Evaluate></amLogEntry>
<amLogEntry> 2012-07-18T18:16:14Z DEBUG NIDS Application: Method: BaseHandler.handleSOAPMessage Thread: ajp-bio-/ Attempting to handle SOAP MEssage! Exception message: "The reference to entity "JRE" must end with the ';' delimiter."    
y, Line: 583, Method: getSOAPDocument    
y, Line: 56, Method: handleSOAPMessage    
y, Line: 512, Method: handleRequest    
y, Line: 2573, Method: myDoGet   
y, Line: 1004, Method: doGet    
y, Line: 1710, Method: doPost, Line: 641, Method: service, Line: 722, Method: service

To get more information on the XML request itself, a LAN trace was taken on TCP port 9009 with tcpdump; the decoded output shows the following:

AES128-SHA...@1E57FE4D39028FCF862F5C54073AE58685A826D4C06826DB90A046EEDFD17F21.... ..AJP_REMOTE_PORT...6933...4....<?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV=""><SOAP-ENV:Body><NXPES Id="23108"><Evaluate Verbose="on" PolicyId="2107N44P-M24N-M22L-7L60-415526P36MN2"><ContextDataElement Value="" Enum="2506"/></Evaluate></NXPES></SOAP-ENV:Body></SOAP-ENV:Envelope>
AB.......OK......JJSESSIONID=5487B4D8981A3D5AD6DE178716027D4B; Path=/nesp/; Secure; HttpOnly...Pragma...No-cache..<SOAP-ENV:Envelope xmlns:SOAP-ENV=""><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>Client</faultcode><faultstring>The reference to entity "JRE" must end with the ';' delimiter.</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>.AB....

We pass in the value of "" but the Policy evaluator fails with "The reference to entity "JRE" must end with the ';' delimiter." message.

If we generate a request without the &, all works fine.
If we generate the request with the ampersand escaped, it works fine, e.g.

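The failure above is an XML attribute-escaping defect: the URL is placed into the `Value` attribute of `ContextDataElement` verbatim, so a raw `&` is read by the SOAP parser as the start of an entity reference. The following added example (not code from NetIQ or the Access Gateway) rebuilds the `Evaluate` message from the log with a constructed Kronos URL, once unescaped and once with proper attribute escaping, and parses each the way the policy evaluator must; the URL and the `evaluate_policy` helper are assumptions, the PolicyId is the one from the log.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

# PolicyId taken from the log entry on this page.
POLICY_ID = "2107N44P-M24N-M22L-7L60-415526P36MN2"
# Constructed sample URL (the real URL is not shown on the page); the "&JRE"
# query parameter reproduces the 'reference to entity "JRE"' parser error.
URL_WITH_AMPERSAND = "/kronos/logout.jsp?session=1&JRE=1.6"


def build_evaluate_request(url, policy_id, escape=True):
    """Build the Evaluate body seen in the log with the URL in the Value attribute.

    escape=False reproduces the broken pre-SP1 behaviour: the URL is dropped
    into the attribute as-is, so '&' is not turned into '&amp;'.
    """
    value = quoteattr(url) if escape else '"%s"' % url
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            '<Evaluate PolicyId="%s" Verbose="on">'
            '<ContextDataElement Enum="2506" Value=%s/>'
            '</Evaluate>' % (policy_id, value))


def evaluate_policy(request_xml):
    """Parse the request as the policy evaluator does (hypothetical helper).

    Returns (True, url) when the document is well-formed and the URL
    round-trips, or (False, reason) when parsing fails, which is what surfaces
    to the user as "Access forbidden! - Policy Evaluation Failed."
    """
    try:
        root = ET.fromstring(request_xml)
    except ET.ParseError as err:
        return False, "Policy Evaluation Failed: %s" % err
    return True, root.find("ContextDataElement").get("Value")


if __name__ == "__main__":
    for escape in (False, True):
        req = build_evaluate_request(URL_WITH_AMPERSAND, POLICY_ID, escape=escape)
        print("escaped=%s -> %s" % (escape, evaluate_policy(req)))
```

The unescaped request fails to parse, while the `quoteattr` version is accepted and the parser hands back the original URL, which is the behaviour the Support Pack 1 fix restores.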

Fixed with 3.2 Support Pack 1.