Access Gateway POSTing additional characters to the back end Web server after authentication to IDP causing application errors

  • 7018493
  • 16-Jan-2017
  • 27-Feb-2017


NetIQ Access Manager 4.3 Service
NetIQ Access Manager 4.3 Appliance
NetIQ Self Service Password Reset
Any third party application which sends a POST to a protected resource that needs to be redirected to NAM IDP to authenticate


When the initial request coming into an AG uses the POST method and must be redirected to the IDP server to authenticate, the incoming POST data must be saved so that it can be subsequently sent to back end Web server after the authentication is complete. With NAM 4.3, the POST data saved is not done correctly and more data than expected is sent to back end Web server.

In this specific case, Self Service Password Reset (SSPR) is protected with NetIQ Access Manager (NAM). The contract assigned to this protected resource is configured with "Login Redirect URL" as below:

But, this could potentially be any third party application too.

After authenticating at Identity Provider (IDP), the Access Gateway (AG) redirects to SSPR (or the specified third party application) as per the above 'Login Redirect URL' but with an additional character at the end which could be seen from the fiddler trace as below:

GET /sspr/private/CommandServlet?processAction=checkExpire&

SSPR (or any third party application) performs check on "forwardURL" and if it sees invalid characters in this URL, it would throw error as below:

2016-12-09T14:00:19Z, ERROR, filter.SessionFilter, {541} 5075 ERROR_REDIRECT_ILLEGAL (unable to parse url: Illegal character in path at index 52:^ ?) []


Fixed in 4.3.1.


The POSTed data includes & which causes the calculation of the amount of data saved to be invalid (and include a larger amount of data). The content-length header increases by this number of bytes and the extra bytes are taken from the stack.

Bug Number