Access Manager IDP server doubles CORS header after getting switched to another IDP cluster node

  • 7024493
  • 22-Mar-2020
  • 22-Mar-2020

Environment

Access Manager 4.4.x
Access Manager 4.5.x

Situation

  • Access Manager 4.5.1 IDP cluster behind a Layer 4 Switch
  • CORS headers have been enabled in "/opt/novell/nids/lib/webapp/WEB-INF/web.xml"

  • Flow:
    • the user logs in to IDP cluster node "IDPA"
    • the user sends another request to the IDP server and is switched by the L4 switch to cluster node "IDPB"
    • IDPB does not have any session information for this user
    • based on the "UrnNovellNidpClusterMemberId" cookie, IDPB sends a "proxy" request to IDPA in order to retrieve the user session information
    • IDPB responds to the browser with the requested web object, but with the CORS headers doubled:
GET https://idpa.kgast.nam.com:8443/nidp/portal?locale=en_US HTTP/1.1
Host: idpa.kgast.nam.com:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,de;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://idpa.kgast.nam.com:8443/nidp/app?sid=0
DNT: 1
Connection: keep-alive
Cookie: JSESSIONID=AE8005B6A29F2D57B9E7C38B99CFA008; UrnNovellNidpClusterMemberId=~03~06~7Bdd~19~19~1A~7E~7D~7C~06; JSESSIONID=4837761005D907BF691D17A517923815
Upgrade-Insecure-Requests: 1

HTTP/1.1 200
via-ESP: null,NIDPLOGGING.600105004 session33-D9F7507C905C00A2050E1F1969E7ABCD, null,NIDPLOGGING.600105004 session33-D9F7507C905C00A2050E1F1969E7ABCD,NIDPLOGGING.600105006 session22-D9F7507C905C00A2050E1F1969E7ABCD, null,NIDPLOGGING.600105004 session33-D9F7507C905C00A2050E1F1969E7ABCD,NIDPLOGGING.500105001 session44-D9F7507C905C00A2050E1F1969E7ABCD, null,NIDPLOGGING.600105004 session33-D9F7507C905C00A2050E1F1969E7ABCD,NIDPLOGGING.600105007 session55-D9F7507C905C00A2050E1F1969E7ABCD
Access-Control-Expose-Headers: Access-Control-Allow-Origin,Access-Control-Allow-Credentials, Access-Control-Allow-Origin,Access-Control-Allow-Credentials
Server: IDPA
Access-Control-Allow-Origin: *, *
Content-Disposition: attachment
Content-Encoding: gzip
Date: Sun, 22 Mar 2020 10:25:21 GMT
Set-Cookie: JSESSIONID=BDD02CB56482C21C4C305935293EB1BC; Path=/nidp/; Secure; HttpOnly
Content-Type: application/json;charset=utf-8
Content-Length: 577
  • This caused the browser error: "XMLHttpRequest blocked by CORS policy"
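The doubled values above are easy to miss in a long capture, and the same symptom can also show up as two separate header lines of the same name rather than one merged "*, *" line. The following checker is an added example, not part of this article or of the Access Manager product: it parses a raw response header block (as saved from a browser or proxy) and reports every CORS header that carries more than one value where exactly one is allowed, or that lists the same entry twice. The sample header blocks are constructed from the capture above, with the non-CORS headers trimmed.

```python
"""Check a raw HTTP response header block for doubled CORS headers.

Added example; assumes the headers were captured as plain text, one header per
line, with the status line first (the shape a browser or proxy capture has).
"""

# CORS response headers that must carry exactly one value.
SINGLE_VALUED = {
    "access-control-allow-origin",
    "access-control-allow-credentials",
    "access-control-max-age",
}

# CORS response headers that are comma-separated lists; a repeated entry inside
# them points to the same header-added-twice problem.
LIST_VALUED = {
    "access-control-expose-headers",
    "access-control-allow-methods",
    "access-control-allow-headers",
}


def parse_headers(raw):
    """Return (name, value) pairs from a raw header block.

    Repeated header lines are kept as separate pairs so that a header sent
    twice is still visible; the status line and blank lines are skipped.
    """
    pairs = []
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith("HTTP/"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def find_doubled_cors_headers(raw):
    """Return {header-name: [values]} for every CORS header that is doubled.

    Handles both forms of the symptom: the same header sent as two lines, and
    two values merged into one line as "a, b" by an intermediate proxy.
    """
    by_name = {}
    for name, value in parse_headers(raw):
        if name in SINGLE_VALUED or name in LIST_VALUED:
            by_name.setdefault(name, []).append(value)

    findings = {}
    for name, values in by_name.items():
        # Split merged "a, b" lines back into individual tokens.
        tokens = [t.strip() for v in values for t in v.split(",") if t.strip()]
        if name in SINGLE_VALUED and len(tokens) > 1:
            findings[name] = tokens
        elif name in LIST_VALUED and len({t.lower() for t in tokens}) < len(tokens):
            findings[name] = tokens
    return findings


# Constructed sample: the doubled response from the capture above, trimmed.
DOUBLED_RESPONSE = """HTTP/1.1 200
Access-Control-Expose-Headers: Access-Control-Allow-Origin,Access-Control-Allow-Credentials, Access-Control-Allow-Origin,Access-Control-Allow-Credentials
Server: IDPA
Access-Control-Allow-Origin: *, *
Content-Type: application/json;charset=utf-8
"""

# Constructed sample: what the same response looks like once only one filter
# pass adds the CORS headers.
CLEAN_RESPONSE = """HTTP/1.1 200
Access-Control-Expose-Headers: Access-Control-Allow-Origin,Access-Control-Allow-Credentials
Server: IDPA
Access-Control-Allow-Origin: *
Content-Type: application/json;charset=utf-8
"""


if __name__ == "__main__":
    for label, raw in (("doubled", DOUBLED_RESPONSE), ("clean", CLEAN_RESPONSE)):
        findings = find_doubled_cors_headers(raw)
        print(f"{label}: {findings if findings else 'no doubled CORS headers'}")
```

Run it against a header capture taken after the fix in the Resolution section has been applied to every cluster node; an empty result from the node that had to proxy the request to the node holding the session is the confirmation that the headers are now added only once.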

Resolution

  • make sure the complete CORS headers section, including the "CorsFilterController" filter, is un-commented in web.xml:

    <filter>
        <filter-name>CorsFilterController</filter-name>
        <filter-class>com.novell.nidp.servlets.filters.CorsFilterController</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>CorsFilterController</filter-name>
        <url-pattern>*</url-pattern>
    </filter-mapping>

    <filter>
        <filter-name>CorsFilter</filter-name>
        <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
        <init-param>
            <param-name>cors.allowed.origins</param-name>
            <param-value>*</param-value>
        </init-param>
        <init-param>
            <param-name>cors.allowed.methods</param-name>
            <param-value>GET,POST,HEAD,OPTIONS,PUT</param-value>
        </init-param>
        <init-param>
            <param-name>cors.allowed.headers</param-name>
            <param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers</param-value>
        </init-param>
        <init-param>
            <param-name>cors.exposed.headers</param-name>
            <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
        </init-param>
    </filter>

    <filter-mapping>
        <filter-name>CorsFilter</filter-name>
        <url-pattern>*</url-pattern>
    </filter-mapping>

Cause

  • The Access Manager IDP "CorsFilterController" filter had not been enabled / un-commented. This filter is required to make sure the CORS headers do not get added a second time in the situation above, where an IDP-to-IDP proxy request is required. The shipped web.xml has it commented out:
    <!-- login snippet related cors -->
    <!-- Note: Do not modify the default wildcard in the url-pattern. This is needed by the portal to function properly. -->
    <!--
    <filter>
      <filter-name>CorsFilterController</filter-name>
      <filter-class>com.novell.nidp.servlets.filters.CorsFilterController</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>CorsFilterController</filter-name>
        <url-pattern>*</url-pattern>
    </filter-mapping>
    -->
    <filter>
        <filter-name>CorsFilter</filter-name>
        <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
        <init-param>
            <param-name>cors.allowed.origins</param-name>
            <param-value>*</param-value>
        </init-param>
        <init-param>
            <param-name>cors.allowed.methods</param-name>
            <param-value>GET,POST,HEAD,OPTIONS,PUT</param-value>
        </init-param>
        <init-param>
            <param-name>cors.allowed.headers</param-name>
            <param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers</param-value>
        </init-param>
        <init-param>
            <param-name>cors.exposed.headers</param-name>
            <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>CorsFilter</filter-name>
        <url-pattern>*</url-pattern>
    </filter-mapping>

Additional Information

The Access Manager IDP server provides and requires an extra Tomcat filter which makes sure the CORS headers will not get doubled:
<filter>
  <filter-name>CorsFilterController</filter-name>
  <filter-class>com.novell.nidp.servlets.filters.CorsFilterController</filter-class>
</filter>
<filter-mapping>
    <filter-name>CorsFilterController</filter-name>
    <url-pattern>*</url-pattern>
</filter-mapping>
Additional information about the Tomcat CORS filter settings can be reviewed in the Container Provided Filters documentation for Tomcat.