000029522 - AxM Agent denies access for requests with HTTP method of OPTIONS

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017

Article Content

Article Number: 000029522
Applies To:
RSA Product Set: ClearTrust
RSA Product/Service Type: Access Manager Agent for Apache
RSA Version/Condition: 5.0
Platform: Linux
Issue

When the RSA Access Manager agent is configured for non-forms-based basic authentication (cleartrust.agent.form_based_enabled=False), the agent authenticates the user by intercepting the HTTP basic authentication headers in the request object. If the request object does not contain the basic authentication headers, the RSA Access Manager agent directs the web server to issue an HTTP 401 authentication request.

It is common for automated clients to submit the basic authentication credential along with the request, for instance when making a request to a web service. Some clients (Firefox) send a request with the HTTP OPTIONS method before the real request in order to determine the web server options. Since HTTP basic authentication headers are not typically sent with the OPTIONS method, this request will fail. This may cause the automated client to fail to make the subsequent GET request for the content.

Tasks

It is possible to use the rules.xml file to allow access to requests that use the HTTP OPTIONS verb as the method. In the webagent.conf file, enable the rules.xml file using the parameter cleartrust.agent.rules_file. In the rules.xml file, create a rule that allows access for all requests with the method OPTIONS. For example:
        <argument type="Method" expression="OPTIONS" />
        <action type="HTTP" argument="200" />
This rule bypasses the agent authentication and authorization for any request where the HTTP method is OPTIONS by issuing an HTTP 200 allow.
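
Because the rule lets every OPTIONS request through unauthenticated, it is worth confirming after the change that only OPTIONS is exempt and that other methods are still challenged. The following check is an added example, not RSA code: the function names, the credentials and the StubAgent server (a constructed stand-in that only mimics the behaviour described above so the check runs offline) are assumptions.

```python
import base64, threading, urllib.request, urllib.error
from http.server import BaseHTTPRequestHandler, HTTPServer

class StubAgent(BaseHTTPRequestHandler):
    """Constructed stand-in: Basic auth required, OPTIONS rule applied."""
    def _reply(self, code):
        self.send_response(code)
        if code == 401:
            self.send_header("WWW-Authenticate", 'Basic realm="stub"')
        self.send_header("Content-Length", "0")
        self.end_headers()
    def do_OPTIONS(self):
        self._reply(200)  # models the rule: Method == OPTIONS -> HTTP 200
    def do_GET(self):
        # The stub accepts any Authorization header; a real agent validates it.
        self._reply(200 if self.headers.get("Authorization") else 401)
    do_POST = do_GET
    def log_message(self, *args):
        pass  # keep the stub quiet

# Bypass any proxy configured in the environment.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def status(url, method, creds=None):
    """Send one request and return the HTTP status code."""
    req = urllib.request.Request(url, method=method)
    if creds:
        token = base64.b64encode(creds.encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with _opener.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def check_options_rule(url, creds):
    """Return findings; an empty list means only OPTIONS skips authentication."""
    findings = []
    if status(url, "OPTIONS") != 200:
        findings.append("OPTIONS without credentials was not allowed")
    for method in ("GET", "POST"):
        if status(url, method) != 401:
            findings.append(method + " without credentials was not challenged")
    if status(url, "GET", creds) == 401:
        findings.append("GET with credentials was still challenged")
    return findings

def run_against_stub():
    srv = HTTPServer(("127.0.0.1", 0), StubAgent)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return check_options_rule("http://127.0.0.1:%d/" % srv.server_port, "user:pass")
    finally:
        srv.shutdown()
```

To run it against a real deployment, call check_options_rule with the protected URL and a valid test account in place of the stub.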