on Jun 14, 2016Article Content
| Article Number | 000032536 |
| Applies To | RSA Product Set: RSA Identity Governance & Lifecycle RSA Version/Condition: 7.0.0 |
| Issue | When attempting to View, Download or Delete an existing Aveksa Statistics Report (ASR) (Admin > System > Diagnostics tab), the options fail with: Request Error The request could not be handled  The aveksaServer.log file ($AVEKSA_HOME/wildfly/standalone/log/aveksaServer.log) reports the following security exception: 02/09/2016 14:56:45.574 ERROR (default task-59) [com.aveksa.gui.core.MainManager] 10.XXX.X.XX invalid request: https://hostname:port/aveksa/main?ReqType=Dialog&PageID=DownloadSystemReportDialogData&BreadcrumbLevel=0&Action=New&SYSTEM_REPORT_NAME=DEV+SYSTEM+ 1_Aveksa_Statistics_Report.20160208.130639 02/09/2016 14:56:45.583 INFO (NotificationConsumer:AdminException) [com.aveksa.server.workflow.notification.NotificationEngine] Starting method=run subTask=Processing Event NotificationEvent[WorkflowEvent[id = 152 creationDate = Tue Feb 09 14:56:45 CST 2016 eventState = New eventType = NewAdminExceptionEvent] notificationObjectId = 2611 notificationObjectType = AdminException] 02/09/2016 14:56:45.659 INFO (NotificationConsumer:AdminException) [com.aveksa.server.workflow.notification.NotificationEngine] Starting method=run subTask=Processing Event NotificationEvent[WorkflowEvent[id = 153 creationDate = Tue Feb 09 14:56:45 CST 2016 eventState = New eventType = NewAdminNotificationEvent] notificationObjectId = 2611 notificationObjectType = AdminException] 02/09/2016 14:56:48.142 ERROR (default task-60) [com.aveksa.gui.core.GuiFramework] Unsafe characters detected in URL parameters. Possible XSS attack.: Login ID: abc123 Request: https://hostname:port/aveksa/main? ReqType=Dialog&PageID=DownloadSystemReportDialogData&BreadcrumbLevel&Action&New&SYSTEM_REPORT_NAME=DEV+SYSTEM+1_Aveksa_Statistics_Report.20160208.130639 ReqType=Dialog&PageID=DownloadSystemReportDialogData&BreadcrumbLevel&Action&New&SYSTEM_REPORT_NAME=DEV+SYSTEM+1_Aveksa_Statistics_Report.20160208.130639 Invalid string: SYSTEM_REPORT_NAME com.aveksa.server.core.SecurityException: Unsafe characters detected in URL parameters. Possible XSS attack. Please refer to RSA Knowledge Base Article 000030327 -- Artifacts to gather in RSA Identity Governance & Lifecycle to find the location of the aveksaServer.log file for your specific deployment, if you are on a WildFly cluster or a non-WildFly platform. The aveksaServer.log may also be downloaded from the RSA Identity Governance & Lifecycle user interface (Admin > System > Server Nodes tab > under Logs.) |
| Cause | This is a known issue reported in engineering tickets ACM-55821 and ACM-61116. RSA Identity Governance & Lifecycle 7.0 has additional protection against cross-site scripting (XSS) attacks as compared to previous versions. Because of this, special characters such as spaces are no longer allowed in the report name of the ASR. This issue occurs if you are on RSA Identity Governance & Lifecycle 7.0 or higher and have an Environment Name defined with special characters such as spaces. Environment Names are defined by going to Admin > System > Settings tab > Edit > Environment > Name field. The default name of the ASR has no special characters. However, when an Environment Name is set for the system, the Environment Name is prefixed to the ASR name. If the Environment Name has special characters, than the ASR name has special characters and this failure occurs. In the following example, the Environment Name has spaces: .  Previously the Environment Name was VCD. Note in the example below, one report name has spaces (DEV SYSTEM 1) and one report does not (VCD). The report with spaces in the report name cannot be viewed, downloaded or deleted.  |
| Resolution | This issue is resolved in the following RSA Identity Governance & Lifecycle versions and patch levels:
|
| Workaround | As a workaround, ensure the Environment Name has no special characters and generate a new ASR.
|