|Applies To||RSA Access Manager Agent 4.8 for Sun Java Web Server 7.0; Sun Java System Web Server 7.0|
|Issue||Access Manager Basic Authentication fails when the Sun ONE reverse proxy fails over to an alternate backend.|
The agent log at DEBUG level shows the following events:
2013-09-09 11:38:09 -0400 -  - <Info> - Request headers did not return a cookie
2013-09-09 11:38:09 -0400 -  - <Info> - Result map: RETURN_CODE\nINVALID_USER\nAUTHENTICATION_RESULT\nINVALID_PASSWORD
Authentication works correctly while all backend application servers are up. In failover mode, however, a request that posts Basic Authentication headers to the RSA Access Manager agent is authenticated successfully on the initial request, yet the browser is then redirected to the logon screen.
|Cause||When a failover occurs, the initial HTTP response object carries a 303 redirect. The initial HTTP request, which contains the Basic Authentication headers, is processed correctly: the agent authenticates the user and sets the CTSESSION cookie. The agent then rewrites the Basic Authentication header with the password set to null. The 303 redirect causes the Sun Java Web Server to generate a second HTTP request object, which the agent parses again. This is an internal redirect; the client is not involved, so the second request object carries no CTSESSION cookie. Because the browser never replayed the session cookie on this second request, RSA Access Manager treats it as unauthenticated. The second request does still contain an HTTP Basic Authentication header, so the Sun Java Web Server attempts to authenticate the user with it, but because the password in the rewritten header is now null, that authentication fails. RSA Access Manager logs the failure and redirects the client to the RSA Access Manager logon screen.|
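The two DEBUG events quoted above (a request arriving without a session cookie, immediately followed by a result map whose AUTHENTICATION_RESULT is INVALID_PASSWORD) are the visible trace of the failover sequence described in the Cause. The following script is an added triage example, not part of the original article or of the RSA agent: it parses agent log lines in the layout shown, turns the literal `\n`-separated result map into key/value pairs, and flags a no-cookie event followed within a short window by an INVALID_PASSWORD result. The window length, the helper names and the sample log lines are all constructed here; a genuine wrong-password attempt produces the same pair of events, so the hits are candidates to correlate with 504 errors and request restarts in the web server's own logs, not proof of the failover defect on their own.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional, Tuple

# Agent log line layout as shown in the article:
#   <date> <time> <tz> -  - <Level> - <message>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4})"
    r"\s+-\s+-\s+<(?P<level>\w+)>\s+-\s+(?P<msg>.*)$"
)

# Constructed sample log (raw string so the literal '\n' inside the result map survives).
# Lines 1-3 mimic the article's failover signature; lines 4-5 are an unrelated
# failed logon 30 seconds after the cookie-less request and must not be flagged.
SAMPLE_LOG = r"""
2013-09-09 11:37:55 -0400 -  - <Info> - Request headers did not return a cookie
2013-09-09 11:38:09 -0400 -  - <Info> - Request headers did not return a cookie
2013-09-09 11:38:09 -0400 -  - <Info> - Result map: RETURN_CODE\nINVALID_USER\nAUTHENTICATION_RESULT\nINVALID_PASSWORD
2013-09-09 11:40:00 -0400 -  - <Info> - Request headers did not return a cookie
2013-09-09 11:40:30 -0400 -  - <Info> - Result map: RETURN_CODE\nINVALID_USER\nAUTHENTICATION_RESULT\nINVALID_PASSWORD
"""


class AgentEvent(NamedTuple):
    ts: datetime
    level: str
    msg: str


def parse_line(line: str) -> Optional[AgentEvent]:
    """Parse one agent log line; return None for lines that do not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S %z")
    return AgentEvent(ts, m.group("level"), m.group("msg"))


def parse_result_map(msg: str) -> Dict[str, str]:
    """The agent logs the result map as alternating key/value tokens joined by a literal '\\n'."""
    prefix = "Result map:"
    if not msg.startswith(prefix):
        return {}
    tokens = [t for t in msg[len(prefix):].strip().split("\\n") if t]
    return dict(zip(tokens[0::2], tokens[1::2]))


def find_failover_auth_failures(
    log_text: str, window: timedelta = timedelta(seconds=5)
) -> List[Tuple[datetime, Dict[str, str]]]:
    """Return (timestamp, result map) for each INVALID_PASSWORD result that follows
    a cookie-less request within `window` (window size is a constructed heuristic)."""
    findings: List[Tuple[datetime, Dict[str, str]]] = []
    pending: Optional[AgentEvent] = None  # last no-cookie event not yet matched
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev.msg.startswith("Request headers did not return a cookie"):
            pending = ev
        elif ev.msg.startswith("Result map:"):
            rm = parse_result_map(ev.msg)
            if (
                pending is not None
                and ev.ts - pending.ts <= window
                and rm.get("AUTHENTICATION_RESULT") == "INVALID_PASSWORD"
            ):
                findings.append((ev.ts, rm))
            pending = None
    return findings


if __name__ == "__main__":
    for ts, rm in find_failover_auth_failures(SAMPLE_LOG):
        print(f"{ts.isoformat()} possible failover auth reset: {rm}")
```

Run it against a real agent log by replacing SAMPLE_LOG with the file contents; each hit gives a timestamp to look up in the Sun Java Web Server access and error logs for the matching 504 and restarted request.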
|Resolution||Set the following parameter in the webagent.conf file to false. This stops RSA Access Manager from rewriting the Basic Authentication header between the first request and the 303 redirect, so the client's original Authorization header reaches the second request unchanged and the second authentication succeeds.|
# This either allows or blocks the setting of the HTTP basic authorization
# header 'Authorization:'. This parameter can be set to false in places
# where the Authorization header set by the Agent is not required.
# By default, this is set to True.
# Allowed Values:
# True  - Sets the HTTP Basic Authorization header with values.
# False - The HTTP Basic Authorization header will not be set.
|Workaround||The Sun ONE Java Web Server is configured as a reverse proxy with failover defined for the backend application servers, as in the following obj.conf fragment:|
<If $path =~ '/servlet' or $path =~ '\.jsp'>
<If not $restarted>
NameTrans fn="map" name="reverse-proxy" from="/" to="http:"
NameTrans fn="map" name="reverse-proxy-alt" from="/" to="http:"
Route fn="set-origin-server" server="<back-end-server>"
# If back end server is not available, restart the request
<If $code =~ 504>
Error fn="restart" uri="$uri"
Route fn="set-origin-server" server="<alternate-back-end-server>"
Service fn="proxy-retrieve" method="*"
|Legacy Article ID||a62467|