000016231 - Access Manager Basic Authentication fails for SunOne reverse proxy failover.

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000016231
Applies To:
    RSA Access Manager Agent 4.8 for Sun Java Web Server 7.0
    Sun Java System Web Server 7.0
Issue: Access Manager Basic Authentication fails for SunOne reverse proxy failover.
The Agent log at DEBUG level shows the following events:
2013-09-09 11:38:09 -0400 - [67] - <Info> - Request headers did not return a cookie
and
2013-09-09 11:38:09 -0400 - [67] - <Info> - Result map: RETURN_CODE\nINVALID_USER\nAUTHENTICATION_RESULT\nINVALID_PASSWORD

Authentication works correctly when all backend application servers are up. In failover mode, however, when the browser posts Basic Authentication headers to the RSA Access Manager agent, the initial authentication request succeeds but the browser is then redirected to the logon screen.
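The two agent log events above are the signature of this problem. The following triage helper, added here as an example and not part of RSA's agent or this article, parses agent DEBUG log lines in the format shown, correlates the "no cookie" event with the following "Result map" on the same thread id, and reports threads where the result was INVALID_PASSWORD. The sample log lines and the assumption that the Result map is separated by literal "\n" sequences are constructed for this example.

```python
# Added example (not RSA code): scan RSA Access Manager agent DEBUG log lines
# for the "no cookie" -> "INVALID_PASSWORD" pattern quoted in the article.
import re

# Constructed sample lines in the format the article shows. Thread 67 shows
# the symptom; thread 68 is a normal Basic auth success; the last line is noise.
SAMPLE_LOG_LINES = [
    r"2013-09-09 11:38:09 -0400 - [67] - <Info> - Request headers did not return a cookie",
    r"2013-09-09 11:38:09 -0400 - [67] - <Info> - Result map: RETURN_CODE\nINVALID_USER\nAUTHENTICATION_RESULT\nINVALID_PASSWORD",
    r"2013-09-09 11:38:10 -0400 - [68] - <Info> - Request headers did not return a cookie",
    r"2013-09-09 11:38:10 -0400 - [68] - <Info> - Result map: RETURN_CODE\nSUCCESS\nAUTHENTICATION_RESULT\nSUCCESS",
    r"2013-09-09 11:38:11 -0400 - [69] - <Debug> - unrelated message",
    "this line is not in the agent log format",
]

# "<timestamp> - [<thread>] - <Level> - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) - "
    r"\[(?P<thread>\d+)\] - <(?P<level>\w+)> - (?P<msg>.*)$"
)

NO_COOKIE = "Request headers did not return a cookie"
RESULT_MAP = "Result map: "


def parse_line(line: str):
    """Return the line's fields as a dict, or None if it is not an agent log line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def parse_result_map(msg: str) -> dict:
    """Turn 'Result map: K1\\nV1\\nK2\\nV2' into {K1: V1, K2: V2}.

    Assumption (constructed for this example): the agent separates the
    alternating keys and values with a literal backslash-n sequence.
    """
    fields = msg[len(RESULT_MAP):].split("\\n")
    return dict(zip(fields[0::2], fields[1::2]))


def find_failover_auth_failures(lines) -> list:
    """Report threads where a 'no cookie' event is followed by an
    AUTHENTICATION_RESULT of INVALID_PASSWORD on the same thread."""
    pending = {}  # thread id -> timestamp of its last "no cookie" event
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        thread, msg = rec["thread"], rec["msg"]
        if msg == NO_COOKIE:
            pending[thread] = rec["ts"]
        elif msg.startswith(RESULT_MAP) and thread in pending:
            result = parse_result_map(msg)
            if result.get("AUTHENTICATION_RESULT") == "INVALID_PASSWORD":
                hits.append({"thread": thread, "ts": pending[thread], "result": result})
            del pending[thread]
    return hits


if __name__ == "__main__":
    for hit in find_failover_auth_failures(SAMPLE_LOG_LINES):
        print(f"thread {hit['thread']} at {hit['ts']}: {hit['result']}")
```

A hit only means that a request without a CTSESSION cookie failed Basic authentication with an invalid password; a user typing a wrong password produces the same pair of events. The pattern points at this article's cause when it appears only while a backend server is down and the affected users authenticate successfully once the primary server is back.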
Cause: When a failover occurs, the initial HTTP response object has a return code of 303 (redirect). The initial HTTP request, which carries the Basic Authentication header, is processed correctly: the agent authenticates the user and sets the CTSESSION cookie. The agent then rewrites the Basic Authentication header with the password set to null. The 303 redirect causes the Sun Java Web Server to generate a second HTTP request object, which the agent parses. This is an internal redirect; the client is not involved in it, so the second request object does not contain a CTSESSION cookie. Because the client browser never replayed the session cookie with this second request, RSA Access Manager treats it as an unauthenticated request. The second request does, however, still contain an HTTP Basic Authentication header. The Sun Java Web Server attempts to authenticate the user with this header, but because the password in the rewritten header is now null, the authentication fails. RSA Access Manager logs this authentication failure and then redirects the client to the RSA Access Manager logon screen.
Resolution: Set the following parameter in the webagent.conf file to False. This prevents RSA Access Manager from resetting the Basic Authentication header between the first request and the 303 redirect, so the second authentication succeeds.
# This either allows or blocks the setting of the basic authorization
# header 'Authorization:'. This parameter can be set to False in places
# where the Authorization header set by the Agent is not required.
# By default, this is set to True.
# Allowed Values:
# True     Sets the HTTP basic authorization header with values.
# False    The HTTP Basic Authorization header will not be set.
#
cleartrust.agent.set_basic_auth_header=False
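To make the Cause and Resolution concrete, here is a small model of the request flow, added as an example and not RSA's agent code. It runs the client's Basic Authentication request through a modelled agent, then replays the internal restart that the 504 from the primary backend triggers, with the set_basic_auth_header switch turned on (the default) and off. The user database, session id format and the modelling of "password set to null" as an empty password are assumptions made for this example.

```python
# Added example (not RSA code): model of the agent behaviour described in the
# Cause section and the effect of cleartrust.agent.set_basic_auth_header.
import base64

VALID_CREDENTIALS = {"alice": "s3cret"}  # constructed user database


def basic_header(user: str, password: str) -> str:
    """Build an HTTP Basic Authorization header value."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def parse_basic(value: str):
    """Return (user, password) from a Basic header value, or None if malformed."""
    scheme, _, token = value.partition(" ")
    if scheme != "Basic" or not token:
        return None
    try:
        user, _, password = base64.b64decode(token).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user, password


def agent_handle(req_headers: dict, sessions: set, set_basic_auth_header: bool, events: list):
    """One pass of the modelled agent over a request object.

    Returns (outcome, set_cookie): outcome is "ok" or "redirect_to_logon";
    set_cookie is the CTSESSION value destined for the client, or None.
    req_headers is mutated the way the agent rewrites the Authorization header.
    """
    cookie = req_headers.get("Cookie")
    if cookie and cookie in sessions:
        return "ok", None
    events.append("Request headers did not return a cookie")
    auth = req_headers.get("Authorization")
    if auth is None:
        return "redirect_to_logon", None
    creds = parse_basic(auth)
    if creds is None or VALID_CREDENTIALS.get(creds[0]) != creds[1]:
        events.append("Result map: RETURN_CODE INVALID_USER AUTHENTICATION_RESULT INVALID_PASSWORD")
        return "redirect_to_logon", None
    user = creds[0]
    session = f"CTSESSION=session-for-{user}"  # constructed session id
    sessions.add(session)
    if set_basic_auth_header:
        # Default (True): the agent re-sets the header with a null password,
        # modelled here as an empty password. This is what breaks the restart.
        req_headers["Authorization"] = basic_header(user, "")
    return "ok", session


def simulate(set_basic_auth_header: bool, primary_up: bool = True) -> dict:
    """Send the client's request through the agent; if the primary origin is
    down, also run the internal restart that routes to the alternate origin."""
    sessions, events = set(), []
    headers = {"Authorization": basic_header("alice", "s3cret")}
    outcome, set_cookie = agent_handle(headers, sessions, set_basic_auth_header, events)
    if outcome != "ok" or primary_up:
        return {"outcome": outcome, "set_cookie": set_cookie, "events": events}
    # Primary answered 504 -> Error fn="restart" builds a second request object
    # from the first one's headers. The client has not yet received the
    # Set-Cookie, so the restarted request carries no Cookie header.
    restarted = {"Authorization": headers["Authorization"]}
    outcome, _ = agent_handle(restarted, sessions, set_basic_auth_header, events)
    return {"outcome": outcome, "set_cookie": set_cookie, "events": events}


if __name__ == "__main__":
    for setting in (True, False):
        r = simulate(setting, primary_up=False)
        print(f"set_basic_auth_header={setting}: {r['outcome']}  events={r['events']}")
```

With the default setting the restarted request fails with the INVALID_PASSWORD result and the user is sent to the logon screen; with the parameter set to False the original header survives the restart and the second authentication succeeds, which is the behaviour the Resolution relies on.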
Workaround: The Sun One Java Web Server is configured as a reverse proxy with failover defined for the backend application servers, as in the following configuration:
<Object name="default">
    <If $path =~ '/servlet' or $path =~ '\.jsp'>
        <If not $restarted>
            NameTrans fn="map" name="reverse-proxy" from="/" to="http:"
        </If>
        <If $restarted>
            NameTrans fn="map" name="reverse-proxy-alt" from="/" to="http:"
        </If>
    </If>
</Object>
<Object name="reverse-proxy">
    Route fn="set-origin-server" server="<back-end-server>"
    # If the back end server is not available, restart the request
    <If $code =~ 504>
        Error fn="restart" uri="$uri"
    </If>
</Object>
<Object name="reverse-proxy-alt">
    Route fn="set-origin-server" server="<alternate-back-end-server>"
</Object>
<Object ppath="http:*">
    Service fn="proxy-retrieve" method="*"
</Object>
Legacy Article ID: a62467
