000016773 - RSA Access Manager returns different results when using mixed case usernames

Document created by RSA Customer Support Employee on Jun 15, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number
000016773
Applies To
RSA Access Manager 6.1.4 (SP4)
RSA Access Manager 6.2 (AxM)
Oracle SQL Server
Microsoft SQL Server
Issue
RSA Access Manager returns different results when using mixed case usernames
A Runtime API call to get user properties may return different results depending on the case of the username passed in the authenticate call.  The aserver may incorrectly return a previously cached result. 
The aserver debug output shows an upper case (or a mixed case) value for U.NAME in the following query.  The query should use a normalized lower case value.
13:07:09:711 [*] [pool-14-thread-1] - getUser:SQL <SELECT U.CONFIG_ADMIN,U.AUDIT_ADMIN,U.DESCRIPTION,U.INACTIVE_DATE,U.BEGIN_DATE,U.CREATION_DATE,U.DN,U.EMAIL,U.LAST_NAME,U.FIRST_NAME,U.NAME,U.ADMIN_LOCKOUT,U.SUPER_HELP_DESK,U.SUPER_USER,U.PUBLIC_STATE,U.ADMIN_GROUP_ID,U.ID,P.FAILED_COUNT,P.LOCKOUT_EXPIRATION,P.EXPIRATION_DATE,P.PASSWORD_CREATION_DATE,P.LAST_RESET,P.EXPIRATION_STATUS,P.OVERRIDE_POLICY,P.DCP_PASSWORD,P.PASSWORD,PR.PROPERTY_DEF_ID,PR.BOOLEAN_VALUE,PR.DATE_VALUE,PR.FLOAT_VALUE,PR.INT_VALUE, PR.STRING_VALUE FROM PASSWORD P JOIN USERS U ON U.ID=P.USER_ID LEFT OUTER JOIN USER_PROPERTY PR ON U.ID=PR.USER_ID WHERE  (U.NAME = 'TESTUSER')  ORDER BY NAME >

User properties are not being flushed correctly from the cache resulting in old values being returned. 
Cause
This issue may occur when an SQL datastore is used and the same username is supplied with different letter case on subsequent authentication requests. The issue persists for 5 minutes, until the cache TTL expires. The following example demonstrates the failure.
  1. Authenticate with the username TESTUSER.
  2. Observe that a user property of TESTUSER has a value of "old value".
  3. Authenticate with the user testuser.
  4. Observe that a user property for testuser has a value of "old value".
  5. Change the user property of TESTUSER to "new value".  This will generate a cache flush event for TESTUSER.
  6. Authenticate with a username of TESTUSER.
  7. Note that the value of the user property is correctly stated as "new value".
  8. Authenticate with a username of testuser.
  9. Note that the value of the user property is incorrectly stated as "old value".
This issue occurs because in some instances the DN value is not normalized before creating the cache entry. 
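The nine steps above can be reproduced with a small model of a TTL cache in front of a case-insensitive datastore. This is an added example, not RSA Access Manager code. The class names, the `normalize` switch and the in-memory store are assumptions, and the cache key is modelled as the username passed to authenticate rather than the DN.

```python
import time

TTL_SECONDS = 300  # the 5-minute cache TTL stated in the article


class CaseInsensitiveStore:
    """Stand-in for the SQL datastore: name comparison ignores case."""
    def __init__(self):
        self._rows = {}

    def set_property(self, name, value):
        self._rows[name.lower()] = value

    def get_property(self, name):
        return self._rows[name.lower()]


class UserCache:
    """TTL cache in front of the store; normalize=True models the corrected behaviour."""
    def __init__(self, store, normalize, clock=time.monotonic):
        self.store, self.normalize, self.clock = store, normalize, clock
        self._entries = {}  # cache key -> (value, expiry time)

    def _key(self, name):
        # Without normalization, TESTUSER and testuser get separate entries.
        return name.lower() if self.normalize else name

    def authenticate(self, name):
        key, now = self._key(name), self.clock()
        hit = self._entries.get(key)
        if hit and hit[1] > now:
            return hit[0]  # served from cache, possibly stale
        value = self.store.get_property(name)
        self._entries[key] = (value, now + TTL_SECONDS)
        return value

    def update_property(self, name, value):
        self.store.set_property(name, value)
        self._entries.pop(self._key(name), None)  # flush event for this key only


def reproduce(normalize):
    """Run the article's nine steps; return the values seen at steps 7 and 9."""
    store = CaseInsensitiveStore()
    store.set_property("testuser", "old value")
    cache = UserCache(store, normalize)
    cache.authenticate("TESTUSER")                   # steps 1-2
    cache.authenticate("testuser")                   # steps 3-4
    cache.update_property("TESTUSER", "new value")   # step 5
    return cache.authenticate("TESTUSER"), cache.authenticate("testuser")  # steps 6-9
```

With `normalize=False` the flush at step 5 removes only the `TESTUSER` entry, so `testuser` keeps serving the stale value until its TTL expires; with `normalize=True` both spellings share one entry and one flush.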
Resolution
This issue has been resolved in hotfix 6.2.0.10 for RSA Access Manager 6.2.  Contact RSA Customer Support and request this hotfix or the latest cumulative hotfix for your platform. 

This issue has been resolved in hotfix 6.1.4.19 for RSA Access Manager 6.1.4 (SP4).  Contact RSA Customer Support and request this hotfix or the latest cumulative hotfix for your platform.
Legacy Article ID
a63061
