000023248 - RSA ClearTrust 5.5.3 - Leading and trailing spaces in userids setting header and cookies incorrectly

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000023248
Applies To: RSA ClearTrust 5.5.3
BASIC Forms login
Issue: Logging in with leading and trailing spaces in the userid, when the userid in the database has none, sets the header and cookies incorrectly

The customer observed that users could authenticate with leading or trailing spaces in the username. For example, a user could authenticate as both "user" and " user ". This led to incorrect usernames in the cookie, exported headers, logs and ClearTrust Agent cache.


User id in datastore is "testuser1".

If leading and trailing spaces are added, the user still authenticates successfully, and the cookie, headers, cache and log files are incorrectly set with the spaces in the userid.

If a user logs in as "   testuser1   ", closes the browser and then logs in as "testuser1", you get a cache miss:
============================================================================
<Debug> - User:     testuser1       <Info> - Result map: SC_USER_ID\n    testuser1     \nSC_IS_V
<Debug> - URI: /cleartrust/ct_logon.asp, User:     testuser1   HTTP_CT_REMOTE_USER:    testuser1      ct-remote-user:     testuser1      
============================================================================
<Debug> - User: testuser1  <Info> - Result map: SC_USER_ID\ntestuser1\nSC_IS_VALID\ntrue\nSC_END_USE
<Debug> - URI: /cleartrust/ct_logon.asp, User: testuser1
<Debug> - Cache miss for check access: Demosite/httpheaders.asp/testuser1 HTTP_CT_REMOTE_USER:testuser1 ct-remote-user: testuser1
============================================================================
 
If the valid ID is "testuser1" then "testuser1!" is not valid.
 
By the same logic, "   testuser1  " should not be valid either.

Cause

The authentication server was passed the userid with spaces and stripped the leading and trailing spaces before authenticating. The agent, meanwhile, had already saved the userid with the spaces for the header and the cache, causing a mismatch between the two components.

Resolution

This issue is resolved in ClearTrust server Hotfix 5.5.3.105. Contact RSA Customer Support to request this hotfix, or request the latest hotfix level, which is cumulative and contains the fixes from previous fix levels.

The issue is resolved in the aserver component of the cleartrust.jar file. Aserver no longer strips leading and trailing spaces before authentication, so a userid with padding results in access denied (assuming the real userid in the database does not itself have leading/trailing spaces).
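To show the cause and the fix side by side, the following is an added example (not ClearTrust code) that models an agent which records the userid exactly as typed for its header and access cache, while the authentication server either trims the userid before the lookup (pre-hotfix behaviour) or compares it exactly (post-hotfix behaviour). The class names, the password and the datastore contents are constructed for illustration.

```python
# Constructed datastore: userids as stored in the directory, without padding.
USER_DB = {"testuser1": "s3cret"}


class AuthServer:
    """Models the aserver credential check (constructed, not ClearTrust code)."""

    def __init__(self, strip_spaces):
        # strip_spaces=True models the pre-hotfix behaviour of trimming
        # the userid before the datastore lookup.
        self.strip_spaces = strip_spaces

    def authenticate(self, userid, password):
        lookup = userid.strip() if self.strip_spaces else userid
        return USER_DB.get(lookup) == password


class Agent:
    """Models the agent: it never sees what the server did to the userid."""

    def __init__(self, server):
        self.server = server
        self.cache = set()  # access cache keyed on (resource, userid as typed)

    def logon(self, userid, password, resource):
        if not self.server.authenticate(userid, password):
            return None
        # The header value and the cache key keep the raw, padded userid.
        self.cache.add((resource, userid))
        return {"ct-remote-user": userid}

    def cache_hit(self, userid, resource):
        return (resource, userid) in self.cache


def demo(strip_spaces):
    """Padded logon, then check whether the canonical userid finds the cache entry."""
    agent = Agent(AuthServer(strip_spaces))
    padded = agent.logon("   testuser1   ", "s3cret", "httpheaders.asp")
    # A later session with the canonical userid looks for its own cache entry.
    hit = agent.cache_hit("testuser1", "httpheaders.asp")
    return {
        "padded_login_ok": padded is not None,
        "padded_header": None if padded is None else padded["ct-remote-user"],
        "cache_hit_for_canonical_id": hit,
    }


if __name__ == "__main__":
    print("pre-hotfix :", demo(strip_spaces=True))   # login accepted, padded header, cache miss
    print("post-hotfix:", demo(strip_spaces=False))  # login denied for the padded userid
```

The general lesson is that every component that keys a header, a cache entry or a log line on an identity must use the same canonical form the authenticator checked; otherwise one account can appear under several names.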

Notes

The ADMINGUI allows you to enter userids with trailing or leading spaces, but it actually creates the user without the leading or trailing spaces in Active Directory and SunOne Directory Service.

LDAP does not allow leading and trailing spaces in the userid; SQL does allow them.

Legacy Article ID: a32970
