|Applies To||RSA ClearTrust 5.5.3|
BASIC Forms login
|Issue||Logging in with leading and trailing spaces in userids when userid in database has none, sets header and cookies incorrectly|
The customer observed that users could authenticate with leading or trailing spaces in the username. For example, a user could authenticate as both "user" and " user ". This led to incorrect usernames in the cookie, exported headers, logs and ClearTrust Agent cache.
User id in datastore is "testuser1"
Authentication server was being passed the userid with spaces and stripping the leading and trailing spaces before authentication. Agent meanwhile has already saved the userid with spaces for header and caching causing mismatch.
This issue is resolved in ClearTrust server Hotfix 188.8.131.52. Contact RSA Customer Support to request this hot fix, or request the latest hotfix level which is cumulative and contains fixes from previous fix levels.
Issue resolved in aserver component of cleartrust.jar file. Aserver will not strip leading and trailing spaces before authentication which should lead to access denied. (assuming real user id in database does not have leading/trailing spaces.)
ADMINGUI allows you to enter userids with trailing or leading spaces but actually creates a user without the leading or trailing space in Active Directory and SunOne Directory Service.
LDAP does not allow leading and trailing spaces in userid . SQL will allow them.
|Legacy Article ID||a32970|