000020438 - iPlanet Web server does not protect resources properly with RSA ClearTrust Agent 4.0

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000020438
Applies To: Sun ONE Web Server 6.0
obj.conf
RSA ClearTrust Agent 4.0 for Sun ONE Web Server 6.0
Issue: iPlanet Web server does not protect resources properly with RSA ClearTrust Agent 4.0
Cause: The order of entries in the obj.conf file is critical when protecting an iPlanet Web server with ClearTrust Agents. The 'AuthTrans' through 'Error fn' entries added by ClearTrust must appear at the top of the Object section to properly secure a protected resource. If a custom application is installed that adds entries to the Object section but does not place the ClearTrust entries first in that section, requests for the resource may bypass ClearTrust authentication. For example, some Siebel Web applications place their own entries before the ClearTrust entries.
Resolution: To correct this issue, move the ClearTrust entries to the top of the Object section. For example:

Before:

<Object name=default>
NameTrans fn=document-root root="$docroot"
PathCheck fn=nt-uri-clean
PathCheck fn=find-index index-names="index.html,home.html"
ObjectType fn=type-by-extension
ObjectType fn=force-type type=text/plain
Service method=(GET|HEAD|POST) type=*~magnus-internal/* fn=send-file
AddLog fn=flex-log name="access"
AuthTrans fn="ct-pre-process"
AuthTrans fn="basic-auth" auth-type="basic" userdb="none" userfn="ct-nsapi-user"
AuthTrans fn="ct-ssi-auth"
AuthTrans fn="ct-auth" realm="CT"
NameTrans fn="ct-check-redirect"
PathCheck fn="ct-nsapi-check-auth"
PathCheck fn="ct-post-process"
Error fn="ct-post-process"
</Object>

After:

<Object name=default>
AuthTrans fn="ct-pre-process"
AuthTrans fn="basic-auth" auth-type="basic" userdb="none" userfn="ct-nsapi-user"
AuthTrans fn="ct-ssi-auth"
AuthTrans fn="ct-auth" realm="CT"
NameTrans fn="ct-check-redirect"
PathCheck fn="ct-nsapi-check-auth"
PathCheck fn="ct-post-process"
Error fn="ct-post-process"
NameTrans fn=document-root root="$docroot"
PathCheck fn=nt-uri-clean
PathCheck fn=find-index index-names="index.html,home.html"
ObjectType fn=type-by-extension
ObjectType fn=force-type type=text/plain
Service method=(GET|HEAD|POST) type=*~magnus-internal/* fn=send-file
AddLog fn=flex-log name="access"
</Object>
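
The ordering rule above can be checked mechanically. The following Python check is an added example, not part of the original article or of RSA's tooling: it flags ClearTrust entries that appear after other directives in an Object section. It assumes one directive per line and that a ClearTrust entry is one whose fn or userfn value starts with ct- (as in the listings above); the function name and sample input are constructed.

```python
import re

# Constructed sample: a shortened version of the "Before" layout in this article.
SAMPLE_BEFORE = '''<Object name=default>
NameTrans fn=document-root root="$docroot"
PathCheck fn=nt-uri-clean
AuthTrans fn="ct-pre-process"
AuthTrans fn="basic-auth" auth-type="basic" userdb="none" userfn="ct-nsapi-user"
PathCheck fn="ct-nsapi-check-auth"
Error fn="ct-post-process"
</Object>
'''

# Assumption: ClearTrust entries carry fn= or userfn= values starting with "ct-".
CT_ENTRY = re.compile(r'\b(?:fn|userfn)="?ct-')
OBJECT_OPEN = re.compile(r'<Object\s+([^>]*)>', re.IGNORECASE)


def misplaced_ct_entries(conf_text):
    """Return (object_attrs, line_no, blocker_line_no) for each ClearTrust
    entry that follows a non-ClearTrust directive in the same <Object>."""
    findings = []
    current = None   # attributes of the open <Object>, or None when outside
    blocker = None   # line number of the first non-ClearTrust directive
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue                      # blank line or comment
        opened = OBJECT_OPEN.match(line)
        if opened:
            current, blocker = opened.group(1).strip(), None
        elif line.lower().startswith('</object'):
            current = None
        elif current is None or line.startswith('<'):
            continue                      # outside any Object, or a nested tag
        elif CT_ENTRY.search(line):
            if blocker is not None:       # something ran ahead of ClearTrust
                findings.append((current, line_no, blocker))
        elif blocker is None:
            blocker = line_no
    return findings


if __name__ == '__main__':
    for obj, line_no, blocker in misplaced_ct_entries(SAMPLE_BEFORE):
        print(f'<Object {obj}>: ClearTrust entry on line {line_no} '
              f'follows non-ClearTrust directive on line {blocker}')
```

An empty result means every ClearTrust entry precedes the other directives in its Object section, which is the "After" layout.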
Legacy Article ID: a22518
