000035084 - RSA Adaptive Authentication (on premise) - BackOffice is displaying authenticated space without logging in

Document created by RSA Customer Support Employee on May 23, 2017
Version 1

Article Content

Article Number: 000035084
Applies To: RSA Product Set: Adaptive Authentication (OnPrem)
RSA Product/Service Type: Back Office Applications
RSA Version/Condition: 7.1 P5

Issue

The customer recently found that appending any character to the end of the BackOffice login URL displays the authenticated space content without logging in.
For example:
https://rsabo.bankname.net/backoffice/login.jsp{
https://rsabo.bankname.net/backoffice/login.jsp'
The customer considers it inappropriate for the authenticated space content to be displayed without logging in.

Resolution

Workaround to resolve the issue:

1. Stop the server and delete the temp folder.
2. Go to the \webapps\backoffice\WEB-INF\classes\configs\fe\bo_base directory.
3. Open web-security-configuration.xml for editing.
4. Replace <intercept-url pattern="/login.jsp*" filters="none" /> with <intercept-url pattern="/login.jsp" filters="none" /> (at approximately line 13).
5. Save the file.
6. Restart the server.

A permanent fix is available in Adaptive Authentication (On-Premise) 7.3 P3 and later.
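The `intercept-url` syntax quoted in step 4 is Spring Security's, whose default matcher uses Ant-style patterns: a trailing `*` matches any run of characters within the same path segment, so `filters="none"` on `/login.jsp*` exempts every request path that merely starts with `/login.jsp` from the security filter chain, while the exact pattern `/login.jsp` exempts only the login page. The following added example (not RSA's code; the XML fragment is constructed around the one line the article quotes, and the surrounding `<http>` element and `/**` rule are assumptions) models that matching so the before and after configurations can be checked against the two URLs from the issue, and flags any `filters="none"` entry whose pattern contains a wildcard.

```python
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for the <http> block of web-security-configuration.xml.
# Only the /login.jsp* line is taken from the article; the rest is assumed.
BEFORE = """
<http>
  <intercept-url pattern="/login.jsp*" filters="none" />
  <intercept-url pattern="/**" access="ROLE_USER" />
</http>
"""
# The workaround from step 4: drop the trailing wildcard.
AFTER = BEFORE.replace('pattern="/login.jsp*"', 'pattern="/login.jsp"')


def ant_to_regex(pattern: str) -> re.Pattern:
    """Translate an Ant-style path pattern (Spring's default matcher) to a regex:
    '**' spans path segments, '*' matches any run of characters inside one
    segment (including an empty run), '?' matches exactly one character."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif pattern[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")


def unfiltered_patterns(xml_text: str) -> list:
    """Patterns that the config exempts from the whole security filter chain."""
    root = ET.fromstring(xml_text)
    return [e.get("pattern") for e in root.iter("intercept-url")
            if e.get("filters") == "none"]


def bypasses_filters(xml_text: str, path: str) -> bool:
    """True if a request for `path` would skip every security filter."""
    return any(ant_to_regex(p).match(path) for p in unfiltered_patterns(xml_text))


def audit(xml_text: str) -> list:
    """Flag filters="none" entries whose pattern is wider than one literal path."""
    return [p for p in unfiltered_patterns(xml_text) if "*" in p or "?" in p]
```

Run `audit()` over the real file after editing it: an empty list means no remaining `filters="none"` entry carries a wildcard.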
