Symantec Access Management

Expand all | Collapse all

CA SPS Error Redirect Response

  • 1.  CA SPS Error Redirect Response

    Posted 02-17-2016 12:39 PM

    Hi,

     

    I have one JSP1 that I protect with User Directory 1.

     

    Second JSP2 is protected using User Directory 2.

     

    The web agent I'm using is the SPS.

     

    User launches browser and accesses JSP1 and enters userDirectory1 credentials and successfully gets to JSP1.

    In the same browser, he now attempts to access JSP2. I get a web agent failed to process error.

     

    Below is the excerpt from the trace logs.

     

    [02/17/2016][12:25:38][1528][704][16ffe63a-457d41d4-f9c2ccf5-831fc919-23e2bdb4-b8b9][AuthorizeUser][User 'cn=****,ou=Users,o=test1adnc' is not authorized by Policy Server.]

    [02/17/2016][12:25:38][1528][704][16ffe63a-457d41d4-f9c2ccf5-831fc919-23e2bdb4-b8b9][ProcessResponses][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

    [02/17/2016][12:25:38][1528][704][16ffe63a-457d41d4-f9c2ccf5-831fc919-23e2bdb4-b8b9][CSmHttpPlugin::ProcessResponses][Processing Authorization responses.]

    [02/17/2016][12:25:38][1528][704][16ffe63a-457d41d4-f9c2ccf5-831fc919-23e2bdb4-b8b9][CSmHttpPlugin::ProcessResponses][Removing HTTP cache request headers.]

    [02/17/2016][12:25:38][1528][704][16ffe63a-457d41d4-f9c2ccf5-831fc919-23e2bdb4-b8b9][ProcessResponses][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

    [02/17/2016][12:25:38][1528][704][16ffe63a-457d41d4-f9c2ccf5-831fc919-23e2bdb4-b8b9][ProcessResponses][Calling SM_WAF_SPS_PLUGIN->ProcessResponses.]

    [02/17/2016][12:25:38][1528][704][16ffe63a-457d41d4-f9c2ccf5-831fc919-23e2bdb4-b8b9][ProcessResponses][SM_WAF_SPS_PLUGIN->ProcessResponses returned SmNoAction.]

    [02/17/2016][12:25:38][1528][704][16ffe63a-457d41d4-f9c2ccf5-831fc919-23e2bdb4-b8b9][ProcessRequest][AuthorizationManager returned SmNo or SmNoAction, calling ChallengeManager.]

    [02/17/2016][12:25:38][1528][704][16ffe63a-457d41d4-f9c2ccf5-831fc919-23e2bdb4-b8b9][Tomcat5SerializedAgentData::doResponse][HTTP Status Code = 403]

    [02/17/2016][12:25:38][1528][704][16ffe63a-457d41d4-f9c2ccf5-831fc919-23e2bdb4-b8b9][Tomcat5SerializedAgentData.doError][Response message not present; Returning SmFailure]

    [02/17/2016][12:25:38][1528][704][16ffe63a-457d41d4-f9c2ccf5-831fc919-23e2bdb4-b8b9][ProxyValve::invoke][The agent Failed to process the request with a returncode of 5Returning internal server error to the client]

    [02/17/2016][12:25:38][1528][704][16ffe63a-457d41d4-f9c2ccf5-831fc919-23e2bdb4-b8b9][ErrorPageImpl::displayMessage][Custom Error Pages : Custom message is not an URL. If URL is specified then it might not be in proper format. Considering it as plain text message.]

     

    It processes the SMSEssion cookie, but then the user is not authorized for JSP2 since he logged in using User Directory 1 credentials.

     

    Shouldn't the agent ideally respond with a login page challenge? From the trace logs it seems as though you can set a URL response for this error. Anybody know if that is possible? How can I get the agent to re challege the user in this case?

     

    Regards,

    Anand.



  • 2.  Re: CA SPS Error Redirect Response

    Posted 02-17-2016 04:12 PM

    Update :

     

    I also set a onAccessReject Redirect response on Failed Authorization rule on the realms and this never gets triggered.

     

    I only keep getting the Web Agent error and the same kind of messages in the agent trace logs. Any insight is deeply appreciated!

     

    Anand.



  • 3.  Re: CA SPS Error Redirect Response

    Posted 02-17-2016 04:44 PM

    You might want to split the second question into its own thread.   

     

    Regarding the first problem, A Fiddler Trace might be helpful.

     

    Regarding the second question, do you have the Allow Rule and the Failed Authorization Rule in the same Policy?  I would create two Policies:

     

    Domain: Domain1

    Realm: Realm1

     

    Policy 1:   AllowPolicy

    Rule: AllowRule 

    Users: Defined Users

     

    Policy 2: OnAccessReject-Policy

    Rule: OnAccessReject-Rule

    Reponse: OnAccessReject-Redirect Response

    Users: ALL



  • 4.  Re: CA SPS Error Redirect Response

    Posted 02-17-2016 04:51 PM

    Hi LAVST01

     

    They are in 1 policy. The allow policy and deny policy both allow all users. In that case does it make sense to split them?


    Regards,

     

     

    Anand.



  • 5.  Re: CA SPS Error Redirect Response

    Posted 06-19-2017 08:40 AM

    Hi Anand,

     

    I am also facing similar issue and getting similar error in logs, are you able to resolve it ?

     

    Please let me know what solution you applied.

     

    Regards

    Prashant