Symantec Access Management

Hi,

Recently we observed a very strange issue. This started after we upgraded SPS from R12.52 SP1 CR1 to R12.52 SP1 CR04 and the Policy Server from R12.52 SP1 to R12.6. I understand that Policy Server has no role in the custom error pages of SPS.

Now, we have in

1. server.conf - custom error pages enabled 'yes'

2. Under /Tomcat/properties - both SPSErrorMessages.properties and WebServerErrorMessages.properties are defined with the custom path of the pages. Files have proper permission.

3. Respective custom pages are in place with proper permission to the files.

4. Pages are in ignoreurl filter.

After upgrade, custom error pages redirection is working fine except for request falling under /affwebservices.

e.g. https://www.example.com/affwebservices/public/saml2authnrequest?ProviderID=abcd, upon accessing this URL, where Provider ID - abcd is not existing, returns an expected error page.

But that error page is the default error page instead of the custom one.

This default Error page is as - "HTTP Status 400 - Bad Request. The request had bad syntax or incorrect parameters."

This shouldn't come because we already have a custom error page defined for HTTP 400 under WebServerErrorMessages.properties.

I read somewhere in the CA community that for request /affwebservices, there is a different configuration, under web.xml, etc.

But this used to absolutely work fine before the upgrade, with no special config for /affwebservices in web.xml or httpd.conf.

The only config we had was the above 3 which I have mentioned. I have also compared the before/after upgrade files and there was no such configuration before.

In the logs I can see that this message was called " [ErrorPageImpl::displayMessage][Custom Error Pages : Redirecting to the specified URL.]", before upgrade and now it is not coming.

Any idea why there is a change in this behaviour after the upgrade ?

Any thing new in CR04 which we are missing ?

Custom Error page redirection log, Before Upgrade:
[ProxyValve::invoke][ProxyValve.invoke() Setting HTTP status to 200 allowing this request to proceeed. Return Code from HLA = 4]
[Tomcat5serializedAgentData::setStatus()][Setting response status = 200]
[ProxyValve::invoke][The agent finished processing the request.]
[ErrorPageImpl::displayMessage][Custom Error Pages : Redirecting to the specified URL.]
[ProxyValve::invoke][Leaving the agent.]

Default Error page redirection log, After Upgrade:
[ProxyValve::invoke][ProxyValve.invoke() Setting HTTP status to 200 allowing this request to proceeed. Return Code from HLA = 0]
[Tomcat5serializedAgentData.setStatus][Setting response status = 200]
[ProxyValve::invoke][The agent finished processing the request.]
[ProxyValve::processRedirect][Cookieless Federation is disabled. Returning without any processing.]
[ProxyValve::invoke][Leaving the agent.]

Note: In both the cases custom error pages were enabled.

Regards,

Anurag

Configure the Custom Error Pages Settings - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation 

Below is a fresh install I performed.  I know it contains the default values but maybe there is a syntax error somewhere.

Also you can open up a support ticket as it could be a bug.