We are using a login.fcc with the following directive:
We then use $$targetenc$$ to obtain the value of the target.
With Test URL #1: https://hostname.com/index.jsp?test=1
The value of $$targetenc$$ is HTTPS%3A%2F%2Fhostname.com%2Findex.jsp%3Ftest%3D1 as expected.
With Test URL #2: https://hostname.com/index.jsp?test=1&test1=2
The value of $$targetenc$$ is DATA BLOCKED
Seems there is an issue with urlencode when the target contains an ampersand, which can be quite common.
Web Server is Apache 2.2 on RHEL 6.x with R12.52 agent.
Policy Server is R12.6,
Have we looked at the ACO settings BadURLChars, BadQueryChars, BadFormChars, BadCssChars ? I'd assume one of these, most probably the BadFormChars would be doing this (refer the default list and is it enabled). But worth while to check against the other Parameters as well. Did you see anything reported in Web Agent Trace log, to see which parameter it'd be ?
How BadURLChars, BadQueryChars and BadFormChars se - CA Knowledge
Help Prevent Attacks - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation
Thank you for the reply Hubert.
Strangely, the ACO parameter BadFormChars is commented out. I figured that meant disabled.
It was this: #BadFormChars <,>,&,%22
Changed it to this: BadFormChars <,>,%22
Now the Test URL#2 works!!!
The understanding of BadFormChars being disabled by default is correct. My suggestion was just to identify what was blocking the functional aspect. Now that we know, what was blocking the functional aspect and that it does not align with the documentation of the intended behavior - I'd recommend raising a Support Case and seek clarification as to is a Doc Bug OR a product bug ? In order to save retyping everything, have this communities link added in the Case.
I have a CA Support case opened already, will provide them with the link to this thread. Thanks again.