protecting Apache URLs ending in '/' with non-standard DirectoryIndex
I'm using Apache agent 2.2 for Access Manager 7. My Apache version is 1.3.33. I have a DirectoryIndex line in my httpd.conf like so:
DirectoryIndex index.cgi index.html
So when I request the URL <http://server.edu/subdir/> I should get <http://server.edu/subdir/index.cgi>.
My problem is when URLs like this are protected by Access Manager. I have an inverted notenforced_list, which contains http://server.edu/subdir*. So only stuff in subdir should be controlled by AM. I want all 3 of these URLs to give the same results:
http://server.edu/subdir
http://server.edu/subdir/
http://server.edu/subdir/index.cgi
The first and third URLs work as expected; the second one (with a trailing '/') doesn't work. If I change my notenforced_list to read http://server.edu/subdir/*, then only the third (complete) URL works.
By looking at the agent logs in debug mode, it appears that AM is first looking at policy for http://server.edu/. That test passes, since that URL is part of the (inverted) notenforced_list.
Then the agent goes on to check the /subdir URL -- but it tacks on index.html:
2006-04-20 14:06:58.144Debug 10883:252998 PolicyAgent: get_request_url(): Returning request URL http://server.edu/subdir/index.html.
Then it goes on to say that it will enforce policy on this URL, which is correct, but it's referring to index.html, not index.cgi. I'm never prompted for authentication, I just get a browser error that says the page cannot be displayed. If I ask explicitly for http://server.edu/subdir/index.cgi, everything works as expected -- I'm redirected to the AM server and prompted to authenticate, then redirected back to the URL I originally requested.
Am I missing something here? Has anyone else tried to protect URLs ending in '/' with a non-standard name?
By plt667 at 2007-11-26 6:39:31
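As an added illustration (not code from this thread or from the Access Manager agent), the following Python models the agent's not-enforced list matching as a plain wildcard match, where '*' matches any run of characters including '/', compared case-insensitively as url_comparison.case_ignore = true implies, and reports which URL variants an inverted list actually protects under the two patterns discussed above. The pattern semantics and the port-qualified pattern form are assumptions; the DirectoryIndex rewrite seen in the log is not modelled.

```python
import re

# Assumption (not the agent's code): an Access Manager URL pattern is literal
# text in which '*' matches any run of characters, '/' included.
def am_pattern_matches(pattern: str, url: str, case_ignore: bool = True) -> bool:
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    flags = re.IGNORECASE if case_ignore else 0
    return re.fullmatch(regex, url, flags) is not None


def is_enforced(url: str, notenforced_list: list[str], invert: bool) -> bool:
    """True if the agent would enforce policy on url.

    With invert=False a match means 'do not enforce'; with invert=True
    (notenforced_list.invert = true in this thread) only matches are enforced.
    """
    matched = any(am_pattern_matches(p, url) for p in notenforced_list)
    return matched if invert else not matched


# Constructed URLs: the three variants from the post, the root resource the
# agent checks first, and the index-substituted URL it evaluated in the log.
CANDIDATE_URLS = [
    "https://server.edu:443/",
    "https://server.edu:443/subdir",
    "https://server.edu:443/subdir/",
    "https://server.edu:443/subdir/index.cgi",
    "https://server.edu:443/subdir/index.html",
]


def coverage_report(notenforced_list: list[str], invert: bool = True) -> dict[str, bool]:
    """Map each candidate URL to whether the list enforces it; a configuration
    review should expect every variant of a protected resource to read True."""
    return {u: is_enforced(u, notenforced_list, invert) for u in CANDIDATE_URLS}


def unprotected_variants(notenforced_list: list[str], invert: bool = True) -> list[str]:
    """URLs under /subdir that the list leaves unenforced: the gap to look for."""
    report = coverage_report(notenforced_list, invert)
    return [u for u, enforced in report.items() if "/subdir" in u and not enforced]


if __name__ == "__main__":
    for pattern in ("https://server.edu:443/subdir*", "https://server.edu:443/subdir/*"):
        print(pattern, "leaves unenforced:", unprotected_variants([pattern]))
```

Under this model the `subdir*` form covers all three variants, while `subdir/*` leaves the bare `/subdir` URL unenforced, so a review of an inverted list should test every spelling of the protected path.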

# 1
Can you post the part of the agent's debug log (with mode set to all:5) when notenforced_list is set to http://server.edu/subdir* and you request http://server.edu/subdir/?
-Bernhard
# 2
Here is the log extract. You can see pretty clearly that it just tacks on 'index.html' to the end of the original URL, when it gets to the 2nd phase of the policy evaluation (after checking for root-level policy). Thanks for taking a look!
2006-04-20 14:06:58.141MaxDebug 10883:252998 PolicyAgent: get_request_url(): Host: server.edu
2006-04-20 14:06:58.142MaxDebug 10883:252998 PolicyAgent: get_request_url(): Port is 443.
2006-04-20 14:06:58.142Debug 10883:252998 PolicyAgent: get_request_url(): Returning request URL https://server.edu:443/subdir/.
2006-04-20 14:06:58.142 Warning 10883:252998 PolicyAgent: get_method_num(): Apache request method number did not match method string. Setting method number to match method string GET.
2006-04-20 14:06:58.142Debug 10883:252998 PolicyAgent: am_web_is_access_allowed(): url 'https://server.edu:443/subdir/' path_info '/'.
2006-04-20 14:06:58.142MaxDebug 10883:252998 PolicyAgent: am_web_is_access_allowed(): processing url https://server.edu:443/.
2006-04-20 14:06:58.142MaxDebug 10883:252998 PolicyAgent: FqdnHandler::isValidFqdnResource() Resource => https://server.edu:443/, is valid => true
2006-04-20 14:06:58.142Debug 10883:252998 PolicyAgent: am_web_is_access_allowed(): client_ip xxx.xxx.xxx.xxx not found in client ip not enforced list
2006-04-20 14:06:58.142MaxDebug 10883:252998 AM_POLICY_SERVICE: am_policy_compare_urls(): compare usePatterns=true returned 3
2006-04-20 14:06:58.142MaxDebug 10883:252998 AM_POLICY_SERVICE: am_policy_compare_urls(): compare usePatterns=true returned 3
2006-04-20 14:06:58.143MaxDebug 10883:252998 AM_POLICY_SERVICE: am_policy_compare_urls(): compare usePatterns=true returned 3
2006-04-20 14:06:58.143MaxDebug 10883:252998 AM_POLICY_SERVICE: am_policy_compare_urls(): compare usePatterns=true returned 3
2006-04-20 14:06:58.143MaxDebug 10883:252998 AM_POLICY_SERVICE: am_policy_compare_urls(): compare usePatterns=true returned 3
2006-04-20 14:06:58.143Debug 10883:252998 PolicyAgent: in_not_enforced_list: not enforced list is reversed, only matches will be enforced.
2006-04-20 14:06:58.143Debug 10883:252998 PolicyAgent: in_not_enforced_list: allowing access to https://server.edu:443/
2006-04-20 14:06:58.143Debug 10883:252998 PolicyAgent: am_web_get_parameter_value(): Param Name = iPlanetDirectoryPro, & Param Value = NULL, status not found
2006-04-20 14:06:58.143Debug 10883:252998 PolicyAgent: am_web_is_access_allowed(): remote user set to unauthenticated user (null)
2006-04-20 14:06:58.143Info 10883:252998 PolicyAgent: am_web_is_access_allowed()(https://server.edu:443/, GET) returning status: success.
2006-04-20 14:06:58.143Info 10883:252998 PolicyAgent: process_request(): Access check for URL https://server.edu:443/subdir/ returned success.
2006-04-20 14:06:58.143Debug 10883:252998 PolicyAgent: set_user(): user set to
2006-04-20 14:06:58.143Debug 10883:252998 PolicyAgent: am_web_is_logout_url(https://server.edu:443/subdir/): normalized URL https://server.edu:443/subdir/.
2006-04-20 14:06:58.143Debug 10883:252998 PolicyAgent: set_user_attributes(): set user attributes option set to none.
2006-04-20 14:06:58.144Debug 10883:252998 PolicyAgent: process_access_success(): returned AM_WEB_RESULT_OK.
2006-04-20 14:06:58.144Debug 10883:252998 PolicyAgent: process_request(): returning web result AM_WEB_RESULT_OK, data []
2006-04-20 14:06:58.144Debug 10883:252998 PolicyAgent: am_web_process_request(): Rendering web result AM_WEB_RESULT_OK
2006-04-20 14:06:58.144Debug 10883:252998 PolicyAgent: am_web_process_request(): render result function returned AM_SUCCESS.
2006-04-20 14:06:58.144MaxDebug 10883:252998 PolicyAgent: get_request_url(): Host: server.edu
2006-04-20 14:06:58.144MaxDebug 10883:252998 PolicyAgent: get_request_url(): Port is 443.
2006-04-20 14:06:58.144Debug 10883:252998 PolicyAgent: get_request_url(): Returning request URL https://server.edu:443/subdir/index.html.
2006-04-20 14:06:58.144 Warning 10883:252998 PolicyAgent: get_method_num(): Apache request method number did not match method string. Setting method number to match method string GET.
2006-04-20 14:06:58.144Debug 10883:252998 PolicyAgent: am_web_is_access_allowed(): url 'https://server.edu:443/subdir/index.html' path_info ''.
2006-04-20 14:06:58.145MaxDebug 10883:252998 PolicyAgent: am_web_is_access_allowed(): processing url https://server.edu:443/subdir/index.html.
2006-04-20 14:06:58.145MaxDebug 10883:252998 PolicyAgent: FqdnHandler::isValidFqdnResource() Resource => https://server.edu:443/subdir/index.html, is valid => true
2006-04-20 14:06:58.145Debug 10883:252998 PolicyAgent: am_web_is_access_allowed(): client_ip xxx.xxx.xxx.xxx not found in client ip not enforced list
2006-04-20 14:06:58.145MaxDebug 10883:252998 AM_POLICY_SERVICE: am_policy_compare_urls(): compare usePatterns=true returned 3
2006-04-20 14:06:58.145MaxDebug 10883:252998 AM_POLICY_SERVICE: am_policy_compare_urls(): compare usePatterns=true returned 3
2006-04-20 14:06:58.145MaxDebug 10883:252998 AM_POLICY_SERVICE: am_policy_compare_urls(): compare usePatterns=true returned 4
2006-04-20 14:06:58.145Debug 10883:252998 PolicyAgent: in_not_enforced_list(https://server.edu:443/subdir/index.html): matched 'https://server.edu:443/subdir/*' entry in not-enforced list
2006-04-20 14:06:58.145Debug 10883:252998 PolicyAgent: in_not_enforced_list: not enforced list is reversed, only matches will be enforced.
2006-04-20 14:06:58.145Debug 10883:252998 PolicyAgent: in_not_enforced_list: enforcing access control for https://server.edu:443/subdir/index.html
2006-04-20 14:06:58.146Debug 10883:252998 PolicyAgent: am_web_get_parameter_value(): Param Name = iPlanetDirectoryPro, & Param Value = NULL, status not found
2006-04-20 14:06:58.146Debug 10883:252998 PolicyAgent: am_web_is_access_allowed()(https://server.edu:443/subdir/index.html,GET): no sso token, setting status to invalid session.
2006-04-20 14:06:58.146Debug 10883:252998 PolicyAgent: am_web_is_access_allowed(): Successfully logged to remote server for GET action by user unknown user to resource https://server.edu:443/subdir/index.html.
2006-04-20 14:06:58.146Info 10883:252998 PolicyAgent: am_web_is_access_allowed()(https://server.edu:443/subdir/index.html, GET) returning status: invalid session.
2006-04-20 14:06:58.146Info 10883:252998 PolicyAgent: process_request(): Access check for URL https://server.edu:443/subdir/index.html returned invalid session.
2006-04-20 14:06:58.146MaxDebug 10883:252998 PolicyAgent: am_web_get_url_to_redirect(): goto URL is https://server.edu:443/subdir/index.html
2006-04-20 14:06:58.146MaxDebug 10883:252998 PolicyAgent: find_active_login_server(): Trying server: https://access-manager-server.edu:443/amserver/UI/Login
2006-04-20 14:06:58.149Debug 10883:252998 PolicyAgent: process_access_redirect(): get redirect url returned AM_SUCCESS, redirect url [https://access-manager-server.edu:443/amserver/UI/Login?goto=https%3A%2F%2Fserver.edu%3A443%2Fsubdir%2Findex.html].
2006-04-20 14:06:58.149Debug 10883:252998 PolicyAgent: process_access_redirect(): returning web result AM_WEB_RESULT_REDIRECT.
2006-04-20 14:06:58.149Debug 10883:252998 PolicyAgent: process_request(): returning web result AM_WEB_RESULT_REDIRECT, data [https://access-manager-server.edu:443/amserver/UI/Login?goto=https%3A%2F%2Fserver.edu%3A443%2Fsubdir%2Findex.html]
2006-04-20 14:06:58.149Debug 10883:252998 PolicyAgent: am_web_process_request(): Rendering web result AM_WEB_RESULT_REDIRECT
2006-04-20 14:06:58.150Debug 10883:252998 PolicyAgent: am_web_process_request(): render result function returned AM_SUCCESS.
# 3
Can you also post the AMAgent.properties used for this debug log. Something looks strange in the log; maybe this comes from using a top-level DNS domain (.edu). Is the FQDN 'server.edu' really the one you're using, or have you changed it in the log?
-Bernhard
# 4
Yes, I replaced the real server name with server.edu. Didn't want to invite unwanted attention to my real server name since I'm just getting started and I'm not confident that things are locked down sufficiently to advertise.
Likewise, below I've changed the name of my real Access Manager servers to amserver1.edu and amserver2.edu. I can email you the actual files privately if you think it would help. Here are all the non-comment lines from AMAgent.properties:
com.sun.am.cookie.name = iPlanetDirectoryPro
com.sun.am.naming.url = https://amserver1.edu:443/amserver/namingservice https://amserver2.edu:443/amserver/namingservice
com.sun.am.policy.am.login.url = https://amserver1.edu:443/amserver/UI/Login https://amserver2.edu:443/amserver/UI/Login
com.sun.am.policy.agents.config.local.log.file = /var/opt/SUNWam/agents/debug/_usr_local_apache_conf/amAgent
com.sun.am.policy.agents.config.local.log.rotate = false
com.sun.am.policy.agents.config.remote.log = amAuthLog.server.edu.80
com.sun.am.log.level = all:1
com.sun.am.policy.am.username = serveragent
com.sun.am.policy.am.password = xxxxxxxxxxxxxxxxxxxxxxxxx
com.sun.am.sslcert.dir = /usr/local/apache/conf/cert
com.sun.am.certdb.prefix =
com.sun.am.trust_server_certs = false
com.sun.am.notification.enable = false
com.sun.am.notification.url = http://server.edu:80/amagent/UpdateAgentCacheServlet?shortcircuit=false
com.sun.am.policy.am.url_comparison.case_ignore = true
com.sun.am.policy.am.polling.interval=3
com.sun.am.policy.am.userid.param=UserToken
com.sun.am.policy.agents.config.profile.attribute.fetch.mode=NONE
com.sun.am.policy.agents.config.profile.attribute.map=cn|common-name,ou|organizational-unit,o|organization,mail|email,employeenumber|employee-number,c|country
com.sun.am.policy.agents.config.session.attribute.fetch.mode=NONE
com.sun.am.policy.agents.config.session.attribute.map=
com.sun.am.policy.agents.config.response.attribute.fetch.mode=NONE
com.sun.am.policy.agents.config.response.attribute.map=
com.sun.am.policy.am.lb.cookie.name = GX_jst
com.sun.am.load_balancer.enable = false
com.sun.am.policy.agents.config.version=2.2
com.sun.am.policy.agents.config.audit.accesstype = LOG_DENY
com.sun.am.policy.agents.config.agenturi.prefix = https://server.edu:443/amagent
com.sun.am.policy.agents.config.locale = en_US
com.sun.am.policy.agents.config.instance.name = unused
com.sun.am.policy.agents.config.do_sso_only = false
com.sun.am.policy.agents.config.accessdenied.url =
com.sun.am.policy.agents.config.fqdn.check.enable = true
com.sun.am.policy.agents.config.fqdn.default = server.edu
com.sun.am.policy.agents.config.fqdn.map =
com.sun.am.policy.agents.config.cookie.reset.enable=false
com.sun.am.policy.agents.config.cookie.reset.list=
com.sun.am.policy.agents.config.cookie.domain.list=
com.sun.am.policy.agents.config.anonymous_user=anonymous
com.sun.am.policy.agents.config.anonymous_user.enable=false
com.sun.am.policy.agents.config.notenforced_list = http://server.edu/subdir* https://server.edu/subdir*
com.sun.am.policy.agents.config.notenforced_list.invert = true
com.sun.am.policy.agents.config.notenforced_client_ip_list =
com.sun.am.policy.agents.config.postdata.preserve.enable = false
com.sun.am.policy.agents.config.postcache.entry.lifetime = 10
com.sun.am.policy.agents.config.cdsso.enable=false
com.sun.am.policy.agents.config.cdcservlet.url =
com.sun.am.policy.agents.config.client_ip_validation.enable = false
com.sun.am.policy.agents.config.profile.attribute.cookie.prefix = HTTP_
com.sun.am.policy.agents.config.profile.attribute.cookie.maxage = 300
com.sun.am.policy.agents.config.logout.url=
com.sun.am.policy.agents.config.logout.cookie.reset.list =
com.sun.am.policy.am.fetch_from_root_resource = true
com.sun.am.policy.agents.config.get_client_host_name = true
com.sun.am.policy.agents.config.convert_mbyte.enable = false
com.sun.am.policy.agents.config.ignore_path_info = false
com.sun.am.policy.agents.config.override_protocol =
com.sun.am.policy.agents.config.override_host =
com.sun.am.policy.agents.config.override_port =
com.sun.am.policy.agents.config.override_notification.url =
com.sun.am.policy.agents.config.connection_timeout =
com.sun.am.receive_timeout = 0
com.sun.am.policy.agents.config.iis6.basicAuthentication.username =
com.sun.am.policy.agents.config.iis6.basicAuthentication.password =
com.sun.am.policy.agents.config.iis6.basicAuthentication.logFile = /var/opt/SUNWam/agents/debug/_usr_local_apache_conf/amAuthFilter
