Symantec Access Management

  • 1.  Double-quoted SMSESSION value

    Posted Sep 06, 2016 12:42 PM

    Hi all,
    I implemented SAML 2 Federation (HTTP-POST binding) between two SiteMinder instances; one acting as IdP and the other acting as SP.
    At the IdP side FWS services are implemented using CA SPS, while at the SP side they are implemented using IIS web server, Apache Tomcat, CA Web Agent and CA Web Agent Option Pack.


    When the client is redirected to the Assertion Consumer Service URL with a valid assertion, the Service Provider "validates" the assertion and generates the SMSESSION cookie.
    Now the problem is that Tomcat (the saml2assertionconsumer at the SP side) double-quotes the SMSESSION cookie value, and when the client tries to GET a protected resource at the SP side the agent is not able to decode the SMSESSION. Indeed I found the following error in the web agent log file:

    Unable to decode SMSESSION cookie.

    I looked around on the web in order to find the cause of this behaviour and finally I found that the cause is the Apache Tomcat application server.
    Here are some details about it:

     

    Source: https://tomcat.apache.org/migration-7.html#Cookies

    If a cookie value or path contain characters that have to be quoted (per RFC2109 specification), the cookie will be automatically converted from "version 0" cookie into "version 1" cookie before sending it to the client and those values will be surrounded by double quotes. What characters need quoting is controlled by several System properties such as org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR. It is known that Internet Explorer has problem processing "version 1" cookies. (Bug 57872).

     

    Source: https://tomcat.apache.org/tomcat-6.0-doc/config/systemprops.html#Specification

    org.apache.catalina.STRICT_SERVLET_COMPLIANCE system property
    If not specified, the default value of false will be used.
    [...]
    cookies will be parsed strictly, by default v0 cookies will not work with any invalid characters.
    If set to false, any v0 cookie with invalid character will be switched to a v1 cookie and the value will be quoted.
    [...]

     

    Does any web agent or siteminder configuration exist in order to change this behaviour (do not quote SMSESSION cookie value)?

     

    Thanks in advance,
    Daniele
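    As an added example (not code from the thread, from CA/Broadcom, or from Apache Tomcat), the following Python models the "version 0" to "version 1" switch that the quoted Tomcat documentation describes, and adds the check a practitioner would run on the Set-Cookie header returned by the assertion consumer. The SMSESSION value is constructed and not a real session; the way the two system properties are mapped onto the separator set (FWD_SLASH_IS_SEPARATOR following STRICT_SERVLET_COMPLIANCE when unset, '=' counting as a separator on the generation side regardless of ALLOW_EQUALS_IN_VALUE) is an assumption drawn from the documented behaviour and must be verified against the Tomcat version actually in use.

```python
import re

# RFC 2109 / RFC 2616 separators ("tspecials"). A legacy, pre-RFC 6265
# cookie processor will not emit these unquoted in a version-0 cookie value.
HTTP_SEPARATORS = set('\t ()<>@,;:\\"/[]?={}')


def separators_in(value, strict_servlet_compliance=False,
                  fwd_slash_is_separator=None):
    """Return (sorted, as a string) the separator characters in VALUE that
    force the legacy processor to quote it.

    The flags mirror org.apache.catalina.STRICT_SERVLET_COMPLIANCE and
    org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR from
    the thread. Assumption: FWD_SLASH_IS_SEPARATOR follows
    STRICT_SERVLET_COMPLIANCE when it is not set explicitly, and '=' is a
    separator on the generation side whatever ALLOW_EQUALS_IN_VALUE says
    (that property only relaxes parsing of incoming Cookie headers).
    """
    if fwd_slash_is_separator is None:
        fwd_slash_is_separator = strict_servlet_compliance
    seps = set(HTTP_SEPARATORS)
    if not fwd_slash_is_separator:
        seps.discard('/')
    return ''.join(sorted(set(value) & seps))


def legacy_set_cookie(name, value, **flags):
    """Build the Set-Cookie header value a legacy processor would emit for a
    version-0 cookie: unchanged if the value is a token, otherwise the value
    is wrapped in double quotes and the cookie becomes Version=1."""
    if not separators_in(value, **flags):
        return f"{name}={value}"
    return f'{name}="{value}"; Version=1'


# name=value, optionally "value", followed by ';' or end of header.
SET_COOKIE_RE = re.compile(r'^\s*([^=;\s]+)=("?)(.*?)\2(?:;|$)')


def inspect_set_cookie(header):
    """Parse one Set-Cookie header value and report what a client (or a web
    agent that only understands version-0 cookies) actually received.
    Returns (name, raw_value, quoted, version1)."""
    m = SET_COOKIE_RE.match(header)
    if not m:
        raise ValueError(f"not a Set-Cookie value: {header!r}")
    name, quote, raw = m.group(1), m.group(2), m.group(3)
    version1 = re.search(r';\s*Version=1\b', header, re.I) is not None
    return name, raw, quote == '"', version1


def demo():
    """Run the constructed SMSESSION value through three property settings
    and return {label: (offending separators, emitted header)}."""
    # Constructed, base64-looking value; NOT a real SMSESSION cookie.
    value = "abc123+DEF/ghi456=="
    settings = {
        "unset (defaults)": {},
        "STRICT_SERVLET_COMPLIANCE=true": {"strict_servlet_compliance": True},
        "FWD_SLASH_IS_SEPARATOR=false": {"fwd_slash_is_separator": False},
    }
    out = {}
    for label, flags in settings.items():
        out[label] = (separators_in(value, **flags),
                      legacy_set_cookie("SMSESSION", value, **flags))
    for label, (bad, hdr) in out.items():
        print(f"{label:32} separators={bad!r:6} -> Set-Cookie: {hdr}")
    return out


if __name__ == "__main__":
    demo()
    # What the agent sees after the fix versus before it:
    print(inspect_set_cookie('SMSESSION=abc123+DEF/ghi456==; Path=/'))
    print(inspect_set_cookie('SMSESSION="abc123+DEF/ghi456=="; Version=1; Path=/'))
```

    Under this model the base64 padding '=' alone is enough to trigger quoting, and turning on STRICT_SERVLET_COMPLIANCE only adds '/' to the list, so the practical check is to capture the Set-Cookie header from the assertion consumer response (for example with curl -i against the ACS URL) and feed it to inspect_set_cookie: a quoted value or a trailing Version=1 means the web agent will still receive a version-1 cookie.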



  • 2.  Re: Double-quoted SMSESSION value
    Best Answer

    Broadcom Employee
    Posted Sep 06, 2016 04:09 PM

    Hi Daniele,

     

    The problem you observed affects Tomcat only, thus there is no universal agent setting to mitigate it.  However, the problem can be resolved from the Tomcat side by a configuration change, adding parameters to catalina.sh.

     

    See "In Tomcat environment, SMSESSION cookie is not decode by WebAgent".

    Thanks,

     

    Hongxu



  • 3.  Re: Double-quoted SMSESSION value

    Posted Sep 07, 2016 06:48 AM

    Hi Hongxu,

    first of all, thanks for your reply and your suggestion; after adding the stated parameter to the Tomcat startup script, the SMSESSION cookie value is no longer set with double quotes.

     

    Does anybody know which Tomcat versions are affected by the behaviour described?

     

    Thanks,

    Daniele



  • 4.  Re: Double-quoted SMSESSION value

    Posted Feb 26, 2018 01:13 PM

    Hi Hongxu,

    We are having the exact same issue in our Cloud environment. We are running Tomcat 8.x with moneta boot (spring boot wrapper) ver 1.5.2-RELEASE.

     

    JAVA_OPTS="$JAVA_OPTS -Dorg.apache.catalina.STRICT_SERVLET_COMPLIANCE=true"
    JAVA_OPTS="$JAVA_OPTS -Dorg.apache.tomcat.util.http.ServerCookie.ALLOW_EQUALS_IN_VALUE=true"

     

    Unfortunately the issue was not resolved. Any other suggestions regarding the issue? Thanks in advance.

     

    ~Praveen