Viewing, Downloading or Deleting an existing ASR fails with 'The request could not be handled' error in RSA Identity Governance & Lifecycle
Originally Published: 2016-02-10
Article Number
Applies To
RSA Version/Condition: 7.0.0
Issue
Request Error
The request could not be handled
The request could not be handled
The aveksaServer.log file ($AVEKSA_HOME/wildfly/standalone/log/aveksaServer.log) reports the following security exception:
02/09/2016 14:56:45.574 ERROR (default task-59) [com.aveksa.gui.core.MainManager] 10.XXX.X.XX invalid request:
https://hostname:port/aveksa/main?ReqType=Dialog&PageID=DownloadSystemReportDialogData&BreadcrumbLevel=0&Action=New&SYSTEM_REPORT_NAME=DEV+SYSTEM+ 1_Aveksa_Statistics_Report.20160208.130639
02/09/2016 14:56:45.583 INFO (NotificationConsumer:AdminException) [com.aveksa.server.workflow.notification.NotificationEngine] Starting method=run subTask=Processing Event NotificationEvent[WorkflowEvent[id = 152 creationDate = Tue Feb 09 14:56:45 CST 2016 eventState = New eventType = NewAdminExceptionEvent] notificationObjectId = 2611 notificationObjectType = AdminException]
02/09/2016 14:56:45.659 INFO (NotificationConsumer:AdminException) [com.aveksa.server.workflow.notification.NotificationEngine] Starting method=run subTask=Processing Event NotificationEvent[WorkflowEvent[id = 153 creationDate = Tue Feb 09 14:56:45 CST 2016 eventState = New eventType = NewAdminNotificationEvent] notificationObjectId = 2611 notificationObjectType = AdminException]
02/09/2016 14:56:48.142 ERROR (default task-60) [com.aveksa.gui.core.GuiFramework] Unsafe characters detected in URL parameters. Possible XSS attack.:
Login ID: abc123
Request: https://hostname:port/aveksa/main?
ReqType=Dialog&PageID=DownloadSystemReportDialogData&BreadcrumbLevel&Action&New&SYSTEM_REPORT_NAME=DEV+SYSTEM+1_Aveksa_Statistics_Report.20160208.130639
ReqType=Dialog&PageID=DownloadSystemReportDialogData&BreadcrumbLevel&Action&New&SYSTEM_REPORT_NAME=DEV+SYSTEM+1_Aveksa_Statistics_Report.20160208.130639
Invalid string: SYSTEM_REPORT_NAME
com.aveksa.server.core.SecurityException: Unsafe characters detected in URL parameters. Possible XSS attack.
https://hostname:port/aveksa/main?ReqType=Dialog&PageID=DownloadSystemReportDialogData&BreadcrumbLevel=0&Action=New&SYSTEM_REPORT_NAME=DEV+SYSTEM+ 1_Aveksa_Statistics_Report.20160208.130639
02/09/2016 14:56:45.583 INFO (NotificationConsumer:AdminException) [com.aveksa.server.workflow.notification.NotificationEngine] Starting method=run subTask=Processing Event NotificationEvent[WorkflowEvent[id = 152 creationDate = Tue Feb 09 14:56:45 CST 2016 eventState = New eventType = NewAdminExceptionEvent] notificationObjectId = 2611 notificationObjectType = AdminException]
02/09/2016 14:56:45.659 INFO (NotificationConsumer:AdminException) [com.aveksa.server.workflow.notification.NotificationEngine] Starting method=run subTask=Processing Event NotificationEvent[WorkflowEvent[id = 153 creationDate = Tue Feb 09 14:56:45 CST 2016 eventState = New eventType = NewAdminNotificationEvent] notificationObjectId = 2611 notificationObjectType = AdminException]
02/09/2016 14:56:48.142 ERROR (default task-60) [com.aveksa.gui.core.GuiFramework] Unsafe characters detected in URL parameters. Possible XSS attack.:
Login ID: abc123
Request: https://hostname:port/aveksa/main?
ReqType=Dialog&PageID=DownloadSystemReportDialogData&BreadcrumbLevel&Action&New&SYSTEM_REPORT_NAME=DEV+SYSTEM+1_Aveksa_Statistics_Report.20160208.130639
ReqType=Dialog&PageID=DownloadSystemReportDialogData&BreadcrumbLevel&Action&New&SYSTEM_REPORT_NAME=DEV+SYSTEM+1_Aveksa_Statistics_Report.20160208.130639
Invalid string: SYSTEM_REPORT_NAME
com.aveksa.server.core.SecurityException: Unsafe characters detected in URL parameters. Possible XSS attack.
Please refer to RSA Knowledge Base Article 000030327 -- Artifacts to gather in RSA Identity Governance & Lifecycle to find the location of the aveksaServer.log file for your specific deployment, if you are on a WildFly cluster or a non-WildFly platform. The aveksaServer.log may also be downloaded from the RSA Identity Governance & Lifecycle user interface (Admin > System > Server Nodes tab > under Logs.)
Cause
RSA Identity Governance & Lifecycle 7.0 has additional protection against cross-site scripting (XSS) attacks as compared to previous versions. Because of this, special characters such as spaces are no longer allowed in the report name of the ASR.
This issue occurs if you are on RSA Identity Governance & Lifecycle 7.0 or higher and have an Environment Name defined with special characters such as spaces. Environment Names are defined by going to Admin > System > Settings tab > Edit > Environment > Name field. The default name of the ASR has no special characters. However, when an Environment Name is set for the system, the Environment Name is prefixed to the ASR name. If the Environment Name has special characters, than the ASR name has special characters and this failure occurs.
In the following example, the Environment Name has spaces: .
Previously the Environment Name was VCD. Note in the example below, one report name has spaces (DEV SYSTEM 1) and one report does not (VCD). The report with spaces in the report name cannot be viewed, downloaded or deleted.
Resolution
- RSA Identity Governance & Lifecycle 7.0.0 P02
- RSA Identity Governance & Lifecycle 7.0.1
Workaround
- Modify/remove the Environment Name.
- In the user interface go to Admin > System > Settings tab.
- Choose Edit > Scroll down to Environment.
- Modify the Name to remove special characters or delete the contents of the Name field.
- Generate a new ASR.
- In the user interface go to Admin > System > Diagnostics tab > Create Report.
- Once the report has completed, try to View, Download, or Delete the report.
