SecurID® Governance & Lifecycle Knowledge Base
Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID Governance & Lifecycle experts.
Article Number
000032536
Applies To
RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.0.0
RSA Version/Condition: 7.0.0
Issue
When attempting to View, Download or Delete an existing Aveksa Statistics Report (ASR) (Admin > System > Diagnostics tab), the options fail with:
Image description
Image description
The aveksaServer.log file ($AVEKSA_HOME/wildfly/standalone/log/aveksaServer.log) reports the following security exception:
Please refer to RSA Knowledge Base Article 000030327 -- Artifacts to gather in RSA Identity Governance & Lifecycle to find the location of the aveksaServer.log file for your specific deployment, if you are on a WildFly cluster or a non-WildFly platform. The aveksaServer.log may also be downloaded from the RSA Identity Governance & Lifecycle user interface (Admin > System > Server Nodes tab > under Logs.)
Image descriptionRequest Error
The request could not be handled
The request could not be handled
Image descriptionThe aveksaServer.log file ($AVEKSA_HOME/wildfly/standalone/log/aveksaServer.log) reports the following security exception:
02/09/2016 14:56:45.574 ERROR (default task-59) [com.aveksa.gui.core.MainManager] 10.XXX.X.XX invalid request:
https://hostname:port/aveksa/main?ReqType=Dialog&PageID=DownloadSystemReportDialogData&BreadcrumbLevel=0&Action=New&SYSTEM_REPORT_NAME=DEV+SYSTEM+ 1_Aveksa_Statistics_Report.20160208.130639
02/09/2016 14:56:45.583 INFO (NotificationConsumer:AdminException) [com.aveksa.server.workflow.notification.NotificationEngine] Starting method=run subTask=Processing Event NotificationEvent[WorkflowEvent[id = 152 creationDate = Tue Feb 09 14:56:45 CST 2016 eventState = New eventType = NewAdminExceptionEvent] notificationObjectId = 2611 notificationObjectType = AdminException]
02/09/2016 14:56:45.659 INFO (NotificationConsumer:AdminException) [com.aveksa.server.workflow.notification.NotificationEngine] Starting method=run subTask=Processing Event NotificationEvent[WorkflowEvent[id = 153 creationDate = Tue Feb 09 14:56:45 CST 2016 eventState = New eventType = NewAdminNotificationEvent] notificationObjectId = 2611 notificationObjectType = AdminException]
02/09/2016 14:56:48.142 ERROR (default task-60) [com.aveksa.gui.core.GuiFramework] Unsafe characters detected in URL parameters. Possible XSS attack.:
Login ID: abc123
Request: https://hostname:port/aveksa/main?
ReqType=Dialog&PageID=DownloadSystemReportDialogData&BreadcrumbLevel&Action&New&SYSTEM_REPORT_NAME=DEV+SYSTEM+1_Aveksa_Statistics_Report.20160208.130639
ReqType=Dialog&PageID=DownloadSystemReportDialogData&BreadcrumbLevel&Action&New&SYSTEM_REPORT_NAME=DEV+SYSTEM+1_Aveksa_Statistics_Report.20160208.130639
Invalid string: SYSTEM_REPORT_NAME
com.aveksa.server.core.SecurityException: Unsafe characters detected in URL parameters. Possible XSS attack.
https://hostname:port/aveksa/main?ReqType=Dialog&PageID=DownloadSystemReportDialogData&BreadcrumbLevel=0&Action=New&SYSTEM_REPORT_NAME=DEV+SYSTEM+ 1_Aveksa_Statistics_Report.20160208.130639
02/09/2016 14:56:45.583 INFO (NotificationConsumer:AdminException) [com.aveksa.server.workflow.notification.NotificationEngine] Starting method=run subTask=Processing Event NotificationEvent[WorkflowEvent[id = 152 creationDate = Tue Feb 09 14:56:45 CST 2016 eventState = New eventType = NewAdminExceptionEvent] notificationObjectId = 2611 notificationObjectType = AdminException]
02/09/2016 14:56:45.659 INFO (NotificationConsumer:AdminException) [com.aveksa.server.workflow.notification.NotificationEngine] Starting method=run subTask=Processing Event NotificationEvent[WorkflowEvent[id = 153 creationDate = Tue Feb 09 14:56:45 CST 2016 eventState = New eventType = NewAdminNotificationEvent] notificationObjectId = 2611 notificationObjectType = AdminException]
02/09/2016 14:56:48.142 ERROR (default task-60) [com.aveksa.gui.core.GuiFramework] Unsafe characters detected in URL parameters. Possible XSS attack.:
Login ID: abc123
Request: https://hostname:port/aveksa/main?
ReqType=Dialog&PageID=DownloadSystemReportDialogData&BreadcrumbLevel&Action&New&SYSTEM_REPORT_NAME=DEV+SYSTEM+1_Aveksa_Statistics_Report.20160208.130639
ReqType=Dialog&PageID=DownloadSystemReportDialogData&BreadcrumbLevel&Action&New&SYSTEM_REPORT_NAME=DEV+SYSTEM+1_Aveksa_Statistics_Report.20160208.130639
Invalid string: SYSTEM_REPORT_NAME
com.aveksa.server.core.SecurityException: Unsafe characters detected in URL parameters. Possible XSS attack.
Please refer to RSA Knowledge Base Article 000030327 -- Artifacts to gather in RSA Identity Governance & Lifecycle to find the location of the aveksaServer.log file for your specific deployment, if you are on a WildFly cluster or a non-WildFly platform. The aveksaServer.log may also be downloaded from the RSA Identity Governance & Lifecycle user interface (Admin > System > Server Nodes tab > under Logs.)
Cause
This is a known issue reported in engineering tickets ACM-55821 and ACM-61116.
RSA Identity Governance & Lifecycle 7.0 has additional protection against cross-site scripting (XSS) attacks as compared to previous versions. Because of this, special characters such as spaces are no longer allowed in the report name of the ASR.
This issue occurs if you are on RSA Identity Governance & Lifecycle 7.0 or higher and have an Environment Name defined with special characters such as spaces. Environment Names are defined by going to Admin > System > Settings tab > Edit > Environment > Name field. The default name of the ASR has no special characters. However, when an Environment Name is set for the system, the Environment Name is prefixed to the ASR name. If the Environment Name has special characters, than the ASR name has special characters and this failure occurs.
In the following example, the Environment Name has spaces: .
Image description
Previously the Environment Name was VCD. Note in the example below, one report name has spaces (DEV SYSTEM 1) and one report does not (VCD). The report with spaces in the report name cannot be viewed, downloaded or deleted.
Image description
RSA Identity Governance & Lifecycle 7.0 has additional protection against cross-site scripting (XSS) attacks as compared to previous versions. Because of this, special characters such as spaces are no longer allowed in the report name of the ASR.
This issue occurs if you are on RSA Identity Governance & Lifecycle 7.0 or higher and have an Environment Name defined with special characters such as spaces. Environment Names are defined by going to Admin > System > Settings tab > Edit > Environment > Name field. The default name of the ASR has no special characters. However, when an Environment Name is set for the system, the Environment Name is prefixed to the ASR name. If the Environment Name has special characters, than the ASR name has special characters and this failure occurs.
In the following example, the Environment Name has spaces: .
Image descriptionPreviously the Environment Name was VCD. Note in the example below, one report name has spaces (DEV SYSTEM 1) and one report does not (VCD). The report with spaces in the report name cannot be viewed, downloaded or deleted.
Image descriptionResolution
This issue is resolved in the following RSA Identity Governance & Lifecycle versions and patch levels:
- RSA Identity Governance & Lifecycle 7.0.0 P02
- RSA Identity Governance & Lifecycle 7.0.1
Workaround
As a workaround, ensure the Environment Name has no special characters and generate a new ASR.
- Modify/remove the Environment Name.
- In the user interface go to Admin > System > Settings tab.
- Choose Edit > Scroll down to Environment.
- Modify the Name to remove special characters or delete the contents of the Name field.
- Generate a new ASR.
- In the user interface go to Admin > System > Diagnostics tab > Create Report.
- Once the report has completed, try to View, Download, or Delete the report.
In this article
