ratclma

Issue with CommandServlet


Alex,
Thanks for the input. I have it working now but I had to remove
forwardURL=<RETURN_URL> from the command servlet URL, as SSPR reported a
5075 error and the SSPR log showed similar to below, so maybe that
doesn't work with CommandServlet?
2016-02-05T09:53:40Z, ERROR, filter.SessionFilter, {4r} 5075
ERROR_REDIRECT_ILLEGAL (unable to parse url: Illegal character in path
at index 0: <RETURN_URL>) [xx.xxx.xxx.xx]
2016-02-05T09:53:40Z, ERROR, http.PwmRequest, {4r} 5075
ERROR_REDIRECT_ILLEGAL (unable to parse url: Illegal character in path
at index 0: <RETURN_URL>) [xx.xxx.xxx.xx]
If I set the Login Redirect URL setting to just
https://some.company.biz.biz/sspr/pr...on=checkExpire then it will work,
and if the user is in the warning period they'll be shown the warning
screen with a Skip option, and Skip takes them to where they were going;
if the password is expired or just about to expire they get the Expired
password page where they're required to set the new password. If they
have plenty of time left they are redirected to where they were going.
So that's all good.

However, we have 3 different domain URLs, https://some.company.biz,
https://some.other.biz and https://some.third.biz (the apps behind these
URLs are located in the same place; it's just that we brand the pages
differently). We've created separate reverse proxies for the 3 company
URLs. As SSPR is protected by NAM and the application URL in the config
needs to be an FQDN URL, whereas before it could be a relative path, how
do I achieve the following:
application URL=https://some.company.biz, but the user works for one of
the other companies in the group and so accesses https://some.other.biz.
I can configure the contract for https://some.other.biz to have a Login
Return
URL=https://some.company.biz.biz/sspr/private/CommandServlet?processAction=checkExpire
but that will mean he will need to log in again, as SSPR will not be
using the contract for https://some.other.biz.
I tried configuring a proxy service and protected resource for SSPR on
the https://some.other.biz reverse proxy and providing Login Return
URL=https://some.other.biz/sspr/private/CommandServlet?processAction=checkExpire
but that just leads to a 5075 error as below:
2016-02-05T07:48:29Z, ERROR, filter.SessionFilter, {4n} 5075
ERROR_REDIRECT_ILLEGAL (https://some.other.biz is not a match for any
configured redirect whitelist, see setting: Settings → Security → Web
Security → Redirect Whitelist) [xx.xxx.xxx.xx]
So do I need to add a whitelist entry, or have I done something wrong?
Thanks
Mark


--
ratclma
------------------------------------------------------------------------
ratclma's Profile: https://forums.netiq.com/member.php?userid=7886
View this thread: https://forums.netiq.com/showthread.php?t=55315

Anonymous_User

Re: Issue with CommandServlet

ratclma wrote:

> Alex,
> Thanks for the input. I have it working now but I had to remove
> forwardURL=<RETURN_URL> from the command servlet URL, as SSPR reported
> a 5075 error and the SSPR log showed similar to below, so maybe that
> doesn't work with CommandServlet?
> 2016-02-05T09:53:40Z, ERROR, filter.SessionFilter, {4r} 5075
> ERROR_REDIRECT_ILLEGAL (unable to parse url: Illegal character in
> path at index 0: <RETURN_URL>) [xx.xxx.xxx.xx]
> 2016-02-05T09:53:40Z, ERROR, http.PwmRequest, {4r} 5075
> ERROR_REDIRECT_ILLEGAL (unable to parse url: Illegal character in
> path at index 0: <RETURN_URL>) [xx.xxx.xxx.xx]
> If I set the Login Redirect URL setting to just
> https://some.company.biz.biz/sspr/pr...on=checkExpire then it will work,
> and if the user is in the warning period they'll be shown the warning
> screen with a Skip option, and Skip takes them to where they were going;
> if the password is expired or just about to expire they get the Expired
> password page where they're required to set the new password. If they
> have plenty of time left they are redirected to where they were going.
> So that's all good.
>
> However, we have 3 different domain URLs, https://some.company.biz,
> https://some.other.biz and https://some.third.biz (the apps behind
> these URLs are located in the same place; it's just that we brand the
> pages differently). We've created separate reverse proxies for the 3
> company URLs. As SSPR is protected by NAM and the application URL in
> the config needs to be an FQDN URL, whereas before it could be a
> relative path, how do I achieve the following:
> application URL=https://some.company.biz, but the user works for one of
> the other companies in the group and so accesses https://some.other.biz.
> I can configure the contract for https://some.other.biz to have a
> Login Return
> URL=https://some.company.biz.biz/sspr/private/CommandServlet?processAction=checkExpire
> but that will mean he will need to log in again, as SSPR will not be
> using the contract for https://some.other.biz.


It should be possible to configure this the way you want.

Are you using different contracts in different places or the same
contract overall?

Are you using realms or have you configured the trust all contracts
with same level option?

> I tried configuring a proxy service and protected resource for SSPR on
> the https://some.other.biz reverse proxy and providing Login Return
> URL=https://some.other.biz/sspr/private/CommandServlet?processAction=checkExpire
> but that just leads to a 5075 error as below:
> 2016-02-05T07:48:29Z, ERROR, filter.SessionFilter, {4n} 5075
> ERROR_REDIRECT_ILLEGAL (https://some.other.biz is not a match for any
> configured redirect whitelist, see setting: Settings → Security → Web
> Security → Redirect Whitelist) [xx.xxx.xxx.xx]
> So do I need to add a whitelist entry, or have I done something wrong?
> Thanks


I always recommend that you create a whitelist entry; this supports a
regular expression, so it should be simple enough to create a single
whitelist entry for all your domains. This is a safer and more secure
configuration.

ratclma

Re: Issue with CommandServlet


Alex McHugh;264996 Wrote:
> ratclma wrote:
>
> > Alex,
> > Thanks for the input. I have it working now but I had to remove
> > forwardURL=<RETURN_URL> from the command servlet URL, as SSPR reported
> > a 5075 error and the SSPR log showed similar to below, so maybe that
> > doesn't work with CommandServlet?
> > 2016-02-05T09:53:40Z, ERROR, filter.SessionFilter, {4r} 5075
> > ERROR_REDIRECT_ILLEGAL (unable to parse url: Illegal character in
> > path at index 0: <RETURN_URL>) [xx.xxx.xxx.xx]
> > 2016-02-05T09:53:40Z, ERROR, http.PwmRequest, {4r} 5075
> > ERROR_REDIRECT_ILLEGAL (unable to parse url: Illegal character in
> > path at index 0: <RETURN_URL>) [xx.xxx.xxx.xx]
> > If I set the Login Redirect URL setting to just
> > https://some.company.biz.biz/sspr/pr...on=checkExpire then it will
> > work, and if the user is in the warning period they'll be shown the
> > warning screen with a Skip option, and Skip takes them to where they
> > were going; if the password is expired or just about to expire they
> > get the Expired password page where they're required to set the new
> > password. If they have plenty of time left they are redirected to
> > where they were going. So that's all good.
> >
> > However, we have 3 different domain URLs, https://some.company.biz,
> > https://some.other.biz and https://some.third.biz (the apps behind
> > these URLs are located in the same place; it's just that we brand the
> > pages differently). We've created separate reverse proxies for the 3
> > company URLs. As SSPR is protected by NAM and the application URL in
> > the config needs to be an FQDN URL, whereas before it could be a
> > relative path, how do I achieve the following:
> > application URL=https://some.company.biz, but the user works for one
> > of the other companies in the group and so accesses
> > https://some.other.biz.
> > I can configure the contract for https://some.other.biz to have a
> > Login Return
> > URL=https://some.company.biz.biz/sspr/private/CommandServlet?processAction=checkExpire
> > but that will mean he will need to log in again, as SSPR will not be
> > using the contract for https://some.other.biz.
>
> It should be possible to configure this the way you want.
>
> Are you using different contracts in different places or the same
> contract overall?
>
> Are you using realms or have you configured the trust all contracts
> with same level option?
>
> > I tried configuring a proxy service and protected resource for SSPR
> > on the https://some.other.biz reverse proxy and providing Login Return
> > URL=https://some.other.biz/sspr/private/CommandServlet?processAction=checkExpire
> > but that just leads to a 5075 error as below:
> > 2016-02-05T07:48:29Z, ERROR, filter.SessionFilter, {4n} 5075
> > ERROR_REDIRECT_ILLEGAL (https://some.other.biz is not a match for any
> > configured redirect whitelist, see setting: Settings → Security → Web
> > Security → Redirect Whitelist) [xx.xxx.xxx.xx]
> > So do I need to add a whitelist entry, or have I done something wrong?
> > Thanks
>
> I always recommend that you create a whitelist entry; this supports a
> regular expression, so it should be simple enough to create a single
> whitelist entry for all your domains. This is a safer and more secure
> configuration.


Alex,

Thanks for your tip. I added a whitelist entry for the identity server
URL https://login.some.company.biz/nidp/idff/sso, which resolved the 5075
errors. Should I also include whitelist entries for the 3 domains
https://some.company.biz, https://some.other.biz and
https://some.third.biz?
Thanks
Mark
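An added example, not SSPR's or NetIQ's code, modelling the two checks behind the 5075 ERROR_REDIRECT_ILLEGAL messages in this thread and Alex's regex-whitelist suggestion: the forward URL must parse before it is compared against the Redirect Whitelist, and a single anchored pattern covering the three branded domains (Mark's follow-up question) also rejects look-alike hosts. The whitelist entries, the use of re.search for matching, and the reason strings are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Characters RFC 3986 allows in a URL. '<' and '>' are not among them, which is why
# a literal "<RETURN_URL>" placeholder fails with "Illegal character ... at index 0".
_URL_CHARS = re.compile(r"[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*")

# Assumed whitelist: one entry for the identity server SSO URL from the thread and
# one regex covering the three branded domains. Both are anchored to the origin, so
# a look-alike host such as https://some.other.biz.unrelated.example is rejected.
REDIRECT_WHITELIST = [
    r"^https://login\.some\.company\.biz/nidp/idff/sso(\?.*)?$",
    r"^https://(some\.company|some\.other|some\.third)\.biz(/.*)?$",
]

# A deliberately sloppy entry, kept only to show what an unanchored pattern lets through.
LOOSE_WHITELIST = [r"some\.(company|other|third)\.biz"]


def check_redirect(url, whitelist=REDIRECT_WHITELIST):
    """Return (allowed, reason); reason mirrors the two 5075 messages in the thread.

    Patterns are applied with re.search (an assumption of this example), so an
    entry is only safe when it is anchored to the start of the URL.
    """
    if not _URL_CHARS.fullmatch(url):
        bad = next(i for i, c in enumerate(url) if not _URL_CHARS.fullmatch(c))
        return False, f"unable to parse url: Illegal character at index {bad}"
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        return False, "unable to parse url: absolute https URL required"
    if any(re.search(pattern, url) for pattern in whitelist):
        return True, "ok"
    origin = f"{parts.scheme}://{parts.netloc}"
    return False, f"{origin} is not a match for any configured redirect whitelist"


if __name__ == "__main__":
    for url in (
        "https://some.other.biz/sspr/private/CommandServlet?processAction=checkExpire",
        "<RETURN_URL>",
        "https://some.other.biz.unrelated.example/",
        "https://unrelated.example/?next=some.other.biz",
    ):
        print(url, check_redirect(url), check_redirect(url, LOOSE_WHITELIST))
```

The last sample URL is accepted by the loose entry and rejected by the anchored one, which is the difference between a whitelist and an open redirect.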
