Request URI xxx targeted by xxx not found in allowed delegator list


We recently reinstalled our TEST Luminis environment at version IV.0.2. I spent some time configuring it today and noticed I was getting this error in cp.log:

[2008-04-10 13:32:19,808] [ERROR](RefererFilter.java:416) {http-80-Processor23} [com.pipeline.web.RefererFilter]: "Request URI /cp/alert/as targeted by 192.168.XX.XX not found in allowed delegator list. Rejecting request from Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13 user-agent.

Strange thing though, I only got this message when running Firefox. With IE6 or Safari3, it worked fine. When I tried to access the Admin page, I got more of the same error (Firefox only again):

[2008-04-10 13:32:24,184] [ERROR](RefererFilter.java:416) {http-443-Processor23} [com.pipeline.web.RefererFilter]: "Request URI /jsp/admin/AdminTopnav.jsp targeted by 192.168.59.52 not found in allowed delegator list. Rejecting request from Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13 user-agent.
This was repeated for /jsp/admin/menu.jsp and /cp/user/body

I found defect 3FEQC6 on the Sungard customer support center and followed those directions, which involved adding another line to the RefererFilter.properties file and recompiling cp.jar. This resolved the first error, but not the others (when I try to access the admin screen).

Another thing that confuses me -- this does not happen in production, which is at the same Luminis version. For now, I'll just use IE or Safari when I need to access the admin items.

Comments


Similar

We ran into something similar (same error) and SunGard told us to set:

configman -s com.pipeline.web.RefererFilter.enabled false

com.pipeline.web.RefererFilter.enabled false

Thanks for the info.

com.pipeline.web.RefererFilter.enabled was not set when I checked our environment. I went ahead and set it to false, restarted, and still get the same behavior.

Same story here

We ran into this issue in production when a user would try to access the portal. The message we received in the logs was the same as above, but it would occur when clicking on an SSO icon.

After doing some research, the allowed delegator list looks to be part of the attempt Sungard made to reduce the risk of cross site scripting. As requests are made, the "white list" is checked before the request is served.

There is a configuration option to disable the XSS security features, but what it is escapes me at the moment. The post above does look very familiar, however.

work around

We had a similar issue, and got the following workaround from Sungard Support:

(1) get the last value set for the unenforcedURI list count:
configman -g dispatch.policy.host.unEnforcedURI.count

(2) set dispatch.policy.host.unEnforcedURI.count=[last count from step 1 + 1].
For example if the result from (1) “configman -g dispatch.policy.host.unEnforcedURI.count” is 39, then you would set the following:
configman -s dispatch.policy.host.unEnforcedURI.count 40

(3) Add the URL from the error in your cp.log file to your dispatch.policy.
Note: The URLs that are added should be relative to the app context (meaning, they are all relative to /cp, and so none of them will start with "/cp"). An * at the end of the URL will capture any similar looking paths - the * is treated as a wildcard.
configman -s dispatch.policy.host.unEnforcedURI.

E.g. The error above shows this URL: '/cp/home/login/auth' hence you would set it like this:
configman -s dispatch.policy.host.unEnforcedURI.40 /home/login/auth*

I hope that would solve your problem as it resolved ours, and we keep using this procedure whenever that error comes again.

Yasser
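
The workaround above, worked through as an added example (not part of any post in this thread, and not SunGard's code): it pulls the rejected URIs out of cp.log lines in the format quoted in the question and prints the matching configman commands for review instead of running them. The function names, the sample log lines and the handling of several URIs in one pass are assumptions; only `configman -s` and the `dispatch.policy.host.unEnforcedURI` keys come from the thread.

```python
import re
import shlex

# Constructed sample in the cp.log format quoted in the thread; IPs and user-agent are placeholders.
SAMPLE_LOG = """\
[2008-04-10 13:32:19,808] [ERROR](RefererFilter.java:416) {http-80-Processor23} [com.pipeline.web.RefererFilter]: "Request URI /cp/alert/as targeted by 192.0.2.10 not found in allowed delegator list. Rejecting request from ExampleAgent/1.0 user-agent.
[2008-04-10 13:32:20,101] [INFO](Other.java:10) {http-80-Processor2} [com.example.Other]: unrelated line
[2008-04-10 13:32:24,184] [ERROR](RefererFilter.java:416) {http-443-Processor23} [com.pipeline.web.RefererFilter]: "Request URI /jsp/admin/menu.jsp targeted by 192.0.2.10 not found in allowed delegator list. Rejecting request from ExampleAgent/1.0 user-agent.
[2008-04-10 13:32:25,000] [ERROR](RefererFilter.java:416) {http-80-Processor23} [com.pipeline.web.RefererFilter]: "Request URI /cp/alert/as targeted by 192.0.2.11 not found in allowed delegator list. Rejecting request from ExampleAgent/1.0 user-agent.
[2008-04-10 13:32:26,000] [ERROR](RefererFilter.java:416) {http-80-Processor23} [com.pipeline.web.RefererFilter]: "Request URI /cp/user/body targeted by 192.0.2.10 not found in allowed delegator list. Rejecting request from ExampleAgent/1.0 user-agent.
"""

REJECT_RE = re.compile(
    r'\[com\.pipeline\.web\.RefererFilter\]: "?Request URI (\S+) targeted by (\S+) '
    r'not found in allowed delegator list')
# The request URI is client-controlled, so only plain paths are turned into commands.
SAFE_PATH = re.compile(r'^/[A-Za-z0-9_./-]+$')
APP_CONTEXT = "/cp"

def rejected_uris(log_text):
    """Return (under_cp, other): unique rejected URIs in first-seen order.
    under_cp holds paths relative to /cp; other holds everything that needs manual review."""
    under_cp, other = [], []
    for match in REJECT_RE.finditer(log_text):
        uri = match.group(1)
        if uri.startswith(APP_CONTEXT + "/") and SAFE_PATH.match(uri) and ".." not in uri:
            rel = uri[len(APP_CONTEXT):]
            if rel not in under_cp:
                under_cp.append(rel)
        elif uri not in other:
            other.append(uri)
    return under_cp, other

def configman_commands(relative_uris, current_count, wildcard=False):
    """Build the step (2) and step (3) commands; current_count is the value from step (1).
    wildcard=True appends '*', which exempts every path sharing that prefix."""
    cmds, n = [], current_count
    for rel in relative_uris:
        n += 1  # assumption: each extra URI takes the next index, as in the single-URI example
        entry = shlex.quote(rel + "*" if wildcard else rel)  # quoting keeps the shell from globbing '*'
        cmds.append(f"configman -s dispatch.policy.host.unEnforcedURI.count {n}")
        cmds.append(f"configman -s dispatch.policy.host.unEnforcedURI.{n} {entry}")
    return cmds

if __name__ == "__main__":
    paths, review = rejected_uris(SAMPLE_LOG)
    print("\n".join(configman_commands(paths, 39)))
    print("Not under /cp, review by hand:", review)
```

URIs outside /cp, such as the /jsp/admin paths from the question, are only reported, because the thread does not say how they should be entered in the list.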