
Logout Redirect Fails When Containing '@' Or Other Special Characters (Doc ID 2036821.1)

Last updated on SEPTEMBER 06, 2018

Applies to:

Oracle Access Manager - Version 11.1.2.2.2 and later
Information in this document applies to any platform.

Symptoms

When a Logout Redirect URL or end_url parameter containing an '@' sign is used, the user is redirected to the default OAM logout page instead of the expected end_url. For example:

https://oamserver.oracle.com/oam/server/logout?end_url=https://applicationserver.oracle.com/server.pt?testparam=test@oracle.com

<Sep 4, 2018 12:55:55 PM EDT> <Warning> <ExampleApplication:IntrusionDetector> <BEA-000000> <[SECURITY FAILURE Anonymous:null@unknown -> /ExampleApplication/IntrusionDetector] Invalid input: context=successurl, type(RELATIVE_URL)=^\/[0-9a-zA-Z]([-.\w]*[0-9a-zA-Z])*(:(0-9)*)*(\/?)([a-zA-Z0-9\-\.\?\,\:\'\/\\\+=&%\$#_]*)?$, input=/oam/server/logout?successurl=https://applicationserver.oracle.com/server.pt?testparam=test@oracle.com
org.owasp.esapi.errors.ValidationException: successurl: Invalid input. Please conform to regex ^\/[0-9a-zA-Z]([-.\w]*[0-9a-zA-Z])*(:(0-9)*)*(\/?)([a-zA-Z0-9\-\.\?\,\:\'\/\\\+=&%\$#_]*)?$ with a maximum length of 2048
at org.owasp.esapi.reference.validation.StringValidationRule.checkWhitelist(StringValidationRule.java:144)
at org.owasp.esapi.reference.validation.StringValidationRule.checkWhitelist(StringValidationRule.java:160)
at org.owasp.esapi.reference.validation.StringValidationRule.getValid(StringValidationRule.java:284)
at org.owasp.esapi.reference.DefaultValidator.getValidInput(DefaultValidator.java:213)
at org.owasp.esapi.reference.DefaultValidator.getValidInput(DefaultValidator.java:185)
at oracle.security.am.common.utilities.esapi.impl.ESAPIImpl.getValidInput(ESAPIImpl.java:183)
at oracle.security.am.common.utilities.esapi.ESAPIWrapper.getValidInput(ESAPIWrapper.java:108)
at oracle.security.am.common.utilities.css.XSSFilter.sanitizeURLInput(XSSFilter.java:290)
at oracle.security.am.pbl.transport.http.HTTPTransportHandler.getParameterValues(HTTPTransportHandler.java:346)
at oracle.security.am.pbl.transport.TransportContext.getParameterValue(TransportContext.java:137)
at oracle.security.am.pbl.protocol.plugin.oam.DirectAuthenticationRequestHandler.doProcess(DirectAuthenticationRequestHandler.java:113)
at oracle.security.am.pbl.protocol.plugin.oam.DirectAuthenticationRequestHandler.process(DirectAuthenticationRequestHandler.java:84)
at oracle.security.am.pbl.PBLFlowManager.handleBaseEvent(PBLFlowManager.java:139)
at oracle.security.am.pbl.PBLFlowManager.processRequest(PBLFlowManager.java:108)
at oracle.security.am.pbl.transport.http.AMServlet.handleRequest(AMServlet.java:222)
at oracle.security.am.pbl.transport.http.AMServlet.doPost(AMServlet.java:178)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
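The stack trace shows the redirect value being rejected by an ESAPI whitelist rule (StringValidationRule.checkWhitelist) before OAM ever processes the logout. The following is an added example, not Oracle's or ESAPI's code: it re-implements that check in Python using the exact RELATIVE_URL regex and 2048 maximum length printed in the log, so an administrator can test a candidate end_url offline and see which character the whitelist refuses. The function names and the constructed inputs are assumptions of this example; the log's "&amp;" is read as the literal "&" that the HTML page escaped. The example also shows that the regex itself admits '%', so a percent-encoded '@' satisfies the pattern; whether OAM decodes the value before validating it is not covered on this page.

```python
import re
import string

# Whitelist regex exactly as printed in the ESAPI ValidationException above.
# Note the ESAPI quirk: "(0-9)" is a literal group, not a character class.
RELATIVE_URL_PATTERN = re.compile(
    r"^\/[0-9a-zA-Z]([-.\w]*[0-9a-zA-Z])*(:(0-9)*)*(\/?)"
    r"([a-zA-Z0-9\-\.\?\,\:\'\/\\\+=&%\$#_]*)?$",
    re.ASCII,  # Java's \w is ASCII-only by default; match that behaviour
)
MAX_LENGTH = 2048  # "with a maximum length of 2048" in the log

# Characters the trailing group of the regex accepts; anything outside this
# set (such as '@') can never appear after the host/path prefix.
TAIL_ALLOWED = set(string.ascii_letters + string.digits + "-.?,:'/\\+=&%$#_")


def is_valid_relative_url(value):
    """Mimic StringValidationRule.checkWhitelist: full match plus length bound.

    Java's Matcher.matches() requires the whole input to match, so
    re.fullmatch is used rather than re.match.
    """
    if len(value) > MAX_LENGTH:
        return False
    return RELATIVE_URL_PATTERN.fullmatch(value) is not None


def rejected_chars(value):
    """Return [(index, char), ...] for every character the whitelist cannot accept.

    Useful when triaging a SECURITY FAILURE line: it names the offending
    character instead of just reporting that the regex did not match.
    """
    return [(i, c) for i, c in enumerate(value) if c not in TAIL_ALLOWED]


def check_logout_request(path_and_query):
    """Summarise the whitelist outcome for one OAM request line (constructed helper)."""
    return {
        "input": path_and_query,
        "valid": is_valid_relative_url(path_and_query),
        "rejected": rejected_chars(path_and_query),
    }


# Constructed sample: the exact input string quoted in the log above.
FAILING_INPUT = (
    "/oam/server/logout?successurl="
    "https://applicationserver.oracle.com/server.pt?testparam=test@oracle.com"
)

# Constructed sample: the same request with '@' percent-encoded as %40.
ENCODED_INPUT = FAILING_INPUT.replace("@", "%40")


if __name__ == "__main__":
    for sample in (FAILING_INPUT, ENCODED_INPUT):
        result = check_logout_request(sample)
        print(f"valid={result['valid']} rejected={result['rejected']}")
        print(f"  {sample}")
```

Running the block reports the '@' at its position in the failing request and an empty rejection list for the percent-encoded variant; the regex check is the only thing being modelled here, not OAM's subsequent handling of the redirect.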


Changes

 

Cause




