Troubleshooting Tridion Access Management
This section explains ways to resolve problems with Tridion Access Management and applications secured through it.
Firewall blocks Access Management
Some firewall applications include configurable rules for the following types of request patterns, which, when enabled, block Access Management:
- User agent header rules block requests that do not include a user agent header. This rule is not security related, but typically is used for statistical analysis, such as to track which browsers and clients use a certain web service.
- Local File Inclusion (LFI) rules inspect for the presence of Local File Inclusion (LFI) exploits in query arguments, and look for things like path traversal attempts (such as ../../).
- Remote File Inclusion (RFI) rules inspect the values of query parameters and block requests that they interpret to be RFI (Remote File Inclusion) exploits (patterns such as ://).
One firewall application that has such rules is the AWS firewall (WAF), which enables the LFI and RFI rules by default.
When using a firewall that has any of these rules, you need to disable them in the firewall application for Access Management. It is important to note that disabling these checks has no impact on the security of Access Management. In the case of the LFI and RFI rules, the URLs that Access Management passes are for redirection purposes only, and thus the Access Management application itself is not vulnerable to the LFI and RFI exploits.
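As an added example (not part of the original documentation or of the Tridion product), the following AWS WAFv2 web ACL rule fragment shows how the three rule types above can be switched from Block to Count in the AWS Managed Rules Common Rule Set, so that requests to Access Management are no longer blocked but matches still appear in WAF logs and metrics. The rule names NoUserAgent_HEADER, GenericLFI_QUERYARGUMENTS and GenericRFI_QUERYARGUMENTS are the Common Rule Set names as published by AWS at the time of writing and should be verified against the current rule list; the metric name is an assumed placeholder.

```json
{
  "Name": "AWS-AWSManagedRulesCommonRuleSet",
  "Priority": 0,
  "Statement": {
    "ManagedRuleGroupStatement": {
      "VendorName": "AWS",
      "Name": "AWSManagedRulesCommonRuleSet",
      "RuleActionOverrides": [
        {
          "Name": "NoUserAgent_HEADER",
          "ActionToUse": { "Count": {} }
        },
        {
          "Name": "GenericLFI_QUERYARGUMENTS",
          "ActionToUse": { "Count": {} }
        },
        {
          "Name": "GenericRFI_QUERYARGUMENTS",
          "ActionToUse": { "Count": {} }
        }
      ]
    }
  },
  "OverrideAction": { "None": {} },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "CommonRuleSetAccessManagement"
  }
}
```

Using Count rather than removing the rules keeps the redirect URLs that trigger the LFI and RFI signatures visible in the WAF logs, so a genuine traversal or inclusion attempt against another application behind the same web ACL can still be noticed during log review.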