An error code is sent to a Cams web agent to give additional context about
an error that has occurred within a Cams web agent. The error code is displayed
both on the configured Cams error page and in the cams-webagent.log
file. Table 1 shows the error codes in numerical order and classified by:
| Code |
Description |
| 5000 |
Authentication failed
The Cams web agent attempted to authenticate a user but the request failed
due to an unknown error. The Cams web agent trace log and/or a Cams policy
server trace log for the associated security domain should contain additional
information.
|
| 5001 |
Could not find the authentication service
The Cams client does not have a required authentication service. For
Java-based Cams web agents, this service name and implementation are configured
in cams-webagent.conf. For native
code Cams web agents, the service is included in the Cams client library.
|
| 5002 |
Invalid HTTP method for authentication
Cams web agents only support POST requests for authentication requests.
A non-POST HTTP request was received by a Cams web agent for the URI configured
for user authentication.
|
| 5003 |
Query parameter cams_security_domain
is invalid
An authentication request was received by a Cams web agent, but the required
cams_security_domain parameter
is missing, empty or invalid. A dynamic login page that does not correctly
use the Cams cams_security_domain
provided to it by a Cams web agent may be the cause.
NOTE: The login page should receive this value
as a query parameter and store it in a hidden field named cams_security_domain.
When the associated HTML form is posted during authentication, this parameter
will be sent with the authentication request.
|
| 5004 |
Query parameter cams_login_config
is invalid
An authentication request was received by a Cams web agent, but the required
cams_login_config parameter is
missing, empty or invalid. A dynamic login page that does not correctly
use the Cams cams_login_config
provided to it by a Cams web agent may be the cause.
NOTE: The login page should receive this value
as a query parameter and store it in a hidden field named cams_login_config.
When the associated HTML form is posted during authentication, this parameter
will be sent with the authentication request.
|
| 5005 |
The access control rule protecting the Cams login page is invalid
The Cams policy server denied access to the login page because the access
control policy requires authentication. Authentication cannot occur unless
the login page is presented to the user, without authentication. For example,
the following access-control-policy.xml
would cause this error to display:
...
<permission desc="Cams login, error and denied pages" actions="">
<resource-pattern id="*://*:*/cams/*"/>
<acr-ref id="require authentication"/>
</permission>
...
<auth-acr id="cams administrator rule">
<role-constraint>
<role-name>everyone</role-name>
</role-constraint>
</auth-acr>
...
In this case, if the Cams login page URL is:
https://www.myhost.com/cams/login.jsp
the access control policy will deny access unless the user is authenticated.
The Cams web agent will attempt to redirect the user's browser to the
login page, but access will once again be denied by the access control
policy. To avoid infinite redirection, the Cams web agents detects this
case. To fix the problem, either grant access to the Cams login page or
limit access to it using a rule that does not require authentication,
such as an IP address rule.
|
| 5006 |
Could not determine the security domain name
An AUTOLOGIN cookie is being removed because the name value is malformed.
Specifically, it does not contain a security domain name field.
|
| 5100 |
Access control failed
The Cams web agent attempted to execute an access control check, but
it failed due to an unknown error. The Cams web agent trace log and/or
a Cams policy server trace log for the associated security domain should
contain additional information.
|
| 5101 |
Could not find the access control service
The Cams client does not have a required access control service. For
Java-based Cams web agents, this service name and implementation are configured
in cams-webagent.conf. For native
code Cams web agents, the service is included in the Cams client library.
|
| 5102 |
Invalid resource request type
The Cams web agent made an access control request for an unknown resource
type. Cams web agents only make access control requests for resources
of type cams or http.
|
| 5103 |
Access to the denied page was denied
The user was redirected to the Cams web agent access
denied page, but was denied access to the page. The access control
policy should unconditionally grant access to the denied
page.
|
| 5104 |
Access to the error page was denied
The user was redirected to the Cams web agent error
page, but was denied access to the page. The access control policy should
unconditionally grant access to the error
page.
|
| 5105 |
Unknown access control response
An unknown access control response status code was received from the Cams
policy server. |
| 5200 |
Session access failed
The Cams web agent's attempt to access an authenticated user's session
failed due to an error in the Cams session access service.
|
| 5201 |
Could not find the session access service
The Cams client does not have a required session-access service. For
Java-based Cams web agents, this service name and implementation are configured
in cams-webagent.conf. For native
code Cams web agents, the service is included in the Cams client library.
|
| 5202 |
General transport error
An error occurred when the Cams web agent attempted to communicate with
the Cams policy server.
|
| 5300 |
Session control failed
The Cams web agent's attempt to logout the user failed due to an error
in the Cams session control service.
|
| 5301 |
Could not find the session control service
The Cams client does not have a required session-control service. For
Java-based Cams web agents, this service name and implementation are configured
in cams-webagent.conf. For native
code Cams web agents, the service is included in the Cams client library.
|
| 5302 |
Could not logout user because session id is invalid
The Cams web agent received a logout request, but no session identifier
was provided. The user may have attempted to logout when not currently
logged in or the logout page did not specify a valid cams_security_domain
query parameter.
|
| 5303 |
Query parameter cams_security_domain
is invalid
The Cams web agent received a cams_security_domain
query parameter value that was invalid, or empty. A misconfigured login
page that either contains a bad hard-coded security domain name or if
a dynamic web page does not properly store the security domain name passed
to it by a Cams web agent may be the cause.
|
| 5304 |
A possible session hijacking attempt occurred: expected hash value does
not match
An session hijacking attempt was detected and thwarted or a possible
Cams web agent misconfiguration resulted in what appeared to be a session
hijacking attempt. If not an actual session hijacking attempt, inconsistent
configuration of session hijacking values for different Cams web agents
may be the cause. Confirm that the following properties have the same
values for all Cams agents:
- cams.session.hijacking.protection.enable
- cams.session.hijacking.protection.algorithm
- cams.session.hijacking.protection.salt
|
| 5305 |
Session hijacking misconfiguration
Session hijacking protection is not enabled for this Cams web agent,
but appears to be enabled for another Cams web agent in the same Cams
cluster. Confirm that the following properties have the same values for
all Cams web agents:
- cams.session.hijacking.protection.enable
- cams.session.hijacking.protection.algorithm
- cams.session.hijacking.protection.salt
|
| 5306 |
Session hijacking misconfiguration
Session hijacking protection is enabled for this Cams web agent agent,
but appears not to be enabled for another Cams web agent in the same Cams
cluster. Confirm that the following properties have the same values for
all Cams web agents:
- cams.session.hijacking.protection.enable
- cams.session.hijacking.protection.algorithm
- cams.session.hijacking.protection.salt
|
| 5400 |
Multiple redirect obligations
The Cams web agent was sent more than one redirect obligation by the
Cams policy server for a single access control response. To avoid situations
where the Cams web agent would need to decide which redirect to send to
the browser, the Cams web agent rejects access control responses that
include more than one obligation redirect. Check the access control policy
to correct the rule that is sending a multiple redirect obligation.
|
| 5401 |
Obligation not supported
The Cams web agent was sent an obligation that is not supported. Check
the release notes to verify the obligation support level for this Cams
web agent.
|
| 5402 |
Missing obligation attribute value
The Cams web agent was sent an HTTP redirect obligation but did not specify
the URL for the redirect.
|
| 5405 |
Internal obligation attribute value handling error
An internal Cams web agent error occurred while attempting to handle
an obligation attribute value. A pointer was NULL when not expected.
|