numerous HTTP OPTIONS method requests in Jetty log
Losen, Stephen C (scl)
scl at virginia.edu
Fri Apr 5 08:11:13 EDT 2019
Hi folks,
Our security folks want to enable ASM (Application Security) on the F5 BigIP in front of our IDP nodes. We are in the process of whitelisting normal traffic that ASM deems suspicious. ASM is flagging numerous HTTP OPTIONS method requests. Does anyone know why a browser makes such a request?
I see something strange in our Jetty web logs. Occasionally I see dozens of OPTIONS requests from the same client IP to /idp/profile/SAML2/Redirect/SSO, each with a different SAMLRequest, which indicates that the browser is bouncing between the application and the IDP. The IDP returns 403 to the OPTIONS request and apparently the browser goes back to the application, gets a new SAMLRequest, and sends another OPTIONS request to the IDP. However, looping does not always happen; some clients send only one or two OPTIONS requests and also send GET requests that result in successful logins. Most clients do not send any OPTIONS requests.
From our Jetty access.log here is the looping behavior:
172.28.39.113 - - [04/Apr/2019:00:08:15 -0400] "OPTIONS /idp/profile/SAML2/Redirect/SSO?SAMLRequest=jZLBbsIwEER%2FJfKdOA6hTSyCROFQJFoiQnvopXKShVgydup1aPv3DYSqcEGVfFrPzuw%2Be4xirxo%2BbV2t1%2FDRAjrva6808tNFSlqruREokWuxB%2BSu5Pn0aclDP%2BCNNc6URhFvigjWSaNnRmO7B5uDPcgSXtbLlNTONcgptfIgtBaDxlgnlF83pX%2BQdie1FD5ULc1rWRRGgat9REOPMSHNVvmGePNuLqnFMeHPDzu9rBpfOrw26oq0m20rFZxd1lBJC6Wjeb4i3mKekvcCojCO2ZCNkpiF7D7Zbks2jCCpiqhg7K6TIbaw0OiEdikJA5YMgqg7myDiQczZ6I142RnBg9SV1LvbvIpehPxxs8kG%2FWavYPG0VScgk%2FGROj8F24t3uG0rfuGTyX9Rj%2BlFUJ%2Fa8OfOeTHPjJLltzdVynzOLAgHKWGETvqW668y%2BQE%3D&RelayState=ss%3Amem%3A0def8677eedd31afda1965f434f4ee23c99bac4092565ea6efe84ef0b27f42ce HTTP/1.1" 403 0 "https://rivanna-portal.hpc.virginia.edu/pun/sys/dashboard/batch_connect/sessions" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
172.28.39.113 - - [04/Apr/2019:00:08:26 -0400] "OPTIONS /idp/profile/SAML2/Redirect/SSO?SAMLRequest=jZJRb4IwFIX%2FCum7FNEpNELC9GEmbhJhe9jLUtoqTUrLeovb%2Fv1QXDZfzJI%2B3Z57zr1fuwDaqJZknav1Trx3Apz32SgN5HyRoM5qYihIIJo2AohjpMgeNyT0A9Ja4wwzCnkZgLBOGr00GrpG2ELYo2TiebdJUO1cCwRjK49UazpqjXVU%2BXXL%2FKO0B6kl9QXvcFHLqjJKuNoHMPgUE%2BJ8W5TIW%2FVzSU1PCb9%2B0Oslb33p4NqoL%2BJ%2Btr1U4uKyE1xawRwuii3y1qsEvXE2DtiM30XBrGLTMeOTeRxHk3k451G1j%2BJeBtCJtQZHtUtQGIzjUTDtTxlMSRCRcPaKvPyC4F5qLvXhNq9qEAF5KMt8NGz2Iiyct%2BoFKF2cqJNzsP3zDrdt6Q98lP4X9QL%2FCRpSW%2FLUO69XuVGSfXmZUuZjaQV1IkFjhNOh5fqrpN8%3D&RelayState=ss%3Amem%3A7a2deadbb7d084b0520766d0195c947e5330c2240b7eaf0ad7b5cdbe7ff34521 HTTP/1.1" 403 0 "https://rivanna-portal.hpc.virginia.edu/pun/sys/dashboard/batch_connect/sessions" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
172.28.39.113 - - [04/Apr/2019:00:08:37 -0400] "OPTIONS /idp/profile/SAML2/Redirect/SSO?SAMLRequest=jZLNbsIwEIRfJfKdOBB%2BUotESuFQJNoiQnvopXKchVgydup1aPv2NYSqcEGVfFrPzux%2B9hT5XjUsb12t1%2FDRArrga680stNFSlqrmeEokWm%2BB2ROsCJ%2FXLJBGLHGGmeEUSTIEcE6afTMaGz3YAuwByngZb1MSe1cg4xSKw9ca95rjHVchXUjwoO0O6klD6FqaVHLsjQKXB0iGnqMGdDVc7EhwdzPJTU%2FJvz5odfLqgmlw2sjX6R%2Btq1UcHZZQyUtCEeL4pkEi3lK3qvxNtluISnjOOqPqn4iRjCJk3g8FuWwEqWXIbaw0Oi4dikZRP27XjT0ZxMNWZSwePJGgtUZwb3UldS727zKToTsYbNZ9brNXsHiaSsvINn0SJ2dgu3FO9y25b%2FwSfZf1FN6EdSlNuzJOy%2FmK6Ok%2BA5ypcznzAJ3kJI%2BoVnXcv1Vsh8%3D&RelayState=ss%3Amem%3Aafa022d55e005b36548a657f6d00ad289fd5224774c4321a829d6eea2592f2a8 HTTP/1.1" 403 0 "https://rivanna-portal.hpc.virginia.edu/pun/sys/dashboard/batch_connect/sessions" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
... dozens more follow for this client
The SAML requests in this loop come from the same SP and other clients show successful logins to this SP, so I don't think the SP has a problem. I see looping for other SPs. Looks like a browser issue.
This is mostly a curiosity question to help us decide how to configure ASM.
Steve Losen
ITS - Enterprise Infrastructure
University of Virginia
scl at virginia.edu 434-924-0640
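
One way to measure the looping pattern described in the message before deciding how to configure ASM, as an added example that is not part of the original post: it groups OPTIONS requests to the SSO endpoint by client IP and reports clients that sent several different SAMLRequest values in a short window, along with the Referer that triggered them. The function names, the thresholds and the sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

SSO_PATH = "/idp/profile/SAML2/Redirect/SSO"
# NCSA-style access log line: ip, timestamp, request line, status, size, referer
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+(?: "(?P<referer>[^"]*)")?')

def parse(line):
    """Return (ip, time, method, status, SAMLRequest, referer) for SSO hits, else None."""
    m = LINE_RE.match(line)
    if not m or urlsplit(m["target"]).path != SSO_PATH:
        return None
    saml = parse_qs(urlsplit(m["target"]).query).get("SAMLRequest", [""])[0]
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], int(m["status"]), saml, m["referer"] or "-"

def find_options_loops(lines, min_distinct=3, window=timedelta(minutes=5)):
    """Map client IP -> summary for clients that sent at least min_distinct OPTIONS
    requests carrying different SAMLRequest values within one time window."""
    options, gets = defaultdict(list), defaultdict(int)
    for ip, ts, method, status, saml, referer in filter(None, map(parse, lines)):
        if method == "OPTIONS":
            options[ip].append((ts, saml, status, referer))
        elif method == "GET":
            gets[ip] += 1
    loops = {}
    for ip, events in options.items():
        events.sort(key=lambda e: e[0])
        # Largest number of distinct SAMLRequest values seen in any window
        best = max(len({s for t, s, _, _ in events[i:] if t - events[i][0] <= window})
                   for i in range(len(events)))
        if best >= min_distinct:
            loops[ip] = {"distinct_requests": best,
                         "statuses": sorted({e[2] for e in events}),
                         "referers": sorted({e[3] for e in events}),
                         "get_requests": gets[ip]}
    return loops

REQ = ('"{m} /idp/profile/SAML2/Redirect/SSO?SAMLRequest={s}&RelayState=x HTTP/1.1" '
       '{c} 0 "https://sp.example.org/app" "UA"')
SAMPLE = [  # constructed lines: placeholder SAMLRequest values, documentation IPs
    "192.0.2.10 - - [04/Apr/2019:00:08:15 -0400] " + REQ.format(m="OPTIONS", s="REQ1", c=403),
    "192.0.2.10 - - [04/Apr/2019:00:08:26 -0400] " + REQ.format(m="OPTIONS", s="REQ2", c=403),
    "192.0.2.10 - - [04/Apr/2019:00:08:37 -0400] " + REQ.format(m="OPTIONS", s="REQ3", c=403),
    "192.0.2.20 - - [04/Apr/2019:00:09:01 -0400] " + REQ.format(m="OPTIONS", s="REQ4", c=403),
    "192.0.2.20 - - [04/Apr/2019:00:09:02 -0400] " + REQ.format(m="GET", s="REQ5", c=200),
]
```

Grouping the flagged clients by Referer shows which SP pages start the loop, which helps judge whether the OPTIONS traffic ASM flags belongs to normal logins.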