How to protect Apache Shindig application using Oracle Access Manager 11g

Apache shindig is one of the famous gadget applications used accross various social sites. The technology used in the backend for this shindig application is XML/JS/CSS/HTML. The front end application page will be html and gadgets are available in the format of XML embedded in html.

The shindig application URL looks like http://host:port/ShindigApp/index.htm. The Shindig application is deployed in Tomcat front ended by Apache Server. We installed a OAM 10g WebGate on Apache server and protected the above URL. Upon accessing the application it is redirecting to page where it shows “404 page not found”. It is imperative that in OAM 11g, webgates have DenyOnNotProtected value set to true by default there by all unprotected URLs will be denied with access.

So I have used headers tool to find more specifics.

The Apache Shindig application calls js URL internally while loading the application. The URL looks like

../gadgets/js/shindig-container?:rpc.js?c=1&debug=1

The Shindig is loading the rpc.js which is not present in the shindig application – so I can’t make it out where exactly it is picking up. Upon googling I found that this is normal behavior of shindig while loading gadgets.

So I have specified this URL as resource and save the resource. Since the URL has ../ the policy manager got corrupted and console was showing null entries for all policies.

I am petrified with this. Atlast we have recovered the policy manager back to working state by some sql scripts – this is a topic for another day.

So the choice to unprotecting shindig URLs is faded out. So I have tried setting DenyOnNotProtected flag to false and reconfigured webgate and I am able to access the OAM protected shindig application well.

Hope this is useful.

About the Author Mahendra

I am engulfed in Oracle Identity & Access Management domain. I have expertise on providing the optimized solutions for user provisioning, web access management, Single Sign-On and federation capabilities etc., I am also well versed with complex integrations within Identity Management and other product domains. I have expertise on building demos and implementation experience on products Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory etc., Look @ my blog: http://talkidentity.blogspot.com

Leave a Comment:

1 comments
» How to pass OAM ObSSOCookie in OAM authorization actions Online Apps DBA: One Stop Shop for Apps DBA’s says May 4, 2012

[…] We have a shindig application protected by OAM 11g using an Apache 10g WebGate. Please refer my previous post on how to protect Apache Shindig application using OAM […]

Reply
Add Your Reply

Not found