Header variables not set in IE browser: Oracle Access Manager

Hi all,

This post will cover an important caveat of Oracle Access Manager with Form Based authentication when there are multiple web servers in your architecture resulting into multiple redirections.

Lets say the architecture has components WebServer1, WebServer2, WebServer3 and Oracle Access Manager.

Lets assume WebServer1 is used as reverse proxy server, WebServer2 is where a web application is deployed and WebServer3 is where the form login page is residing.

Ideally in a real time project, we would place form login page in a centralized location. (Please write your queries in comments if you want to know why this?)

Here, the OAM WebGates will be installed on WebServer1(Reverse Proxy server) and WebServer3 (Form login page resides here). (Also, the form action will be protected by Anonymous Authentication Scheme) . Lets assume, the application deployed in WebServer2 is protected in OAM by a policy domain with resource host identifier as Reverse Proxy WebServer1 (not WebServer2 ****** This is important to remember).

Generally, you will add Header variables to return to the protected application in Authorization & Authentication Actions.  (I will cover the caveats with Authentication Actions in a separate post). This means, the authorization actions gets executed after the Authorization is performed by OAM.

In this case, when the user access the protected application through Proxy server WebServer1,  the webgate intercepts and redirects to WebServer3 displaying the form login page. User enters the credentials and lets assume OAM authenticates it and authorization actions are executed. Now the WebGate on WebServer3 will redirect to the WebServer1 with the cookie created and header variables set.

The WebServer1 will inturn redirect it to the WebServer2 where the actual resource is located.

Hence, you can observe multiple re-directions happening and there is a possibility of headers being lost when it finally reaches the protected application.

Workaround: 

This is just a temporary workaround to overcome this issue.

In general you would have passed the header variable as shown below.

HeaderType                       HeaderName                         HeaderAttribute
HeaderVar                          HTTP_REMOTE_UID                uid
You will need to define a Cookie instead of HeaderVar in Authorization Actions as shown below.

HeaderType                       HeaderName                         HeaderAttribute

Cookie                                  HTTP_REMOTE_UID                uid

You can observe the uid value as a cookie instead of header variable and this will be persistent in session regardless of multiple re-directions.
You will also need to modify your protected application to fetch the UID from a cookie instead of header variable.

Please check the post for the code you need to embed in protected application to fetch cookie and security loopholes of this approach.

Helpful Docs:

Metalink Note: 403280.1

About the Author Mahendra

I am engulfed in Oracle Identity & Access Management domain. I have expertise on providing the optimized solutions for user provisioning, web access management, Single Sign-On and federation capabilities etc., I am also well versed with complex integrations within Identity Management and other product domains. I have expertise on building demos and implementation experience on products Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory etc., Look @ my blog: http://talkidentity.blogspot.com

Leave a Comment:

6 comments
» Fetch userid from custom cookie from HTTP session: Oracle Access Manager Online Apps DBA: One Stop Shop for Apps DBA’s says July 14, 2010

[…] Manager Posted in July 14th, 2010 byMahendra in idm, oam  Print This Post Please refer the post for more details why do we need to fetch the userid attribute value from a Cookie instead of Header […]

Reply
Shilu says July 15, 2010

One issue I see in this implementation is the target app should validate the source before accepting the cookie if not there could be a security breach.

Reply
Mahendra says July 15, 2010

Hi Shilu,

Please refer the post that describes the loopholes of this approach.

http://onlineappsdba.com/index.php/2010/07/14/fetch-userid-from-custom-cookie-from-http-session-oracle-access-manager/

I have already pointed the pitfall of this.

Reply
prashant says July 29, 2010

Hi Mahendra,

I am sending action type as propertyname through OAM. But how to retrive the value from custom TAI connector which we developed for websphere. Is there any class or function. Can you please help me to resolve this issue.

Thanks and Regards,
Prashant

Reply
Mahendra says July 29, 2010

Prashant,

AFAIK, we can send action type as either HeaderVar or Cookie in OAM actions. When you say property name, is it either of those?

Mahendra.

Reply
jj says June 12, 2013

Hi Mahendra,
You have mentioned about “caveats with Authentication Actions” , in a separate post.
Can you please provide with the link for the post.Need to know the caveats.

Thanks.

Reply
Add Your Reply