Hi all,
This post will cover an important caveat of Oracle Access Manager with Form Based authentication when there are multiple web servers in your architecture resulting into multiple redirections.
Lets say the architecture has components WebServer1, WebServer2, WebServer3 and Oracle Access Manager.
Lets assume WebServer1 is used as reverse proxy server, WebServer2 is where a web application is deployed and WebServer3 is where the form login page is residing.
Ideally in a real time project, we would place form login page in a centralized location. (Please write your queries in comments if you want to know why this?)
Here, the OAM WebGates will be installed on WebServer1(Reverse Proxy server) and WebServer3 (Form login page resides here). (Also, the form action will be protected by Anonymous Authentication Scheme) . Lets assume, the application deployed in WebServer2 is protected in OAM by a policy domain with resource host identifier as Reverse Proxy WebServer1 (not WebServer2 ****** This is important to remember).
Generally, you will add Header variables to return to the protected application in Authorization & Authentication Actions. (I will cover the caveats with Authentication Actions in a separate post). This means, the authorization actions gets executed after the Authorization is performed by OAM.
In this case, when the user access the protected application through Proxy server WebServer1, the webgate intercepts and redirects to WebServer3 displaying the form login page. User enters the credentials and lets assume OAM authenticates it and authorization actions are executed. Now the WebGate on WebServer3 will redirect to the WebServer1 with the cookie created and header variables set.
The WebServer1 will inturn redirect it to the WebServer2 where the actual resource is located.
Hence, you can observe multiple re-directions happening and there is a possibility of headers being lost when it finally reaches the protected application.
Workaround:
This is just a temporary workaround to overcome this issue.
In general you would have passed the header variable as shown below.
HeaderType HeaderName HeaderAttribute
HeaderVar HTTP_REMOTE_UID uid
You will need to define a Cookie instead of HeaderVar in Authorization Actions as shown below.
HeaderType HeaderName HeaderAttribute
Cookie HTTP_REMOTE_UID uid
You can observe the uid value as a cookie instead of header variable and this will be persistent in session regardless of multiple re-directions.
You will also need to modify your protected application to fetch the UID from a cookie instead of header variable.
Please check the post for the code you need to embed in protected application to fetch cookie and security loopholes of this approach.
Helpful Docs:
Metalink Note: 403280.1
I am engulfed in Oracle Identity & Access Management domain. I have expertise on providing the optimized solutions for user provisioning, web access management, Single Sign-On and federation capabilities etc., I am also well versed with complex integrations within Identity Management and other product domains. I have expertise on building demos and implementation experience on products Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory etc., Look @ my blog: http://talkidentity.blogspot.com