Reading HTTP Headers set by Oracle Access Manager.

Headers returned to the target application after authentication and authorization by Oracle Access Manager are significant, so we must also be aware of which browsers are supported to test this and watch for header variables.

So far I was under the impression that we could see the HTTP headers using the IE HTTP Headers tool to read the header variables set by OAM, but this proved to be wrong.

All you can see with IE HTTP Headers are cookies, redirection URLs, etc.

To try that, you can download the IE HTTP Headers tool here (ieHTTPHeadersSetup.exe).

By using this, you can inspect what happens internally when you access a protected resource: what URL is constructed, where the redirection happens, etc.

This is very useful for testing purposes. You may also look at the IE Watch tool. I have tested it personally in Mozilla, where we have Live HTTP Headers available as an add-on plugin, and this also does not show the headers.

In the case of the IE browser, although you will not be able to view headers in the IE HTTP Headers tool, you can still use the code below to fetch headers in the target application:

    String userid = request.getHeader("HTTP_REMOTE_USERID");

HTTP_REMOTE_USERID is the header variable defined in Authorization actions. Here, I am returning the userid of a user from OAM; you can return any other variables as you wish.

I would summarize like this:

Though you are not able to view headers using the IE HTTP Headers tool, you can use the above code to fetch the headers in the target application. This is applicable irrespective of the authentication scheme used, whether Basic Over LDAP or Form Based Authentication.
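
An added example, not code from the original post: a diagnostic servlet for a test environment that prints the request headers as the target application receives them, since the header variables are added to the request passed to the application rather than to what the browser sees. The class name OamHeaderDumpServlet, the 403 response when the header is missing, and the redaction of Cookie and Authorization values are assumptions of this example, which also assumes the javax.servlet API (Servlet 3.0 or later).

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Collections;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (hypothetical class name); deploy behind the protected resource in a test environment only.
public class OamHeaderDumpServlet extends HttpServlet {

    // Header name from the article; it must match the name defined in the Authorization actions.
    private static final String USER_HEADER = "HTTP_REMOTE_USERID";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String userid = request.getHeader(USER_HEADER);
        boolean present = userid != null && !userid.trim().isEmpty();

        // Assumption of this example: treat a missing user header as "not authorized".
        response.setStatus(present ? HttpServletResponse.SC_OK : HttpServletResponse.SC_FORBIDDEN);
        response.setContentType("text/plain;charset=UTF-8");
        PrintWriter out = response.getWriter();

        out.println(present ? USER_HEADER + " = " + userid
                            : USER_HEADER + " is not present on this request");

        // List every header the application received, so the policy's header variables can be checked.
        out.println("--- request headers as received by the application ---");
        for (String name : Collections.list(request.getHeaderNames())) {
            for (String value : Collections.list(request.getHeaders(name))) {
                out.println(name + ": " + redact(name, value));
            }
        }
    }

    // Session cookies and credentials should not end up on a test page or in logs.
    private static String redact(String name, String value) {
        if ("cookie".equalsIgnoreCase(name) || "authorization".equalsIgnoreCase(name)) {
            return "<redacted, " + value.length() + " chars>";
        }
        return value;
    }
}
```

Because the application accepts this header as the user's identity, it should only be reachable through the web server that enforces the OAM policy.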

    These are my personal opinions and do not reflect the views of Oracle.

    About the Author Mahendra

    I am engulfed in the Oracle Identity & Access Management domain. I have expertise in providing optimized solutions for user provisioning, web access management, Single Sign-On, federation capabilities, etc. I am also well versed in complex integrations within Identity Management and other product domains. I have expertise in building demos and implementation experience with the products Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory, etc. Look @ my blog: http://talkidentity.blogspot.com


    2 comments
    purva says May 3, 2013

    Hi,

    How can we verify the “session” policy responses created by OAM?

    Thanks,
    Purva

    Alaa says January 11, 2014

    It seems I missed something.
    I already created a protected resource policy, added responses (simple header variable: $user.userid), and applied the changes.

    I installed “live HTTP headers” on the client machine to view the header in Firefox.
    Then called the protected resource.

    Returning to “live HTTP headers” and investigating all the output, unfortunately, there was no “HTTP_OAM_USERID” shown in the list.

    What did I miss here??
    Should I do more configuration to Webgate or something??

    Thanks
