How to read the OAM ObSSOCookie through JavaScript

We have a Shindig application protected by OAM 11g using an Apache 10g WebGate. Please refer to my previous post on how to protect an Apache Shindig application using OAM 11g.

It is very common to pass user attributes to the application in authorization responses, as headers or cookies. However, we have a requirement to read the ObSSOCookie itself, the session cookie that OAM creates after authentication.

There are real drawbacks to reading the OAM cookie from script, and it is not advisable: the ObSSOCookie is the user's SSO session token, and once it is readable by script, any script running in the page, including script injected through a cross-site scripting flaw, can read and exfiltrate it. We will take up that topic in another post.

We wrote a simple JavaScript routine that reads cookies from document.cookie; every cookie except the OAM cookie was readable. The reason is that the WebGate sets ObSSOCookie with the HttpOnly attribute, which browsers honour by hiding the cookie from script. We used the following change to overcome this:

  1. Log in to the OAM console.
  2. Go to Policy Configuration > Authentication Schemes and open the form-based authentication scheme (we are using form login).
  3. Add the parameter ssoCookie=disablehttponly to the Challenge Parameters field.
  4. Apply the changes.

By default OAM 10g and 11g protect the OAM cookie through the authentication scheme: the challenge parameter ships as ssoCookie=httponly. An HttpOnly cookie is still sent by the browser with every request to the server, but the browser refuses to expose it through document.cookie, so neither your own script nor injected script can read it. That is the correct setting for a production environment. Changing the parameter to ssoCookie=disablehttponly drops the HttpOnly attribute from the Set-Cookie header, and is acceptable only in a low-security environment.

After that, once the WebGate issues a fresh cookie (log out and log in again, since a cookie already stored with HttpOnly keeps that attribute until it is re-issued), the ObSSOCookie shows up in document.cookie and can be read from JavaScript like any other cookie.
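The following is an added example, not code from the original post, that shows why the cookie was invisible and what changes after the challenge parameter is altered. It parses Set-Cookie headers the way a browser stores them and builds the string script would get back from document.cookie; HttpOnly cookies are still sent to the server but are filtered out of that string. The Set-Cookie headers, cookie values and the example.com domain are constructed placeholders, not real OAM output. In a real page you would call getCookie('ObSSOCookie', document.cookie).

```javascript
// Added example (not the post's own code): how HttpOnly decides whether a
// cookie is visible to document.cookie. All cookie values below are
// constructed placeholders, not real ObSSOCookie values.

// Parse one Set-Cookie header into { name, value, attrs }. Attribute names
// are lower-cased; flag attributes such as HttpOnly and Secure become true.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = parts[0].slice(0, eq).trim();
  const value = parts[0].slice(eq + 1).trim();
  const attrs = {};
  for (const p of parts.slice(1)) {
    const i = p.indexOf('=');
    const key = (i === -1 ? p : p.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : p.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Build the string a browser returns from document.cookie for a set of
// stored cookies. HttpOnly cookies are sent with every request to the server
// but are never exposed to script, so they are dropped here.
function scriptVisibleCookies(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !c.attrs.httponly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Read one cookie by name from a document.cookie-style string. Returns the
// raw value, or null when the cookie is absent (which is exactly what script
// sees for an HttpOnly cookie).
function getCookie(name, cookieString) {
  for (const pair of cookieString.split(';')) {
    const trimmed = pair.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf('=');
    const n = eq === -1 ? trimmed : trimmed.slice(0, eq);
    if (n === name) return eq === -1 ? '' : trimmed.slice(eq + 1);
  }
  return null;
}

// Constructed headers as a WebGate might send them with the default
// ssoCookie=httponly challenge parameter ...
const DEFAULT_HEADERS = [
  'ObSSOCookie=exampleSessionToken123; path=/; domain=.example.com; HttpOnly',
  'JSESSIONID=abc123; path=/shindig',
];
// ... and after the parameter is changed to ssoCookie=disablehttponly.
const DISABLED_HEADERS = [
  'ObSSOCookie=exampleSessionToken123; path=/; domain=.example.com',
  'JSESSIONID=abc123; path=/shindig',
];

// Returns what getCookie sees for ObSSOCookie in both configurations.
function demo() {
  const before = getCookie('ObSSOCookie', scriptVisibleCookies(DEFAULT_HEADERS));
  const after = getCookie('ObSSOCookie', scriptVisibleCookies(DISABLED_HEADERS));
  return { before, after };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo()); // { before: null, after: 'exampleSessionToken123' }
}
```

The filter in scriptVisibleCookies is the whole story: the HttpOnly attribute does not stop the cookie being used for SSO, it only removes it from the surface that script (and therefore an XSS payload) can reach, which is why the default should stay in place wherever the cookie protects anything of value.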

About the Author: Mahendra

I am engulfed in the Oracle Identity & Access Management domain. I have expertise in providing optimized solutions for user provisioning, web access management, single sign-on and federation capabilities, and I am also well versed in complex integrations between Identity Management and other product domains. I have expertise in building demos and implementation experience on Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory and others. Look at my blog: http://talkidentity.blogspot.com


1 comment

Alaa says, January 12, 2014:

I have a question regarding passing user attributes in authorization actions as headers.

After defining the resource, protecting it, and setting the responses (as headers), what should I do to read these responses in the Apache server?

As an application behind the OAM server, we need to know the identity of the user to do further actions. Right now, the application can't know who the user is?

many thanks.
