Friday, January 16, 2015

OAM 11.1.2.2.0 Custom Login Form

Good afternoon to everyone,

Today I'm sharing a fresh finding and hope it helps you save time and keep your sanity (I almost lost mine).
It cost me a couple of days of hard digging and log analysis, and I had to write a simple application just to check session status.

After a successful Oracle OAM and Tivoli Access Manager (TAM) integration (I'm going to post about it sometime), the development team faced the next challenge. For security reasons we have no access to the TAM server, so federation works only for external clients. To provide access for both teams I used a new OAM 11.1.2.2.0 feature, Advanced Authentication Policy Rules. We decided to separate authentication schemes by browser type: if a user accesses a protected resource with the Google Chrome browser, OAM uses the local form-based authentication scheme; otherwise the request is redirected to the federation plug-in (TAM SSO).
The screenshot below shows the advanced rule edit form.


A simple but effective way to build two-factor or more sophisticated resource protection schemes. A detailed description and samples can be found in the OAM documentation here.
So far so good: identity federation works, advanced rules work like a charm, custom forms appear and behave as expected, but the result is very well known to everyone who deals with OAM/Webgates.


After log analysis and brainstorming I realized the authentication doesn't match the authentication request. That means something is wrong with the login application, which was confusing because the very same application works with OAM 11gR1.
I'll skip the log mining, documentation sifting and JSP analysis, so here is the gem:
For previous OAM versions it was enough to send the request id together with the username and password. OAM 11.1.2.2.0 requires the authentication token as well. Unfortunately our login page sent request_id only; the code below shows how it has to look (the additional lines are the ones handling reqToken).

<!-- skipped JSP & HTML header (the page imports for GenericConstants and CSSUtil live there) -->
<%
String reqId = null;
String reqToken = null;
// The request id is set as a request attribute by the OAM server when it forwards to the login page.
if( reqId == null && request.getAttribute( GenericConstants.REQUEST_ID ) != null )
{
    reqId = ( String )request.getAttribute( GenericConstants.REQUEST_ID );
}
reqId = CSSUtil.escapeHtmlFull( reqId );
// Additional line for OAM 11.1.2.2.0: the authentication token arrives as a request parameter
// and must be posted back together with the request id. It is escaped the same way as reqId
// because it is reflected into an HTML attribute below.
reqToken = CSSUtil.escapeHtmlFull( request.getParameter( GenericConstants.AM_REQUEST_TOKEN_IDENTIFIER ) );
%>
<form id="loginData" action="/oam/server/auth_cred_submit" method="post" name="loginData" >
<!-- Skipped form declaration and decoration -->
  <input type="hidden" name="<%=GenericConstants.REQUEST_ID%>" value="<%=reqId%>"/>
  <!-- Additional line: the token field OAM 11.1.2.2.0 expects alongside the request id -->
  <input type="hidden" name="<%=GenericConstants.AM_REQUEST_TOKEN_IDENTIFIER%>" value="<%=reqToken%>"/>
</form>
<!-- skipped JSP & HTML footers -->
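
To confirm that a custom login page really emits both fields before it goes live, here is an added check script (not part of the original post, nor OAM's own code): it parses the rendered form posting to /oam/server/auth_cred_submit and lists the hidden fields OAM 11.1.2.2.0 needs that are absent or empty. The literal parameter names request_id and OAM_REQ are assumptions for the values of GenericConstants.REQUEST_ID and GenericConstants.AM_REQUEST_TOKEN_IDENTIFIER, and the sample forms are constructed.

```python
"""Check a rendered OAM custom login page for the hidden fields OAM needs.

Constructed example. Parameter names are assumptions: "request_id" for
GenericConstants.REQUEST_ID and "OAM_REQ" for
GenericConstants.AM_REQUEST_TOKEN_IDENTIFIER.
"""
from html.parser import HTMLParser

REQUIRED_HIDDEN = ("request_id", "OAM_REQ")   # assumed literal values
CRED_SUBMIT = "/oam/server/auth_cred_submit"  # form action from the post


class LoginFormParser(HTMLParser):
    """Collects hidden inputs inside the form that posts to auth_cred_submit."""

    def __init__(self):
        super().__init__()
        self.in_target_form = False
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action") == CRED_SUBMIT:
            self.in_target_form = True
        elif tag == "input" and self.in_target_form and a.get("type") == "hidden":
            self.hidden[a.get("name", "")] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_target_form = False


def check_login_form(html):
    """Return the required hidden fields that are missing or have an empty value."""
    p = LoginFormParser()
    p.feed(html)
    return [name for name in REQUIRED_HIDDEN if not p.hidden.get(name)]


# Constructed samples: the 11gR1-style form (request id only) and the fixed one.
OLD_FORM = ('<form action="/oam/server/auth_cred_submit" method="post">'
            '<input name="request_id" value="123" type="hidden"/></form>')
NEW_FORM = ('<form action="/oam/server/auth_cred_submit" method="post">'
            '<input name="request_id" value="123" type="hidden"/>'
            '<input name="OAM_REQ" value="tok" type="hidden"/></form>')

if __name__ == "__main__":
    print("old form missing:", check_login_form(OLD_FORM))  # ['OAM_REQ']
    print("new form missing:", check_login_form(NEW_FORM))  # []
```

An empty token value counts as missing, which is exactly what the page saw when the form shipped with request_id only.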

Now it works, and if your login form already carries the token you will never face this issue.
If not, read my post and save time for the upcoming l-o-o-o-ong beautiful weekend.

Enjoy and take care.
