Tuesday, March 8, 2011

HTTP Basic authentication in OAM 11g

Hi everyone, this is my first posting so I wanted to first introduce myself. My name is Vinay Kalra and I'm also part of the A-team at Oracle. I came to Oracle in 2005 as part of the Oblix acquisition that brought with it Oracle Access Manager (OAM).

From Brian:  Welcome Vinay!  I'm adding this post to the OAM 11g Academy Series.  To view the first post in the series which will be updated throughout to contain links to the entire series, click here: http://fusionsecurity.blogspot.com/2011/02/oracle-access-manager-11g-academy.html

So let's get started...

The Problem:
As I was playing with OAM 11g, I came across an issue with protecting a resource using Basic Authentication. The Basic authentication dialog box did show up; however, my credentials failed. Not only that, after the first attempt, all subsequent attempts were coming from the WebLogic Server, not OAM's Basic authentication.

First attempt, notice that the site description is 'OAM 11g'.



When I entered my credentials as testuser1/welcome1, it failed and again prompted for a password. Notice that the site description is now 'Weblogic Server'.




The OAM server logs revealed that it could not find the user's (testuser1) DN:

####<Mar 7, 2011 2:32:09 PM PST> <Debug> <SecurityAtn> <vk3-iam.us.oracle.com> <oam_server1> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <11d1def534ea1be0:2428bd9f:12e920267a3:-8000-0000000000000062> <1299537129287> <BEA-000000> <getDNForUser search("ou=people,ou=myrealm,dc=IdM_Domain", "(&(uid=testuser1)(objectclass=person))", base DN & below)>

####<Mar 7, 2011 2:32:09 PM PST> <Debug> <SecurityAtn> <vk3-iam.us.oracle.com> <oam_server1> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <11d1def534ea1be0:2428bd9f:12e920267a3:-8000-0000000000000062> <1299537129287> <BEA-000000> <DN for user testuser1: null>

Well, first off, the filter and the search base were incorrect. I had configured my user store to point to Oracle Internet Directory (OID), which had a different search base. The search base here was coming from WebLogic's embedded LDAP. Keep in mind that this worked perfectly with OAM's LDAP Authentication, which is form-based authentication. So why didn't OAM Basic Authentication work?



The Solution:
As you may be aware, OAM 11g now sits on top of the WebLogic platform, so an extra step is required to get 'Basic' authentication to work. The issue is that all HTTP Basic Authentication traffic will be intercepted by WebLogic and not passed through to the OAM Server application.

The solution is to add the 'enforce-valid-basic-auth-credentials' tag to the config.xml file located under /user_projects/domains/<MyDomain>/config/. The tag must be inserted within the <security-configuration> tag as follows:

<enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>

With this setting, WebLogic will not validate the Basic Authentication credentials coming from the browser and will pass the request through to the application. This setting will affect the entire domain, so be aware!
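Because the setting applies to the whole domain, it helps to be able to check which domains carry it. The following Python check is an added example, not code from the original post or from Oracle: it reads the text of a domain's config.xml and reports whether WebLogic still validates Basic credentials itself. The function name, result labels and sample fragments are constructed for illustration, and an absent tag is treated as WebLogic's default of enforcing validation.

```python
import xml.etree.ElementTree as ET

TAG = "enforce-valid-basic-auth-credentials"
PARENT = "security-configuration"

# Constructed sample fragments (not from a real domain). The check ignores
# XML namespaces, so the xmlns value here does not affect the result.
NS = 'xmlns="http://xmlns.oracle.com/weblogic/domain"'
SAMPLE_DEFAULT = (f"<domain {NS}><security-configuration>"
                  f"<name>IdM_Domain</name></security-configuration></domain>")
SAMPLE_DISABLED = (f"<domain {NS}><security-configuration><name>IdM_Domain</name>"
                   f"<{TAG}>false</{TAG}></security-configuration></domain>")
SAMPLE_MISPLACED = (f"<domain {NS}><{TAG}>false</{TAG}>"
                    f"<security-configuration/></domain>")


def local(tag):
    """Strip an XML namespace: '{ns}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def basic_auth_setting(config_xml):
    """Classify how a domain config.xml handles HTTP Basic credentials.

    'container-enforced'    : WebLogic validates them (tag absent or true)
    'passed-to-application' : tag is false inside <security-configuration>
    'misplaced'             : tag present, but not under that parent
    """
    root = ET.fromstring(config_xml)
    placed, stray = [], []
    for parent in root.iter():
        for child in parent:
            if local(child.tag) == TAG:
                bucket = placed if local(parent.tag) == PARENT else stray
                bucket.append(child)
    if not placed:
        return "misplaced" if stray else "container-enforced"
    value = (placed[0].text or "").strip().lower()
    return "passed-to-application" if value == "false" else "container-enforced"


if __name__ == "__main__":
    for name in ("SAMPLE_DEFAULT", "SAMPLE_DISABLED", "SAMPLE_MISPLACED"):
        print(name, "->", basic_auth_setting(globals()[name]))
```

A result of 'passed-to-application' means every application deployed in that domain receives Basic Authentication headers unvalidated by the container, not only the OAM Server.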

Ideally, I would not recommend that customers use Basic Authentication in a production environment, but for a quick test to validate an OAM policy, no problem. Actually, now in 11g there are OOTB login forms (try LDAP Authentication), so there is no need to even test with Basic Authentication. I guess old habits are hard to break.

Here is a link that discusses the tag in more detail:
http://fusionsecurity.blogspot.com/2009/09/another-reason-why-people-dont-really.html

Thanks to my colleague Chris Johnson for helping me figure this out!


3 comments:

  1. Thanks Vinay, Very useful post. Would like to see more on integration of OAM 11g with Fusion Middleware/E-Business Suite.

    Regards
    Atul Kumar
    http://onlineAppsDBA.com

  2. I was struggling with this issue till I found this post.
    Thanks Vijay.

    Abhi
