Wednesday, October 20, 2010

OID 11g orclrevpwd

Please be reminded that as of OID 11g (11.1.1.0), you will no longer be able to retrieve the LDAP attribute orclrevpwd via an LDAP query.

There is an erratum in the documentation which states that the attribute is retrievable over LDAP with SSL using mode 2 or 3 (option -U). That is not the case.

Please consider another approach if you need to store a sensitive attribute (e.g. a password) with a symmetric encryption algorithm so that it can be decrypted later. More information can be found in Doc ID 1159893.1 on the support site.

Monday, March 22, 2010

[OAM] Redirection in Custom Authentication Plug-in API

In the Authentication Plug-in API you can set HTTP header variables or cookies, just as you would configure authentication success and failure actions via the Policy Manager UI.

For example, if you are using C# managed code, the program fragment will be something like this:

// On authentication failure (ObAnFailFixedVals), set a cookie and an HTTP header variable to a fixed value
info.get_ActionInfo().SetAction("Cookie:ANResult","NOTALLOWED",IObAuthnPlugin.ActionType.ObAnFailFixedVals);
info.get_ActionInfo().SetAction("HeaderVar:ANResult","NOTALLOWED",IObAuthnPlugin.ActionType.ObAnFailFixedVals);

Using the above code, when authentication fails (ObAnFailFixedVals):
- a cookie ANResult will contain the value "NOTALLOWED"; and
- an HTTP header variable ANResult will contain the value "NOTALLOWED".

In fact, you can also redirect the user to a particular web page (URL) by using the same method (SetAction()) with the first argument "redirectURL", e.g.

// On authentication failure (ObAnFailRedirect), send the user to a site-relative failure page
info.get_ActionInfo().SetAction("redirectURL","/failed.asp",IObAuthnPlugin.ActionType.ObAnFailRedirect);

The above line will redirect the user to /failed.asp if authentication fails.

Friday, March 19, 2010

[WLS] cookie-http-only element in weblogic.xml

Q: The cookie-http-only element is documented for WLS (WebLogic Server) 9.2 and 10.0. Can I use it with 10.3.0 or 10.3.1?

A: The cookie-http-only element makes the session cookie unavailable to browser scripts (it adds the HttpOnly attribute to the cookie). It is one of the session-descriptor elements. It was introduced in WLS 10.3.1 and back-ported to versions 9.2 and 10.0.

For WLS 10.3.0, please log an SR and obtain the patch that enables the element.

Notes:
1. The element is not formally listed in the WLS 10.3.1 documentation.
2. Usage of the element in 10.0 can be found in the documentation.
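As an added example (not from the original post), a minimal WEB-INF/weblogic.xml that enables the element. The namespace shown is the one used by WLS 10.3.x deployment descriptors (9.2 and 10.0 descriptors use the older http://www.bea.com/ns/weblogic/90 namespace), and cookie-secure is included alongside it as the companion flag for applications served only over HTTPS.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example descriptor, not from the original post.
     Place it at WEB-INF/weblogic.xml inside the web application. -->
<weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app">
  <session-descriptor>
    <!-- Name of the session cookie (JSESSIONID is the default) -->
    <cookie-name>JSESSIONID</cookie-name>
    <!-- Mark the session cookie HttpOnly so document.cookie in the browser cannot read it -->
    <cookie-http-only>true</cookie-http-only>
    <!-- Only send the session cookie over HTTPS; set to true only if the app is never served over plain HTTP -->
    <cookie-secure>true</cookie-secure>
  </session-descriptor>
</weblogic-web-app>
```

After redeploying, check the Set-Cookie response header on the first request that creates a session: it should carry the HttpOnly attribute (and Secure, if cookie-secure is set). If it does not, the server version lacks the element and the patch mentioned above is needed.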

Tuesday, January 26, 2010

[OAM] Duplicate Action and Custom Plug-in

In OAM, you can configure how duplicate actions are handled for an authorization rule (details can be found in the OAM documentation).

What is duplicate action?

As mentioned in the documentation, if the action of one rule sets an HTTP header variable to a text string and the action of another rule sets the same variable to a different value, a conflict occurs when both rules return values. The duplicate action setting determines how that conflict is resolved.

A more detailed example:
  • You have a first AuthZ Expression, Allow Everyone, with an Action that returns the value HELLOALL in HTTP_TEST.
  • You have a second AuthZ Expression, Allow Admin, with an Action that returns the value HELLOADMIN in HTTP_TEST.
  • You have an AuthZ Rule in the Policy using (Allow Everyone & Allow Admin).
  • WebGate supports only a single value in a header variable. By default, WebGate returns only the last value. However, you can set the duplicate action to "Ignore Duplicate" so that only the FIRST value is returned (of course, you can also set the duplicate action to "Override" so that only the last instance is returned; if you are using an AccessGate, you can also set it to "Duplicate" to return all values).

What about HTTP headers set by a custom AuthZ plug-in?

Please be reminded that the duplicate action will NOT handle HTTP headers set by a custom AuthZ plug-in (a sample AuthZ plug-in that returns an HTTP header variable can be found in Metalink Doc ID 781073.1).
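The resolution behaviour described in the example above, together with the custom plug-in caveat, as an added illustration that is not part of the original post and not OAM code: a small Python model of the three duplicate-action settings. The rule names, header name and values are the ones from the post; the HeaderAction record and the resolve_headers function are constructed for this example, and the pass-through of plug-in-set headers only encodes the post's statement that the setting does not apply to them, not how a real WebGate merges that output.

```python
"""Model of OAM authorization-rule header actions and the duplicate action
setting.  Added example; the data structures and resolver are constructed for
illustration and are not part of OAM."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class HeaderAction:
    rule: str              # AuthZ expression that produced the value
    header: str            # header variable name, e.g. HTTP_TEST
    value: str
    from_plugin: bool = False   # True when a custom AuthZ plug-in set it


MODES = ("Ignore Duplicate", "Override", "Duplicate")


def resolve_headers(actions: List[HeaderAction], mode: str,
                    accessgate: bool = False) -> Dict[str, List[str]]:
    """Collapse values returned by several rules for the same header.

    Ignore Duplicate -> only the first value is returned
    Override         -> only the last value is returned
    Duplicate        -> all values are returned (AccessGate only)

    Headers set by a custom AuthZ plug-in are not subject to the duplicate
    action setting, so they are returned exactly as the plug-in set them.
    """
    if mode not in MODES:
        raise ValueError(f"unknown duplicate action: {mode}")
    if mode == "Duplicate" and not accessgate:
        raise ValueError('"Duplicate" is only available to an AccessGate')

    rule_values: Dict[str, List[str]] = {}
    plugin_values: Dict[str, List[str]] = {}
    for action in actions:   # preserve rule evaluation order
        bucket = plugin_values if action.from_plugin else rule_values
        bucket.setdefault(action.header, []).append(action.value)

    result: Dict[str, List[str]] = {}
    for header, values in rule_values.items():
        if mode == "Ignore Duplicate":
            result[header] = values[:1]
        elif mode == "Override":
            result[header] = values[-1:]
        else:
            result[header] = list(values)

    # Plug-in output bypasses duplicate-action handling: pass it through untouched.
    for header, values in plugin_values.items():
        result.setdefault(header, []).extend(values)
    return result


# Constructed sample mirroring the post: two expressions writing HTTP_TEST.
SAMPLE = [
    HeaderAction("Allow Everyone", "HTTP_TEST", "HELLOALL"),
    HeaderAction("Allow Admin", "HTTP_TEST", "HELLOADMIN"),
]

if __name__ == "__main__":
    for mode in ("Ignore Duplicate", "Override"):
        print(f"{mode:17} -> {resolve_headers(SAMPLE, mode)}")
    print(f"Duplicate (AccessGate) -> {resolve_headers(SAMPLE, 'Duplicate', accessgate=True)}")
```

The point of the model is the last loop: whatever you configure for duplicate action, a header emitted by a custom plug-in reaches the application unchanged, so a plug-in that writes the same header name as a policy rule must be reviewed on its own rather than relied on to be de-duplicated.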

Disclaimer

This is a personal Blog maintained by Kenneth Heung (the author).

This Blog does not represent the thoughts, intentions, plans or strategies of my employer. It is solely my opinion.

All data and information provided on this Blog is for informational purposes only. The author makes no representations as to accuracy, completeness, currentness, suitability, or validity of any information on this Blog and will not be liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use. All information is provided on an as-is basis.

While every caution has been taken to provide my readers with the most accurate information and honest analysis, please use your discretion before taking any decisions based on the information in this Blog. The author will not compensate you in any way whatsoever if you ever happen to suffer a loss/inconvenience/damage because of/while making use of information in this blog.

Feel free to challenge the author, disagree with the author, or tell the author "He's completely nuts" in the comments section of each blog entry, but the author reserves the right to delete any comment for any reason whatsoever (abusive, profane, rude, or anonymous comments), so keep it polite, please.