OAM HTTP Header Variable Names Are URL Encoded
(Doc ID 1084809.1)
Last updated on MARCH 05, 2019
Applies to: COREid Access - Version 10.1.4 and later
Information in this document applies to any platform.
When Oracle Access Manager (OAM) sets HTTP header variables as part of authentication or authorization actions, it URL encodes the HTTP header variable names.
This may prevent application code from retrieving the HTTP header variables.
Example of OAM policy authentication or authorization success action return value:
Type       Name         Value
HeaderVar  MyApp Flag1  Set
In the application page there is JSP code which checks for this HTTP Header variable: request.getHeader("MyApp Flag1")
This code does not return any result because OAM sets the header variable name to MyApp Flag1.
Steps to reproduce
1. Access OAM-protected application page
2. User is redirected to OAM login page
3. User submits valid credentials and is redirected back to the protected application page
4. Application page fails to display correctly: expected HTTP header variables are not accessible to the application because OAM has URL encoded the HTTP header names.
If the application code is changed to retrieve the HTTP header variable using the URL encoded name, then the application page displays correctly, e.g. request.getHeader("MyApp Flag1").
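A lookup that tolerates the encoded name, as an added example that is not part of the Oracle note or of OAM: it URL-decodes each received header name and compares the result with the name configured in the policy. The class, the helper and the sample header names are constructed for illustration, and the sample assumes the space arrives percent-encoded.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Hypothetical helper, not OAM or application code.
public class DecodedHeaderLookup {

    // Returns the header name exactly as received whose URL-decoded form equals
    // configuredName (header names are case-insensitive), or null if none does.
    static String findReceivedName(Iterable<String> receivedNames, String configuredName) {
        List<String> matches = new ArrayList<String>();
        for (String received : receivedNames) {
            String decoded;
            try {
                decoded = URLDecoder.decode(received, "UTF-8"); // handles %20 and '+'
            } catch (IllegalArgumentException e) {
                decoded = received; // malformed %xx sequence: compare the raw name
            } catch (UnsupportedEncodingException e) {
                throw new IllegalStateException(e); // UTF-8 is always supported
            }
            if (decoded.equalsIgnoreCase(configuredName)) {
                matches.add(received);
            }
        }
        if (matches.size() > 1) {
            // Two received names decode to the same configured name: refuse to guess.
            throw new IllegalStateException("Ambiguous header name: " + matches);
        }
        return matches.isEmpty() ? null : matches.get(0);
    }

    public static void main(String[] args) {
        // Constructed sample of header names as a servlet container might list them.
        List<String> names = Arrays.asList("Host", "MyApp%20Flag1", "Accept");
        System.out.println(findReceivedName(names, "MyApp Flag1"));
        // In a JSP or servlet:
        //   String n = findReceivedName(Collections.list(request.getHeaderNames()), "MyApp Flag1");
        //   String value = (n == null) ? null : request.getHeader(n);
    }
}
```

Passing the name as received back to request.getHeader keeps the application independent of which encoded form the header arrives in.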