OAM HTTP Header Variable Names Are URL Encoded (Doc ID 1084809.1)

Last updated on MARCH 08, 2017

Applies to:

COREid Access - Version: 10.1.4 and later [Release: 10g and later]
Information in this document applies to any platform.

Symptoms


When Oracle Access Manager (OAM) sets HTTP header variables as part of authentication or authorization actions, it URL encodes the HTTP header variable names.

This may prevent application code from retrieving the HTTP header variables.

Example of OAM policy authentication or authorization success action return value:

Type        Name          Value
HeaderVar   MyApp Flag1   Set

In the application page there is JSP code which checks for this HTTP Header variable: request.getHeader("MyApp Flag1")

This code does not return any result because OAM sets the header variable name to MyApp%20Flag1.

Steps to reproduce
1. Access OAM-protected application page
2. User is redirected to OAM login page
3. User submits valid credentials and is redirected back to the protected application page
4. Application page fails to display correctly: the expected HTTP header variables are not accessible to the application because OAM has URL encoded the HTTP header names.

If the application code is changed to retrieve the HTTP header variable using the URL encoded name, then the application page displays correctly, e.g. request.getHeader("MyApp%20Flag1").
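
The workaround above as a reusable lookup, added here as an example (it is not code from this note or from OAM). The class and method names are hypothetical, Java 10 or later is assumed, and it is an assumption that OAM encodes characters other than the space the same way standard percent-encoding does; the note only shows the space case.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.TreeMap;
import java.util.function.Function;

public class OamHeaderLookup {

    // Percent-encode a header name so that a space becomes %20, as in the
    // MyApp%20Flag1 case above. URLEncoder does form encoding and emits '+'
    // for a space, so that '+' is rewritten; a literal '+' in the input has
    // already become %2B and is unaffected.
    static String encodeName(String name) {
        return URLEncoder.encode(name, StandardCharsets.UTF_8).replace("+", "%20");
    }

    // Look the header up under the name configured in the OAM policy, then
    // under its encoded form. Only these two exact names are consulted; other
    // incoming header names are never decoded and matched.
    static String get(Function<String, String> getHeader, String policyName) {
        String value = getHeader.apply(policyName);
        if (value != null) {
            return value;
        }
        String encoded = encodeName(policyName);
        return encoded.equals(policyName) ? null : getHeader.apply(encoded);
    }

    public static void main(String[] args) {
        // Constructed sample of what the application receives per the symptom above.
        // Case-insensitive map, matching HttpServletRequest.getHeader semantics.
        Map<String, String> headers = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        headers.put("MyApp%20Flag1", "Set");
        headers.put("Host", "app.example.com");

        // Plain URLEncoder output ("MyApp+Flag1") does not match the OAM form.
        String formEncoded = URLEncoder.encode("MyApp Flag1", StandardCharsets.UTF_8);
        System.out.println("raw name        -> " + headers.get("MyApp Flag1"));
        System.out.println(formEncoded + "     -> " + headers.get(formEncoded));
        System.out.println("OamHeaderLookup -> " + get(headers::get, "MyApp Flag1"));
    }
}
```

In a JSP or servlet the same call is OamHeaderLookup.get(request::getHeader, "MyApp Flag1").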



Cause
