OAM HTTP Header Variable Names Are URL Encoded
Last updated on MARCH 08, 2017
Applies to: COREid Access - Version: 10.1.4
Information in this document applies to any platform.
When Oracle Access Manager (OAM) sets HTTP header variables as part of authentication or authorization actions, it URL encodes the HTTP header variable names.
This may prevent application code from retrieving the HTTP header variables.
Example of OAM policy authentication or authorization success action return value:
Type      | Name        | Value
HeaderVar | MyApp Flag1 | Set
In the application page there is JSP code which checks for this HTTP Header variable: request.getHeader("MyApp Flag1")
This code does not return any result because OAM sets the header variable name to MyApp%20Flag1.
Steps to reproduce
1. Access OAM-protected application page
2. User is redirected to OAM login page
3. User submits valid credentials and is redirected back to the protected application page
4. Application page fails to display correctly: the expected HTTP header variables are not accessible to the application because OAM has URL encoded the HTTP header names.
If the application code is changed to retrieve the HTTP header variable using the URL encoded name, then the application page displays correctly, e.g. request.getHeader("MyApp%20Flag1").
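A lookup helper for the workaround above, as an added example that is not Oracle's code: it tries the configured header name first and then its percent-encoded form, so the application does not hard-code the encoded string. The names OamHeaderLookup, encodeName and getOamHeader are hypothetical, the header map is constructed sample data, and the code assumes OAM's encoding matches standard percent-encoding as in the MyApp%20Flag1 case.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.HashMap;
import java.util.Map;
import java.util.function.Function;

public class OamHeaderLookup {

    // Percent-encode a header name. java.net.URLEncoder performs form
    // encoding and emits "+" for a space, so rewrite it to "%20", the form
    // shown in this note. A literal "+" in the name is already output as
    // "%2B", so the replace only touches encoded spaces.
    static String encodeName(String name) {
        try {
            return URLEncoder.encode(name, "UTF-8").replace("+", "%20");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e); // UTF-8 is always available
        }
    }

    // Try the name as configured in the OAM policy, then its encoded form.
    // In a JSP or servlet, pass request::getHeader as the getter.
    static String getOamHeader(Function<String, String> getter, String name) {
        String value = getter.apply(name);
        if (value == null) {
            String encoded = encodeName(name);
            if (!encoded.equals(name)) {
                value = getter.apply(encoded);
            }
        }
        return value;
    }

    public static void main(String[] args) {
        // Constructed sample: the request headers as the application sees
        // them after the success action from this note has been applied.
        Map<String, String> headers = new HashMap<>();
        headers.put("MyApp%20Flag1", "Set");
        Function<String, String> getter = headers::get;

        System.out.println("direct lookup: " + getter.apply("MyApp Flag1"));
        System.out.println("with fallback: " + getOamHeader(getter, "MyApp Flag1"));
    }
}
```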