POST Method Requests to Resources Protected by OAM Form-Based Authentication Fail Unless User Logs In Prior To POST Request
(Doc ID 1330881.1)
Last updated on FEBRUARY 28, 2019
Applies to: COREid Access - Version 10.1.4 and later
Oracle Access Manager - Version 18.104.22.168.0 and later
Information in this document applies to any platform.
Post Data is lost if POST method requests are interrupted by Oracle Access Manager (OAM) form based authentication.
Requests issued with POST method are failing for unauthenticated users when the resource is protected by OAM form-based login. After the user has submitted OAM credentials in the OAM form login page, the application generates an error because the Post Data is not received with the request.
The HTTP header trace for the failing requests shows that when WebGate receives the POST method request, the user is redirected to the OAM login page to be authenticated (HTTP 302). After successful OAM login the user is redirected back to the originally requested resource with another HTTP 302 redirect response, which causes the browser to re-issue the request with the GET method instead of POST, so the original Post Data is missing.
If the POST method request is re-issued in the same browser session after the user has logged in, the application page is displayed successfully.
The problem reproduces with both OAM 10g and OAM 11g servers.
Steps to reproduce
1. Open a new browser session and access any page that is unprotected or anonymously protected in OAM.
2. From this page, click a link that issues a request using POST method to a resource protected by an OAM form authentication scheme.
3. The user is redirected to the OAM form login page.
4. User submits credentials and is redirected back to the originally requested resource: application error occurs because the Post Data is not sent with the GET method request.
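The following is an added example, not Oracle code, that models the redirect chain from the steps above on a local HTTP server. A front handler standing in for the WebGate answers unauthenticated requests with a 302 to a login page; the login page sets a session cookie and 302-redirects back to the original resource; a client that follows redirects the way a browser does (302 answered with a GET and no body) shows why the application never sees the POST data, and why re-issuing the POST in the same authenticated session works. The path, cookie and parameter names are invented for the example and are not OAM's.

```python
"""Constructed model of the symptom: POST -> 302 login -> 302 back -> GET.
Not OAM or WebGate code; all names below are hypothetical."""
import http.client
import threading
from http import HTTPStatus
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

SESSION_COOKIE = "EXAMPLE_SESSION"  # hypothetical session cookie name
LOGIN_PATH = "/login"               # hypothetical form-login page
PROTECTED_PATH = "/app/submit"      # hypothetical protected resource


class FrontHandler(BaseHTTPRequestHandler):
    """Stand-in for WebGate plus the protected application (example only)."""

    def log_message(self, *args):  # keep the example quiet
        pass

    def _authenticated(self):
        return SESSION_COOKIE + "=" in self.headers.get("Cookie", "")

    def _redirect(self, location, extra_headers=()):
        self.send_response(HTTPStatus.FOUND)  # 302, as in the header trace
        self.send_header("Location", location)
        for name, value in extra_headers:
            self.send_header(name, value)
        self.end_headers()

    def do_GET(self):
        url = urlparse(self.path)
        if url.path == LOGIN_PATH:
            # A real login page presents a form; here reaching it counts as
            # a successful login: set the session cookie and redirect back.
            target = parse_qs(url.query).get("resource", ["/"])[0]
            self._redirect(target, [("Set-Cookie", SESSION_COOKIE + "=ok")])
            return
        self._serve_app("GET", b"")

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", "0")))
        self._serve_app("POST", body)

    def _serve_app(self, method, body):
        if not self._authenticated():  # WebGate step: send to the login page
            self._redirect(f"{LOGIN_PATH}?resource={self.path}")
            return
        # Application step: it needs the POST data and reports what arrived.
        if method == "POST" and body:
            status, text = HTTPStatus.OK, f"ok method={method} body={body.decode()}"
        else:
            status, text = HTTPStatus.BAD_REQUEST, f"error method={method} body={body.decode()!r}"
        data = text.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


class BrowserLikeClient:
    """Keeps cookies for the session and, like a browser, answers a 302 with a
    GET to the Location header and drops the original request body."""

    def __init__(self, host, port):
        self.host, self.port, self.cookies = host, port, {}

    def request(self, method, path, body=None, max_redirects=5):
        trace = []  # (method, path, status) for every hop, like a header trace
        for _ in range(max_redirects + 1):
            headers = {}
            if self.cookies:
                headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in self.cookies.items())
            if body is not None:
                headers["Content-Type"] = "application/x-www-form-urlencoded"
            conn = http.client.HTTPConnection(self.host, self.port)
            conn.request(method, path, body=body, headers=headers)
            resp = conn.getresponse()
            data = resp.read()
            conn.close()
            trace.append((method, path, resp.status))
            set_cookie = resp.getheader("Set-Cookie")
            if set_cookie:
                name, value = set_cookie.split(";")[0].split("=", 1)
                self.cookies[name] = value
            if resp.status in (301, 302, 303):
                method, path, body = "GET", resp.getheader("Location"), None
                continue
            return resp.status, data.decode(), trace
        raise RuntimeError("too many redirects")


def reproduce():
    """Runs steps 2-4 and the follow-up re-issued POST; returns both results."""
    server = HTTPServer(("127.0.0.1", 0), FrontHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        client = BrowserLikeClient(*server.server_address)
        first = client.request("POST", PROTECTED_PATH, "field=value")   # fails
        second = client.request("POST", PROTECTED_PATH, "field=value")  # succeeds
        return {"first": first, "second": second[:2]}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for hop in reproduce()["first"][2]:
        print(*hop)
```

The trace printed by the first request shows three hops: POST to the protected resource answered 302, GET to the login page answered 302, GET back to the resource answered with the application error because the body is gone. The second POST, sent with the session cookie, reaches the application intact, matching the observation that re-issuing the request after login succeeds.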
The issue and the RetainDownstreamPostData solution described in that document apply only to one of the following conditions:
a) The authentication scheme has passthrough=yes and the passthrough resource is not receiving the Post Data.
b) The OAM policy is configured with the Query String Variable field and the application protected by the policy is not receiving the Post Data with authenticated user requests.