POST Method Requests to Resources Protected by OAM Form-Based Authentication Fail Unless User Logs In Prior To POST Request (Doc ID 1330881.1)

Last updated on MARCH 08, 2017

Applies to:

COREid Access - Version: 10.1.4 and later [Release: 10g and later]
Oracle Access Manager - Version: 11.1.1.3.0 and later
Information in this document applies to any platform.

Symptoms

Post Data is lost if POST method requests are interrupted by Oracle Access Manager (OAM) form-based authentication.

Requests issued with POST method are failing for unauthenticated users when the resource is protected by OAM form-based login. After the user has submitted OAM credentials in the OAM form login page, the application generates an error because the Post Data is not received with the request.

The HTTP header trace for the failing requests shows that when WebGate receives the POST method request, the user is redirected to the OAM login page to be authenticated (HTTP-302). After successful OAM login the user is redirected back to the originally requested resource with another HTTP-302 redirect response, causing the browser to re-issue the request with the GET method instead of POST, so the original Post Data is missing.

If the POST method request is re-issued in the same browser session after the user has logged in, the application page is displayed successfully.

The problem reproduces with both OAM 10g and OAM 11g servers.

Steps to reproduce

1. Open a new browser session and access any page that is unprotected or anonymously protected in OAM.
2. From this page, click a link that issues a request using POST method to a resource protected by an OAM form authentication scheme.
3. The user is redirected to the OAM form login page.
4. User submits credentials and is redirected back to the originally requested resource: application error occurs because the Post Data is not sent with the GET method request.
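The header-trace pattern described above, as an added example that is not part of this Oracle document: a Python check over a constructed trace that flags a POST which WebGate redirected to the form login and which later came back to the same resource as a GET without its body. The login path, host names, URLs and Content-Length values are assumptions.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass
class Exchange:
    """One request/response pair from an HTTP header trace (constructed)."""
    method: str
    url: str
    status: int
    location: str = ""   # Location header of a redirect response, if any
    body_len: int = 0    # request Content-Length (0 when no body was sent)

# Assumed WebGate form-login URL path (constructed; not taken from the document).
LOGIN_PATH = "/oamsso/login.html"

def find_lost_post_data(trace):
    """Return (path, later_method, later_body_len) for every POST that WebGate
    redirected to the login form and that was then re-issued without its body."""
    pending = {}     # resource path -> Content-Length of the intercepted POST
    findings = []
    for ex in trace:
        path = urlsplit(ex.url).path
        if (ex.method == "POST" and ex.status == 302
                and urlsplit(ex.location).path == LOGIN_PATH):
            pending[path] = ex.body_len   # unauthenticated POST diverted to login
            continue
        if path in pending:               # first request back to that resource
            original_len = pending.pop(path)
            if ex.method != "POST" or ex.body_len < original_len:
                findings.append((path, ex.method, ex.body_len))
    return findings

# Constructed trace matching the symptom: anonymous page, POST to a protected
# resource, 302 to login, login POST, 302 back, GET without body, app error.
TRACE = [
    Exchange("GET", "https://app.example.com/public/start.html", 200),
    Exchange("POST", "https://app.example.com/app/submit", 302,
             "https://sso.example.com/oamsso/login.html?resource=%2Fapp%2Fsubmit", 27),
    Exchange("GET", "https://sso.example.com/oamsso/login.html?resource=%2Fapp%2Fsubmit", 200),
    Exchange("POST", "https://sso.example.com/oamsso/login.html", 302,
             "https://app.example.com/app/submit", 41),
    Exchange("GET", "https://app.example.com/app/submit", 500),   # Post Data gone
    Exchange("POST", "https://app.example.com/app/submit", 200, "", 27),  # re-issued after login: works
]

if __name__ == "__main__":
    for path, method, size in find_lost_post_data(TRACE):
        print(f"POST data lost: {path} came back as {method} with {size} body bytes")
```

The re-issued POST at the end of the trace is not reported, matching the observation that a second POST in the same logged-in session succeeds.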


Note that this is not the same issue as described in <> Unable To Post Data To An Application As Coreid Webgate Is Consuming The Data.

The issue and the RetainDownstreamPostData solution in that document are specific to one of the following conditions:

a) The authentication scheme has passthrough=yes and the passthrough resource is not receiving the Post Data.
b) The OAM policy is configured with the Query String Variable field and the application protected by the policy is not receiving the Post Data with authenticated user requests.

Cause
