OAM 11g: Access Always Denied With IP Range Constraint In Public (Anonymous) Authorization Policy

(Doc ID 1371880.1)

Last updated on MARCH 08, 2017

Applies to:

Oracle Access Manager - Version: and later   [Release: No Release Description and later ]
Information in this document applies to any platform.


An Oracle Access Manager (OAM) 11g Authorization Policy for anonymously authenticated site / resource access is configured to restrict public page access based on Client IP Address.

When the Authorization Public Resource Policy is configured with an IP address range Constraint, access to any resource protected by this policy causes error 'Access denied' in the browser, even for clients who have IP addresses within the permitted range. The /oberr.cgi URL in the browser address bar shows ErrAuthzDeny.

If the same IP address range Constraint is configured for Protected Resource Policy, the resource can be accessed successfully.

The OAM managed server log shows the following:

[2011-10-07T07:24:09.278+02:00] [oam_server20] [ERROR] [] [oracle.jps.authorization.provider] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 3ec316d6eee8d1d7:6ae7db98:132dcd2f6fa:-8000-000000000000001b,0] [APP: oam_server] Error occurred while calling custom resource matcher oracle.security.am.common.policy.runtime.provider.oes.custom.OAMCustomResourceMatcher. Because of the error, the result has been set to deny.[[
com.wles.arme.EvalFuncInnerException: java.lang.RuntimeException: oracle.security.am.common.policy.runtime.PolicyEvaluationException: OAMSSA-06083: No Client IPAddress found in AccessContext Map.
at oracle.security.am.common.policy.admin.provider.oes.custom.ConstraintEvaluator.constraintEvaluator(ConstraintEvaluator.java:184)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)

Steps to reproduce

1. In the OAM Application Domain, create an Authorization Policy with IP range constraints.
2. Configure a resource in the application domain as 'unprotected'. Configure it to be protected by the Public Authentication Policy and the Authorization Policy created in step 1.
3. Access the resource in a browser: the user is redirected to /oberr.cgi?status%3D500%20errmsg%3DErrAuthzDeny%20p2%3D%2FtestApp%2Flogin.jsp.

Error 'OAMSSA-06083: No Client IPAddress found in AccessContext Map.' is shown in the OAM managed server logs.


Sign In with your My Oracle Support account

Don't have a My Oracle Support account? Click to get started

My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms