OAM 11g: Access Always Denied With IP Range Constraint In Public (Anonymous) Authorization Policy
(Doc ID 1371880.1)
Last updated on FEBRUARY 03, 2019
Applies to: Oracle Access Manager - Version: 126.96.36.199.0
Information in this document applies to any platform.
An Oracle Access Manager (OAM) 11g Authorization Policy for anonymously authenticated site / resource access is configured to restrict public page access based on Client IP Address.
When the Authorization Public Resource Policy is configured with an IP address range Constraint, access to any resource protected by this policy results in an 'Access denied' error in the browser, even for clients whose IP addresses are within the permitted range. The /oberr.cgi URL in the browser address bar shows ErrAuthzDeny.
If the same IP address range Constraint is configured for the Protected Resource Policy, the resource can be accessed successfully.
The OAM managed server log shows the following:
[2011-10-07T07:24:09.278+02:00] [oam_server20] [ERROR]  [oracle.jps.authorization.provider] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 3ec316d6eee8d1d7:6ae7db98:132dcd2f6fa:-8000-000000000000001b,0] [APP: oam_server] Error occurred while calling custom resource matcher oracle.security.am.common.policy.runtime.provider.oes.custom.OAMCustomResourceMatcher. Because of the error, the result has been set to deny.[[
com.wles.arme.EvalFuncInnerException: java.lang.RuntimeException: oracle.security.am.common.policy.runtime.PolicyEvaluationException: OAMSSA-06083: No Client IPAddress found in AccessContext Map.
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
Steps to reproduce
1. In the OAM Application Domain, create an Authorization Policy with IP range constraints.
2. Configure a resource in the application domain as 'unprotected'. Configure it to be protected by the Public Authentication Policy and the Authorization Policy created in step 1.
3. Access the resource in a browser: the user is redirected to /oberr.cgi?status%3D500%20errmsg%3DErrAuthzDeny%20p2%3D%2FtestApp%2Flogin.jsp.
Error 'OAMSSA-06083: No Client IPAddress found in AccessContext Map.' is shown in the OAM managed server logs.
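As an added example (not part of the Oracle note), the following Python script triages OAM managed server logs for this symptom: it picks out records where the deny was forced by a policy-evaluation error rather than by a policy decision, and decodes the /oberr.cgi redirect. The sample log record and URL are the ones shown above, with the stack trace cut to one frame; the function names are illustrative.

```python
import re
from urllib.parse import unquote

# Log record and redirect URL as shown on this page (stack trace cut to one frame).
SAMPLE_LOG = """[2011-10-07T07:24:09.278+02:00] [oam_server20] [ERROR]  [oracle.jps.authorization.provider] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 3ec316d6eee8d1d7:6ae7db98:132dcd2f6fa:-8000-000000000000001b,0] [APP: oam_server] Error occurred while calling custom resource matcher oracle.security.am.common.policy.runtime.provider.oes.custom.OAMCustomResourceMatcher. Because of the error, the result has been set to deny.[[
com.wles.arme.EvalFuncInnerException: java.lang.RuntimeException: oracle.security.am.common.policy.runtime.PolicyEvaluationException: OAMSSA-06083: No Client IPAddress found in AccessContext Map.
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
"""
SAMPLE_URL = "/oberr.cgi?status%3D500%20errmsg%3DErrAuthzDeny%20p2%3D%2FtestApp%2Flogin.jsp"

# A record starts with a bracketed ISO timestamp; other lines are supplemental detail.
RECORD_START = re.compile(r"^\[(\d{4}-\d\d-\d\dT[^\]]+)\]")
# Named fields are matched individually because the tid field contains nested brackets.
FIELD = re.compile(r"\[(userId|ecid): ([^\]]*)\]")
CODE = re.compile(r"\b(OAM[A-Z]*-\d{5})\b")
DENY_ON_ERROR = "Because of the error, the result has been set to deny"


def error_denies(log_text):
    """Return one dict per record whose deny came from an evaluation error."""
    records, current = [], None
    for line in log_text.splitlines():
        if RECORD_START.match(line):
            current = [line]
            records.append(current)
        elif current is not None:
            current.append(line)  # stack trace lines belong to the open record
    hits = []
    for rec in records:
        if DENY_ON_ERROR not in rec[0]:
            continue
        fields = dict(FIELD.findall(rec[0]))
        hits.append({
            "time": RECORD_START.match(rec[0]).group(1),
            "userId": fields.get("userId"),
            "ecid": fields.get("ecid"),
            "codes": sorted(set(CODE.findall("\n".join(rec)))),
        })
    return hits


def decode_oberr(url):
    """Split the percent-encoded /oberr.cgi query into its key=value parts."""
    query = unquote(url.split("?", 1)[1])
    return dict(part.split("=", 1) for part in query.split(" ") if "=" in part)


if __name__ == "__main__":
    print(error_denies(SAMPLE_LOG))
    print(decode_oberr(SAMPLE_URL))
```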
This document is being delivered to you via Oracle Support's Rapid Visibility (RaV) process and therefore has not been subject to an independent technical review.