OAM 10g: Why is a Policy With Query String Not Working Where Another Policy Exists For Same URL Pattern? (Doc ID 1377144.1)

Last updated on MARCH 08, 2017

Applies to:

COREid Access - Version: 10.1.4 to - Release: 10g to
Information in this document applies to any platform.


An Oracle Access Manager (OAM) 10g policy domain has been configured with two policies for the same resource (URL Pattern), but one of them should be implemented only when the URL has a specific query parameter.

For example:

Policy Domain Name: Main App Policy Domain
Resource: /main
Default Rules:
Authentication Rule: Form Authn
Authentication Expression: Allow All

Policy Name: Anonymous Protection for Homepage
Resource Type: http
Resource Ops: GET POST
Resource: wghostname/main
URL Pattern: home.html
Authentication Rule: Anonymous Authentication
Authorization Expression: Authorize all

Policy Name: Authenticated Access Policy
Resource Type: http
Resource Ops: GET POST
Resource: wghostname/main
URL Pattern: home.html
Query String: *app=*
No authentication rule defined (default Form Authn will apply)
No authorization expression defined (default Authorize all will apply)

When http://wghostname:port/mail/home.html?app=val is accessed in a new browser session, the user is not prompted for form login. Access is allowed using the 'Anonymous Protection for Homepage' policy.

Why isn't OAM implementing the 'Authenticated Access Policy' policy in this case?



This document is being delivered to you via Oracle Support's Rapid Visibility (RaV) process and therefore has not been subject to an independent technical review.