OAM 10g: Why is a Policy With Query String Not Working Where Another Policy Exists For Same URL Pattern? (Doc ID 1377144.1)

Last updated on MARCH 08, 2017

Applies to:

COREid Access - Version: 10.1.4 to 10.1.4.3.0 - Release: 10g to
Information in this document applies to any platform.

Goal


An Oracle Access Manager (OAM) 10g policy domain has been configured with two policies for the same resource (URL Pattern), but one of them should be applied only when the URL has a specific query parameter.

For example:

Policy Domain Name: Main App Policy Domain
Resource: /main
Default Rules:
Authentication Rule: Form Authn
Authentication Expression: Allow All

Name: Anonymous Protection for Homepage
Resource Type: http
Resource Ops: GET POST
Resource: wghostname/main
URL Pattern: home.html
Authentication Rule: Anonymous Authentication
Authorization Expression: Authorize all

Policy Name: Authenticated Access Policy
Resource Type: http
Resource Ops: GET POST
Resource: wghostname/main
URL Pattern: home.html
Query String: *app=*
No authentication rule defined (default Form Authn will apply)
No authorization expression defined (default Authorize all will apply)


When http://wghostname:port/mail/home.html?app=val is accessed in a new browser session, the user is not prompted for form login. Access is allowed using the 'Anonymous Protection for Homepage' policy.

Why isn't OAM implementing the 'Authenticated Access Policy' policy in this case?


Solution
