My Oracle Support Banner

OAM 11g: Custom Authentication Modules Do Not Honor AuthenticationException Types (Doc ID 1464388.1)

Last updated on SEPTEMBER 19, 2023

Applies to:

Oracle Access Manager - Version and later
Information in this document applies to any platform.


When a custom plugin is developed (extension of AbstractAuthenticationPlugIn) there are several types of AuthorizationException that can be thrown: USER_LOCKED_ERROR, USER_PASSWORD_EXPIRED,... and so on.

* The type of the exception is lost between the plugin code and the final page. The main classes involved are two:
-> PlugInExceptor: The executor of custom or step by step plugins.
-> AuthenticationSchemeExecutor: The executor for any authentication scheme.

Step-By-Step to reproduce:

1.- Go to OAM console and in System Configuration -> Common Configuration -> Plugins:
1.1.- Import the plugin (select the jar I'm going to attach).
1.2.- Distribute.
1.3.- Activate..
NOTE: Sometimes some step fails but just try again.

2.- Create a Custom plugin that uses the previous plugin in one step. Go to System Configuration -> Access Manager Settings -> Authentication Modules -> Custom Authentication Module and select LDAPPlugin.
2.1.- Configure the default steps stepUI and stepUA based on your LDAP/User configuration.
2.2.- Add a new step stepSimple with my module (class SimpleUserAuthPlugin). This plugin just throw the exception which is configured, by default OAM-1007 which is USER_PASSWORD_EXPIRED.
2.3.- Configure this step as the last step UI -> UA -> Simple.
       UI: success -> UA | others -> failure
       UA: success -> Simple | others -> failure
       Simple: success -> success | others -> failure
2.4.- Save the module.

3.    - Create a Authentication Scheme that uses the previous module. In Policy Configuration -> Authentications Schemes -> Select LDAPScheme. Diplicate it.
3.1. - Change the name to LDAPCustom for example.
3.2. - Select LDAPPlugin as Authentication Module (the one created in the previous step).

4.- Assign the scheme to one of your application domains. In Policy Configuration -> Application Domains -> Select your app and in Authentication Policies -> Select Protected Resource Policy and change Authentication scheme to LDAPCustom.

5.- Test the login. In WLS console you will see "Throwing USER_PASSWORD_EXPIRED exception!!!" but the message displayed in login is always the same (invalid user or password).

How to solve this ?


To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

In this Document

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.