OAM 11g: Custom Authentication Modules Do Not Honor AuthenticationException Types
(Doc ID 1464388.1)
Last updated on SEPTEMBER 19, 2023
Applies to:
Oracle Access Manager - Version 11.1.1.5.0 and laterInformation in this document applies to any platform.
Goal
When a custom plugin is developed (extension of AbstractAuthenticationPlugIn) there are several types of AuthorizationException that can be thrown: USER_LOCKED_ERROR, USER_PASSWORD_EXPIRED,... and so on.
* The type of the exception is lost between the plugin code and the final page. The main classes involved are two:
-> PlugInExceptor: The executor of custom or step by step plugins.
-> AuthenticationSchemeExecutor: The executor for any authentication scheme.
Step-By-Step to reproduce:
1.- Go to OAM console and in System Configuration -> Common Configuration -> Plugins:
1.1.- Import the plugin (select the jar I'm going to attach).
1.2.- Distribute.
1.3.- Activate..
NOTE: Sometimes some step fails but just try again.
2.- Create a Custom plugin that uses the previous plugin in one step. Go to System Configuration -> Access Manager Settings -> Authentication Modules -> Custom Authentication Module and select LDAPPlugin.
2.1.- Configure the default steps stepUI and stepUA based on your LDAP/User configuration.
2.2.- Add a new step stepSimple with my module (class SimpleUserAuthPlugin). This plugin just throw the exception which is configured, by default OAM-1007 which is USER_PASSWORD_EXPIRED.
2.3.- Configure this step as the last step UI -> UA -> Simple.
UI: success -> UA | others -> failure
UA: success -> Simple | others -> failure
Simple: success -> success | others -> failure
2.4.- Save the module.
3. - Create a Authentication Scheme that uses the previous module. In Policy Configuration -> Authentications Schemes -> Select LDAPScheme. Diplicate it.
3.1. - Change the name to LDAPCustom for example.
3.2. - Select LDAPPlugin as Authentication Module (the one created in the previous step).
4.- Assign the scheme to one of your application domains. In Policy Configuration -> Application Domains -> Select your app and in Authentication Policies -> Select Protected Resource Policy and change Authentication scheme to LDAPCustom.
5.- Test the login. In WLS console you will see "Throwing USER_PASSWORD_EXPIRED exception!!!" but the message displayed in login is always the same (invalid user or password).
How to solve this ?
Solution
To view full details, sign in with your My Oracle Support account. |
|
Don't have a My Oracle Support account? Click to get started! |
In this Document
Goal |
Solution |