Is there Any Way to Disable Logging in by Passing ID and Password in The URL in Oracle Access Manager 10g (OAM10.1.4.3) (Doc ID 2004434.1)

Last updated on JUNE 07, 2017

Applies to:

COREid Access - Version 10.1.4.3.0 and later
Information in this document applies to any platform.

Goal

Let's say I have a web page at "http://www.abc.com/abc/xyz".
Let's say this page requires a login. The login is set up to use a form login.

I am finding out that I can log in and access the page right away without doing form login by passing query parameters "ID=USER_ID&password=PASSWORD" (i.e. USER_ID is the id and PASSWORD is the password) like this:

Examples:
==========
1. http://xxxx.abc.com/identity/oblix/apps/userservcenter/bin/userservcenter.cgi?login=USER_ID&password=PASSWORD&fromloginpage=true&ObLoginDomain=dc=ntrs,dc=com
2. http://xxxx.abcs.com/ars/Type1/?ID=USER_ID&password=PASSWORD

Questions
=============
1. How is this possible? Is this some kind of feature in OAM10g that allows bypassing the form login?
2. Can I disable this feature so users cannot log in this way?
3. Will OAM11g have the same feature?

 

Solution
