Authorization Rules Does Not Take Effect With IIS Webgate when IIS is configured as reverse proxy
(Doc ID 2113638.1)
Last updated on OCTOBER 26, 2023
Applies to:
Oracle Access Manager - Version 11.1.2.3.0 and later
Information in this document applies to any platform.
Symptoms
The customer has an application that is protected by an IIS 7.5 WebGate (2008 64-bit), and a user is able to access the resource even though that user is included in a deny authorization policy. According to the WebGate and OAM logs, the user is shown as Denied.
The WebGate log shows that the user is denied:
2016/02/08@08:07:51.240000 5040 4840 WEB DEBUG3 0x00000201 ..\src\iis_filt_info.cpp:690 "SetHeader" Header^OBUSERDENIEDURL: Value^/webgate /webgate.dll?status%3D500%20errmsg%3DErrAuthzDeny%20p2%3D%2F bResult^1
However, IIS still serves the page.
The issue was also reproduced with IIS 8.5 on Windows 2012 Server.
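One way to confirm this symptom from logs, as an added example that is not part of the original document: it pairs WebGate ErrAuthzDeny entries with IIS W3C log rows for the same path that were answered with a 2xx status. The IIS rows are constructed; that p2 carries the denied path, the two-second matching window, and both logs using the same time zone are assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# WebGate debug line layout as in the log excerpt on this page.
DENY_RE = re.compile(r'^(?P<ts>\d{4}/\d\d/\d\d@\d\d:\d\d:\d\d)\.\d+ .*'
                     r'Header\^OBUSERDENIEDURL: Value\^(?P<val>.*?) bResult\^')

def parse_denies(lines):
    """Return (time, path) for every ErrAuthzDeny decision WebGate logged."""
    out = []
    for line in lines:
        m = DENY_RE.match(line)
        # Decoded query looks like "status=500 errmsg=ErrAuthzDeny p2=/".
        query = unquote(m['val'].partition('?')[2]) if m else ''
        kv = dict(p.split('=', 1) for p in query.split() if '=' in p)
        if kv.get('errmsg') == 'ErrAuthzDeny':
            # Assumption: p2 carries the path of the denied resource.
            out.append((datetime.strptime(m['ts'], '%Y/%m/%d@%H:%M:%S'), kv.get('p2', '')))
    return out

def parse_iis(lines):
    """Parse W3C extended log rows using the #Fields directive."""
    fields, rows = [], []
    for line in lines:
        if line.startswith('#Fields:'):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith('#'):
            rec = dict(zip(fields, line.split()))
            rec['when'] = datetime.strptime(rec['date'] + ' ' + rec['time'], '%Y-%m-%d %H:%M:%S')
            rows.append(rec)
    return rows

def served_despite_deny(wg_lines, iis_lines, window=2):
    """IIS rows with a 2xx status for a path WebGate denied within `window` seconds."""
    rows, hits = parse_iis(iis_lines), []
    for when, path in parse_denies(wg_lines):
        for rec in rows:
            close = abs(rec['when'] - when) <= timedelta(seconds=window)
            if close and rec['cs-uri-stem'] == path and rec['sc-status'].startswith('2'):
                hits.append((when, path, rec['sc-status']))
    return hits

# The WebGate line is the one quoted on this page; the IIS rows are constructed.
WEBGATE_LOG = [r'2016/02/08@08:07:51.240000 5040 4840 WEB DEBUG3 0x00000201 ..\src\iis_filt_info.cpp:690 "SetHeader" Header^OBUSERDENIEDURL: Value^/webgate /webgate.dll?status%3D500%20errmsg%3DErrAuthzDeny%20p2%3D%2F bResult^1']
IIS_LOG = ['#Fields: date time cs-method cs-uri-stem sc-status',
           '2016-02-08 08:07:51 GET / 200',
           '2016-02-08 08:09:10 GET /public/logo.png 200']

print(served_despite_deny(WEBGATE_LOG, IIS_LOG))
```

Any row it returns is a request that the policy denied but that was still answered successfully, which is the condition described in this section.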
Changes
IIS is configured as a reverse proxy:
<DIR>\inetpub\wwwroot\web.xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="ReverseProxyInboundRule1" enabled="true" stopProcessing="true">
          <match url="(.*)" />
          <action type="Rewrite" url="http://<HOST>:<PORT>/{R:1}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
  <system.web>
    <identity impersonate="false" />
  </system.web>
  <location path="" overrideMode="Allow">
    <system.webServer>
      <handlers accessPolicy="Read, Execute, Script">
        <add name="OracleWebGateExtension" path="*" verb="*" modules="IsapiModule" scriptProcessor="<WG_INSTALL_DIR>\webgate\iis\lib\webgate.dll" resourceType="Unspecified" requireAccess="None" />
      </handlers>
    </system.webServer>
  </location>
</configuration>
Cause