Oracle Access Manager (OAM) WebGate - HTTP 200 RESPONSE DOESN'T INCLUDE SECURITY DIRECTIVES FROM HTTPD.CONF It Is Blank
(Doc ID 2955924.1)
Last updated on JUNE 21, 2023
Applies to:
Oracle Access Manager - Version 12.2.1.4.0 and later
Information in this document applies to any platform.
Symptoms
The newly generated HTML page (the HTTP 200 response from WebGate) doesn't inherit the header directives from httpd.conf, and the content security policy header has no value (it is blank).
When POST is configured as the ChallengeRedirectMethod, the redirect to the OAM server is returned as an HTTP 200 response with an HTTP body, so that the query string is sent as POST data. The HTTP body contains a FORM that submits the parameters by the POST method, as presented in Doc ID 2553154.1. This means WebGate generates the mentioned HTML page with the needed information and performs the POST operation.
- Secure headers (content security policy is blank and a duplicate header is passed)
- Set HTTP secure headers using the OHS httpd.conf file
- Tested for headers and found that there is no value for content security policy (it is blank) and there are duplicate content security policy headers in the response
- Tried removing the values that were set in the httpd.conf file but still not getting the expected response headers (content security policy is still passed from OAM). content security policy, cache control, pragma etc.
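The header check described in the symptoms above can be scripted against a saved raw response. The following is an added example, not part of the Oracle document; the sample response and the function names `parse_headers` and `audit` are constructed for illustration.

```python
from collections import defaultdict

# Headers named in the symptoms above; extend as needed.
WATCHED = ("content-security-policy", "cache-control", "pragma")

# Constructed sample (not captured from a real deployment): an HTTP 200 whose
# body is a POST form, carrying a blank and a duplicated CSP header.
SAMPLE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Security-Policy: \r\n"
    b"Content-Security-Policy: default-src 'self'\r\n"
    b"Cache-Control: no-store\r\n"
    b"\r\n"
    b"<html><body><form method=\"POST\"></form></body></html>"
)

def parse_headers(raw):
    """Return (status_code, {lowercased name: [values in wire order]})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = defaultdict(list)
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed lines that have no colon
            headers[name.strip().lower()].append(value.strip())
    return status, dict(headers)

def audit(raw, watched=WATCHED):
    """List (header, problem) findings: missing, duplicate or blank."""
    _status, headers = parse_headers(raw)
    findings = []
    for name in watched:
        values = headers.get(name, [])
        if not values:
            findings.append((name, "missing"))
            continue
        if len(values) > 1:
            findings.append((name, "duplicate"))
        if any(v == "" for v in values):
            findings.append((name, "blank"))
    return findings

if __name__ == "__main__":
    for name, problem in audit(SAMPLE):
        print(f"{name}: {problem}")
```

Keeping repeated header lines as separate list entries matters here, because a client library that merges or overwrites repeated headers would hide the duplicate.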
Changes
Cause