HTTP Basic authentication in OAM 11g

Introduction

Hi everyone, this is my first posting so I wanted to first introduce myself. My name is Vinay Kalra and I’m also part of the A-team at Oracle. I came to Oracle in 2005 as part of the Oblix acquisition that brought with it Oracle Access Manager (OAM).

From Brian: Welcome Vinay! I’m adding this post to the OAM 11g Academy Series. To view the first post in the series, which will be updated throughout to contain links to the entire series, click below:

http://www.ateam-oracle.com/oracle-access-manager-academy-from-the-fusion-security-blog/

So let's get started....

The Problem

As I was playing with OAM 11g, I came across an issue with protecting a resource using Basic Authentication. The Basic authentication dialog box did show up, however, my credentials failed. Not only that, after the first attempt, all subsequent challenges were coming from the WebLogic Server, not from OAM’s Basic authentication.

First attempt: notice that the site description is ‘OAM 11g’.

[Screenshot: browser Basic authentication prompt with site description ‘OAM 11g’]


When I entered my credentials as testuser1/welcome1 it failed and prompted for the password again. Notice that the site description is now ‘Weblogic Server’.

[Screenshot: second Basic authentication prompt with site description ‘Weblogic Server’]

The OAM server logs revealed that it could not find the user’s (testuser1) DN:

####<Mar 7, 2011 2:32:09 PM PST> <Debug> <SecurityAtn> <vk3-iam.us.oracle.com> <oam_server1> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <11d1def534ea1be0:2428bd9f:12e920267a3:-8000-0000000000000062> <1299537129287> <BEA-000000> <getDNForUser search("ou=people,ou=myrealm,dc=IdM_Domain", "(&(uid=testuser1)(objectclass=person))", base DN & below)>
####<Mar 7, 2011 2:32:09 PM PST> <Debug> <SecurityAtn> <vk3-iam.us.oracle.com> <oam_server1> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <11d1def534ea1be0:2428bd9f:12e920267a3:-8000-0000000000000062> <1299537129287> <BEA-000000> <DN for user testuser1: null>


Well, first off, the filter and the search base were incorrect. I had configured my user store to point to Oracle Internet Directory (OID), which has a different search base. The search base here was coming from WebLogic’s embedded LDAP, which means the credentials were being validated by WebLogic rather than by OAM. Keep in mind that this worked perfectly with OAM’s LDAP Authentication, which is form based authentication. So why didn’t OAM Basic Authentication work?


The Solution

As you may be aware, OAM 11g now sits on top of the WebLogic platform, so an extra step is required to get ‘Basic’ authentication to work. The issue is that all HTTP Basic Authentication traffic (the Authorization header sent by the browser) is intercepted and validated by WebLogic against its own security realm and is not passed through to the OAM Server application.

The solution is to add the ‘enforce-valid-basic-auth-credentials’ tag to the config.xml file located under /user_projects/domains/<MyDomain>/config/. The tag must be inserted within the <security-configuration> tag as follows:

<enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>

With this setting, WebLogic will not validate the Basic Authentication credentials coming from the browser and will pass the request through to the application, so that OAM performs the authentication.

This setting will affect the entire domain, so be aware!
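The edit above is small but easy to get wrong by hand (WebLogic's config.xml uses a default XML namespace, and the element has to land inside security-configuration). The script below is an added example, not code from the original post or from Oracle: it reads a config.xml, reports whether enforce-valid-basic-auth-credentials is set, and appends the element with the value false as the last child of security-configuration if it is missing. The sample config.xml it runs against is constructed here and is not a real domain file; the namespace URI is the one WebLogic domain files declare.

```python
import xml.etree.ElementTree as ET

# Default namespace declared by WebLogic domain config.xml files.
WL_NS = "http://xmlns.oracle.com/weblogic/domain"
TAG = "enforce-valid-basic-auth-credentials"

# Constructed sample config.xml fragment for demonstration (not a real domain file).
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>IdM_Domain</name>
  <security-configuration>
    <name>IdM_Domain</name>
    <realm>
      <name>myrealm</name>
    </realm>
    <default-realm>myrealm</default-realm>
    <node-manager-username>weblogic</node-manager-username>
  </security-configuration>
  <admin-server-name>AdminServer</admin-server-name>
</domain>
"""


def _ns(tag):
    """Qualify a local element name with the WebLogic domain namespace."""
    return "{%s}%s" % (WL_NS, tag)


def _security_configuration(root):
    """Return the <security-configuration> element or fail loudly if absent."""
    sec = root.find(_ns("security-configuration"))
    if sec is None:
        raise ValueError("no <security-configuration> element in config.xml")
    return sec


def enforce_setting(xml_text):
    """Return the current value ('true'/'false') of the tag, or None if unset.

    Unset means WebLogic's default applies: it validates Basic credentials
    against its own realm and OAM never sees the request.
    """
    root = ET.fromstring(xml_text)
    el = _security_configuration(root).find(_ns(TAG))
    return None if el is None else (el.text or "").strip().lower()


def disable_basic_auth_enforcement(xml_text):
    """Return config.xml text with the tag set to false (idempotent).

    The element is appended as the last child of <security-configuration>;
    WebLogic validates config.xml against its schema, so element order matters
    and appending at the end is the placement the post's snippet implies.
    """
    # Keep the file's default namespace unprefixed on output instead of ns0:.
    ET.register_namespace("", WL_NS)
    root = ET.fromstring(xml_text)
    sec = _security_configuration(root)
    el = sec.find(_ns(TAG))
    if el is None:
        el = ET.SubElement(sec, _ns(TAG))
    el.text = "false"
    ET.indent(root, space="  ")  # re-indent so the new element lines up
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode") + "\n"


if __name__ == "__main__":
    print("before:", enforce_setting(SAMPLE_CONFIG))
    updated = disable_basic_auth_enforcement(SAMPLE_CONFIG)
    print("after:", enforce_setting(updated))
    print(updated)
```

Run it against a copy of the real file only with the Admin Server stopped: WebLogic rewrites config.xml from its in-memory configuration at runtime, so a hand edit made while the domain is up can be silently overwritten on the next save or restart. Note also that ElementTree drops XML comments, so diff the result before putting it in place.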

Ideally I would not recommend that customers use Basic Authentication in a production environment, but for a quick test to validate an OAM policy, no problem. Actually, now in 11g there are OOTB login forms (try LDAP Authentication), so there is no need to even test with Basic Authentication. I guess old habits are hard to break. Here is a link that discusses the tag in more detail.

Thanks to my colleague Chris Johnson for helping me figure this out!

Comments

  1. sekhar. V says:

    Please delete all my previous comments. I got the right file to make changes.

  2. sekhar. V says:

    Are the changes to be made in oam-config.xml file under OAM_domain_home/config/fmwconfig folder or is it a different config file?

  3. sekhar. V says:

    After I make the changes and restart the OAM server, I see that the changes are lost, meaning I don’t see the security-configuration section I added.

  4. sekhar. V says:

    Hi Vinay,

    I made the changes and restarted the OAM server. It seemed to work for the first time, and later it started behaving as if the flag mentioned above is set to true. Is there anything else I need to do?
