OpenAM web policy agent is redirecting URLs which are not specified


Olivier Rivat
Hi,

OpenAM web policy agent is redirecting URLs which are not specified

-I am running on a local VM with Apache 2.4 configured
-Web policy agent 4.00 with OpenAM 12.0 is installed

I also have

cat /etc/hosts
127.0.0.1 www.example.com
127.0.0.1 sp.example.net

I have created 2 virtual servers
www.example.com:8000
sp.example.net:9000

The URL protected by the web policy agent is www.example.com:8000

Each time I invoke sp.example.net:9000 I am bounced to OpenAM for
authentication (which should not be the case),
as the web policy agent is also intercepting the request for sp.example.net:9000


I am getting the following web policy agent trace (cf. below)
For troubleshooting I have already tried various things:
-uncheck FQDN check
-try to add virtual FQDN host map
-try to add sp.example.net:9000 as a not enforced URL

None of those attempts has worked.
What should be done to have the web policy agent not redirect
sp.example.net:9000 to OpenAM?

Regards,

Olivier





2016-06-07 10:23:48.537    Debug 4690:7f6fcc006980 all: get_method_num(): number corresponds to GET method
2016-06-07 10:23:48.537 MaxDebug 4690:7f6fcc006980 all: am_web_is_notification(): http://sp.example.net:9000/ is not notification url http://www.example.com:8000/UpdateAgentCacheServlet?shortcircuit=false.
2016-06-07 10:23:48.537 MaxDebug 4690:7f6fcc006980 all: am_web_is_notification(): http://sp.example.net:9000/ is not notification url http://www.example.com:8000/UpdateAgentCacheServlet?shortcircuit=false.
2016-06-07 10:23:48.537    Debug 4690:7f6fcc006980 all: get_sso_token(): sso token (null), status - not found
2016-06-07 10:23:48.537    Debug 4690:7f6fcc006980 all: am_web_set_host_ip_in_env_map(): map_insert: client_ip=127.0.0.1
2016-06-07 10:23:48.537 MaxDebug 4690:7f6fcc006980 all: get_normalized_url(): Original url: http://sp.example.net:9000/
2016-06-07 10:23:48.537 MaxDebug 4690:7f6fcc006980 all: get_normalized_url(): PathInfo:
2016-06-07 10:23:48.537 MaxDebug 4690:7f6fcc006980 all: get_normalized_url(): Using Full URI for policy evaluation.
2016-06-07 10:23:48.537 MaxDebug 4690:7f6fcc006980 all: get_normalized_url(): Normalized url: http://sp.example.net:9000/
2016-06-07 10:23:48.537 MaxDebug 4690:7f6fcc006980 all: am_web_is_access_allowed(): Processing url http://sp.example.net:9000/.
2016-06-07 10:23:48.537    Debug 4690:7f6fcc006980 all: is_url_not_enforced(): client_ip 127.0.0.1 not found in client ip not enforced list
2016-06-07 10:23:48.537 MaxDebug 4690:7f6fcc006980 AM_POLICY_SERVICE: am_policy_compare_urls: Comparison of "http://sp.example.net:9000/" and "http://sp.example.net:9000/dummypost*" returned AM_NO_MATCH (usePatterns=true)
2016-06-07 10:23:48.537    Debug 4690:7f6fcc006980 all: in_not_enforced_list: Enforcing access control for http://sp.example.net:9000/
2016-06-07 10:23:48.537 MaxDebug 4690:7f6fcc006980 all: is_url_not_enforced(): URL http://sp.example.net:9000/ is enforced.
2016-06-07 10:23:48.537    Debug 4690:7f6fcc006980 all: am_web_get_parameter_value(): Param Name = iPlanetDirectoryPro, & Param Value = NULL, status not found
2016-06-07 10:23:48.537    Debug 4690:7f6fcc006980 all: am_web_is_access_allowed()(http://sp.example.net:9000/,GET): no sso token, setting status to invalid session.
2016-06-07 10:23:48.537     Info 4690:7f6fcc006980 all: am_web_is_access_allowed()(http://sp.example.net:9000/, GET) returning status: invalid session.
2016-06-07 10:23:48.537     Info 4690:7f6fcc006980 all: process_request(): Access check for URL http://sp.example.net:9000/ returned invalid session.
2016-06-07 10:23:48.537    Debug 4690:7f6fcc006980 all: process_request(): AM_INVALID_SESSION, will redirect (post data: (null))
2016-06-07 10:23:48.537 MaxDebug 4690:7f6fcc006980 all: am_web_get_url_to_redirect: goto URL is http://sp.example.net:9000/
2016-06-07 10:23:48.537 MaxDebug 4690:7f6fcc006980 all: find_active_login_server(): conditional login url is not available
2016-06-07 10:23:48.537 MaxDebug 4690:7f6fcc006980 all: find_active_login_server(): trying server: http://openam.example.com:18080/openam/UI/Login
2016-06-07 10:23:48.537 MaxDebug 4690:7f6fcc006980 all: is_server_alive(): connection timeout set to 2
2016-06-07 10:23:48.537    Debug 4690:7f6fcc006980 all: is_server_alive(): returned success

_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam

Re: OpenAM web policy agent is redirecting URLs which are not specified

Jari Ahonen
Hi,

The policy agent by default denies all access and redirects to OpenAM server for authentication.

In order to allow access you either need to have the URL pattern in the exclusion list (which then requires no authentication at all and doesn't redirect the client to OpenAM server) or have a valid access policy for the URL pattern (which then requires authentication first). Note that if your OpenAM server and web agent are in different cookie domains you also need to set up cross domain SSO for any authenticated access to work.

> -try to add as not enforced URL sp.example.net:9000

What exactly do you have as the exclusion pattern? It needs to be a fully qualified URL pattern (with appropriate wildcards).

Note that the web server also needs to have appropriate configuration (virtual hosts etc.) for serving these URLs. A simple test is to completely remove the agent from the configuration and the web server should work without authentication.

- Jari
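
The pattern comparison recorded in the posted trace, worked through as an added example (not part of either post and not the agent's own code): the script rejoins the mail-wrapped log entries, extracts each not-enforced comparison, and tests candidate patterns against the request URL. The wildcard model in `pattern_to_regex` (`*` spanning path levels, `-*-` staying within one level, neither crossing `?`) is an assumption, and any candidate pattern passed to `matching_patterns` is hypothetical.

```python
import re

# Excerpt of the agent trace posted in this thread, kept with its mail
# line wrapping and trailing ^M markers.
TRACE = r'''2016-06-07 10:23:48.537 MaxDebug 4690:7f6fcc006980 all:
am_web_is_access_allowed(): Processing url http://sp.example.net:9000/.^M
2016-06-07 10:23:48.537 MaxDebug 4690:7f6fcc006980 AM_POLICY_SERVICE:
am_policy_compare_urls: Comparison of "http://sp.example.net:9000/" and
"http://sp.example.net:9000/dummypost*" returned AM_NO_MATCH
(usePatterns=true)^M
2016-06-07 10:23:48.537 MaxDebug 4690:7f6fcc006980 all:
is_url_not_enforced(): URL http://sp.example.net:9000/ is enforced.^M
'''

ENTRY_START = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}\s")
COMPARE = re.compile(r'Comparison of "([^"]+)" and "([^"]+)" returned (\w+)')
ENFORCED = re.compile(r"is_url_not_enforced\(\): URL (\S+) is enforced")


def entries(trace):
    """Rejoin wrapped lines into one string per log entry, dropping ^M."""
    out = []
    for line in trace.splitlines():
        line = line.replace("^M", "").strip()
        if not line:
            continue
        if ENTRY_START.match(line) or not out:
            out.append(line)
        else:
            out[-1] += " " + line
    return out


def analyse(trace):
    """Return (comparisons, enforced_urls) recorded in the trace."""
    comparisons, enforced = [], []
    for entry in entries(trace):
        comparisons += COMPARE.findall(entry)
        enforced += ENFORCED.findall(entry)
    return comparisons, enforced


def pattern_to_regex(pattern):
    """Assumed wildcard model, not the agent's code: '*' spans path levels,
    '-*-' stays inside one level, and neither crosses '?'."""
    parts = re.split(r"(-\*-|\*)", pattern)
    body = "".join("[^/?]*" if p == "-*-" else "[^?]*" if p == "*"
                   else re.escape(p) for p in parts)
    return re.compile("^" + body + "$")


def matching_patterns(url, patterns):
    """Patterns from the list that would leave this URL not enforced."""
    return [p for p in patterns if pattern_to_regex(p).match(url)]
```

`analyse(TRACE)` shows that the only exclusion pattern the agent compared was `http://sp.example.net:9000/dummypost*`, which cannot match the root URL. Under the assumed model a bare `sp.example.net:9000` matches nothing either, while a fully qualified candidate such as `http://sp.example.net:9000/*` matches every path on that virtual host and so removes authentication for all of it.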

Re: OpenAM web policy agent is redirecting URLs which are not specified

Bernhard Thalmayr
In reply to this post by Olivier Rivat
Another alternative (although not handled by the installer as it's not
aware of 'virtual host configuration') would be to load the agent module
(it's just like any other Apache http server module) in the virtual host
config section (https://httpd.apache.org/docs/current/mod/mod_so.html)

-Bernhard
