Setting up public area of a website


Setting up public area of a website

Alberto Treviño
Pardon the newbie question.

I have a site and I wish to protect part of it with OpenAM. Here is a
simplification of the directory structure:

  http://mysite.example.com/
  http://mysite.example.com/images
  http://mysite.example.com/styles
  http://mysite.example.com/scripts
  http://mysite.example.com/public

  http://mysite.example.com/members
  http://mysite.example.com/admin

I want everything in the site to be available to visitors (non-members, non-
authenticated users) with the exception of any URLs in the /members and /admin
directories.

I set up my agent and a basic policy for http://mysite.example.com/* with the
NOT(Never Match) subject condition. Everything appears to work with one
exception: OpenAM still requires a username and password to access any part of
the site. If I remove the policy I get HTTP 403.

How would I go about setting up my policies to allow public and authenticated
access to most of the site and only require authentication for the /members
and /admin portion of the site?

--
Alberto Treviño
_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam

Re: Setting up public area of a website

Bernhard Thalmayr
You may try to add

http://mysite.example.com/members
http://mysite.example.com/admin

to the 'not-enforced-list' and then use the option 'invert not enforced list
urls'

https://backstage.forgerock.com/#!/docs/openam/12.0.0/admin-guide/chap-agents#configure-web-pa-application-props

-Bernhard

--
Painstaking Minds
IT-Consulting Bernhard Thalmayr
Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
Tel: +49 (0)8062 7769174
Mobile: +49 (0)176 55060699

[hidden email] - Solution Architect
http://www.xing.com/profile/Bernhard_Thalmayr
http://de.linkedin.com/in/bernhardthalmayr

This e-mail may contain confidential and/or privileged information. If
you are not the intended recipient (or have received this email in
error) please notify the sender immediately and delete this e-mail. Any
unauthorized copying, disclosure or distribution of the material in this
e-mail is strictly forbidden.

Re: Setting up public area of a website

Mark Boyd, Software Architect
So is there no way to allow anonymous unauthenticated access via a policy? Is the not-enforced-url list the only way to selectively allow anonymous access?

Mark





Re: Setting up public area of a website

Bernhard Thalmayr
The first thing the agent does is to check for a valid SSO tracking
cookie in the request. If none is there it has to redirect for
authentication, otherwise it has no clue who tries to access a resource.

The agent asks for a policy decision for a specific user.

So the not-enforced-url list is the only way.

-Bernhard


Re: Setting up public area of a website

Alberto Treviño
In reply to this post by Bernhard Thalmayr
So let me see if I understand how this works. OpenAM by default protects all
URLs (a DENY by default approach). To make the site public we use the "invert
not enforced list urls" option, effectively turning it into an ALLOW by default
approach.

With ALLOW by default, we then specify URL patterns that need to be
protected in the Not Enforced List (effectively now an Enforced List). At that
point I can set up policies for those URLs as needed.

This is not very intuitive and I can think of scenarios where this won't work.

Just out of curiosity, is there a way to add a custom condition that would
allow the SSO tracking cookie to be created but not ask for authentication? (I
guess that would be some sort of anonymous session.)


--
Alberto Treviño
WAM Team, ICS
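The DENY-by-default versus ALLOW-by-default switch described in the post above, as an added example that is not code from the thread or from ForgeRock: a small Python model of how a web policy agent applies its not-enforced list with and without inversion. The property names follow the OpenAM web agent configuration the thread links to (check them against your agent version); the properties fragment, the request URLs and the hypothetical /reports area are constructed for the example, and '*' is modelled as matching any run of characters, including '/'.

```python
"""Model of the OpenAM web agent not-enforced list, with and without inversion.

Added example, not code from the mailing-list thread or from ForgeRock.
The .properties fragment and the sample requests are constructed; the
site layout follows the directory listing in the original question.
"""
import re

# Constructed agent-configuration fragment in the agent's .properties style.
# Property names follow the OpenAM web agent configuration (assumption:
# verify against the agent version you run).
AGENT_PROPERTIES = """
# Areas that need an SSO session; everything else is public once inverted.
com.sun.identity.agents.config.notenforced.url[0]=http://mysite.example.com/members*
com.sun.identity.agents.config.notenforced.url[1]=http://mysite.example.com/admin*
com.sun.identity.agents.config.notenforced.url.invert=true
"""

NOT_ENFORCED_KEY = "com.sun.identity.agents.config.notenforced.url"


def parse_properties(text):
    """Parse key=value lines into a dict; blank lines and # comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def not_enforced_patterns(props):
    """Collect the indexed notenforced.url[n] entries in index order."""
    indexed = []
    for key, value in props.items():
        m = re.fullmatch(re.escape(NOT_ENFORCED_KEY) + r"\[(\d+)\]", key)
        if m:
            indexed.append((int(m.group(1)), value))
    return [value for _, value in sorted(indexed)]


def pattern_matches(pattern, url):
    """Test a URL against an agent-style pattern.

    Simplification used by this model: '*' matches any run of characters,
    including '/'. Everything else must match literally.
    """
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, url) is not None


def is_enforced(url, patterns, invert):
    """Return True when the agent must require an SSO session for this URL.

    Default mode: listed URLs are public, everything else is enforced
    (DENY by default). Inverted mode: only listed URLs are enforced,
    everything else is public (ALLOW by default).
    """
    listed = any(pattern_matches(p, url) for p in patterns)
    return listed if invert else not listed


def evaluate_site(properties_text, urls):
    """Map each URL to the enforcement decision the configured agent would take."""
    props = parse_properties(properties_text)
    patterns = not_enforced_patterns(props)
    invert = props.get(NOT_ENFORCED_KEY + ".invert", "false").lower() == "true"
    return {url: is_enforced(url, patterns, invert) for url in urls}


# Constructed requests based on the directory layout in the thread, plus a
# hypothetical /reports area that was never added to the list and a
# /membership.html page that the /members* wildcard also happens to cover.
SAMPLE_URLS = [
    "http://mysite.example.com/",
    "http://mysite.example.com/images/logo.png",
    "http://mysite.example.com/public/index.html",
    "http://mysite.example.com/members",
    "http://mysite.example.com/members/profile",
    "http://mysite.example.com/membership.html",
    "http://mysite.example.com/admin/users",
    "http://mysite.example.com/reports/q1.pdf",
]

if __name__ == "__main__":
    for url, enforced in evaluate_site(AGENT_PROPERTIES, SAMPLE_URLS).items():
        print(f"{'ENFORCED' if enforced else 'public  '}  {url}")
```

With invert=true the unlisted /reports area is served to anonymous visitors: the inverted list fails open for any new directory, so additions to the site need a matching entry before they go live. The /members* wildcard also catches /membership.html, which in inverted mode errs on the safe side (over-enforcing), but is worth knowing when a public page shares a prefix with a protected one.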


Re: Setting up public area of a website

Bernhard Thalmayr
You could leverage the anonymous authentication module
https://backstage.forgerock.com/#!/docs/openam/12.0.0/admin-guide/chap-auth-services#anon-module-conf-hints

and then use policy conditions for the URLs to be protected.

However, this would generate a lot of SSO sessions...

A custom policy condition does not help, as the policy decision is not
requested by the agent without seeing an SSO tracking cookie.

-Bernhard



Re: Setting up public area of a website

Alberto Treviño
On Monday, February 1, 2016 4:44:12 PM MST Bernhard Thalmayr wrote:
> You could leverage anonymous authentication module and then use policy
> conditions for the URLs to be protected.
>
> However this would generate a lot of SSO sessions...

I was able to test this in my local environment and it seems to work. The only
thing to be careful of is setting all your sites in one realm and keeping
OpenAM in its own realm to keep the authentication rules separate.


Re: Setting up public area of a website

Bernhard Thalmayr
On 01/02/16 at 16:54 Alberto Treviño wrote:
> On Monday, February 1, 2016 4:44:12 PM MST Bernhard Thalmayr wrote:
>> You could leverage anonymous authentication module and then use policy
>> conditions for the URLs to be protected.
>>
>> However this would generate a lot of SSO sessions...
>
> I was able to test this in my local environment and it seems to work. The only
> thing to be careful of is setting all your sites in one realm and keeping
> OpenAM in its own realm to keep the authentication rules separate.

I actually don't understand why this should be needed.

-Bernhard


Re: Setting up public area of a website

Alberto Treviño
On Monday, February 1, 2016 5:27:40 PM MST Bernhard Thalmayr wrote:
> > I was able to test this in my local environment and it seems to work. The
> > only thing to be careful of is setting all your sites in one realm and
> > keeping OpenAM in its own realm to keep the authentication rules
> > separate.

> I actually don't understand why this should be needed.

In order for the Anonymous module to work, it must be in the default chain. So
if everything is in the same realm, when you land in .../opensso/ OpenAM will
send you to the login page, the Anonymous module logs you in as an anonymous
user and sends you right to the user information page without prompting for
a username and password.

By setting up two realms, one for OpenAM (root realm) and another for your
sites, you can keep the standard ldapService chain for OpenAM, and use your
new chain with the Anonymous module to create the anonymous sessions.


Re: Setting up public area of a website

Bernhard Thalmayr
On 01/02/16 at 21:11 Alberto Treviño wrote:

> On Monday, February 1, 2016 5:27:40 PM MST Bernhard Thalmayr wrote:
>>> I was able to test this in my local environment and it seems to work. The
>>> only thing to be careful of is setting all your sites in one realm and
>>> keeping OpenAM in its own realm to keep the authentication rules
>>> separate.
>
>> I actually don't understand why this should be needed.
>
> In order for the Anonymous module to work, it must be in the default chain. So
> if everything is in the same realm, when you land in .../opensso/ OpenAM will
> send you to the login page, the Anonymous module logs you in as an anonymous
> user and sending you right to the user information page without prompting for
> a username and password.
>
> By setting up two realms, one for OpenAM (root realm) and another for your
> sites, you can keep the standard ldapService chain for OpenAM, and use your
> new chain with the Anonymous module to create the anonymous sessions.
>

the org-auth chain is only used when you use 'realm-based
authentication'. You are free to use every configured chain.

Admins use 'OPENAM_DEPLOYMENT_URI/console' and then the
'admin-auth-chain' is used.

-Bernhard

