This topic has 18 replies, 5 voices, and was last updated 5 years, 1 month ago by skiller.
xualu (Participant), November 23, 2015 at 6:30 am #6362
I’ve tried the OpenAM “Get started” section to protect an Apache httpd server using the web agent and OpenAM as an authentication server. It works fine now, but I have a more specific requirement: I need just part of the URL patterns to be protected. For example, I have URL patterns like http://apachehttpd.example.com:8080/pages/* and http://apachehttpd.example.com:8080/api/*. I only want the first pattern to be protected by the OAM web agent, and leave the second one unprotected, which means users can directly access those URLs without authentication. Could anyone tell me how to configure the OpenAM web agent and policies to do this?
xualu (Participant), November 23, 2015 at 8:20 am #6363
I found one place that may help to do this: Access Control -> Realm -> Agents -> myAgent -> Application -> Not Enforced Url Processing. Is it the right way to filter URLs from the web agent? Can it be configured at the policy level? Like /url_pattern1 for any users, /url_pattern2 for authenticated users.
Rogerio Rondini (Participant), November 23, 2015 at 10:30 pm #6371
Hi Xualu,
AFAIK, no. The right way is to configure Not Enforced Url processing.
At.
Rogério.
xualu (Participant), November 24, 2015 at 3:16 am #6373
Thank you Rogerio
bilalusean (Participant), December 19, 2016 at 8:39 am #14879
Hi @rarondini
I need to only protect http://dev.gworks.mobi/customer/*.
I have tried two ways:
1. I could follow Not Enforced Url processing, but it does not make anything.
Easy for your reference -> https://postimg.org/image/iz638mseh/
2. REALM -> Authorization -> Policy Sets -> iPlanetWebAgentService -> my policy -> Resource -> http://dev.gworks.mobi:80/customer/*
Easy for your reference -> https://postimg.org/image/a0nu0zq25/
My web agent configuration:
Apache config path : /opt/apache/conf/httpd.conf
Server URL : http://frock.gworks.mobi:8080/openam
Agent URL : http://dev.gworks.mobi:80
It always blocks everything on http://dev.gworks.mobi/*
Can anyone spot what I did wrong here?
Rogerio Rondini (Participant), December 19, 2016 at 1:40 pm #14894
So…
Not Enforced URI will not work in your use case. You need to leave it blank.
The policy configuration looks OK. But it will depend on what you have configured in Action and Subject. I believe you should enable the debug log on the Agent side and check that.
At.
Rogerio Rondini
bilalusean (Participant), December 19, 2016 at 2:55 pm #14899
Easy for your reference for the Action and Subjects of the policy set:
https://postimg.org/image/vechla7wr/
https://postimg.org/image/avhlg7tzf/
In the debug log no information was there:
tail -f /opt/web_agents/apache24_agent/instances/agent_1/logs/debug/debug.log
I could change the level in http://frock.gworks.mobi:8080/openam/Debug.jsp, but no logs get printed.
It may be a simple fix but I can’t get any clue.
Note: Even if I set http://www.google.com:80/* in the policy, it only blocks http://dev.gworks.mobi:80/*. It means the policy doesn’t work.
Rogerio Rondini (Participant), December 19, 2016 at 3:05 pm #14901
So..
To enable the policy agent debug log you need to edit the Agent Profile.
Did you try to restart the Apache servers?
bilalusean (Participant), December 19, 2016 at 3:41 pm #14902
This is the exact issue I am facing right now: https://forgerock.org/topic/agent-force-authentication-for-non-protected-resources/.
I also protect my web application through a reverse proxy, but I have not enabled SSO-only mode in my agent, so that solution does not work for me. (Easy for reference: https://postimg.org/image/somq0syld/)
Debug log trace:
method: GET original url: http://dev.gworks.mobi/ proto: http host: dev.gworks.mobi port: 80 path: / query: complete: http://dev.gworks.mobi:80/ overridden: http://dev.gworks.mobi:80/ pathinfo: (empty) normalized (pathinfo removed): (empty) overridden (pathinfo removed): (empty)
This is the only line related to the policy in the debug log:
2016-12-19 14:18:36.858 +0000 DEBUG [0x7efcf87f8700:8818][source/process.c:890] validate_policy(): for http://dev.gworks.mobi:80/ (ignoring pathinfo: no), entry status: not found
I followed the same steps to configure the policy as per the official OpenAM Getting Started guide:
https://backstage.forgerock.com/docs/openam/13/getting-started#create-web-policy-agent-profile
Rogerio Rondini (Participant), December 19, 2016 at 4:36 pm #14905
So…
What is the exact URL you are trying to access?
By the log you are requesting “http://dev.gworks.mobi:80/” and the policy states “http://dev.gworks.mobi:80/customer/*”.
bilalusean (Participant), December 20, 2016 at 5:48 am #14915
Thanks for the patience! @rarondini
My understanding: we need to set the server and agent root URLs while creating the agent instance [./agentadmin --i]. The policy set is the decision-making area to protect URLs as per the URL pattern.
./agentadmin --i
root server url : http://frock.gworks.mobi:8080/openam
root agent url : http://dev.gworks.mobi:80
policy set url pattern to protect particular url: http://dev.gworks.mobi:80/customer/*
Here I don’t understand why the debug log points to http://dev.gworks.mobi:80 as a protected resource. It does not take my policy set. It does not make sense to me; how does it work?
Rogerio Rondini (Participant), December 20, 2016 at 10:30 am #14924
Hi,
Ok.. my question was what URL you are trying to access?
The URL in the debug log is not the policy but probably what you are trying to access.
Let me explain the behavior. Suppose that you have 2 resources, “http://dev.gworks.mobi:80/sample.html” and “http://dev.gworks.mobi:80/customer/form.html”. Your URL pattern “http://dev.gworks.mobi:80/customer/*” only takes effect on the “form.html” resource. As there is no policy for the “sample.html” resource, it is blocked by default.
That is the reason I’m asking you what is the resource (URL) you are trying to access.
At.
Rogerio.
bilalusean (Participant), December 20, 2016 at 11:59 am #14930
I am trying to access the home page of my application, http://dev.gworks.mobi. It is actually an e-commerce site, so visitors also view that page without login.
Customer-related details are all available in http://dev.gworks.mobi/customer
Your explanation gives better clarity. By the way, do you mean I need to create two policies, one for dev.gworks.mobi/* (unblock) and another for dev.gworks.mobi/customer/* (block)?
I have tried all the logical conditions in policy subjects but no logical condition is equal to
url pattern -> All of -> no need authentication (unblock)
Rogerio Rondini (Participant), December 20, 2016 at 4:46 pm #14977
Ok, got it.
So… try this…
Configure Not Enforced URIs in the Agent Profile as:
http://dev.gworks.mobi
http://dev.gworks.mobi/
http://dev.gworks.mobi/-*-
The above configuration should not enforce authentication and authorization on all e-commerce public resources.
Configure Policy URL Patterns to protect customer resources as:
http://dev.gworks.mobi/customer
http://dev.gworks.mobi/customer/*
http://dev.gworks.mobi/customer/*?*
The above policy configuration should enforce authentication for the users, and if you set Subject as “Authenticated Users” all authenticated users should be granted access to that.
At,
Rogerio Rondini
bilalusean (Participant), December 21, 2016 at 7:04 am #14989
@rarondini wow it works! million treat thanks :-)