This topic has 4 replies, 4 voices, and was last updated 4 years, 2 months ago by rmohammad.

  • Author
  • #4715


    I have everything set up following the openAM documentations but when I log in and try to open a protected url I get a 403 Forbidden error.

    My environments:
    – OpenAM 12.0: apache-tomcat-8.0.23 (
    – Java App server with J2EE Agent v3.5: jboss-as-7.1.1.Final (

    OpenAM settings:
    – Configuration > System > Platform > Cookie Domains > “”

    J2EE Agent Settings:
    – Real Name: / (default)
    – centralized
    – Agent Filter Mode: ALL
    – Not Enforced URI Processing: /rest-api/api/pubilc/*
    – Cross Domain SSO: enabled

    I have a simple web application (restful api) deployed on the Jboss App Server. It has two root urls:
    – /rest-api/api/pubilc/*
    – /rest-api/api/private/*

    When i open an private url (ex.: then OpenAM shows the login window. After the successful login I get a http 403 error.

    If I enable the “Not Enforced URI Processing > Invert Not Enforced URIs under the J2EE agent settings then I am able to open the requested url.

    According to the J2EE policy agent log the access is denied by agent:
    “Access to denied for user id=demo,ou=user,dc=openam,dc=forgerock,dc=org” f6c66438de48d6ca01 id=demo,ou=user,dc=openam,dc=forgerock,dc=org null INFO dc=openam,dc=forgerock,dc=org “Not Available” id=j2ee-agent,ou=agent,dc=openam,dc=forgerock,dc=org “Not Available” amAgent_arnold_mylinux_com_8080.log

    Could you pleas help me?

    • This topic was modified 7 years, 2 months ago by soma.
     Scott Heger

    Sounds like you don’t have a policy in place to allow access to your resource. By default the OpenAM agents enforce both Authentication and Authorization. You can enable SSO_ONLY mode in your agent profile if you only wish to have it enforce Authentication. See for more details.


    Hi Scott,

    Thank you a lot.
    It works fine after SSO_ONLY was set and the OpenAM server was restarted.

    According to the documentation this property is “Hot swap: no”, so if i am right I need to restart OpenAM server after the modification.


    You should only need to restart the agent for this change to be picked up; the agent profile is retrieved when the agent starts.

    On a related note, we are currently working on making all of the server properties hot-swappable to eliminate restarts.



    This reply has been reported for inappropriate content.

    Hi Jonathan,

    For me after login to OpenAM as end user, actually should take me to profile page but it gives me Forgibben after successful authentication.

    Your help would be really appreciated.


Viewing 5 posts - 1 through 5 (of 5 total)

You must be logged in to reply to this topic.

©2022 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.

Log in with your credentials

Forgot your details?