OpenAM with http Apache server - 403 Error

Tagged: #OpenAM, 403, agent, apache, forbidden

This topic has 6 replies, 4 voices, and was last updated 5 years, 7 months ago by Rogerio Rondini.

Author

Posts
September 27, 2016 at 3:47 pm #13307
f.strada
Participant
Hi,
I’ve hard problem about OpenAM. I configured OpenAM with Http Apache Server, using Policy Agent for Apache 2.4. I followed the guide “https://forgerock.org/openam/doc/bootstrap/quick-start-guide/index.html#install-apache-http”.
Unfortunately, if I call “url of apache resource” with special character, I’ve got this error:
“Forbidden – you don’t have permission to access …. on this server”.

For example:
OpenAM URL: http://openam.example.com:8080/openam
Url Apache: http://www.example.com:8085/

if I call http://www.example.com:8085/page1.html there’s no error
if I call http://www.example.com:8085/page1.html?h=223 there’s 403 http error

I don’t find the solution. Help me!!!
- This topic was modified 5 years, 8 months ago by f.strada.
September 27, 2016 at 4:59 pm #13309

Henrique Droog
Participant

Hi @f-strada,

I guess you need to use wildcard like /*? and /*?*, I tried to find an example in the documentation but I didn’t. You can try to find here Agent DOC

Sorry for my english.

Regards.

September 28, 2016 at 10:39 am #13349

f.strada
Participant

Unfortunately, I don’t find the solution. I tried to disabled “FQDN check” on OpenAM Web Agent, but I ‘ve got same error. Is It possible that OpenAM does accept special character such as “?” or query String? Most of the web url contain query string with special character (?,% ecc….)…

September 28, 2016 at 11:33 am #13350

[email protected]
Participant

if you are using virtual host, then add below code to httpd-vhosts.conf (<apachehome>/conf\extra)

<directory “E:/Documenten/Dropbox/Dropbox/dummy-htdocs”>
Allow from all
</directory>

Example:

<VirtualHost *:80>
DocumentRoot “C:/webserver/sites/site2”
ServerName http://example.com
# Set access permission
<Directory “C:/webserver/sites/site2”>
Options Indexes FollowSymLinks
AllowOverride None
Allow from All
Require all granted
</Directory>

</VirtualHost>

September 28, 2016 at 11:46 am #13352

f.strada
Participant

Eureka!!!! I solved the problem!!!! It’s very simple:
1) TOP LEVEL REALM -> Authorization -> Policy Sets
2) Select “your policy agent” (If it doesn’t exists, select “new policy Set”)
3) Select Add Resources
4) Select as resource pattern *://*.*/*?* and valorize : http://www.example.com:8080/*?*
5) Select as resource pattern *://*.*/* and valorize : http://www.example.com:8080/*

It works!!!!

September 29, 2016 at 11:27 am #13376
f.strada
Participant
I’ve got other problem on this integration: if there’s a wildcard “*” into query string, I’ve got 403 forbidden. For example:

http://www.example.com:8085/page1.html?h=223*&yyy=343efwfwe

The result of call is: 403 Forbidden.
In this case, It’s not possibile to resolve this problem using Policy Set. How can I resolve it?
- This reply was modified 5 years, 7 months ago by f.strada.
September 30, 2016 at 1:20 am #13409
Rogerio Rondini
Participant
In the previous post you was talking about “www.example.com:8080” … now you are talking about “www.example.com:8085”. Is that just a typo in the post related to port 8080 and 8085, or is really missing policy for port 8085?
- This reply was modified 5 years, 7 months ago by Rogerio Rondini.
Author

Posts