Web Policy Agent > no action decision found

This topic has 10 replies, 3 voices, and was last updated 5 years ago by chary1112004.

  • #12356
     soma
    Participant

    Hi,
    I am playing with Web Policy Agent.

    My environment:
    – Apache HTTP 2.4.23
    – Web Agent: Apache_v24_Linux_64bit_4.0.0.zip
    – OpenAM 13.0

    I followed the documentation and it seems that my environment works fine:

    error_log
    [Tue Aug 02 12:10:02.87751625 2016] [mpm event:notice] [pid 9153:tid 140470639613760] AH00489: Apache/2.4.23 (Unix) OpenAM Web Agent/4.0.0 configured -- resuming normal operations

    debug.log
    2016-08-02 12:26:15.378 +0200 INFO [0x7f10d82e3700:10228]

    ######################################################
    OpenAM Web Agent
    Version: 4.0.0
    Revision: 16207
    Build date: Nov 5 2015 10:19:59
    ######################################################

    But when I try to open a URL I get an HTTP 403 after the successful login via the OpenAM login page. If I turn the agent off in the VirtualHost configuration (AmAgent Off) then I can open the requested page. If “Invert Not Enforced URLs” is used then I have access to the page as well.

    I can see this in the log:
    WARNING […] am_get_session_policy_cacheentry(): failed to locate data for a key (….*….*)
    WARNING […] validate_policy(): decision: deny, reason: no action decision found

    Could you please tell me which settings are missing?

    Thx.

    #12359
     Rogerio Rondini
    Participant

    Hi,

    Please give us details on the configured Policies and Not Enforced URLs, and the resources you are trying to access as well.

    Abs.

    #12366
     soma
    Participant

    The Not Enforced URI list is empty. I use the default Web Agent settings; I have not changed anything.
    I use centralized configuration with a realm.

    My VirtualHost looks like this:

    <VirtualHost *:80>
    ServerName api.example.com
    ServerAlias api.example.com

    DocumentRoot "/home/…./servers/apache-http/www/api.example.com"

    # Web agent enabled; AmAgentConf points at the agent's bootstrap file
    AmAgent On
    AmAgentConf "/home/…./servers/apache-http/openam/agent/instances/agent_1/config/agent.conf"

    # Answer favicon requests with a plain 404 instead of sending them through the agent
    Redirect 404 /favicon.ico
    <Location /favicon.ico>
    ErrorDocument 404 "No favicon"
    </Location>

    <IfModule mod_headers.c>
    Header unset Server
    Header unset X-Powered-By
    Header set Access-Control-Allow-Origin "http://web.example.com:8080"
    Header set Access-Control-Allow-Credentials "true"
    Header set Access-Control-Allow-Methods "GET, POST, DELETE"
    </IfModule>

    Options -Indexes
    ProxyRequests Off
    ProxyPreserveHost Off

    ErrorLog "logs/api.example.com-error_log"
    CustomLog "logs/api.example.com-access_log" common

    # Backend application behind the agent-protected virtual host
    ProxyPass /myapp/api http://127.0.0.2:8082/myapp/api
    ProxyPassReverse /myapp/api http://127.0.0.2:8082/myapp/api
    </VirtualHost>

    #12368
     Rogerio Rondini
    Participant

    Ok,

    I can infer you are trying to access “http://api.example.com/myapp/api”. If so, you need to create a Policy in OpenAM granting GET/POST (GET at least) on that resource to particular users, groups or all authenticated users. By default, the Policy Agent denies access to all resources that have no policies applied to them.

    Abs.
    Rogerio

    #12480
     soma
    Participant

    Hi,

    Why do we need to declare the AmAgentConf property in the VirtualHost configuration if centralized configuration is used?

    Where exactly does the policy configuration come from in the case of centralized config? Can I remove the AmAgentConf property from the VirtualHost definition?

    #12484
     soma
    Participant

    Hi @rarondini

    I think the reason why I always get HTTP 403 is not a missing Policy.
    Anyway, as you suggested I created a Policy set with the following parameters:

    My Resource Type
    * pattern 1: http://*/*
    * pattern 2: http://api.example.com/*
    * actions (allowed): GET, POST, PUT, HEAD, DELETE, OPTIONS, CREATE, READ, UPDATE, PATCH, ACTION, QUERY

    My Policy Set
    * Resources: http://*:80/*, http://api.example.com:80/gombi/api/*
    * actions: GET, POST, PUT, HEAD, DELETE, OPTIONS, CREATE, READ, UPDATE, PATCH, ACTION, QUERY
    * Subject: Any of… > Authenticated Users | Users & Groups, user subject: demo

    I still get http 403.

    Could you please check my web policy agent log?
    The log is here.

    What is wrong with my configuration?

    #12486
     Rogerio Rondini
    Participant

    So..

    You don't need to create a custom Resource Type. The out-of-the-box “URL” Resource Type is sufficient for your scenario.
    Also, you need to create a policy that matches the following resource:
    http://api.example.com:80/api/configuration.

    Try to create your “My Policy Set” using the “URL” Resource Type. After that you can create the policy for the resource like “http://api.example.com:80/api/*”.

    #12487
     Rogerio Rondini
    Participant

    AmAgentConf will load the bootstrap file.

    #12823
     soma
    Participant

    @rarondini thanks for your reply.
    The solution was so tricky. I spent days figuring out why my policy set was not applied.

    I added a new Policy Set as you suggested but could not see any changes in the openam/openam/debug/Policy log file. That was so suspicious.

    I read the documentation again and again and finally I found this: “Policy Client Service Properties”. In this paragraph a property is mentioned: “Application”. I had to change the value of this property and after that OpenAM just started to use my policy set.

    The location of the “Application” property on the web console is Realms > [my realm name] > Agents > J2EE or Web > [my agent name] > OpenAM Services > Policy Client Service > Application.

    The issue is closed :)

    #12825
     Rogerio Rondini
    Participant

    ahaha… funny.. :-)

    Great job!!!

    #13493
     chary1112004
    Participant

    Another way I did that is:

    1) Log in to OpenAM as the admin user
    2) Choose the realm
    3) Choose the agent
    4) In the Global tab, tick the SSO Only Mode checkbox to enable it
    (com.sun.identity.agents.config.sso.only = true)

    It means the agent is used only for authentication, not authorization.

    Regards,
    Uyen
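
An added example, not code from this thread or from ForgeRock: a small Python model of why the agent answered 403 in this thread and of the two fixes discussed above, pointing the agent's “Application” property at the right policy set and enabling SSO Only Mode. It assumes the default application name iPlanetAMWebAgentService and a simplified form of OpenAM's URL wildcard matching ('*' spans anything, '-*-' anything except '/').

```python
# Added example, not from the thread or ForgeRock. Assumptions: the agent evaluates
# only the policy set named in its "Application" property (default assumed to be
# iPlanetAMWebAgentService); '*' and '-*-' are simplified OpenAM URL wildcards.
import re
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def normalize(url):
    """Make the port explicit, as OpenAM does for URL resources (http://x/ -> http://x:80/)."""
    p = urlsplit(url)
    port = p.port or DEFAULT_PORTS.get(p.scheme, "")
    return urlunsplit((p.scheme, f"{p.hostname}:{port}", p.path or "/", p.query, ""))

def pattern_to_regex(pattern):
    """'*' matches any characters, '-*-' any characters except '/'."""
    out = ""
    for tok in re.split(r"(-\*-|\*)", normalize(pattern)):
        out += ".*" if tok == "*" else "[^/]*" if tok == "-*-" else re.escape(tok)
    return re.compile("^" + out + "$")

# Constructed policy sets: "My Policy Set" uses the resources and subject from the
# thread; the default set is empty, which is the situation the thread ran into.
POLICY_SETS = {
    "iPlanetAMWebAgentService": [],
    "My Policy Set": [{
        "resources": ["http://*:80/*", "http://api.example.com:80/gombi/api/*"],
        "actions": {"GET", "POST", "PUT", "HEAD", "DELETE", "OPTIONS"},
        "subjects": {"demo"}, "authenticated_users": True,
    }],
}

def evaluate(agent, user, method, url):
    """Return (decision, reason) in the spirit of the agent's validate_policy() log line."""
    if agent.get("sso_only"):  # com.sun.identity.agents.config.sso.only = true
        return ("allow", "sso only mode, authorization skipped")
    target = normalize(url)
    for policy in POLICY_SETS.get(agent["application"], []):
        if user not in policy["subjects"] and not policy.get("authenticated_users"):
            continue
        if any(pattern_to_regex(r).match(target) for r in policy["resources"]):
            if method in policy["actions"]:
                return ("allow", f"{method} permitted by policy in {agent['application']}")
            return ("deny", f"{method} not in the policy's allowed actions")
    return ("deny", "no action decision found")

if __name__ == "__main__":
    for app in ("iPlanetAMWebAgentService", "My Policy Set"):
        print(app, "->", evaluate({"application": app}, "demo", "GET", "http://api.example.com/myapp/api"))
```

Running it prints the deny/no-action-decision result for the default application name and the allow result once the agent is pointed at "My Policy Set".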
