While OpenIG Intg. Open AM is not able to pass user session detail to http serv

This topic has 9 replies, 3 voices, and was last updated 6 years, 4 months ago by raghukanakala.

  • #8745
     raghukanakala
    Participant

    We are using the full stack of ForgeRock tools (OpenDJ, OpenAM, OpenIDM and OpenIG). Our application is running on IBM HTTP Server and IBM WebSphere server. I have already integrated OpenDJ and OpenAM with our application. It is working as expected for authentication and authorization.

    Now I am trying to integrate the reverse proxy functionality of OpenIG. I followed what Rejesh shared in the video https://forgerock.org/2015/08/forgerock-openig-getting-credentials-from-forgerock-openam/ and also followed the steps mentioned at https://backstage.forgerock.com/#!/docs/openig/3.1.0/gateway-guide/chap-password-capture-replay-tutorial#capture-replay-try-it-out.

    When I try to access http://openam.test.com:7080/replay, it redirects to OpenAM (http://openam.test.com:8085/openam) for authentication; after that it shows one more dialogue box from Windows, shown below:

    The server openam.text.com is asking for your user name and password. The server reports that it is from Default Realm.

    Warning: your user name and password will be sent using basic authentication on a connection that isn’t secure

    It looks like the OpenAM and OpenIG credentials are not handshaking well. Is there any configuration I am missing in the J2EE agent and also the web agent? Below is the logger output from OpenIG:

    ------------------------------
    FRI MAR 18 19:06:55 IST 2016 (INFO) @Capture[{Router}/handler]
    
    <--- (response) exchange:5180099 ---
    
    HTTP/1.1 401 Unauthorized
    Server: IBM_HTTP_Server
    WWW-Authenticate: Basic realm="Default Realm"
    Content-Length: 0
    Date: Fri, 18 Mar 2016 13:36:55 GMT
    Content-Language: en-US
    X-Powered-By: Servlet/3.0
    
    ------------------------------
    

    The following are details:
    OpenAM 12.0.0 deployed in tomcat and running on 8085 port
    OpenIG 3.1.0 deployed in tomcat and running on 7080 port
    J2ee Agent : Tomcat-v6-Agent_3.5.0
    OpenDJ : 2.6.0
    IBM HTTP server : V8.0 :8083 port
    WebAgent :apache22_agent
    IBM WebSphere : 8.0.5 : Security enabled and integrated with OpenDJ
    OpenAM and OpenIG running on different Tomcat servers .

    Other Configuration details :
    1. config.json :

    {
        "handler": {
            "type": "Router",
            "audit": "global",
            "capture": "all"
        },
        "heap": [
            {
                "name": "LogSink",
                "type": "ConsoleLogSink",
                "config": {
                    "level": "DEBUG"
                }
            },
            {
                "name": "JwtSession",
                "type": "JwtSession"
            },
            {
                "name": "ClientHandler",
                "type": "ClientHandler"
            },
            {
                "name": "capture",
                "type": "CaptureDecorator",
                "config": {
                    "captureEntity": true,
                    "_captureExchange": true
                }
            }
        ],
        "baseURI": "http://openam.test.com:8083/policyadmin/index.seam"
    }

    2. Common 99-default.json:

    {
    	"handler": "ClientHandler"
    }

    3. replay.json

    {
        "handler": {
            "type": "Chain",
            "config": {
                "filters": [
                    {
                        "type": "CryptoHeaderFilter",
                        "config": {
                            "messageType": "REQUEST",
                            "operation": "DECRYPT",
                            "algorithm": "DES/ECB/NoPadding",
                            "key": "0JKAki/7hnw=",
                            "keyType": "DES",
                            "charSet": "utf-8",
                            "headers": [
                                "password"
                            ]
                        }
                    },
                    {
                        "type": "StaticRequestFilter",
                        "config": {
                            "method": "POST",
                            "uri": "http://openam.test.com:8083/test/index.seam",
                            "form": {
                                "username": [
                                    "${exchange.request.headers['username'][0]}"
                                ],
                                "password": [
                                    "${exchange.request.headers['password'][0]}"
                                ]
                            }
                        }
                    },
                    {
                        "type": "HeaderFilter",
                        "config": {
                            "messageType": "REQUEST",
                            "remove": [
                                "password",
                                "username"
                            ]
                        }
                    }
                ],
                "handler": "ClientHandler"
            }
        },
        "condition": "${matches(exchange.request.uri.path, '^/replay')}"
    }
    

    Please help with this issue. Thank you in advance for your help.
    If you need any more information, let me know and I will provide it.

    #8775

    With OpenAM 12, there is a known issue when using XUI (the new UI style).

    Please try to deactivate XUI in your OpenAM settings.

    Configuration > Authentication > Core > Global Attributes > XUI interface and uncheck the box

    #8784
     raghukanakala
    Participant

    Still the same issue. I am getting the dialogue box below.

    The server openam.text.com is asking for your user name and password. The server reports that it is from Default Realm.
    Warning: your user name and password will be sent using basic authentication on a connection that isn’t secure

    #8803
     raghukanakala
    Participant

    I installed the web agent, and that issue is resolved now. The only thing is that instead of the OpenIG URL (http://openam.test.com:7080/replay), it is redirecting to the HTTP server URL (http://openam.test.com:8083/test/index.seam). Am I missing any reverse proxy configuration?

    Am I missing any URL masking in the OpenIG configuration? Could you please guide me on this?

    #8812
     Peter Major
    Moderator

    I think the problem is more related to how your password is being requested. The message you are getting on the dialog suggests that the site is actually protected by HTTP Basic auth. In that scenario trying to auto-submit an HTML form won’t help much.
    To imitate providing the password, you just need to construct a request header in the right format:
    https://en.wikipedia.org/wiki/Basic_access_authentication#Client_side

    I don’t have the details on how to achieve that though.
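The header Peter describes is easy to build, but the warning in the original dialogue ("sent using basic authentication on a connection that isn’t secure") is the part a gateway must take seriously. The following is an added example, not code from the thread or from OpenIG: it constructs and parses an RFC 7617 Basic credential, recognises the `WWW-Authenticate: Basic realm="Default Realm"` challenge captured in the first post, and refuses to attach credentials to a plain-HTTP upstream URL unless explicitly allowed. The function names and the `allow_plaintext` switch are this example's own.

```python
"""HTTP Basic Authentication (RFC 7617): build, parse, and answer a challenge.

Added example for this thread; it is not OpenIG code and does not model the
OpenIG filter API. The only assumption is that the gateway knows the upstream
URL it is about to call and the WWW-Authenticate value it received.
"""
import base64
import re
from urllib.parse import urlsplit


def build_basic_authorization(username: str, password: str, encoding: str = "utf-8") -> str:
    """Return the value for an Authorization header: 'Basic ' + base64(user:password)."""
    # RFC 7617 forbids ':' in the user-id; otherwise the pair cannot be split unambiguously.
    if ":" in username:
        raise ValueError("username must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode(encoding)).decode("ascii")
    return f"Basic {token}"


def parse_basic_authorization(header_value: str, encoding: str = "utf-8"):
    """Inverse of build_basic_authorization; raises ValueError on anything malformed."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic credential")
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode(encoding)
    except (ValueError, UnicodeDecodeError) as exc:  # binascii.Error is a ValueError
        raise ValueError("malformed Basic credential") from exc
    user, sep, pwd = raw.partition(":")  # the password itself may contain ':'
    if not sep:
        raise ValueError("credential lacks ':' separator")
    return user, pwd


def basic_realm_from_challenge(www_authenticate: str):
    """Return the realm of a Basic challenge, or None if the scheme is not Basic."""
    m = re.match(r'\s*Basic\s+(?:.*?,\s*)?realm\s*=\s*"([^"]*)"', www_authenticate, re.IGNORECASE)
    return m.group(1) if m else None


# Constructed sample: the challenge seen in the 401 captured by OpenIG in the thread.
CHALLENGE = 'Basic realm="Default Realm"'


def answer_challenge(upstream_url: str, www_authenticate: str, username: str,
                     password: str, allow_plaintext: bool = False) -> dict:
    """Headers to add to the replayed request, or {} if the backend did not ask for Basic.

    Basic credentials are only base64-encoded, not encrypted, so by default this
    refuses to put them on a non-TLS connection (the very thing the browser warned about).
    """
    if basic_realm_from_challenge(www_authenticate) is None:
        return {}
    if urlsplit(upstream_url).scheme.lower() != "https" and not allow_plaintext:
        raise RuntimeError("refusing to send Basic credentials over a non-TLS connection")
    return {"Authorization": build_basic_authorization(username, password)}


if __name__ == "__main__":
    print(build_basic_authorization("Aladdin", "open sesame"))
    print(parse_basic_authorization("Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="))
    print(answer_challenge("https://openam.test.com:8083/test/index.seam", CHALLENGE, "alice", "s3cret"))
```

In the capture-and-replay setup from the first post, the decrypted `username` and `password` headers would feed `answer_challenge` instead of the `StaticRequestFilter` form, and the resulting `Authorization` header is what the IBM HTTP Server realm is actually waiting for.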

    #8815

    Your configuration rebases all incoming URLs to http://openam.test.com:8083.

    "baseURI": "http://openam.test.com:8083/policyadmin/index.seam"

    Note that the path part of the URL is ignored in the rebase process.

    Another thing: when calling the /replay route, all your forwarded messages go to http://openam.test.com:8083/test/index.seam, and you don’t update the response content.
    So if the response from the seam page includes a redirect, your browser will follow it blindly.

    #8832
     raghukanakala
    Participant

    Thank you for the quick response. As you suggested, I modified the baseURI. Still, it is redirecting to the HTTP server URL (http://openam.test.com:8083/test/index.seam) instead of the OpenIG URL (http://openam.test.com:7080/replay).

    My suspicion: it is due to the web agent; it is redirecting to the application URL. Is there any configuration that needs to be set in the web agent?

    #8878
     raghukanakala
    Participant

    Any clue on URL rewriting?

    #8891

    A ScriptableFilter executing the following code should be OK from a functional point of view:

    // Let the rest of the chain produce the response, then post-process it.
    // The promise is the script's last expression, so it is what the filter returns.
    next.handle(context, request)
        .thenOnResult { response ->
            // Replace the internal host in the body so links point back at the gateway.
            response.entity.string = response.entity.string.replace('http://your.internal.url', 'http://your.exposed.url')
        }
    

    You’ll probably have to adapt that to only execute for textual content types (JSON, HTML, …), leaving other responses unchanged.

    Hope that helps.
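Two things from the replies above are worth seeing together: a `Location` header pointing at the internal host is what makes the browser leave the gateway, and the body rewrite should only touch textual, uncompressed content. The following is an added example in plain Python, not code from the thread and not OpenIG's own API; it models a reverse-proxy response post-processor with those two rules. The host names are the ones from the thread, the sample responses are constructed here, and the `Response` class and function names are this example's own.

```python
"""Post-processing a backend response inside a reverse proxy.

Added example for this thread; it is not OpenIG code. It rewrites a redirect
Location that still names the internal host, and rewrites absolute links in
the body only when the content is textual and not content-encoded, keeping
Content-Length consistent with the new body.
"""
from dataclasses import dataclass
import re

INTERNAL = "http://openam.test.com:8083"   # host OpenIG forwards to (the baseURI host)
EXPOSED = "http://openam.test.com:7080"    # host the browser must keep using

# Only these media types are safe to edit as text; everything else is opaque bytes.
TEXTUAL = re.compile(r"^(text/|application/(json|xml|xhtml\+xml|javascript))", re.IGNORECASE)


@dataclass
class Response:
    status: int
    headers: dict   # canonical header names assumed (Location, Content-Type, ...)
    body: bytes


def _charset(content_type: str) -> str:
    m = re.search(r"charset=([\w-]+)", content_type, re.IGNORECASE)
    return m.group(1) if m else "utf-8"


def rewrite_response(resp: Response, internal: str = INTERNAL, exposed: str = EXPOSED) -> Response:
    headers = dict(resp.headers)
    body = resp.body

    # 1. Redirects: the browser follows Location blindly, so an internal URL there
    #    sends it straight to port 8083 and out of the gateway.
    location = headers.get("Location", "")
    if location.startswith(internal):
        headers["Location"] = exposed + location[len(internal):]

    # 2. Body: rewrite only textual, uncompressed content, and keep Content-Length honest.
    #    Compressed bodies (Content-Encoding: gzip, ...) would have to be decoded first.
    ctype = headers.get("Content-Type", "")
    encoding = headers.get("Content-Encoding", "identity").lower()
    if TEXTUAL.match(ctype) and encoding == "identity":
        charset = _charset(ctype)
        text = body.decode(charset, errors="replace")
        rewritten = text.replace(internal, exposed)
        if rewritten != text:
            body = rewritten.encode(charset)
            if "Content-Length" in headers:
                headers["Content-Length"] = str(len(body))
    return Response(resp.status, headers, body)


def _constructed(status: int, headers: dict, body: bytes = b"") -> Response:
    """Build a constructed sample response with a correct Content-Length."""
    return Response(status, {**headers, "Content-Length": str(len(body))}, body)


# Constructed samples modelled on what the thread describes (not captured traffic).
SAMPLE_REDIRECT = _constructed(302, {"Location": INTERNAL + "/test/index.seam"})
SAMPLE_HTML = _constructed(200, {"Content-Type": "text/html; charset=utf-8"},
                           b'<a href="' + INTERNAL.encode() + b'/test/index.seam">continue</a>')
SAMPLE_IMAGE = _constructed(200, {"Content-Type": "image/png"}, b"\x89PNG" + INTERNAL.encode())
# Not real gzip data; it only has to demonstrate that encoded bodies are left alone.
SAMPLE_GZIPPED = _constructed(200, {"Content-Type": "text/html", "Content-Encoding": "gzip"},
                              b"\x1f\x8b\x08" + INTERNAL.encode())


if __name__ == "__main__":
    for sample in (SAMPLE_REDIRECT, SAMPLE_HTML, SAMPLE_IMAGE, SAMPLE_GZIPPED):
        print(rewrite_response(sample))
```

The ScriptableFilter above does the body half of this; the `Location` half matters for the case the earlier reply describes, where the seam page answers with a redirect and the browser follows it straight to port 8083. Rewriting the body string also means the gateway must own `Content-Length`, which is why the example recomputes it.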

    #8894
     raghukanakala
    Participant

    Hello Guillaume,
    Thank you very much for your reply. Do I need to keep the above sample snippet in config.json or the router.json file or ...

    Thank you again for helping with this issue.

©2022 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.