OpenSSO (OpenAM) : Turn off URL enforcement
We're using OpenAM to manage sessions on our application. The problem is that every time we try to pass parameters with the GET method, the resource is blocked (error 403 - forbidden). If no parameter is set, everything works.
EX:
http://mysite.com/logo.jpg ----> Works.
http://mysite.com/logo.jpg?foo=bar ----> ERROR !
For images or CSS, it's normal not to have parameters, but all links using the GET method aren't working.
How could we solve our problem? Actually, disabling this policy would be a good solution.
We've looked for section 7.4.2 in the OpenAM's documentation (http://openam.forgerock.org/doc/admin-guide/OpenAM-Admin-Guide.html) but nothing is working.
Any clue ?
Thanks for your time.
So all you need to do is create 2 policies one to cover
.mysite.com/ (I could not post the http://)
.mysite.com/?*
Since the policy engine actually looks at arguments and can restrict access based on args or not, creating a second policy to allow args will solve your problems.
You have to create the appropriate policies to accept parameters in your url.
In your OpenAM console:
- go to the Access Control Tab
- click on the realm you want to modify
- click on the Agents Tab
- click the agent name you want to modify
- go to the Application Tab
In the Not Enforced URL Processing section
- look for the NotEnforced URLs parameter
- Enter the new policies in New Value
- click Add and then save.
You can use * or -*- depending on what you want:
- * : include all subdivision (Ex: mysite.com/* would permit mysite.com/Foo/Bar)
- -*- : exclude subdivision (Ex: mysite.com/-*- would permit mysite.com/page1.aspx but not mysite.com/Foo/page1.aspx)
So you can use for your parameters something like mysite.com?-*-
or
more specifically mysite.com?myparam=-*-
And be aware : despite the fact that it is indicated "Hot Swap : yes", it doesn't mean that your changes are effective immediately.
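An added example, not from either answer and not OpenAM's own matcher: a simplified Python model of the two wildcards as the answers describe them, used to check which URLs a candidate Not Enforced list would exempt before saving it. It assumes `*` crosses `/` but stops at `?` (consistent with the 403 in the question) and `-*-` stays within one path level; the function names and sample URLs are constructed.

```python
import re

def to_regex(pattern):
    """Compile a pattern containing * and -*- wildcards (simplified model)."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("-*-", i):
            parts.append("[^/?]*")      # one level: never crosses '/'
            i += 3
        elif pattern[i] == "*":
            parts.append("[^?]*")       # any depth; assumed to stop at '?'
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(parts))

def matches(pattern, url):
    return to_regex(pattern).fullmatch(url) is not None

def exempted(patterns, urls):
    """Map each URL to the patterns that would leave it unenforced."""
    return {u: [p for p in patterns if matches(p, u)] for u in urls}

# Constructed sample data built on the question's mysite.com host.
CANDIDATE_PATTERNS = [
    "http://mysite.com/-*-",
    "http://mysite.com/logo.jpg?foo=-*-",
    "http://mysite.com/*?*",
]
SAMPLE_URLS = [
    "http://mysite.com/logo.jpg",
    "http://mysite.com/logo.jpg?foo=bar",
    "http://mysite.com/Foo/page1.aspx",
    "http://mysite.com/admin/users?id=1",   # constructed: should stay protected
]

if __name__ == "__main__":
    for url, hits in exempted(CANDIDATE_PATTERNS, SAMPLE_URLS).items():
        status = "NOT ENFORCED via " + ", ".join(hits) if hits else "enforced"
        print(f"{url:40} {status}")
```

In this model the broad `*?*` pattern also exempts the constructed admin URL, while the parameter-specific `?foo=-*-` form exempts only the intended resource.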