Logging into Oracle.com SSO Site (OAM) Programmatically
In most real-world projects we run into a scenario where we need to log in to a third-party SSO site (one that implements OAM) from a custom page. In this article we shall see how to write a custom login page that logs directly into the oracle.com website and opens the Oracle welcome page after logging in. You can download the files from the location below:-
Download Here
Custom Page
1. The oracle.com login page submits its form to https://login.oracle.com/oam/server/auth_cred_submit, which needs additional details: username, password and OAM_REQ (a transient cookie).
2. So, in this use case we shall get OAM_REQ by connecting with HttpURLConnection to the URL http://www.oracle.com/webapps/redirect/signon?nexturl=https://support.oracle.com/cloud/faces/index . The "nexturl" parameter value is stored in the OAM_REQ transient cookie and tells OAM where the user should be redirected after logging in.
3. The http://www.oracle.com/webapps/redirect/signon URL in turn redirects to https://login.oracle.com/pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken= with a generated Site2pstoreToken. The HTML of that login page carries the OAM_REQ cookie value as a hidden parameter; we grab it and redirect from the JSP to "https://login.oracle.com/oam/server/auth_cred_submit?username="+userName+"&password="+pwd+"&OAM_REQ="+oam_req, which finally creates a user session and redirects to the URL given in "nexturl" in Step 2.
1. URLUtility class, which uses HttpURLConnection and gets a valid OAM_REQ transient cookie value. Snapshot of code is pasted:-
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.CookieHandler;
import java.net.CookieManager;
import java.net.CookiePolicy;
import java.net.HttpURLConnection;
import java.net.URL;

public class URLUtility {

    public static String getOAM_REQ() {
        try {
            String url = "http://www.oracle.com/webapps/redirect/signon?nexturl=https://support.oracle.com/cloud/faces/index";
            // First set the default cookie manager so cookies set along the redirect chain are retained.
            CookieHandler.setDefault(new CookieManager(null, CookiePolicy.ACCEPT_ALL));
            URL obj = new URL(url);
            HttpURLConnection conn = (HttpURLConnection) obj.openConnection();
            conn.addRequestProperty("User-Agent", "Mozilla");
            System.out.println("Request URL ... " + url);
            boolean redirect = false;
            // normally, 3xx is redirect. HttpURLConnection does not follow a redirect that
            // changes protocol (http -> https), so the hop is handled manually below.
            int status = conn.getResponseCode();
            if (status != HttpURLConnection.HTTP_OK) {
                if (status == HttpURLConnection.HTTP_MOVED_TEMP
                        || status == HttpURLConnection.HTTP_MOVED_PERM
                        || status == HttpURLConnection.HTTP_SEE_OTHER) {
                    redirect = true;
                }
            }
            System.out.println("Response Code ... " + status);
            if (redirect) {
                // get redirect url from "Location" header field
                String newUrl = conn.getHeaderField("Location");
                System.out.println("Redirect to URL : " + newUrl);
                // get the cookie if needed for login (getHeaderField returns only the last Set-Cookie header)
                String cookies = conn.getHeaderField("Set-Cookie");
                URL newUrlObj = new URL(newUrl);
                // open the new connection again
                conn = (HttpURLConnection) newUrlObj.openConnection();
                if (cookies != null) {
                    conn.setRequestProperty("Cookie", cookies);
                }
                conn.addRequestProperty("User-Agent", "Mozilla");
                System.out.println("Response Code ... " + conn.getResponseCode());
            }
            BufferedReader in = new BufferedReader(new InputStreamReader(conn.getInputStream(), "UTF-8"));
            String inputLine;
            StringBuilder html = new StringBuilder();
            while ((inputLine = in.readLine()) != null) {
                html.append(inputLine);
            }
            in.close();
            System.out.println("URL Content... \n" + html.toString());
            String htmlStr = html.toString();
            System.out.println("Done");
            // The login page carries OAM_REQ as a hidden form field; cut its value out of the markup.
            String marker = "OAM_REQ\" value=\"";
            int markerIndex = htmlStr.indexOf(marker);
            if (markerIndex < 0) {
                System.out.println("OAM_REQ hidden field not found in the login page");
                return null;
            }
            int beginIndex = markerIndex + marker.length();
            int endIndex = htmlStr.indexOf("\"><", beginIndex);
            if (endIndex < 0) {
                System.out.println("OAM_REQ value is not terminated as expected");
                return null;
            }
            System.out.println("beginIndex=" + beginIndex);
            System.out.println("endIndex=" + endIndex);
            String OAM_REQ = htmlStr.substring(beginIndex, endIndex);
            return OAM_REQ;
        } catch (Exception e) {
            e.printStackTrace();
        }
        return null;
    }
}
2. customLoginDirectly.jsp calls the URLUtility class to get OAM_REQ and redirects to https://login.oracle.com/oam/server/auth_cred_submit with valid parameters, i.e. username, password and OAM_REQ. Code snapshot pasted below:-
<%@ page contentType="text/html;charset=UTF-8" import="java.net.URLEncoder" %>
<%
    String userName = "ENTER_VALID_USER_NAME";
    String pwd = "ENTER_VALID_PASSWORD";
    String oam_req = foo.URLUtility.getOAM_REQ();
    if (oam_req == null) {
        throw new javax.servlet.ServletException("Could not obtain OAM_REQ from the login page");
    }
    // URL-encode each value so special characters in the credentials or token do not break the query string.
    String finalUrl = "https://login.oracle.com/oam/server/auth_cred_submit?username="
            + URLEncoder.encode(userName, "UTF-8")
            + "&password=" + URLEncoder.encode(pwd, "UTF-8")
            + "&OAM_REQ=" + URLEncoder.encode(oam_req, "UTF-8");
    // Do not print finalUrl: it carries the password in clear text and would land in the server log.
    response.sendRedirect(finalUrl);
%>
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
</head>
<body>
</body>
</html>
3. When customLoginDirectly.jsp is run, you will find yourself logged into the session and it will open up https://support.oracle.com/cloud/faces/index
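As an added example (not part of the original article or its download), the Python below shows the two fragile points of the flow above handled more robustly: the OAM_REQ hidden field is read with a real HTML parser instead of an indexOf on a fixed attribute order, the credentials are form-encoded so characters such as & or = survive in the auth_cred_submit request, and the password is redacted before a URL like finalUrl is written to a log. The login-page HTML is constructed; the real one is fetched from login.oracle.com as described in Step 3.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qsl

# Constructed stand-in for the OAM login page; attribute order deliberately
# differs from the 'OAM_REQ" value="' pattern the indexOf approach relies on.
SAMPLE_LOGIN_HTML = """
<form action="https://login.oracle.com/oam/server/auth_cred_submit" method="post">
  <input type="text" name="username"/>
  <input type="password" name="password"/>
  <input value="VnQ4constructed/token+value=" name="OAM_REQ" type="hidden"/>
  <input type="hidden" name="request_id" value="-1234"/>
</form>
"""


class HiddenInputParser(HTMLParser):
    """Collect name -> value for every <input type="hidden"> in the page."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        if (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""


def extract_oam_req(html):
    """Return the OAM_REQ hidden value, or None when the form does not carry one."""
    parser = HiddenInputParser()
    parser.feed(html)
    return parser.fields.get("OAM_REQ")


def build_cred_submit_body(username, password, oam_req):
    """Form-encoded body for auth_cred_submit, as the login form itself submits it."""
    return urlencode({"username": username, "password": password, "OAM_REQ": oam_req})


def redact_password(url):
    """Mask the password query parameter before a login URL is written to a log."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k == "password" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))
```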
Brief flow when we login to oracle.com
Reference: http://docs.oracle.com/cd/E27559_01/admin.1112/e27239/sso.htm#autoId0
SSO Log-in with Embedded Credential Collector and OAM Agents
Process overview: SSO Login Processing with Embedded Credential Collector and OAM Agents
- The user requests a resource.
- Webgate forwards the request to Access Manager for policy evaluation.
- Access Manager:
- Checks for the existence of an SSO cookie.
- Checks policies to determine whether the resource is protected and, if so, how.
- Access Manager Server logs and returns decisions.
- Webgate responds as follows:
- Unprotected Resource: Resource is served to the user.
- Protected Resource:
Request is redirected to the credential collector. The login form is served based on the authentication policy. Authentication processing begins.
- User sends credentials.
- Access Manager verifies credentials.
- Access Manager starts the session and creates the following host-based cookies:
· One per Agent: OAMAuthnCookie set by 11g Webgates (ObSSOCookie set by 10g Webgate) using the authentication token received from the OAM Server after successful authentication.
Note: A valid cookie is required for a session.
· One for OAM Server: OAM_ID
- Access Manager logs Success or Failure.
- Credential collector redirects to Webgate and authorization processing begins.
- Webgate prompts Access Manager to look up policies, compare the user's identity, and determine the user's level of authorization.
- Access Manager logs policy decision and checks the session cookie.
- OAM Server evaluates authorization policies and caches the result.
- OAM Server logs and returns decisions.
- Webgate responds as follows:
- If the authorization policy allows access, the desired content or applications are served to the user.
- If the authorization policy denies access, the user is redirected to another URL determined by the Administrator.