Custom access gate

Similar Messages

• Example of Certificate based authentication scheme using Custom Access Gate

  Can anyone provide me an example using Certificate authN scheme w/ Custom Access Gate. The developers guide has no examples of such. Thanks.

  Hi there
  I've got to get this working aswell.
  In my case I've got to have both the user/password authentication OR certificate based.
  The thing is, the documentation says that I need to have the containers (don't know if both the am server and the agent containers or only one of them ) with SSL and "Client Authentication enabled"... now the problem is, when I make it Client Authentication Enabled the container gives me a similar error to the one you described, this is because the server requests the browser to send a certificate when trying to access the server .....
  Can you give me any pointers to how this is supposed to be done? I would really appreciate help with this.
  Thanks
  Rp

• Custom Access Gate for tomcat in solaris 10 AMD 64

  i need write custom AccessGate in java, without install AccessServer SDK in server solaris 10 ADM64, is it possible?

  NO. You must install the Asdk in a supported platform, configure the accessgate, policy to be able to develop an access gate.

• Custom Access Gate for 2FA authentication

  Hello OAM Gurus,
  I am trying to build a custom accessgate which can authenticate user using our 2FA technology for a protected resource accessed initially. I have written a servlet to do this wherein I am expecting somehow when user tries to access the protected resource the user will be redirected to this servlet. The custom AccessGate will be running on a seperate server under a J2EE container. The problem has been 2 folds.
  1. I am unable to figure out how do I protect a resource (create a policy) on a web server which will be protected by my access gate.
  2. In My servlet how will I get the URL for the protected resource. I initially assumed that it should be referer.
  Here is the flow that I am looking at:
  User goes to a protected resource on a web server --> redirected to my servlet --> performs 2FA --> Servlet checks if user is authorised to access the resource --> redirect the user to the resource .
  Can somebody please help.
  Thanks,
  Gunjan

  Henrik,
  there is no SDK for OAM 11g so far, this might come in one of the next patch sets.
  You could resort to integrate with OAAM.
  --olaf                                                                                                                                                                                                                                                                                               

• Query on Access gate

  I have the following requirement :
  The requested protected URL is having the UserId as a query string and this has to be matched with UserId of logged-in user after authentication.
  So could you please suggest which is the approach I need to follow:
  1. Create a custom access gate which can do the authentication and also implement the logic of comparison.
  or
  2. Install a webgate and configure the redirect url to a servlet which can process the request and compare the userid in the requested URL and the logged in userid and subsequently redirect to the originally requested page.

  My suggestion is that the only reasonably secure way to approach this is to write a custom authZ plugin that will only authorize the request when the querystring param matches the profile attribute. I've seen similar things done to enforce user specific content in the URI or querysting. With this approach, you can consume the authZ processing decision via either WebGate or AccessGate equally.
  If you are working in the context of a servlet filter (for example) then you could, as you suggest, have OAM WebGate populate a header variable with the ID and write some comparison logic around that. I suspect you'll find various security concerns with this depending on how you are set up. All depends how critical the security is for you.
  Go with the authZ plugin if security is the primary driver.
  Mark

• How to make the Access Gate SDK work with Web Gate

  When we want control the display of one area in one page, we can define this area as one resource then control the access of it. But when the user has been authenticated in the application, how can we get the user session and then call Access Gate SDK to check if the user is authorized? The following is one utility class to archive it.
  * $Id: CreateUserAction.java,v 1.1 2005/10/11 23:19:34 jason Exp $
  * $Revision: 1.1 $
  * $Date: 2005/10/11 23:19:34 $
  * Copyright (C) 1972 - 2005, Oracle Co. All Rights Reserved
  * The program(s) herein may be used and/or copied only with
  * the written permission of Oracle Co. or in accordance with
  * the terms and conditions stipulated in the agreement/contract
  * under which the program(s) have been supplied.
  package oblix.view;
  import com.oblix.access.ObAccessException;
  import com.oblix.access.ObConfig;
  import com.oblix.access.ObResourceRequest;
  import com.oblix.access.ObUserSession;
  import javax.servlet.http.Cookie;
  import javax.servlet.http.HttpServletRequest;
  * @author zhoujian
  public class OblixUtil {
  private static String ObSSOCookie = "ObSSOCookie";
  private OblixUtil() {
  * Check if the user is Authorized
  * @param request
  * @param rescourceUrl
  * @return
  public static boolean isAuthorized(HttpServletRequest request,
  String rescourceUrl) {
  return isAuthorized(request, "http", rescourceUrl, "GET");
  * Check if the user is Authorized
  * @param request
  * @param resourceType
  * @param rescourceUrl
  * @param resourceMethod
  * @return
  private static boolean isAuthorized(HttpServletRequest request,
  String resourceType, String rescourceUrl, String resourceMethod) {
  try {
  ObConfig.initialize();
  ObResourceRequest resource = new ObResourceRequest(resourceType,
  rescourceUrl, resourceMethod);
  ObUserSession session = getObUserSession(request);
  return session.isAuthorized(resource);
  } catch (ObAccessException oe) {
  oe.printStackTrace();
  ObConfig.shutdown();
  return false;
  * Get the Oblix user session from the request.
  * @param request
  * @return
  * @throws ObAccessException
  private static ObUserSession getObUserSession(HttpServletRequest request)
  throws ObAccessException {
  String token = getCookieValueByName(request.getCookies(), ObSSOCookie);
  if (token != null) {
  return new ObUserSession(token);
  return null;
  private static String getCookieValueByName(Cookie[] cookies, String name) {
  for (int i = 0; i < cookies.length; i++) {
  if (cookies[i].getName().equalsIgnoreCase(name)) {
  return cookies[i].getValue();
  return null;
  }

  Couple of options. You seem have to taken the Access Gate based approach. I will throw this in any way and you can make a call which one you want to use.
  If its a web application you can control authorization based on Resource by defining policy in the Access Manager.
  You mentioned aout display of one area in one page. That should be driven off of User attribute or custom logic. If it is driven off of User attribute then you can return header variable and you can check in the code as opposed to writing custom access gate.
  Now if you do want to write custom access gate when the resource is already protected by a Web gate,
  you can get the ObSSOCookie from the users browser session.
  You can pass the URL to the IsAuthorized method and call.
  Now here you have to install the Access Server SDK on the server, create custom access gate and then write the code and deploy it on that server.
  THanks
  Ram

• How to make the Access Gate work

  have been following the developers guide to write an access gate. my application(simple html) is running on JBoss, want to protect this resouce using the access gate. JAccessGate.java is working fine however the access gate is not intercepting the resource request.
  how do i configure Jboss with the Access Server so that the Access Gate process the request.
  the servlet example isn't working ... constants.REQUEST isn't being recognised despite adding all the pkg's.
  it would be helpful if someone could share the steps to achieve this.
  that apart any idea about how the reverse proxy works ?
  thanks and regards
  Edited by: user642640 on Jun 6, 2009 4:14 AM

  Couple of options. You seem have to taken the Access Gate based approach. I will throw this in any way and you can make a call which one you want to use.
  If its a web application you can control authorization based on Resource by defining policy in the Access Manager.
  You mentioned aout display of one area in one page. That should be driven off of User attribute or custom logic. If it is driven off of User attribute then you can return header variable and you can check in the code as opposed to writing custom access gate.
  Now if you do want to write custom access gate when the resource is already protected by a Web gate,
  you can get the ObSSOCookie from the users browser session.
  You can pass the URL to the IsAuthorized method and call.
  Now here you have to install the Access Server SDK on the server, create custom access gate and then write the code and deploy it on that server.
  THanks
  Ram

• Multiple access gates with one ASDK

  Hello All,
  We have an ASDK installed on an application and configured an access gate to talk to OAM1 with datastore1. Now we have OAM2 with datastore2 and need this application to talk to the OAM2. OAM1 and OAM2 handle different sets of users.
  Can we install another access gate on the same ASDK and talk to OAM2? If not please suggest the best way to provide SSO with both OAMs to the application?
  Thanks in advance.

  IDMGod,
  I tried setting the environment variables, oracle doc below says
  http://download.oracle.com/docs/cd/E15217_01/doc.1014/e12491/as_api.htm#CHDFCJEI
  OBACCESS_INSTALL_DIR = SDK_install_dir
  Points to the Access Manager SDK install root. (This is necessary only if your AccessGate does not specify SDK_install_dir as part of the ObConfig.initialize method).
  From what I understood, this needs to changed by defining the parameters in ObConfig.initialize method. Since I already have an Access Gate1 configured, is it possible to change this value for that Access Gate? If so where can I find this method in the AccessGate1 (I used configureaccessgate utility for this, there is no custom code used in this accessgate)
  When I install Access Gate2, do I need to write custom access gate code as mentioned in the examples in the above doc? or can I use the out of box access gate by running the configureaccessgate utility?
  Thank you.

• Access gate SDK, authentication and issues/bug

  I have been trying to test authentication against CORE ID using the access gate SDK for java and following the samples that installed with the SDK.
  I simulate user account lock-out and pwd to expire ( in two days) situations. Doing the form based access server authentication, I am able to see the error messages and in the case of locked a/c, it doesn't log me in.
  Using access gate SDK, it successfully creates a ObUserSession object for the protected resource, shows user as LOGGED_IN and the getStatus() returns normal. There is no indication of the actual status of the user account on the server !
  It does, catch the actual pwd expired status, as mentioned in the documentation.
  Is there anything missing here ?

  Couple of options. You seem have to taken the Access Gate based approach. I will throw this in any way and you can make a call which one you want to use.
  If its a web application you can control authorization based on Resource by defining policy in the Access Manager.
  You mentioned aout display of one area in one page. That should be driven off of User attribute or custom logic. If it is driven off of User attribute then you can return header variable and you can check in the code as opposed to writing custom access gate.
  Now if you do want to write custom access gate when the resource is already protected by a Web gate,
  you can get the ObSSOCookie from the users browser session.
  You can pass the URL to the IsAuthorized method and call.
  Now here you have to install the Access Server SDK on the server, create custom access gate and then write the code and deploy it on that server.
  THanks
  Ram

• I transferred files from a NAS server to the Mac Mini Snow Leopard Server and now some of the files have Custom Access and can't  be opened by some users.  How do I fix this?

  We're setting up our Mac Mini Snow Leopard Server, and in the process transferred files that had been stored and accessed from our Blackarmor NAS server over to the Mac.  These files were all created on PC's and are Office Excel files, WordPerfect files or PDF's.  When you look at the files on the Mac from the Mac and bring up Get Info for the affected file, it says that the file has Custom Access.  The files that work properly don't have that configuration.  I can access and open the files on some computers, but some users can't open the files from their computer even though they can see it.  We're all using PC's and they get the Error:  Access Denied-Contact your administrator--or something similar.  I've seen on the web similar issues and it may have something to do with ACL permissions.  I don't know enough about Mac OS to understand this, but what is baffling is that they can be opened from some PC's but not others, and all of the Users have the same accessibility to the files.  Thanks for a solution!!

  Oh, on the losing Internet, try this...
  Make a New Location, Using network locations in Mac OS X ...
  http://support.apple.com/kb/HT2712
  10.7 & 10.8…
  System Preferences>Network, top of window>Locations>Edit Locations, little plus icon, give it a name.
  10.5.x/10.6.x/10.7.x instructions...
  System Preferences>Network, click on the little gear at the bottom next to the + & - icons, (unlock lock first if locked), choose Set Service Order.
  The interface that connects to the Internet should be dragged to the top of the list.
  Instead of joining your Network from the list, click the WiFi icon at the top, and click join other network. Fill in everything as needed.
  For 10.5/10.6, System Preferences>Network, unlock the lock if need be, highlight the Interface you use to connect to Internet, click on the advanced button, click on the DNS tab, click on the little plus icon, then add these numbers...
  208.67.222.222
  208.67.220.220
  Click OK.
  PS. Your English is quite good & completely understandable.

• Using PowerShell to set Custom Access Rights on a Calendar Does not set Free/Busy Permissions

  We recently discovered an issue where, if you use Exchange Management Shell to configure custom access rights, the Free/Busy permissions do not get set at all (they remain as "None"):
  $temp = [Microsoft.Exchange.Management.StoreTasks.MailboxFolderAccessRight[]]("ReadItems","EditOwnedItems","DeleteOwnedItems","EditAllItems","DeleteAllItems","FolderVisible")
  Add-MailboxFolderPermission -Identity "conf-company-test:\calendar" -User "Company Calendar Management" -AccessRights $temp
  Add-MailboxFolderPermission -Identity "conf-company-test:\calendar" -User "mpinkston" -AccessRights Editor
  If you use a pre-defined "role" such as Editor given to mpinkston6 in the above example it sets the Free/Busy permission to Full Details. It would appear that using Add-MailboxFolderPermission or Set-MailboxFolderPermission is generic for folder
  objects, and doesn't explicitly set the Free/Busy permissions. In the case of the pre-defined roles either the command is doing something special/different, or the permission checks later accept pre-defined roles for determining Free/Busy permissions. No idea
  which is going on. If Free/Busy permissions can be fixed through PowerShell by some other mechanism/command, that would be great. If not, how do we go about requesting a fix/feature change in Exchange?
  http://technet.microsoft.com/en-us/library/dd298062%28v=exchg.150%29.aspx
  (Please expand Parameters and read AccessRights to get a better understanding for what I'm describing.)

  Did you try adding AvailabilityOnly or LimitedDetails in your $temp variable for Calendar folder? These would set it to "Free/Busy time, subject, location" or "Free/Busy time" respectively....
  Add-MailboxFolderPermission - http://technet.microsoft.com/en-us/library/dd298062(v=exchg.150).aspx
  The following roles apply specifically to calendar folders:
  AvailabilityOnly   View only availability data
  LimitedDetails   View availability data with subject and location
  Amit Tank | Exchange - MVP | Blog:
  exchangeshare.wordpress.com 

• Help - Lion "custom access" permissions mess

  I should start with an apology... I know there are a lot of threads that dance around this very issue, but it's so much I can't make sense of it.
  So I'm asking anew...
  Here's the situation: After months of persuassion, I finally talked my wife into letting me upgrade her Macbook from Snow Leopard to Lion. After installing, I then ran software update and installed everything else recommended. Reboot and everythign seemed to go fine, but then when I tried to delete a few PowerPC apps, the computer kept asking for her password.
  Wanting to find out why on earth I had to retype the password with every toss of a file, I looked online and found someone suggesting I had to log her out as an admin and then log back in. Why that would work, I don't know, but I tried it. Big mistake.
  When I tried to log her back in to make her an admin again, I couldn't get the computer to accept her password. So I then logged out and tried to log back in with my admin account which is set up on the same computer. That worked to get me in, but still wouldn't allow me to upgrade her to an admin in the system prefs.
  So I THEN found this "resetpassword" trick using the Lion Recovery partition and terminal. I did that and was able to restore her password and while there, I also "reset to default ACLs and Permissions" or whatever it says inside this utility, with the logic that repairing permissions has always been a decent failsafe fix.
  Okay... after a reboot and we're back in... and I run into a new problem with not having permission to do much of everything.
  So, I open the "Get Info" on the hard drive to look at the permissions at the bottom of the info window. It says I have "read only" access. I figure this must be an error so, perhaps foolishly (or should I say probably foolishly), I grant Read & Write access across the board, so it reads like this:
  System - Read & Write
  Wheel - Read & Write
  everyone - Read & Write
  And then, don't cringe, I apply to all enclosed items.
  When this is done, I rebooted to the Lion Recovery partition and ran the Disk Utility "repair permissions" there, too.
  Upon reboot...  I remember Keychain First Aid and run that too. It has errors to fix but says it was able to repair them too.
  Right now... it all appears to be working fine, though it says I have "custom access" in the Get Info window for my HD.
  However, I can't shake the nagging feeling that I've just used a flamethrower to clean up the living room.
  For instance, I look now on my own Macbook and see that "wheel" and "everyone" in the Get Info window and see it's Read Only. And yet, I have no permissions problems right now at all.
  (Update: I tried setting hers back to match mine in the same way (via the Get Info window, apply, disk utility, reboot, etc.) and the permissions problems all came back. So I went and made it Read & Write for everyone again. However, this just can't be right.)
  Can anybody tell me (in easy terms, please) what I can do to get it back to what it should be?
  I've seen notes on a program on xnation.com that "fixes ACLs"... and a few posts with Terminal commands... but I'm hesitant to borrow somebody else's solution, just in case it's not so good of a fit or if I don't understand it.
  What do you think?
  P.S. I  promise to rate good solutions offered to up your point totals.

  Something like this?
  System - Read & Write
  Wheel - Read Only
  everyone - Read Only
  Yes.
  ...software from xnation.com that is designed to reset those ACLs?
  I've never heard of it. You already know how to reset user permissions.
  if the system seems to be working fine, does that mean something is still broken/in danger of corrupting or something?
  You set wide-open permissions on all files. That's insecure, and some things won't work at all, maybe not anything you use.

• How to set custom access denied pages in SharePoint 2013?

  Hi everybody,
  in SharePoint 2010 custom access denied or other error pages could be easily set by setting the new path to the webapp-properties by using webApp.UpdateMappedPage. In SharePoint 2013 this seems to be ignored. The MSDN-entry seems to be out of date and just
  copied from SharePoint 2010:
  http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.administration.spwebapplication.updatemappedpage.aspx
  A possible workaround could be writing a HttpModule that checks the requested url for accessdenied.aspx and redirects to a custom page but there must be another more best practice way to achieve this behaviour??

  I found a workaround to redirect to a custom access denied page but I'm not happy with it.
  I created a HttpModule which uses static method SPCustomRedirect.RegisterRedirectHandler to register a class inheriting ISPCustomRedirectHandler to the current HttpContext. In this class there is a method GetRedirectUrl that returns the path to my custom
  access denied page.
  Now at last a value must be written to the HttpRequest.Querystring named "CustomRedirect". But to add something to the QueryString-NameValueCollection I must use reflection to make it writable because it's readonly. After setting the value, I reset the property
  to readonly.
  For clearness, I post the code-snippet from the HttpModule below:
  HttpRequest request = HttpContext.Current.Request;
  NameValueCollection QS = request.QueryString;
  QS = (NameValueCollection)request.GetType().GetField("_queryString", BindingFlags.NonPublic | BindingFlags.Instance).GetValue(request);
  PropertyInfo readOnlyInfo = QS.GetType().GetProperty("IsReadOnly", BindingFlags.NonPublic | BindingFlags.Instance);
  readOnlyInfo.SetValue(QS, false, null);
  QS["CustomRedirect"] = "CustomAccessDenied";
  readOnlyInfo.SetValue(QS, true, null);
  SPCustomRedirect.RegisterRedirectHandler("CustomAccessDenied", new CustomAccessDenied());
  This is the redirectHandler-class I register in the last line:
  public class CustomAccessDenied : ISPCustomRedirectHandler
  public string GetRedirectUrl(string key)
  string serverRelativeUrl = string.Empty;
  var ctx = HttpContext.Current.Items["DefaultSPContext"];
  if (ctx != null)
  serverRelativeUrl = ((SPContext)ctx).Web.ServerRelativeUrl;
  if (serverRelativeUrl.Equals("/"))
  serverRelativeUrl = string.Empty;
  return string.Format("{0}/_layouts/15/myCode/CustomAccessDenied.aspx", serverRelativeUrl);
  This works fine but I really don't like the need to add a value to the querystring by reflection or the need to do this for every page-request...
  What's your opinion for this?

• "You have custom access"??? (permissions issue)

  Apologies if this has been covered before but I have quite a few folders that say "You have custom access" in the Sharing & Permissions section of the "Get Info" Finder window, not "You can read and write" as I would expect. Some of these really do seem to have unusual permissions, such as an "(unknown user)" entry, but others appear to have identical permissions to those for which Get Info says "You can read and write."
  I suspect this is somehow related to some (but not all) of these folders originally being created in OS 10.1 (!!) & now in my Leopard file system courtesy of various Migration Assistant & Setup Assistant transfers spanning several Macs & hard drives since I played around with that ancient OS version.
  Can anyone help me understand why this is so & more importantly how I can set these folder's permissions to the default, non-custom ones, which I assume will say "You can read and write" in the Get Info window?

  Francine Schwieder wrote:
  This whole issue is very convoluted and confusing, with new bewilderments (at least bewildering to me) turning up every day.
  I agree completely! I keep hoping Apple will post some kbase articles or update Mac Help to explain more about the defaults & options, but so far the only things I have found are Mac OS X 10.5 Help: Sharing files on your network, Mac OS X 10.5 Help: Setting file-sharing options, & similar "lightweight" instructions which really don't say much more than I can discover by just poking around on my own.
  For myself, I simply gave up, cloned my Leopard install to the disk I had been using for Time Machine, and did an erase and install, then let the migration assistant that pops up as the install finishes copy what it wished how it wished from the cloned system. At least things now look consistent: no more "unknown" files, no ACLs where none should be in my home folder, all new files are saved to the apparent new standard: user francine uid 501, group staff gid 20 (of course yesterday I found out even that isn't as straight-forward as one might think, I'll spare your the details).
  Ironically perhaps, my Leopard install was done the same way (using Setup Assistant to copy everything possible from my Tiger clone, which is what I think you mean you used here) & it *did not* cause Spotlight to start indexing the Leopard volume or resolve any of the "unknown user" issues for me. This may have been because I messed around with permissions settings on some of my document files on the Tiger volume long ago when it had an additional standard account (since deleted), so that account's UID or GID could have been attached to a few files.
  Just to muddy the waters even more, I've discovered a file (/Library/Preferences/com.apple.preferences.accounts.plist) that contains an array of four essential properties of every account I've ever deleted since installing Tiger: the "UniqueID" (which appears to be the UID), the short & long user names, & the date deleted. This file apparently is created anew each time an account is deleted (except curiously its creation date is exactly one day later than that of the last account deletion) but it clearly includes the info from previous versions.
  Annoyingly, the Sharing Only user that I added that (I think) caused Spotlight to start indexing did not have the UID (& thus GID) of the deleted account I mentioned above, so the theory that the old account had something to do with it now looks dubious at best.
  The more I study this, the less it makes any sense.

• Multiple webgates pointing to one access gate entry in OAM

  Can we install webgates on multiple boxes and point to same access gate entry in OAM.
  Are there any issues with this kind of configuration?
  Any opinion?

  Hi,
  It is technically possible to do this, and makes sense when all the WebGates are logically the same (for example, they all reside on instances of load balanced web servers).
  When the WebGates reside on logically different web servers, then it will be more difficult to have different policies protecting similarly named resources on the different web server. For example,eg you may want to protect /admin differently on the different web servers, and you will not be able to use Preferred HTTP Host to achieve this when they share the same AccessGate definition. Also, you will not be able to set different timeouts on the different WebGates, or have different settings for such things as IPValidation or cookie domains.
  Regards,
  Colin