
I have one web application. I've successfully authenticated the users using OpenAM. For that I deployed and configured OpenAM on one Tomcat (8080) and my web application is deployed on another Tomcat (8081). I have configured a 'J2EE_AGENT' on the Tomcat (8081).

I am using OpenDJ as the data store. I have created two users/groups:

user1 ----> group1
user2 ----> group2

I've created Agent and Policies on OpenAM. The configuration for Policies is as follows.

The Resource Name which I wanted to protect is: http://example.com:8081/SpringMVC/welcome, allowed for the GET and POST actions, and I assigned group1 to this rule.

When I try to access the protected URL, it gets successfully authenticated using OpenAM and I am able to access the link. But unfortunately group2 is also able to access the URL, though I didn't assign that group to the rule.

My question is: how can I configure the rule so that group2 cannot access that URL, i.e. group2 gets access denied for that URL?

I've spent around 1 day on this. Early help would be appreciated.

Sumit Paul

1 Answer


Quick idea: under agent config -> Global settings -> Agent Filter Mode, have you used SSO_ONLY mode? This bypasses all authorization rules and allows everyone that is authenticated.

If not I would recommend turning on the debug logs for the agent and the OpenAM. Set agent config -> Global settings -> Agent Debug Level to message and OpenAM main page -> configuration -> system -> logging -> logging level to INFO.

You can find authorization decisions here: /openam/debug/Policy

Stefan Rasmusson
  • Thanks Stefan for your reply. I have checked my configuration; in Agent filter mode I have used SSO_ONLY. Also I've turned on debug logs. For the agent it's message and for OpenAM the logging level is INFO. But still I am facing the same issue. Is there anything that I am missing here? Thanks in advance. – Sumit Paul Apr 08 '14 at 13:40
  • If you are using 'SSO_ONLY' mode the agent does not enforce authorization, it only checks if the user has a valid SSO Session. You either need 'ALL' or 'URL_POLICY' mode. Also note that the OpenAM entitlement engine (used to calculate the policy decision) has some issues when the agent's policy client is running in 'subtree mode' ... see bugster. Check this in the agent profile. For this reason, from OpenAM 11.0.0 on, policy client mode is set to 'self' by default. – Bernhard Thalmayr Apr 09 '14 at 06:18
  • As I say in the answer, using SSO_ONLY makes the agent allow any authenticated user regardless of your authorization rules. This is the reason you are facing the problem. – Stefan Rasmusson Apr 09 '14 at 09:52
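To make the point of the answer and comments concrete, here is an added model (not OpenAM or agent code; the function names, data structures and the sample users are assumptions) of how the agent's Filter Mode changes the access decision for the question's resource: under SSO_ONLY a valid session is all that is checked, so user2 in group2 gets through, while URL_POLICY or ALL also asks for a policy decision and denies user2.

```python
# Added illustration, not OpenAM code: a small model of agent Filter Mode behaviour.
# All names, structures and sample data below are assumptions made for this example.
from dataclasses import dataclass

RESOURCE = "http://example.com:8081/SpringMVC/welcome"

# Constructed sample data mirroring the question: user1 -> group1, user2 -> group2.
USER_GROUPS = {"user1": {"group1"}, "user2": {"group2"}}


@dataclass
class PolicyRule:
    resource: str
    actions: set
    allowed_groups: set


# The single rule from the question: GET and POST on RESOURCE, subject group1.
POLICIES = [PolicyRule(RESOURCE, {"GET", "POST"}, {"group1"})]


def policy_decision(user, resource, action, policies):
    """Model of policy evaluation: allow only if some rule matches the resource,
    the action and at least one of the user's groups. Anything else is denied."""
    groups = USER_GROUPS.get(user, set())
    for rule in policies:
        if rule.resource == resource and action in rule.actions and groups & rule.allowed_groups:
            return True
    return False


def agent_decision(filter_mode, user, has_valid_session, resource, action, policies=POLICIES):
    """Model of the agent filter. SSO_ONLY checks only for a valid SSO session;
    URL_POLICY and ALL additionally require an allow from the policy decision."""
    if not has_valid_session:
        return "REDIRECT_TO_LOGIN"
    if filter_mode == "SSO_ONLY":
        return "ALLOW"  # authorization rules are never consulted in this mode
    if filter_mode in ("URL_POLICY", "ALL"):
        return "ALLOW" if policy_decision(user, resource, action, policies) else "DENY"
    raise ValueError(f"unknown filter mode {filter_mode!r}")


if __name__ == "__main__":
    for mode in ("SSO_ONLY", "URL_POLICY"):
        for user in ("user1", "user2"):
            print(f"{mode:10s} {user}: {agent_decision(mode, user, True, RESOURCE, 'GET')}")
```

Running it shows user2 allowed under SSO_ONLY and denied under URL_POLICY, which is exactly the symptom in the question and why the filter mode, not the policy rule, needs changing.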