3

I have installed a tomcat 6 server with a j2ee openam policy agent. After the installation I am unable to access it, I always get redirected to manager/amlogin.html.

This did not previously happen so I can only assume it is because of the agent installation. Is there a configuration setting I have missed?

Michael Allen
  • 5,712
  • 3
  • 38
  • 63

2 Answers2

1

As part of our continuous integration we wanted the ability to automatically deploy our application into our openam agent protected tomcat server.

The hudson deploy plugin uses the tomcat manager application to deploy, however as detailed in the question, after agent installation the manager application is no longer accessible by the normal mechanism (HTTP basic auth).

During installation the agent updates the manager app web.xml to change the default BASIC authentication to a FORM based authentication, that can subsequently be configured to work with openam (to provide a single sign on to the manager app as well) - for more info see http://docs.oracle.com/cd/E19681-01/820-7251/gicpx/index.html.

To use the hudson deploy plugin, we reverted the changes to the manager app web.xml (the agent backs up the original web.xml during its installation)

In order to enable the default UserDatabase realm for the manager, we placed the Realm definition into the Context element specific to the manager app ${TOMCAT_HOME}/conf/Catalina/manager.xml: 

<Context antiResourceLocking="false" privileged="true" useHttpOnly="true">

    <!-- user default tomcat-users to manage roles for the manager app -->
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
         resourceName="UserDatabase"/>

</Context>

This re-enabled basic auth login to the manager app, without affecting the custom realm installed by the agent that the other web application need for openam integration.

McVeigh
  • 56
  • 4
0

Yep, that's normal behaviour if you're trying to access protected content.

The policy agent detects that you don't have an authenticated session and as a consequence redirects you to the Identity Provider that will be in charge to authenticate you.
For more info on how OpenAM works, you should take a look at the SAML 2.0 wikipedia page: http://en.wikipedia.org/wiki/SAML_2.0
In your case, the OpenAM agent is a Service Provider.

The policy agent normally affects the global web.xml and Tomcat's server.xml files. If you were accessing unprotected content, you should edit the URL pattern that OpenAM should protect in those 2 files.

sk_
  • 2,105
  • 17
  • 31
  • Is this still the case when the manager is not listed as a protected resource? I have set the non-protected uri list to inverted and listed only the pages I want to protect so the manager isn't protected since its not in the list. – Michael Allen Sep 05 '11 at 11:07
  • This method seems to be not recommended according to http://download.oracle.com/docs/cd/E19681-01/820-4803/gataa/index.html . Maybe you can try to use the default filtering policy and specify your url pattern in "com.sun.identity.agents.config.notenforced.uri" – sk_ Sep 05 '11 at 11:27