  • How to read OAM ObSSOCookie through JavaScript

    Posted by "" in "idm, integration, oam, sso" on 2012-05-04

    We have a Shindig application protected by OAM 11g using an Apache 10g WebGate. Please refer to my previous post on how to protect an Apache Shindig application using OAM 11g.

    It is very common to pass user attributes in authorization actions as headers or cookies. However, we have a requirement to get the ObSSOCookie that OAM creates after authentication.

    There are downsides to reading the OAM cookie, and it is not advisable either; we will take up this topic in another post.

    We have written simple JavaScript logic to read the cookies from the headers, and all cookies except the OAM cookie are fetchable. So I used the following solution to overcome this:

    1. Login to OAM console.
    2. Go to OAM Agents, click on the Form Based authentication scheme. We are using Form login.
    3. Specify the parameter ssoCookie=disablehttponly in Challenge Parameter as shown below.
    4. Apply the changes.

    By default, OAM 10g or 11g secures the OAM cookie in the authentication scheme: the parameter defaults to ssoCookie=httponly. This means OAM does not allow JavaScript to read the OAM cookie, which is ideal in a secured environment. In a less secure environment, it is set to ssoCookie=disablehttponly.

    Then we are able to read the OAM cookies from the headers using JavaScript.
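
    The effect of the two challenge-parameter values on script access, as an added example that is not code from the original post: it models in Node.js which cookies `document.cookie` would expose for a given set of Set-Cookie headers, which is also a quick way to check whether the ObSSOCookie is still flagged HttpOnly. The function names and header values are constructed for illustration.

```javascript
// Added example: models which cookies page script can see via document.cookie.
// All header values below are constructed samples, not captured from an OAM server.

// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("="); // first "=" only: the value itself may contain "="
  const attrs = {};
  for (const part of attrParts) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  const name = eq === -1 ? "" : pair.slice(0, eq);
  return { name, value: pair.slice(eq + 1), attrs };
}

// Build the string a browser would return from document.cookie:
// cookies flagged HttpOnly are left out.
function scriptVisibleCookies(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !c.attrs.httponly)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Look up a cookie by name in a document.cookie-style string; null if absent.
function readCookie(cookieString, name) {
  for (const pair of cookieString.split(";")) {
    const i = pair.indexOf("=");
    if (i !== -1 && pair.slice(0, i).trim() === name) return pair.slice(i + 1).trim();
  }
  return null;
}

// Constructed responses: the scheme default vs. ssoCookie=disablehttponly.
const withHttpOnly = ["ObSSOCookie=SAMPLE_TOKEN==; path=/; HttpOnly", "theme=dark; path=/"];
const withoutHttpOnly = ["ObSSOCookie=SAMPLE_TOKEN==; path=/", "theme=dark; path=/"];

console.log(readCookie(scriptVisibleCookies(withHttpOnly), "ObSSOCookie"));    // null
console.log(readCookie(scriptVisibleCookies(withoutHttpOnly), "ObSSOCookie")); // SAMPLE_TOKEN==
```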

    One Response to “How to read OAM ObSSOCookie through JavaScript”

    1. Alaa says:

      I have a question regarding passing user attributes in authorization actions as a header.

      After defining the resource, protecting it, and setting the responses (as header), what should I do to read these responses in the Apache server?

      As application by oam server, we need to know the identity of the user to do further actions. By now, the application can’t know who the user is?

      Many thanks.
