Question
We're using OpenAM to manage sessions on our application. The problem is that every time we try to pass a parameter with the GET method, the resource is blocked (error 403 - forbidden). If no parameter is set, everything is working.
EX:
http://mysite.com/logo.jpg ----> Works.
http://mysite.com/logo.jpg?foo=bar ----> ERROR !
For images or CSS, it's normal not to have parameters, but all links using the GET method aren't working.
How could we solve our problem? Actually, disabling this policy would be a good solution.
We've looked at section 7.4.2 in OpenAM's documentation (http://openam.forgerock.org/doc/admin-guide/OpenAM-Admin-Guide.html) but nothing is working.
Any clue?
Thanks for your time.
Answer 1:
You have to create the appropriate policies to accept parameters in your URL.
In your OpenAM console:
- go to the Access Control Tab
- click on the realm you want to modify
- click on the Agents Tab
- click the agent name you want to modify
- go to the Application Tab
In the Not Enforced URL Processing section:
- look for the NotEnforced URLs parameter
- Enter the new policies in New Value
- click Add and then save.
You can use * or -*- depending on what you want:
* : includes all subdivisions (Ex: mysite.com/* would permit mysite.com/Foo/Bar)
-*- : excludes subdivisions (Ex: mysite.com/-*- would permit mysite.com/page1.aspx but not mysite.com/Foo/page1.aspx)
So for your parameters you can use something like mysite.com?-*- or, more specifically, mysite.com?myparam=-*-
And be aware: despite the fact that it is indicated "Hot Swap : yes", it doesn't mean that your changes are effective immediately.
Answer 2:
So all you need to do is create 2 policies, one to cover
.mysite.com/ (I could not post the http://)
.mysite.com/?*
Since the policy engine actually looks at arguments and can restrict access based on args or not.
Creating a second policy to allow args, will solve your problems.
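The wildcard behaviour both answers describe, as a simplified Python model added here (not OpenAM's own matcher and not code from either answer): * spans subdirectories, -*- stays within one level, and neither crosses the ? that starts the query string. Because URLs on the Not Enforced list skip the agent's checks, the coverage() helper shows which URLs a candidate rule list would cover before it is saved. The function names and the sample URLs are constructed for illustration.

```python
import re

def compile_rule(pattern):
    """Translate a rule containing * and -*- into a regex (simplified model)."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("-*-", i):
            out.append(r"[^/?]*")   # one level only: stops at '/' and at '?'
            i += 3
        elif pattern[i] == "*":
            out.append(r"[^?]*")    # any depth, but never across '?'
            i += 1
        else:
            out.append(re.escape(pattern[i]))  # literal character, '?' included
            i += 1
    return re.compile("".join(out))

def is_covered(url, rules):
    """True if any rule matches the whole URL, query string included."""
    return any(compile_rule(rule).fullmatch(url) for rule in rules)

def coverage(urls, rules):
    """Map each URL to whether the rule list covers it."""
    return {url: is_covered(url, rules) for url in urls}

# Constructed sample URLs, modelled on the ones in the question.
SAMPLE_URLS = [
    "http://mysite.com/logo.jpg",
    "http://mysite.com/logo.jpg?foo=bar",
    "http://mysite.com/Foo/page1.aspx",
    "http://mysite.com/page1.aspx?myparam=1",
]

if __name__ == "__main__":
    for rules in (
        ["http://mysite.com/*"],                           # path only: query URLs fall through
        ["http://mysite.com/*", "http://mysite.com/*?*"],  # second rule covers arguments
        ["http://mysite.com/-*-?myparam=-*-"],             # one level, one named parameter
    ):
        print(rules)
        for url, ok in coverage(SAMPLE_URLS, rules).items():
            print("   ", "covered  " if ok else "uncovered", url)
```

The narrowest rule in the last case covers only the single parameterised page, which is the shape to prefer when the list being edited is the Not Enforced one.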
Source: https://stackoverflow.com/questions/7487584/opensso-openam-turn-off-url-enforcement