
Here’s a scenario that everyone with Oracle Access Manager (OAM 11g) faces:

Your enterprise utilizes OAM’s form login authentication scheme. Why? Because 99.9% of the population knows how to handle it. So a user makes a request for http://www.yourcompany.com/badAssWebSite.html and they then get redirected to http://sso.mycompany.com/technically/formatted/url/that/a/MaNaGeR/decides/form.html

And what does a normal person think? “Hey! I should bookmark this login page so I know how to get back to this bad ass website!” And then they Ctrl+D the hell out of it. Right then, you can hear the tears of the IDM team. Why? Because when the user clicks on that bookmark next time and logs in, they get a non-standard blue error screen with an error message that is beyond useless. Users get pissed and call the help desk. The help desk gets pissed with all the calls for something the stupid application team should have coded for and calls the app team manager. The managers get pissed and point a finger at the IDM team, who fully know that this is an issue (and has been since the inception of Oblix 10 years ago), and while sobbing they raise their fists in the air, parting the clouds with thunder pounding around them, and scream, “WHY ORACLE HAVEN’T YOU FIXED THIS STUPID F**KING PROBLEM?!”

Oracle’s solution? “Tell your users not to bookmark the login page” LOLOLOLOLOL!!!!1

… epic fail …

Another wonderful problem this causes? If a user has three tabs open, each with the login form showing, and they log in to one of them, when they try to log in via the other tabs they are shown the awesome blue error screen. Yep… genius.

So as I tell everyone that comes to me with a problem, “you better have a kick-ass solution in your back pocket to follow up with this…”

Here’s how I help my clients avoid this problem:

In the login form, make sure the form has an id of "oamLoginForm" and the submit button is an input of type "button" (not "submit") with onclick="LogMeIn();"

You can obviously change these, but these are what’s matched up in my code below:

Some jQuery JavaScript:

// Called by the form's Login button (onclick="LogMeIn();") and by the Enter-key
// handler further down. origURL is the originally requested URL pulled from the
// querystring (see getParameterByName() below).
function LogMeIn() {
    $.ajax({
        url: origURL,
        success: function (data) {
            // The response is either a fresh copy of the login form (user not yet
            // authenticated) or the protected resource itself (already logged in).
            // indexOf() returns -1 when the marker text is absent.
            if (data.indexOf('UNIQUE TEXT IN YOUR LOGIN FORM') !== -1) {
                // Fresh login form: this request also refreshed the OAM_REQ cookie,
                // so copy the new request_id into our form and post it.
                var newReqId = $(data).find('#request_id').val();
                $('#request_id').val(newReqId);
                $('#oamLoginForm').submit();
            } else {
                // Already authenticated: send the browser straight to the resource.
                window.location = origURL;
            }
        }
    });
}

Here’s what it’s doing:

When the user clicks the “Login” button of your form, this function is called. It fires off an ajax request for the originally requested URL (which is stored in the querystring of the URL when bookmarked, so it’ll work for multiple apps protected by one form =). I have some more code snippets below if you need them for pieces like this. Anyway, when the call returns with the data, we look for a unique string that’s in that form (UNIQUE TEXT IN YOUR LOGIN FORM). I pull from the <title>Welcome to My Bad Ass WebSite Login Form</title>. If that string is found, then the user obviously hasn’t been authenticated / authorized with OAM yet. Now that we’ve made a new request, we strip out the newly generated Request ID from the returned login form and put it into the hidden form field on the page the user is looking at. Important note: the ajax call is also updating / creating the OAM_REQ cookie with the required encrypted value needed for login to succeed. Now that the new Request ID is in the form, we post the form.

!!BAM!!

The user is logged in =)

If the returned data from the ajax call doesn’t have the unique string in it, then they are already authenticated and you’re seeing the data from the originally requested URL. So instead of submitting the form for a useless purpose and burdening OAM, we just redirect the user to the originally requested URL and the user is none the wiser =)

Something else I do (up to you) is call this function on page load (minus the submit part). So if the user is already logged in on another page and they click the bookmark, when the login form page loads it’ll make the ajax call, see that the user is already logged in and pass them to the app without the user even seeing the form. Nifty, eh?
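To make the decision the ajax callback is taking a bit more concrete, here is the same logic as a plain function that runs outside the browser (so it can be unit-tested). This is an added example, not code from the original post: the jQuery version above does the same job with $(data).find('#request_id'). The function names, the marker constant and the two sample responses are all constructed for the example, not real OAM output.

```javascript
// Added example (not from the original post): the LogMeIn() decision logic as a
// pure function. planLogin(), extractRequestId(), LOGIN_MARKER and the sample
// HTML below are assumptions made for this example.

// The "unique text in your login form" the post talks about; here it is the
// <title> of a constructed login page.
const LOGIN_MARKER = 'Welcome to My Bad Ass WebSite Login Form';

// Pull the value of the hidden request_id input out of a login-form HTML page.
// Returns null when no such field is present.
function extractRequestId(html) {
  // Match <input ... id="request_id" ...>, whatever order the attributes are in.
  const input = html.match(/<input\b[^>]*\bid=["']request_id["'][^>]*>/i);
  if (!input) return null;
  const value = input[0].match(/\bvalue=["']([^"']*)["']/i);
  return value ? value[1] : null;
}

// Decide what the login page should do with the body that the background
// request for the originally requested resource returned.
function planLogin(responseHtml, marker) {
  if (responseHtml.indexOf(marker) === -1) {
    // No login form came back: the session is already valid and this is the
    // protected resource itself, so just send the browser there.
    return { action: 'redirect' };
  }
  const requestId = extractRequestId(responseHtml);
  if (requestId === null) {
    // A login form with no request_id: nothing fresh to post, and posting the
    // stale form would only reproduce the error page.
    return { action: 'error', reason: 'request_id missing from fresh login form' };
  }
  // Fresh request_id (and a refreshed OAM_REQ cookie on the browser side):
  // copy it into the visible form and post it.
  return { action: 'submit', requestId: requestId };
}

// Constructed sample responses (not real OAM output).
const SAMPLE_LOGIN_FORM = `<html><head><title>${LOGIN_MARKER}</title></head>
<body><form id="oamLoginForm" method="post">
<input type="hidden" id="request_id" name="request_id" value="1234567890123456789">
<input type="text" name="username"><input type="password" name="password">
</form></body></html>`;

const SAMPLE_PROTECTED_PAGE =
  '<html><head><title>badAssWebSite</title></head><body>Hello</body></html>';

console.log(JSON.stringify(planLogin(SAMPLE_LOGIN_FORM, LOGIN_MARKER)));
console.log(JSON.stringify(planLogin(SAMPLE_PROTECTED_PAGE, LOGIN_MARKER)));
```

One thing worth noticing: the marker check uses `=== -1` rather than `> 0`, so a marker that happens to sit at the very start of the response is still recognised, and a login form that comes back without a request_id is reported instead of being posted as-is.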

Another note for ya, because this is ajax, the request has to be to the same domain. Cross-domain ajax isn’t really allowed. You’ll have to use some hack-foo to get that one workin’.

Here’s a couple of other JavaScript snippets for you:

Getting the originally requested URL from the querystring:

function getParameterByName(name) {
    // Escape [ and ] so a name like "foo[bar]" is matched literally.
    name = name.replace(/[\[]/, "\\[").replace(/[\]]/, "\\]");
    var regexS = "[\\?&]" + name + "=([^&#]*)";
    var regex = new RegExp(regexS);
    var results = regex.exec(window.location.search);
    if (results === null) {
        return "";
    }
    // Querystrings encode spaces as "+"; turn them back before decoding.
    return decodeURIComponent(results[1].replace(/\+/g, " "));
}

var origURL = getParameterByName('resource_url');
// Second decoding pass (unescape() is deprecated but still supported by browsers).
origURL = unescape(origURL);
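Since the value of resource_url is both the target of the ajax call and the place the user gets redirected to, it pays to check it before using it. The same-domain note above already says the request has to stay on the login page's origin, so the check below simply enforces that, which also stops a crafted bookmark from sending the browser somewhere else once the user has logged in. This is an added example, not code from the original post: it swaps the getParameterByName()/unescape() pair for URLSearchParams and the URL parser (both available in browsers and in Node), and resolveResourceUrl() plus the sample querystrings are assumptions made for the example.

```javascript
// Added example (not from the original post): read resource_url from the login
// page's querystring and accept it only when it points at the same origin as the
// login page. resolveResourceUrl() and the constructed inputs are assumptions.

// Return the originally requested URL, or `fallback` when it is absent,
// unparsable, not http(s), or on a different origin than the login page.
function resolveResourceUrl(search, pageOrigin, fallback) {
  const params = new URLSearchParams(search);
  const raw = params.get('resource_url'); // already percent-decoded here
  if (!raw) return fallback;
  let target;
  try {
    // Relative values resolve against the page origin; absolute ones keep their own host.
    target = new URL(raw, pageOrigin);
  } catch (e) {
    return fallback;
  }
  // Same-origin check: scheme, host and port must all match. This is what makes
  // the background XMLHttpRequest possible in the first place, and it keeps the
  // post-login redirect on our own site.
  if (target.origin !== new URL(pageOrigin).origin) return fallback;
  // Only plain web resources make sense as a bookmark target.
  if (target.protocol !== 'http:' && target.protocol !== 'https:') return fallback;
  return target.href;
}

// Constructed examples of the login page's window.location.search. The host name
// is the one from the post's scenario, reused for both the login page and the app
// because the ajax call has to be same-origin anyway.
const PAGE_ORIGIN = 'https://www.yourcompany.com';
const SAME_ORIGIN_QUERY =
  '?resource_url=https%3A%2F%2Fwww.yourcompany.com%2FbadAssWebSite.html%3Fa%3D1';
const OTHER_HOST_QUERY = '?resource_url=https%3A%2F%2Fother.example%2F';
const MISSING_QUERY = '?request_id=123';

console.log(resolveResourceUrl(SAME_ORIGIN_QUERY, PAGE_ORIGIN, '/'));
console.log(resolveResourceUrl(OTHER_HOST_QUERY, PAGE_ORIGIN, '/'));
```

In the login page you would call it as `var origURL = resolveResourceUrl(window.location.search, window.location.origin, '/');` and, when it comes back as the fallback, send the user to a known landing page instead of firing the ajax call at all.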

And to call something on page load, here’s the quick jQuery way. The bit of code in there is to capture the Return key being pressed to “submit” the form. Since we took away the “submit” button, hitting the Enter key needs to be captured and processed manually:

$(document).ready(function () {
    $('#oamLoginForm').bind('keypress', function (e) {
        if (e.keyCode == 13) {
            // Enter pressed inside the form: stop any native submit and
            // run the same path as the Login button.
            e.preventDefault();
            LogMeIn();
        }
    });
});

So, that’s what I got =)

I’m sure a ton of you have had this same problem in the past. What were your workarounds? Can you make this better? I’d love to hear it!

Cheers!