OpenAM Web Policy Agent does not redirect a user with an expired session to authenticate, but serves a 403 page instead

Time: 2017-01-24 04:08:00

Tags: single-sign-on openam

I am using OpenAM 13 and Web Policy Agent 4.0 for Apache.

It seems that the Web Policy Agent does not recognise when the iPlanetDirectoryPro cookie, the token set by OpenAM after authentication, has expired or is otherwise invalid.

It looks like the Web Policy Agent takes the token and tries to confirm it with OpenAM, is then told that validation failed, as in the log lines below, and serves the user a 403 Forbidden page.

2017-01-24 11:29:55.475 +0800 WARNING [0x7f180e887700:17669] am_get_session_policy_cache_entry(): failed to locate data for a key (AQIC5wM2LY4SfcxFG6Bl98dRT7AluZ7682rulJGU8-CCSN4.*AAJTSQACMDEAAlNLABQtMTQ2NTcwMTgyOTEwMjQ5MTg4OQACUzEAAA..*)
2017-01-24 11:29:55.484 +0800 WARNING [0x7f180e887700:17669] validate_policy(): retry 0 (remote session/policy call failure: error)
2017-01-24 11:29:57.490 +0800 WARNING [0x7f180e887700:17669] validate_policy(): retry 1 (remote session/policy call failure: error)
2017-01-24 11:29:59.497 +0800 WARNING [0x7f180e887700:17669] validate_policy(): retry 2 (remote session/policy call failure: error)
2017-01-24 11:30:01.504 +0800 WARNING [0x7f180e887700:17669] validate_policy(): retry 3 (remote session/policy call failure: error)
2017-01-24 11:30:03.504 +0800 ERROR [0x7f180e887700:17669] validate_policy(): remote session/policy call to validate 'http://agent.job.com.tw:80/notification/push' failed (max 3 retries exhausted)

The expected behaviour in this case is to redirect the user to auth, I suppose; if the user is valid but does not have permission to access the page, the agent is instructed to block the user from it, as below:

2017-01-24 11:43:59.009 +0800 WARNING [0x7f17f9ff3700:17669] am_get_session_policy_cache_entry(): failed to locate data for a key (AQIC5wM2LY4Sfcz6gBnS77c_KhZogqv6gYGQdjU1WpRaQxE.*AAJTSQACMDEAAlNLABMzMTYxMjIwNDAzNjc4NDA4MDQxAAJTMQAA*)
2017-01-24 11:43:59.050 +0800 WARNING [0x7f17f9ff3700:17669] validate_policy(): decision: deny, reason: no action decisions found
2017-01-24 11:43:59.213 +0800 WARNING [0x7f180d000700:17669] validate_policy(): validate policy did not find a match for 'http://agent.job.com.tw:80/favicon.ico' in the cached entries, retrying with the new request to the policy service
2017-01-24 11:43:59.227 +0800 WARNING [0x7f180d000700:17669] validate_policy(): decision: deny, reason: no action decisions found

However, if I navigate to the OpenAM server page myself, either before or after getting the 403 page on the resource page, OpenAM asks me to authenticate! In other words, to log in, and the iPlanetDirectoryPro cookie is gone; I guess it was cleared by OpenAM, which means OpenAM is able to tell that the session has expired, or at least knows how to take care of an iPlanetDirectoryPro cookie that is no longer valid.

If I choose not to log in right away and go back to the resource page, it starts redirecting to OpenAM for authentication, which is fine. Manually deleting the iPlanetDirectoryPro cookie when I get the 403 page does the same thing.

This is really annoying and could be critical for ordinary users, who will not realise that they need to do the workarounds mentioned above.

I hope someone can help me with this, many thanks.
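The two agent log excerpts above report different outcomes that both end in a 403 for the user: a remote session/policy validation that never succeeds (retries exhausted) versus an explicit policy deny for a session OpenAM accepted. The parser below, an added example that is not part of the original question or of the OpenAM agent code, classifies agent log lines so an operator can tell the two cases apart, for instance to alert on the first one. The sample log is constructed from the lines quoted above, with the session token replaced by a placeholder.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample built from the log lines quoted in the question; the real
# session token is replaced by a placeholder because it is a credential.
SAMPLE_LOG = """\
2017-01-24 11:29:55.475 +0800 WARNING [0x7f180e887700:17669] am_get_session_policy_cache_entry(): failed to locate data for a key (<SESSION-TOKEN>)
2017-01-24 11:29:55.484 +0800 WARNING [0x7f180e887700:17669] validate_policy(): retry 0 (remote session/policy call failure: error)
2017-01-24 11:30:03.504 +0800 ERROR [0x7f180e887700:17669] validate_policy(): remote session/policy call to validate 'http://agent.job.com.tw:80/notification/push' failed (max 3 retries exhausted)
2017-01-24 11:43:59.009 +0800 WARNING [0x7f17f9ff3700:17669] am_get_session_policy_cache_entry(): failed to locate data for a key (<SESSION-TOKEN>)
2017-01-24 11:43:59.050 +0800 WARNING [0x7f17f9ff3700:17669] validate_policy(): decision: deny, reason: no action decisions found
"""

# Fields: timestamp with offset, level, [thread:pid], function(), message
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ [+-]\d{4}) (?P<level>[A-Z]+) "
    r"\[(?P<thread>0x[0-9a-f]+):\d+\] (?P<func>\w+)\(\): (?P<msg>.*)$"
)

def classify(func: str, msg: str) -> str:
    """Map one agent log message to the outcome it reports."""
    if "retries exhausted" in msg:           # OpenAM never confirmed the session
        return "validation_failed"
    if msg.startswith("decision: deny"):     # session accepted, policy refused
        return "policy_deny"
    if func == "am_get_session_policy_cache_entry":
        return "cache_miss"
    return "other"

def parse_agent_log(text: str) -> List[dict]:
    """Parse agent log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = re.search(r"'(https?://[^']+)'", m["msg"])
        events.append({**m.groupdict(), "url": url.group(1) if url else None,
                       "kind": classify(m["func"], m["msg"])})
    return events

def terminal_outcomes(events: List[dict]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Per thread, the last decisive outcome: 'validation_failed' is the expired
    or invalid session that should end in a redirect to login, 'policy_deny' the
    legitimate 403 for an authenticated user without permission."""
    out: Dict[str, Tuple[str, Optional[str]]] = {}
    for ev in events:
        if ev["kind"] in ("validation_failed", "policy_deny"):
            out[ev["thread"]] = (ev["kind"], ev["url"])
    return out
```

Grouping by the thread id in brackets is an assumption that one request is served by one thread, which holds for the excerpts above but should be checked against a longer log.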

1 answer:

Answer 0 (score: 0)

I believe you are hitting this bug: AMAGENTS-279