5 Oracle Adaptive Access Manager Proxy

Oracle Adaptive Access Manager's Universal Installation Option (UIO) reverse proxy deployment option offers login risk-based multifactor authentication to Web applications without requiring any change to the application code.

The proxy's main function is to redirect user traffic from the application login flow to the Oracle Adaptive Access Manager login flow.

The Oracle Adaptive Access Manager Proxy is available for the Apache Web server and Microsoft Internet Security and Acceleration (ISA) Server.

This chapter is intended for integrators who configure the Oracle Adaptive Access Manager Proxy to add multifactor authentication to Web applications. An understanding of the HTTP request/response paradigm is required to understand the material presented in this document.

The chapter contains the following sections:

For information on configuring OAAM Server, the client-facing multifactor authentication Web application specific to the Universal Installation Option deployment, refer to Chapter 6, "Configuring OAAM Server."

5.1 Introduction

The Introduction section of this chapter contains the following topics:

  • Important Terms

  • Architecture

  • References

5.1.1 Important Terms

For your reference, important terms are defined in this section.

Microsoft ISA

From the Microsoft Web site: "the Internet Security and Acceleration (ISA) Server is the integrated edge security gateway that helps protect IT environments from Internet-based threats while providing users with fast and secure remote access to applications and data."

Universal Installation Option

The Universal Installation Option is the Oracle Adaptive Access Manager integration strategy that does not require any code modification to the protected Web applications. The Universal Installation Option involves placing the Oracle Adaptive Access Manager Proxy in front of the protected Web applications.

Proxy

A proxy is a server that services the requests of its clients by forwarding requests to other servers. This chapter is concerned with the Web proxy, where the proxy handles Web Protocols, mainly HTTP.

Forward Proxy

A forward proxy is an intermediate server that sits between the client and the origin server. To get content from the origin server, the client sends a request to the proxy naming the origin server as the target, and the proxy then requests the content from the origin server and returns it to the client. The client must be specially configured to use the forward proxy to access other sites.

Reverse Proxy

A reverse proxy appears to the client just like an ordinary Web server. No special configuration on the client is necessary. The client makes ordinary requests for content in the name-space of the reverse proxy. The reverse proxy then decides where to send those requests and returns the content as if it were itself the origin. The Oracle Adaptive Access Manager Proxy running in the Microsoft Internet Security and Acceleration (ISA) Server is an example of a reverse proxy.

OAAM Server

OAAM Server is the Web application component of Oracle Adaptive Access Manager. The Oracle Adaptive Access Manager Proxy redirects the client browser to OAAM Server for tracking and authentication purposes as defined by the Oracle Adaptive Access Manager Universal Installation Option Proxy XML configuration.

5.1.2 Architecture

The following diagrams show a typical Oracle Adaptive Access Universal Installation Option deployment.

The first diagram shows a Web application before the Oracle Adaptive Access Universal Installation Option is deployed to provide multifactor authentication.

Figure 5-1 Before the Oracle Adaptive Access Universal Installation Option

The second diagram shows various components added after the Oracle Adaptive Access Universal Installation Option deployment.

Figure 5-2 After Universal Installation Option Deployment

The Oracle Adaptive Access Manager Proxy intercepts the HTTP traffic between the client (browser) and the server (Web application) and performs the appropriate actions, such as redirecting the traffic to OAAM Server, to provide multifactor authentication and authorization. OAAM Server, in turn, communicates with OAAM Admin to assess the risk, and then takes the appropriate actions, such as permitting the login, challenging the user, blocking the user, and other actions.

The Oracle Adaptive Access Manager Proxy is available for the Apache Web server and Microsoft Internet Security and Acceleration (ISA) Server.

5.1.3 References

For detailed information on installing and configuring the Microsoft ISA server, refer to the Microsoft ISA Server setup documentation. Web publishing rule creation and listener creation are explained further in this document.

For more information about the Apache HTTP Server, refer to the Apache HTTP Server 2.2 documentation at:

http://httpd.apache.org/docs/2.2

5.2 Installing Oracle Adaptive Access Manager Proxy for Microsoft ISA

The Oracle Adaptive Access Manager Proxy for Microsoft ISA uses the API provided by Microsoft ISA Server to monitor the HTTP traffic and perform various actions. Refer to the Microsoft ISA Server setup documentation for the details on installing and configuring the ISA server. For a successful installation of the proxy, .NET Framework 2.0 or later must be installed. Install all the recommended updates from Microsoft on the machine.

Microsoft ISA Server 2006 Standard Edition should be installed and Web publishing rules for Web applications should be created before installing the Oracle Adaptive Access Manager Proxy.

This section provides:

  • Proxy Web Publishing Configuration

  • Registering the Oracle Adaptive Access Manager Proxy for Microsoft ISA DLL

  • Settings to Control the Proxy

5.2.1 Proxy Web Publishing Configuration

The purpose of this section is to explain the creation of Web publishing rules and listeners in Microsoft ISA for Adaptive Access Manager applications. It is intended for integrators who install and configure Microsoft ISA to support multiple Web applications.

5.2.1.1 Web Listener Creation

For details on creating a Web listener, refer to the Microsoft Web site.

  1. For the Web Listener Name, enter Bharosa Proxy Listener.

  2. Select SSL secure connection as the type of connection the Web listener will establish with clients.

  3. For the Web Listener IP Addresses, choose external, internal, and local host.

  4. Choose to use a single certificate for the Web Listener and select the certificate.

  5. Select no authentication for how clients will validate their credentials.

5.2.1.2 Web Publishing Rule Creation

In a typical deployment, Web applications and OAAM Server run on machines in an internal network and are not directly accessible from the Internet.

In the case of the Oracle Adaptive Access Manager Proxy for Microsoft ISA, only the Oracle Adaptive Access Manager Proxy machine, which runs Microsoft ISA Server, will be accessible from the Internet.

The following should be published via Web publishing rules in the Microsoft ISA Server.

  • OAAM Server

  • Web applications

Therefore, you need to set at least two rules: one for the main application and another for OAAM Server.

Refer to the Microsoft documentation for detailed instructions. The following tips are provided for your reference.

5.2.1.2.1 Web Publishing Rule Creation for OAAM Server

To create a new Web publishing rule for OAAM Server you will need to access Microsoft ISA Server's Web publishing rule wizard and follow the on-screen instructions.

  1. For the name of the rule, enter a name such as Bharosa OAAM Server.

  2. Choose to allow incoming requests matching the rule conditions.

  3. Choose to publish a single Web site or a load balancer in front of several servers.

  4. Choose SSL as a connection option if the Web application is listening on SSL; otherwise, choose the non-secured connection option.

  5. For the internal site name, provide the machine name where the Web server runs.

    Translate the public name into the internal name.

  6. If the IP address or the machine name of the Web application to be published is known, select the option to use the computer name or IP address and provide that information.

  7. If you want to include all files and subfolders within a folder, enter /* for the name of the file or folder you want to publish. If you need to publish more than one file or folder, enter only the first one here; the remaining paths can be added later by editing the rule. The path you enter here is also used later for the public details.

  8. For your Web listener, select Bharosa Proxy Listener.

  9. For authentication delegation, select no delegation, and specify that the client cannot authenticate directly.

  10. Make sure you are able to apply the rule to requests from all users.

Check the properties for your newly created rule by accessing the rule properties.

  1. If more than one file or folder needs to be published, add all paths.

  2. If you have more than one domain name to access the application, add all the domain names.

5.2.1.2.2 Web Publishing Rule Creation for Protected Web Applications

To create a new Web publishing rule for Web applications, you will need to access Microsoft ISA Server's Web publishing rule wizard and follow the onscreen instructions.

  1. For the name of the rule, enter a name such as Online Banking Application.

  2. Choose to allow incoming requests matching the rule conditions.

  3. Choose to publish a single Web site or a load balancer in front of several servers.

  4. Choose SSL as a connection option if the Web application is listening on SSL; otherwise, choose the non-secured connection option.

  5. For the internal site name, provide the machine name where the Web server runs.

  6. If the IP address or the machine name of the Web application to be published is known, select the option to use the computer name or IP address and provide that information.

  7. If you want to include all files and subfolders within a folder, enter /* for the name of the file or folder you want to publish. If you need to publish more than one file or folder, enter only the first one here; the remaining paths can be added later by editing the rule. The path you enter here is also used later for the public details.

  8. For your Web listener, select Bharosa Proxy Listener.

  9. For authentication delegation, select no delegation, and specify that the client cannot authenticate directly.

  10. Make sure you are able to apply the rule to requests from all users.

Check the properties for your newly created rule by accessing the rule properties.

  1. If more than one file or folder needs to be published, add all paths.

  2. If you have more than one domain name to access the application, add all the domain names.

5.2.2 Registering the Oracle Adaptive Access Manager Proxy for Microsoft ISA DLL

The Oracle Adaptive Access Manager Proxy for Microsoft ISA is installed as a Web filter in Microsoft ISA Server. To install the Oracle Adaptive Access Manager Proxy for Microsoft ISA, follow these steps:

  1. Copy the BharosaProxy.dll to the Microsoft ISA Server installation directory, which by default is %ProgramFiles%\Microsoft ISA Server.

  2. Open the command prompt and navigate to the Microsoft ISA Server installation directory.

  3. Register the BharosaProxy.dll with the following command:

    regsvr32 .\BharosaProxy.dll
    

5.2.3 Settings to Control the Proxy

Various aspects of the Oracle Adaptive Access Manager Proxy for Microsoft ISA can be controlled using registry values. All Oracle Adaptive Access Manager Proxy for Microsoft ISA settings are stored under the HKLM\SOFTWARE\Bharosa\Proxy key. Changes to most of the registry values are picked up by the proxy immediately without requiring a proxy restart.

5.2.3.1 Configuration files

During startup (and during config reload), the proxy loads the configuration from the files listed under the HKLM\SOFTWARE\Bharosa\Proxy\ConfigFiles key.

  • The type of each value under this key should be REG_DWORD.

  • The name of each value under this key should be the filename containing the proxy configuration.

  • The filename can either be fully qualified or relative to the location of the BharosaProxy.dll.

  • The proxy will load a configuration file only if the data has a nonzero value. This can be used to dynamically load and unload proxy configuration files.

  • The files will be loaded in the lexicographic order of the filenames in the registry.

  • Changes under the ConfigFiles key will not be effective until either the proxy is restarted or HKLM\SOFTWARE\Bharosa\Proxy\ReloadConfig is set to 1.

5.2.3.2 Configuration Reload

The proxy configuration can be changed dynamically while the proxy is running: new configuration files can be added, and currently loaded files can be updated or removed. These changes are not applied until the ReloadConfig registry value is set to a nonzero value. When ReloadConfig is set to a nonzero value, the proxy loads the configuration files and, after loading them, resets the ReloadConfig value to 0.

Note that the new configuration will be used only for new client (browser) connections. Clients already connected will continue to use the previous configuration.
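The ConfigFiles rules and the ReloadConfig contract from the two sections above, as an added example that is not Oracle's code: the registry key is modelled as a plain dict of value name to REG_DWORD data so it runs anywhere, and the case-insensitive ordering and the expanded default install directory are assumptions.

```python
"""Resolve the HKLM\\SOFTWARE\\Bharosa\\Proxy ConfigFiles key and the ReloadConfig contract.

Added example (not Oracle's code): the registry is modelled as a plain dict of
value name -> REG_DWORD data so it runs anywhere; on the ISA host the same
logic would read the key with winreg. Case-insensitive ordering is an assumption.
"""
from pathlib import PureWindowsPath
from typing import Any, Dict, List

# Directory holding BharosaProxy.dll; the page's default is %ProgramFiles%\Microsoft ISA Server.
DLL_DIR = PureWindowsPath(r"C:\Program Files\Microsoft ISA Server")


def config_load_order(config_files: Dict[str, int],
                      dll_dir: PureWindowsPath = DLL_DIR) -> List[str]:
    """Return the configuration files the proxy would load, in load order.

    Rules from Section 5.2.3.1: a file is loaded only if its REG_DWORD data is
    nonzero; files are loaded in lexicographic order of their value names; a
    relative name is resolved against the directory containing BharosaProxy.dll.
    """
    enabled = [name for name, data in config_files.items() if data != 0]
    # Lexicographic, not numeric: "10_x.xml" sorts before "2_x.xml". Zero-pad
    # prefixes (01_, 02_, ...) when the load order matters.
    enabled.sort(key=str.lower)          # registry names are case-insensitive (assumption)
    resolved = []
    for name in enabled:
        path = PureWindowsPath(name)
        resolved.append(str(path if path.is_absolute() else dll_dir / name))
    return resolved


class ProxyConfig:
    """Minimal model of the proxy's view of the registry."""

    def __init__(self, registry: Dict[str, Any]) -> None:
        self.registry = registry
        self.loaded = config_load_order(registry.get("ConfigFiles", {}))

    def poll_reload(self) -> bool:
        """Apply the ReloadConfig contract from Section 5.2.3.2.

        Edits under ConfigFiles take effect only once ReloadConfig is nonzero;
        the proxy then reloads and resets the value to 0 itself. Returns True
        when a reload happened.
        """
        if self.registry.get("ReloadConfig", 0) == 0:
            return False
        self.loaded = config_load_order(self.registry.get("ConfigFiles", {}))
        self.registry["ReloadConfig"] = 0
        return True


if __name__ == "__main__":
    # Constructed registry contents, not taken from a real host.
    reg = {"ConfigFiles": {"2_app.xml": 1, "10_oaam.xml": 1,
                           r"D:\uio\disabled.xml": 0, r"D:\uio\Common.xml": 1},
           "ReloadConfig": 0}
    cfg = ProxyConfig(reg)
    print(cfg.loaded)
    reg["ConfigFiles"]["2_app.xml"] = 0  # unload a file...
    reg["ReloadConfig"] = 1              # ...and request a reload
    print(cfg.poll_reload(), cfg.loaded, reg["ReloadConfig"])
```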

5.2.3.3 Session ID Cookie

The Oracle Adaptive Access Manager Proxy for Microsoft ISA uses a cookie to associate multiple requests from a client. The name of this cookie can be configured in the registry value, SessionIdCookieName (of type REG_SZ). If this value is not present or empty, the Oracle Adaptive Access Manager Proxy for Microsoft ISA will use the cookie name, BharosaProxy_SessionId.

5.2.3.4 Configuring Session Id Cookie attributes via Global Variables

The attributes of the Session Id Cookie can be configured using global variables listed in Table 5-1.

Table 5-1 Session Id Cookie Attributes via Global Variables

Cookie attribute (global variable name): description

expires (SessionCookie_ExpiryInMinutes)
    The 'expires' attribute is added to the session cookie if this global variable is set to a value greater than 0. The value specifies the number of minutes the session cookie should be persisted by the client browser.

HttpOnly (SessionCookie_IsHttpOnly)
    The 'HttpOnly' attribute is added to the session cookie if this global variable is set to a value greater than 0.

secure (SessionCookie_IsSecure)
    The 'secure' attribute is added to the session cookie if this global variable is set to a value greater than 0.

domain (SessionCookie_DomainLevelCount)
    The 'domain' attribute is added to the session cookie if this global variable is set. For example, to set the cookie domain to ".mydomain.com" for an application at "test.myserver.mydomain.com", set this global variable to "2". The value should be greater than 1; if a lower value is specified, the proxy uses 2.
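The Table 5-1 rules rendered into the Set-Cookie header they produce, with a check that flags the weak (unset) defaults, as an added example that is not Oracle's code; the attribute order, the RFC 1123 'expires' format and the sample host and clock are assumptions.

```python
"""Session Id cookie attributes as driven by the Table 5-1 global variables.

Added example (not Oracle's code): the emission rules follow the table; the
attribute order and the RFC 1123 date format of 'expires' are assumptions.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Default cookie name used when SessionIdCookieName is absent or empty (Section 5.2.3.3).
DEFAULT_COOKIE_NAME = "BharosaProxy_SessionId"

# Constructed sample inputs: a fixed clock keeps the 'expires' value reproducible.
SAMPLE_HOST = "test.myserver.mydomain.com"
SAMPLE_NOW = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)


def cookie_domain(host: str, level_count: Optional[int]) -> Optional[str]:
    """Derive the 'domain' attribute from SessionCookie_DomainLevelCount.

    The count is the number of trailing DNS labels to keep; the table says
    values below 2 are replaced by 2. If the count exceeds the number of
    labels the whole host is used (assumption: the page does not cover it).
    """
    if level_count is None:
        return None                      # variable not set: no domain attribute
    level_count = max(level_count, 2)    # "if a lower value is specified, proxy will use 2"
    labels = host.split(".")
    return "." + ".".join(labels[-level_count:])


def build_set_cookie(value: str, settings: Dict[str, int], host: str,
                     now: datetime, name: str = DEFAULT_COOKIE_NAME) -> str:
    """Render the Set-Cookie header the proxy would emit for these settings."""
    parts = [f"{name}={value}"]
    minutes = settings.get("SessionCookie_ExpiryInMinutes", 0)
    if minutes > 0:                      # persistent cookie; omitted -> session cookie
        expires = now.astimezone(timezone.utc) + timedelta(minutes=minutes)
        parts.append("expires=" + expires.strftime("%a, %d %b %Y %H:%M:%S GMT"))
    domain = cookie_domain(host, settings.get("SessionCookie_DomainLevelCount"))
    if domain is not None:
        parts.append("domain=" + domain)
    if settings.get("SessionCookie_IsSecure", 0) > 0:
        parts.append("secure")
    if settings.get("SessionCookie_IsHttpOnly", 0) > 0:
        parts.append("HttpOnly")
    return "; ".join(parts)


def audit_cookie_settings(settings: Dict[str, int], host: str) -> List[str]:
    """Flag global-variable combinations that weaken the session cookie."""
    findings = []
    if settings.get("SessionCookie_IsHttpOnly", 0) <= 0:
        findings.append("HttpOnly missing: session id readable by scripts in the page")
    if settings.get("SessionCookie_IsSecure", 0) <= 0:
        findings.append("secure missing: session id also sent over plain HTTP")
    if settings.get("SessionCookie_ExpiryInMinutes", 0) > 0:
        findings.append("expires set: session id persisted to disk by the browser")
    domain = cookie_domain(host, settings.get("SessionCookie_DomainLevelCount"))
    if domain is not None:
        findings.append(f"domain={domain}: session id shared with every host under it")
    return findings


# Unset (default) variables beside a hardened set, for comparison.
WEAK_SETTINGS: Dict[str, int] = {}
HARDENED_SETTINGS: Dict[str, int] = {
    "SessionCookie_IsHttpOnly": 1,
    "SessionCookie_IsSecure": 1,
}


if __name__ == "__main__":
    for label, s in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(label, "->", build_set_cookie("abc123", s, SAMPLE_HOST, SAMPLE_NOW))
        for finding in audit_cookie_settings(s, SAMPLE_HOST):
            print("   !", finding)
```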


5.2.3.5 Session Inactive Interval

Sessions in the Oracle Adaptive Access Manager Proxy for Microsoft ISA will be removed after a certain period of inactivity. This period, in seconds, is specified in the MaxSessionInactiveInterval registry value. If this value is not specified, the Oracle Adaptive Access Manager Proxy for Microsoft ISA will remove a session after 1200 seconds (20 minutes) of inactivity. This value should be set to at least a few seconds higher than the Web application session timeout value.

5.2.3.6 Settings for Troubleshooting

Trace messages from the Oracle Adaptive Access Manager Proxy for Microsoft ISA can be used for troubleshooting any issues with the proxy configuration and operation. Trace settings, like trace level and destinations, can be controlled using the registry values under HKLM\SOFTWARE\Bharosa\Proxy. Registry values are shown in Table 5-2.

Table 5-2 Settings for Troubleshooting

Name (type): description

TraceFilename (REG_SZ)
    Full path of the file to which trace messages are written.

TraceFileMaxLength (REG_DWORD)
    Maximum length of the trace file in bytes. Once the trace file reaches this size, the proxy renames the file by adding a timestamp to the filename and creates a new trace file for subsequent trace messages.

TraceToFile (REG_DWORD)
    Trace messages are written to the file only if this value is nonzero.

TraceToDebugTerminal (REG_DWORD)
    Trace messages are written to the debug terminal only if this value is nonzero. Tools like DbgView can be used to view these trace messages in real time.

TraceLevel (REG_DWORD)
    Each trace level (debug, info, warning, error) has an integer value associated with it. Set the registry value to the sum of the desired trace level values:
    FATAL 0x1, ERROR 0x2, WARN 0x4, INFO 0x8, DEBUG 0x10, HTML 0x80, FLOW 0x80000

IgnoreUrlMappings (REG_DWORD)
    If this value is nonzero, the proxy ignores all the interceptors defined in the proxy configuration. Essentially this puts the Oracle Adaptive Access Manager Proxy for Microsoft ISA in "pass-through" mode.

CaptureTraffic (REG_DWORD)
    The proxy does not handle (save, inspect) the HTTP traffic for URLs that have no interceptors defined in the configuration. During the application discovery process, however, it is necessary to get a dump of all the HTTP traffic through the proxy; on such occasions, set this registry value to nonzero.


5.3 Installing Oracle Adaptive Access Manager Proxy for Apache

To install the Oracle Adaptive Access Manager Proxy for Apache, a new Apache httpd has to be installed into which the Oracle Adaptive Access Manager Proxy for Apache will be installed. This Apache httpd will use mod_proxy to reverse-proxy to the backend application that has to be protected.

The Installation section contains information for installing the Oracle Adaptive Access Manager Proxy for Apache for Windows and Linux platforms.

The installation and post-installation procedures are described in the following sections.

5.3.1 Proxy Files for Windows and Linux

The Oracle Adaptive Access Manager Proxy for Apache binaries for Windows and Linux are different. Because the proxy is written in C/C++, a binary built for one platform will not run on another (unlike Java).

The files are located under $ORACLE_HOME/oaam/oaam_proxyplatform_specific_file.

5.3.1.1 Windows

For Windows, the binary files are listed in Table 5-3.

Table 5-3 Windows Binary Files

mod_uio.so
    Oracle Adaptive Access Manager Proxy for Apache module

log4cxx.dll
    Apache Log4cxx library

libxml2.dll
    XML/HTML parser

apr_memcache.dll
    APR Memcache client library


The data files are listed in Table 5-4.

Table 5-4 Windows Data Files

UIO_Settings.xml
    Oracle Adaptive Access Manager Proxy for Apache settings XML file

UIO_log4j.xml
    Oracle Adaptive Access Manager Proxy for Apache Log4j (log4cxx) configuration XML file

TestConfig.xml
    Oracle Adaptive Access Manager Proxy for Apache sample application configuration file

UIO_Settings.rng
    Relax NG grammar for UIO_Settings.xml

UIO_Config.rng
    Relax NG grammar for application configuration XML files


5.3.1.2 Linux

For Linux, the binary files are listed in Table 5-5.

Table 5-5 Linux Binary Files

mod_uio.so
    Oracle Adaptive Access Manager Proxy for Apache module

liblog4cxx.so.0.10.0.0
    Apache Log4cxx library

libxml2.so.2.6.32
    XML/HTML parser

libapr_memcache.so.0.0.1
    APR Memcache client library


The data files are listed in Table 5-6.

Table 5-6 Linux Data Files

UIO_Settings.xml
    Oracle Adaptive Access Manager Proxy for Apache settings XML file

UIO_log4j.xml
    Oracle Adaptive Access Manager Proxy for Apache sample Log4j (log4cxx) configuration XML file

TestConfig.xml
    Oracle Adaptive Access Manager Proxy for Apache sample application configuration file

UIO_Settings.rng
    Relax NG grammar for UIO_Settings.xml

UIO_Config.rng
    Relax NG grammar for application configuration XML files


5.3.2 Apache httpd Requirements

The pre-installation steps for downloading or building Apache httpd depend on the platform (Windows or Linux) and on whether certain requirements are met.

5.3.2.1 Windows

You can download the latest Apache httpd (2.2.8) build for Windows from the Apache Web site. Ensure that:

  • the Apache httpd build is version 2.2.8

  • mod_proxy support is enabled (the standard installation contains mod_proxy)

  • mod_ssl support is enabled

5.3.2.2 Linux

Instructions to build Apache httpd are available on the Apache Web site. When you build Apache, ensure that:

  • the Apache httpd build is version 2.2.8

  • mod_so is enabled (for dynamically loading modules)

  • mod_proxy is enabled

  • mod_ssl support is enabled

5.3.3 Copying the Oracle Adaptive Access Manager Proxy for Apache and Supported Files to Apache

Instructions are provided in this section for copying the Oracle Adaptive Access Manager Proxy for Apache and support files to specific directories in Apache for both Windows and Linux platforms.

5.3.3.1 Windows

Table 5-7 summarizes the directories into which you copy the Oracle Adaptive Access Manager Proxy for Apache binary files after installation, and the resulting tree structure of the Oracle Adaptive Access Manager Proxy for Apache libraries and configuration files, assuming that you installed Apache in C:\Apache2.2.

Table 5-7 Directories for Windows UIO Binary Files

C:\Apache2.2\modules\mod_uio.so
    Oracle Adaptive Access Manager Proxy for Apache module

C:\Apache2.2\bin\log4cxx.dll
    Apache Log4cxx library

C:\Apache2.2\bin\libxml2.dll
    XML/HTML parser

C:\Apache2.2\bin\apr_memcache.dll
    APR Memcache library


The data files will go in the directories summarized in Table 5-8.

Table 5-8 Directories for Windows UIO Data Files

C:\OAAMUIO\UIO_Settings.xml
    Oracle Adaptive Access Manager Proxy for Apache settings XML file

C:\OAAMUIO\UIO_log4j.xml
    Oracle Adaptive Access Manager Proxy for Apache Log4j (log4cxx) configuration XML file

C:\OAAMUIO\TestConfig.xml
    Oracle Adaptive Access Manager Proxy for Apache application configuration files (any number)

C:\OAAMUIO\UIO_Settings.rng
    Relax NG grammar for UIO_Settings.xml

C:\OAAMUIO\UIO_Config.rng
    Relax NG grammar for application configuration XML files

C:\OAAMUIO\logs\uio.log
    Oracle Adaptive Access Manager Proxy for Apache log


If you want to change the location of the various configuration files, refer to the "Configuring httpd.conf" section.

5.3.3.2 Linux

After the installation of the Apache httpd, you will have to copy the Oracle Adaptive Access Manager Proxy for Apache binary files into (assuming Apache httpd is installed in /usr/local/apache2) the directories shown in Table 5-9.

Table 5-9 Directories for Linux UIO Binary Files

/usr/local/apache2/modules/mod_uio.so
    Oracle Adaptive Access Manager Proxy for Apache module

/usr/local/apache2/lib/liblog4cxx.so.0.10.0.0
    Apache Log4cxx library

/usr/local/apache2/lib/libxml2.so.2.6.32
    XML/HTML parser

/usr/local/apache2/lib/libapr_memcache.so.0.0.1
    APR Memcache client library


Then, create soft links to the libraries as follows:

cd /usr/local/apache2/lib
ln -s liblog4cxx.so.10.0.0 liblog4cxx.so.10
ln -s libxml2.so.2.6.32 libxml2.so.2
ln -s libapr_memcache.so.0.0.1 libapr_memcache.so.0

Also, ensure that the binary files have executable permission.

Apache httpd is typically started as root so that the parent process can listen on port 80; the parent then spawns handler processes that run as the user given in the User directive in httpd.conf.

For this reason, create a user called oaamuio that will be the checkpoint user for the Oracle Adaptive Access Manager Universal Installation Option for Apache. The Oracle Adaptive Access Manager Universal Installation Option configuration and log files will be accessible by this user. Ensure that only this user can access the log files. Assuming /home/oaamuio is the home directory for this user, the directory structure will look like the one presented in Table 5-10.

The Oracle Adaptive Access Manager Universal Installation Option for Apache data files should follow the directory structure shown in Table 5-10.

Table 5-10 Directories for Linux UIO Data Files

/home/oaamuio/uio/UIO_Settings.xml
    Oracle Adaptive Access Manager Proxy for Apache settings XML file

/home/oaamuio/uio/UIO_log4j.xml
    Oracle Adaptive Access Manager Proxy for Apache Log4j (log4cxx) configuration XML file

/home/oaamuio/uio/TestConfig.xml
    Oracle Adaptive Access Manager Proxy for Apache application configuration files (any number)

/home/oaamuio/uio/UIO_Settings.rng
    Relax NG grammar for UIO_Settings.xml

/home/oaamuio/uio/UIO_Config.rng
    Relax NG grammar for application configuration XML files

/home/oaamuio/uio/logs/uio.log
    Oracle Adaptive Access Manager Proxy for Apache log


If you want to change the location of the various configuration files, refer to the "Configuring httpd.conf" section.

The run-time user of httpd should have the appropriate permissions to access all these files.

5.3.4 Configuring Memcache (for Linux only)

Apache httpd ships with a selection of Multi-Processing Modules (MPMs), which are responsible for binding to network ports on the machine, accepting requests, and dispatching children to handle the requests. On Linux, httpd can run with one of two MPMs (the httpd kernel): prefork or worker. The MPM is built into httpd and is not a run-time option. Usually, the binary distribution of Apache httpd comes with the prefork MPM. If you need to use the worker MPM, you will have to build Apache httpd using the instructions from the Apache Web site.

With prefork MPM, httpd maintains a pool of single-threaded processes, where each request is handled by a single process. With worker MPM, httpd maintains a pool of multithreaded processes, where every process could be handling multiple requests at a time. (On Windows, httpd MPM is always in multi-threading mode with a single process.)

On Linux, when httpd runs multiple processes (whether single- or multithreaded), the Oracle Adaptive Access Manager Proxy for Apache session data must be kept in a common store (database or cache) so that all processes can access it. The Oracle Adaptive Access Manager Proxy uses memcache (a very fast memory-based cache) to store the session data.

At startup, the Oracle Adaptive Access Manager Proxy autodetects whether httpd is running with a single process or multiple processes. If httpd is running with multiple processes (which is the case with the prefork or worker MPM on Linux), it tries to connect to the memcache daemon using the default connection parameters (defined in Section 5.3.6.1, "UIO_Settings.xml"). On Windows, by default, the Oracle Adaptive Access Manager Proxy uses local sessions and does not connect to the memcache daemon; however, it can be configured to maintain session data in the memcache daemon (explained in Section 5.3.6.1, "UIO_Settings.xml").

For the scenarios where the Oracle Adaptive Access Manager Proxy for Apache will be connecting to memcache daemon, you will have to install memcache on your system using the instructions from the memcache Web site and run the memcache daemon(s) before running the Apache httpd.

Install memcache using instructions at:

http://www.danga.com/memcached

You may already have a binary installation available from your Linux distribution. The Oracle Adaptive Access Manager Proxy for Apache has been tested with version 1.2.5 of memcache.

In the simple configuration, you can run a single memcache daemon on the machine that is running your Apache httpd.

You can choose to have a highly scalable installation, where you run more than one memcache daemon, all of which are accessed by multiple machines running Apache httpd.

5.3.5 Configuring httpd.conf

This section provides information on how to edit the httpd.conf file to activate the Oracle Adaptive Access Manager Proxy for Apache.

5.3.5.1 Basic Configuration without SSL

In the sample installation, the Apache httpd has been installed in c:\ProgramFiles\Apache2.2 or /usr/local/apache2.

Also, in the sample installation, BigBank40 and BharosaUIO40 are running on test.dummy.com.

To ensure that httpd.conf is correctly set up in your environment, follow these steps:

  1. Ensure that the following lines are uncommented to enable mod_proxy.

    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_http_module modules/mod_proxy_http.so
    
  2. Add the following line to the end of the LoadModule group of lines to activate the Oracle Adaptive Access Manager Proxy for Apache.

    LoadModule uio_module modules/mod_uio.so
    
  3. Add a line to point to the UIO_Settings.xml file that has the settings for the Oracle Adaptive Access Manager Proxy for Apache.

    Note:

    This should be an absolute path to the UIO_Settings.xml file.

    On Windows (all paths should be with forward slashes),

    UioProxySettingsFile c:/OAAMUIO/UIO_Settings.xml
    

    On Linux,

    UioProxySettingsFile /home/oaamuio/uio/UIO_Settings.xml
    
  4. Disable mod_proxy's forward proxying capability, since it is not needed.

    ProxyRequests Off
    <Proxy *>
          Order deny,allow
          Allow from all
    </Proxy>
    
  5. Enable the mod_proxy configuration to reverse-proxy to the protected applications (BigBank40 and BharosaUIO40 in our sample installation).

    ProxyPass / http://uio-dev.oracle.com:9090/
    ProxyPassReverse / http://uio-dev.oracle.com:9090/
    
  6. Set the user/group of httpd using User and Group directives to oaamuio.

The actual settings for steps 4 and 5 are installation-specific; the values shown are only examples of the settings you must set. For details on these settings, refer to the Apache Web site.

With the changes described and by properly setting up UIO_Settings.xml, you should be able to access BigBank40 and run Phase One scenarios. The URL for BigBank40 is

http://<apache-host>:<apache-port>/bigbank40

So far in this chapter, the proxy has been configured without using SSL.

5.3.5.2 Configuration with SSL

To enable SSL, refer to the Apache Web site for the Apache and Tomcat procedures.

Note that the Oracle Adaptive Access Manager Proxy for Apache requires mod_ssl to be part of httpd. This ensures that the OpenSSL library is linked in and properly configured, which the Oracle Adaptive Access Manager Proxy for Apache relies on to generate session ids. You need to ensure that mod_ssl is loaded; if you are not using SSL, no further SSL configuration is needed.

mod_proxy_html module (optional)

Optionally, you may need to install the mod_proxy_html (http://apache.webthing.com/mod_proxy_html/) Apache module. This module is needed only if the protected application has Web pages that have hard-coded URL links to itself. If the application has relative URLs, you do not need this module.

From their Web site, the executive summary of this module is as follows:

"mod_proxy_html is an output filter to rewrite HTML links in a proxy situation, to ensure that links work for users outside the proxy. It serves the same purpose as Apache's ProxyPassReverse directive does for HTTP headers, and is an essential component of a reverse proxy.

For example, if a company has an application server at appserver.example.com that is only visible from within the company's internal network, and a public webserver www.example.com, they may wish to provide a gateway to the application server at http://www.example.com/appserver/. When the application server links to itself, those links need to be rewritten to work through the gateway. mod_proxy_html serves to rewrite <a href="http://appserver.example.com/foo/bar.html">foobar</a> to <a href="http://www.example.com/appserver/foo/bar.html">foobar</a> making it accessible from outside."

5.3.6 Modifying the Oracle Adaptive Access Manager Proxy for Apache Settings

5.3.6.1 UIO_Settings.xml

<UIO_ProxySettings xmlns="http://bharosa.com/">

    <Log4jProperties location="C:/OAAMUIO/UIO_log4j.xml"/>

Or

    <Log4jProperties location="/home/oaamuio/uio/UIO_log4j.xml"/>

    <GlobalVariable name="@one" value="something"/>

    <ConfigFile location="/home/oaamuio/uio/TestConfig1.xml" enabled="false"/>
    <ConfigFile location="/home/oaamuio/uio/TestConfig.xml" enabled="false"/>

    <ConfigFile location="C:/OAAMUIO/TestConfig1.xml" enabled="false"/>
    <ConfigFile location="C:/OAAMUIO/TestConfig.xml" enabled="true"/>

    <Setting name="GarbageCollectorInterval_ms" value="5"/>
    <Setting name="MaxSessionInactiveInterval_ms" value="5"/>
    <Setting name="SessionIdCookieName_str" value="UIOSessionId"/>

    <Setting name="IgnoreUrlMappings" value="0"/>
    <Setting name="CaptureTraffic" value="0"/>

</UIO_ProxySettings>

Log4jProperties

Set the location of log4j.xml file that defines the logging configuration for the Oracle Adaptive Access Manager Proxy for Apache. The location should be an absolute path; it cannot be ServerRoot relative. On Linux, you have to ensure that the httpd process can access the directory.

When using httpd in a multiprocessing mode, do not use FileAppender; use SocketAppender instead to log the logs from the different processes. Refer to the log4j documentation on the Internet for more information.

GlobalVariable

GlobalVariable is a global variable that is used in the application configuration. You can have any number of such name-value pairs.

ConfigFile

ConfigFile is the absolute path to an application configuration. You can have any number of such configurations. Again, you need to make sure, on Linux, that the httpd process has the permissions to access these files. Refer to "Configuring the Oracle Adaptive Access Manager Proxy" to understand how to perform a configuration for an application.

Memcache

Memcache has the IP address and port of a memcache server. You can have multiple Memcache elements in the settings file if you have multiple memcache servers running. If you have a single local memcache running, you do not need to have this element at all. By default, the Oracle Adaptive Access Manager Proxy for Apache will try to connect to memcache on IP address 127.0.0.1 and port 11211.

Settings

These are flags to control the behavior of the Oracle Adaptive Access Manager Proxy for Apache. Various settings are listed in Table 5-11.

Table 5-11 UIO Proxy Flags.

Flags Description

MaxSessionInactiveInterval_sec

Session expiry time in sec (default = 30 minutes)

For example, <Setting name="MaxSessionInactiveInterval_sec" value="1800"/>

GarbageCollectorInterval_ms

Interval for running session expiry thread (default = 5 minutes)

For example, <Setting name="GarbageCollectorInterval_ms" value="300000"/>

FileWatcherInterval_ms

Interval for checking whether the settings file or any config file has changed (default = 1 minute)

For example, <Setting name="FileWatcherInterval_ms" value="60000"/>

(After modifying the configuration XML file, even though the proxy will update the configuration on the fly, it is advisable to restart the httpd server.)

SessionIdCookieName_str

Name of the cookie used by the Universal Installation Option to maintain its session (default = OAAM_UIOProxy_SessionId)

For example, <Setting name="SessionIdCookieName_str" value="SessionId"/>

SessionCookie_DomainLevelCount

Domain level for the Sessions cookie

For example, <Setting name="SessionCookie_DomainLevelCount" value="2"/>

SessionCookie_ExpiryInMinutes

The value of this setting is used to compute the expiry time that is put in the expires attribute of the Set-Cookie header of the Apache UIO Proxy session cookie. Default is zero which means the expires attribute is not added.

SessionCookie_IsHttpOnly

If set to 1, the cookie is marked as HTTP only in the Set-Cookie header. Default is not to mark the cookie as HTTP only.

SessionCookie_IsSecure

If set to 1, the cookie is marked as secure in the Set-Cookie header. Default is not to mark the cookie as secure.

IgnoreUrlMappings

Ignore the application configuration XML files; the proxy behaves as a flow-through proxy

For example, <Setting name="IgnoreUrlMappings" value="0"/>. The value of 1 makes the proxy act as a flow-through proxy and the value of 0 enables the configuration XML interceptors.

CaptureTraffic

Capture the HTTP traffic - headers and content in the log files. This mode is for debugging purpose. Note that it captures the headers and contents as is and could contain customer's personal data. Use this mode with caution and only for debugging/test.

For example, <Setting name="CaptureTraffic" value="0"/>. Value of 1 enables capture traffic and 0 disables it.

MaxReqBodyBytes

Maximum request body size to cache while processing requests. This is necessary when the application has POSTs with big files getting uploaded.

For example, <Setting name="MaxReqBodyBytes" value="10240"/>

UseMemcache

Force the use of memcache even when httpd is running in single process mode. Has no effect when running in multiple process mode. Applies at startup and requires restarting httpd for change to apply.

For example, <Setting name="UseMemcache" value="1"/>. The value of 1 enables the use of memcache for a single-process httpd. The value of 0 is ignored.

CachedConfigExpiry_sec

Expiry time for unused config XML data in memory, if multiple config XML configurations have been loaded into memory. This happens when config XML files are automatically loaded when they are modified. (Default = 60 minutes).

For example, <Setting name="CachedConfigExpiry_sec" value="3600"/>

AutoLoadConfig

Set to 1 to enable auto-loading of config XML files when they are modified by user. Set to 0 to turn this feature off. It is OK to enable this feature when using single-process mode of httpd. Do not enable this feature for multiple process mode of httpd for production use, since individual processes could have different versions of the config XML files.

For example, <Setting name="AutoLoadConfig" value="1"/>. The value of 1 enables auto-load and 0 disables it.
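As an added example (not part of the product or of this guide), the following Python script reads the Setting elements of a UIO_Settings.xml, reports the flags a reviewer would change before production and derives the Set-Cookie attributes the session cookie will carry; the domain computation follows the rule given later for @SessionCookie_DomainLevelCount in Table 5-14, which is assumed here to apply to the Setting of the same name. The settings file and host name are constructed.

```python
"""Review the session-cookie and debugging settings of a UIO_Settings.xml
(Table 5-11) and derive the Set-Cookie attributes the proxy will emit.
Added illustration; the proxy's own code is not shown in this guide."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = "{http://bharosa.com/}"   # namespace declared by UIO_Settings.xml

# Constructed sample (not a shipped file): cookie flags left at their
# defaults and traffic capture switched on.
WEAK_SETTINGS = """<UIO_ProxySettings xmlns="http://bharosa.com/">
  <Setting name="SessionIdCookieName_str" value="UIOSessionId"/>
  <Setting name="SessionCookie_ExpiryInMinutes" value="0"/>
  <Setting name="SessionCookie_IsHttpOnly" value="0"/>
  <Setting name="SessionCookie_IsSecure" value="0"/>
  <Setting name="SessionCookie_DomainLevelCount" value="1"/>
  <Setting name="CaptureTraffic" value="1"/>
</UIO_ProxySettings>"""


def parse_settings(xml_text):
    """Return the Setting name/value pairs as a dict."""
    root = ET.fromstring(xml_text)
    return {s.get("name"): s.get("value") for s in root.iter(NS + "Setting")}


def cookie_domain(host, level_count):
    """Table 5-14 rule: keep the last `level_count` labels, never fewer than 2."""
    level = max(int(level_count), 2)
    return "." + ".".join(host.split(".")[-level:])


def session_cookie_attributes(settings, host, now=None):
    """Attributes the session cookie's Set-Cookie header gets under these settings."""
    attrs = []
    minutes = int(settings.get("SessionCookie_ExpiryInMinutes", "0"))
    if minutes > 0:  # zero (the default) means no expires attribute at all
        now = now or datetime.now(timezone.utc)
        stamp = (now + timedelta(minutes=minutes)).strftime("%a, %d %b %Y %H:%M:%S GMT")
        attrs.append("expires=" + stamp)
    if "SessionCookie_DomainLevelCount" in settings:
        attrs.append("domain=" + cookie_domain(host, settings["SessionCookie_DomainLevelCount"]))
    if settings.get("SessionCookie_IsHttpOnly") == "1":
        attrs.append("HttpOnly")
    if settings.get("SessionCookie_IsSecure") == "1":
        attrs.append("Secure")
    return attrs


def review_settings(settings):
    """Flag values a reviewer would not accept for a production, SSL-fronted proxy."""
    findings = []
    if settings.get("SessionCookie_IsHttpOnly") != "1":
        findings.append("SessionCookie_IsHttpOnly: set to 1 so page scripts cannot read the session cookie")
    if settings.get("SessionCookie_IsSecure") != "1":
        findings.append("SessionCookie_IsSecure: set to 1 so the session cookie is never sent over plain HTTP")
    if settings.get("CaptureTraffic") == "1":
        findings.append("CaptureTraffic: set to 0; headers and bodies, credentials included, are being logged")
    if settings.get("AutoLoadConfig") == "1":
        findings.append("AutoLoadConfig: set to 0 for a multi-process httpd in production")
    return findings


def hardened(settings):
    """Return a copy of the settings with the reviewed flags corrected."""
    fixed = dict(settings)
    fixed.update({"SessionCookie_IsHttpOnly": "1", "SessionCookie_IsSecure": "1",
                  "CaptureTraffic": "0", "AutoLoadConfig": "0"})
    return fixed


if __name__ == "__main__":
    weak = parse_settings(WEAK_SETTINGS)
    for finding in review_settings(weak):
        print("finding:", finding)
    attrs = session_cookie_attributes(hardened(weak), "test.myserver.mydomain.com")
    print("hardened session cookie attributes:", "; ".join(attrs))
```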


5.3.6.2 UIO_log4j.xml

For actual log4j format details, refer to log4j manual available on the Internet. Apache::log4cxx is a C++ implementation of the log4j framework and the XML file format is common to log4cxx and log4j.

5.3.6.3 Application configuration XMLs

These XML files are the application configuration files that are defined in the ConfigFile element of UIO_Settings.xml file.

5.4 Setting Up Rules and User Groups

For information on setting up rules and user groups, refer to the Oracle Fusion Middleware Installation Guide for Oracle Identity Management.

5.5 Setting Up Policies

To set up policies for Universal Installation Option, import the out-of-the-box policies. Information about importing policies is available in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.

5.6 Configuring the Oracle Adaptive Access Manager Proxy

The Oracle Adaptive Access Manager Proxy intercepts all HTTP traffic between the client browser and the Web application and performs actions specified in the configuration files. The configuration files are in XML format that comply with the Oracle Adaptive Access Manager Proxy configuration XML schema 2.

5.6.1 Elements of the Proxy Configuration File

The following sections describe various elements of the Oracle Adaptive Access Manager Proxy configuration file.

5.6.1.1 Components of Interceptors

Interceptors are the most important elements in the Oracle Adaptive Access Manager Proxy configuration. You will see that authoring the Oracle Adaptive Access Manager Proxy configuration file is all about defining interceptors.

There are two types of interceptors: request interceptors and response interceptors. As the names suggest, request interceptors are used when the Oracle Adaptive Access Manager Proxy receives an HTTP request from the client browser, and response interceptors are used when the Oracle Adaptive Access Manager Proxy receives an HTTP response from the server, that is, the Web application or OAAM Server.

There are four components to an interceptor and all of them are optional.

  1. List of URLs - the interceptor will be evaluated if the interceptor URL list contains the current request URL or if the URL list is empty.

  2. List of conditions - conditions can inspect the request/response contents, such as checking for the presence of an HTTP header/parameter/cookie, and so on, or testing whether a header/parameter/cookie has a specific value or not. Filters and action defined in the interceptor will be executed only if all the conditions specified are met or if no condition is specified.

  3. List of filters - filters perform an action that might modify the request/response contents or modify some state information in the Oracle Adaptive Access Manager Proxy. For example, a filter can add/remove HTTP headers, save HTTP header/parameter/cookie value in a proxy variable, and so on.

  4. Action - after executing the filters the interceptor will perform the action, if one is specified. Actions can be one of:

    1. redirect the client to a different URL

    2. send a saved response to the client

    3. perform an HTTP GET on the server

    4. perform an HTTP POST on the server

    5. send a saved request to the server

5.6.1.2 Conditions

Conditions are used in the Oracle Adaptive Access Manager Proxy to inspect HTTP request/response or the state information saved in the proxy (variables). Each condition evaluates to either true or false. Conditions are evaluated in the order they are listed in the configuration file until a condition evaluates to false or all conditions are evaluated. Table 5-12 lists conditions that can be defined in an interceptor.

Table 5-12 Conditions Defined in an Interceptor

Condition name Attributes Description

HeaderPresent

id, enabled, name

Checks the presence of the specified header in request/response. The header name should be terminated by a colon (":").

Example:

<HeaderPresent name="userid:"/>

ParamPresent

id, enabled, name

Checks the presence of the specified parameter in request.

Example:

<ParamPresent name="loginID"/>

QueryParamPresent

id, enabled, name

Checks the presence of the specified query parameter in the URL.

Example:

<QueryParamPresent name="TraceID"/>

VariablePresent

id, enabled, name

Checks whether the specified proxy variable has been set.

Example:

<VariablePresent name="$userid"/>

RequestCookiePresent

id, enabled, name

Checks the presence of the specified cookie in request

Example:

<RequestCookiePresent name="SESSIONID"/>

ResponseCookiePresent

id, enabled, name

Checks the presence of the specified cookie in response

Example:

<ResponseCookiePresent name="MCWUSER"/>

HeaderValue

id, enabled, name, value, mode, ignore-case

Checks whether the specified request/response header value matches the given value. The header name should be terminated by a colon (":").

Example:

<HeaderValue name="Rules-Result:" value="allow"/>

ParamValue

id, enabled, name, value, mode, ignore-case

Checks whether the specified request parameter value matches the given value.

Example:

<ParamValue name="cancel" value="Cancel"/>

QueryParamValue

id, enabled, name, value, mode, ignore-case

Checks whether the specified URL query parameter value matches the given value.

Example:

<QueryParamValue name="requestID" value="Logout"/>

VariableValue

id, enabled, name, value, mode, ignore-case

Checks whether the specified proxy variable value matches the given value.

Example:

<VariableValue name="%REQUEST_METHOD" value="post"/>

RequestCookieValue

id, enabled, name, value, mode, ignore-case

Checks whether the specified request cookie value matches the given value.

Example:

<RequestCookieValue name="CurrentPage" value="/onlineserv/" mode="begins-with" ignore-case="true"/>

ResponseCookieValue

id, enabled, name, value, mode, ignore-case

Checks whether the specified response cookie value matches the given value.

Example:

<ResponseCookieValue name="CurrentPage" value="/onlineserv/" mode="begins-with" ignore-case="true"/>

HttpStatus

id, enabled, status

Checks whether the status code of the response matches the given value.

Example:

<HttpStatus status="302"/>

HtmlElementPresent

id, enabled, name, attrib-name, attrib-value, attrib-name1, attrib-value1, ..., attrib-name9, attrib-value9

Checks for the presence of an HTML element that matches the specified name and attribute/value pairs:

<name attrib-name="attrib-value" attrib-name1="attrib-value1" …/>

Example:

<HtmlElementPresent name="form" attrib-name="name" attrib-value="signon"/>

PageContainsText

id, enabled, text

Checks whether the response contains the given text.

Example:

<PageContainsText text="You have entered an invalid Login Id"/>

NotVariableValue

id, enabled, name, value, mode, ignore-case

Checks whether the specified proxy variable value does not match the given value.

Example:

<NotVariableValue name="$Login-Status" value="In-Session"/>

And

id, enabled

Evaluates to true only if all the child conditions evaluate to true.

Example:

<And>
    <PageContainsText text="Your password must be"/>
    <PageContainsText text="Please re-enter your password"/>
</And>

Or

id, enabled

Evaluates to true if one of the child conditions evaluates to true.

Example:

<Or>
    <ParamValue name="register" value="Continue"/>
    <ParamValue name="cancel" value="Cancel"/>
</Or>

Not

id, enabled

Reverses the result of the child condition(s).

Example:

<Not>
    <HttpStatus status="200"/>
</Not>


Attribute "id" is optional and is used only in trace messages. If no value is specified, the condition name (like HeaderPresent) will be used.

Attribute "enabled" is optional and the default value is "true". This attribute can be used to enable/disable a condition. The value of this attribute can be set to the name of a global variable; in such case, the condition will be enabled or disabled according to the value of the global variable.

Attribute "value" can be set to the name of a proxy variable. In such a case, the proxy will evaluate the variable at checkpoint and use that value in the condition.

Attribute "mode" can be set to one of the following: begins-with, ends-with, contains.

Attribute "ignore-case" can be set to one of the following: true, false.

5.6.1.3 Filters

Filters are used in the Oracle Adaptive Access Manager Proxy to modify HTTP request/response contents or modify the state information saved in the proxy (variables). Filters are executed in the order they are listed in the configuration file. Table 5-13 lists filters that can be defined in an interceptor.

Table 5-13 Filters Defined in an Interceptor

Filter name Attributes Description

AddHeader

id, enabled, name, value

Adds the specified header with a given value to request/response. The header name should be terminated by a colon (":").

Example:

<AddHeader name="userid:" value="$userid"/>

SaveHeader

id, enabled, name, variable

Saves the specified request/response header value in the given proxy variable. The header name should be terminated by a colon (":").

Example:

<SaveHeader name="userid:" variable="$userid"/>

RemoveHeader

id, enabled, name

Removes the specified header from request/response. The header name should be terminated by a colon (":").

Example:

<RemoveHeader name="InternalHeader:"/>

AddParam

id, enabled, name, value

Adds a request parameter with a specified name and value.

Example:

<AddParam name="loginID" value="$userid"/>

SaveParam

id, enabled, name, variable

Saves the specified request parameter value in to the given proxy variable.

Example:

<SaveParam name="loginID" variable="$userid"/>

AddRequestCookie

id, enabled, name, value

Adds the specified cookie with a given value to request

Example:

<AddRequestCookie name="JSESSIONID" value="$JSESSIONID"/>

SaveRequestCookie

id, enabled, name

Saves the specified request cookie value in the given proxy variable

AddResponseCookie

id, enabled, name

Adds the specified cookie with a given value to response

Example:

<AddResponseCookie name="JSESSIONID" value="$JSESSIONID"/>

SaveResponseCookie

id, enabled, name

Saves the specified response cookie value in the given proxy variable.

Example:

<SaveResponseCookie name="JSESSIONID" variable="$JSESSIONID"/>

SaveHiddenFields

id, enabled, form, variable, save-submit-fields

Saves the values of all hidden fields and submit fields of the form named by the form attribute (if a form name is specified) in the given proxy variable. To exclude submit fields, set the save-submit-fields attribute to false.

Example:

<SaveHiddenFields form="pageForm" variable="%lg_HiddenParams"/>

AddHiddenFieldsParams

id, enabled, variable

Adds request parameters for each hidden field saved in the variable.

Example:

<AddHiddenFieldsParams variable="%lg_HiddenParams"/>

SetVariable

id, enabled, name, value

Sets the proxy variable with the given name to the specified value.

Example:

<SetVariable name="$Login-Status" value="In-Session"/>

UnsetVariable

id, enabled, name

Removes the proxy variable with the given name.

Example:

<UnsetVariable name="$Login-Status"/>

ClearSession

id, enabled, name

Removes all session variables in the current session.

Example:

<ClearSession/>

SaveQueryParam

id, enabled, name, variable

Saves the specified query parameter in the given proxy variable.

Example:

<SaveQueryParam name="search" variable="$search"/>

SaveRequest

id, enabled, variable

Saves the entire request content in the given proxy variable.

Example:

<SaveRequest variable="$billPayRequest"/>

SaveResponse

id, enabled, variable

Saves the entire response content in the given proxy variable.

Example:

<SaveResponse variable="$BillPay-Response"/>

ReplaceText

id, enabled, find, replace

Updates the response by replacing the text specified in "find" attribute with the value given in "replace" attribute.

Example:

<ReplaceText find="string-to-find" replace="string-to-replace"/>

ProcessString

id, enabled, source, find, action, count, search-str, start-tag, end-tag, ignore-case, replace

This filter can be used to extract a sub-string from a string (like request, response contents) and save it to a proxy variable. This filter can also be used to dynamically format strings. See the following examples on how to use this filter.

FormatString

id, enabled, variable, format-str, encoder, param-0, param-1, …, param-n

This filter provides functionality similar to the sprintf() C library function: it stores a formatted string in a variable. Optionally, the string stored in the variable can be encoded in "base64" format. Refer to the example in Section 5.6.1.5, "Filter Examples - FormatString" on using this filter to create an HTTP Basic Authentication header.

FormatString is not supported in the Proxy for Apache.


5.6.1.4 Filter Examples - ProcessString

Find the sub-string between the given start-tag and end-tag in the source string, extract the sub-string found and save extracted sub-string in the given variable.

<ProcessString source="%RESPONSE_CONTENT"
    find="sub-string"
    start-tag="var traceID = '" end-tag="';"
    action="extract"
    variable="$TRACE_ID"/>

Find the given search-string in the source string, replace it with the replace string and save the updated string in the given variable.

<ProcessString source="/bfb/accounts/accounts.asp?TraceID=$TRACE_ID"
    find="string" search-str="$TRACE_ID"
    action="replace"
    replace="$TRACE_ID"
    variable="%POST_URL"/>

Find the sub-string between the given start-tag and end-tag in the source string, replace it (including the start and end tags) with the evaluated value of the sub string found and save the updated string in the given variable.

<ProcessString source="/cgi-bin/mcw055.cgi?TRANEXIT[$UrlSuffix]"
    find="sub-string" start-tag="[" end-tag="]"
    action="eval"
    variable="%LogoffUrl"/>

5.6.1.5 Filter Examples - FormatString

Here is an example to create an HTTP Basic Authentication response header in variable $AuthHeaderValue, using the username/password in variables %userid and %password:

<FormatString variable="%UsernamePassword"
              format-str="{0}:{1}"
              param-0="%userid"
              param-1="%password"
              encoder="Base64"/>
 
<FormatString variable="$AuthHeaderValue"
              format-str="Basic {0}"
              param-0="%UsernamePassword"/>
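The three ProcessString uses of Section 5.6.1.4 and the two FormatString filters above, modelled in Python as an added example (this is not the proxy's own code; note that the Proxy for Apache does not support FormatString). For brevity all proxy variables live in one dict, the count attribute is not modelled, and the sample response body and credentials are constructed.

```python
"""Model of the ProcessString (Section 5.6.1.4) and FormatString (Section 5.6.1.5)
filters. Illustrative reimplementation, not the proxy's own code; all proxy
variables live in one dict here, and the count attribute is not modelled."""
import base64


def resolve(value, variables):
    """A value starting with %, $ or @ names a proxy variable (Section 5.6.1.7)."""
    return variables.get(value, "") if value and value[0] in "%$@" else value


def process_string(variables, source, find, action, variable, start_tag=None,
                   end_tag=None, search_str=None, replace=None, ignore_case=False):
    """Apply one ProcessString filter; the result is stored in `variable` and returned.
    Returns None, storing nothing, when the tags or the search string are not found."""
    text = resolve(source, variables)
    haystack = text.lower() if ignore_case else text

    def locate(needle, offset=0):
        return haystack.find(needle.lower() if ignore_case else needle, offset)

    if find == "sub-string":           # the text between start-tag and end-tag
        start = locate(start_tag)
        body = start + len(start_tag)
        end = locate(end_tag, body) if start >= 0 else -1
        if end < 0:
            return None
        inner = text[body:end]
        if action == "extract":
            result = inner
        elif action == "eval":         # replace tags and sub-string by the variable's value
            result = text[:start] + resolve(inner, variables) + text[end + len(end_tag):]
        else:
            raise ValueError("unsupported action for sub-string: " + action)
    elif find == "string" and action == "replace":
        start = locate(search_str)
        if start < 0:
            return None
        result = text[:start] + resolve(replace, variables) + text[start + len(search_str):]
    else:
        raise ValueError("unsupported find/action: %s/%s" % (find, action))
    variables[variable] = result
    return result


def format_string(variables, variable, format_str, params, encoder=None):
    """FormatString: substitute {0}, {1}, ... with the resolved params, optionally
    Base64-encode the result, and store it in `variable`."""
    result = format_str
    for index, param in enumerate(params):
        result = result.replace("{%d}" % index, resolve(param, variables))
    if encoder and encoder.lower() == "base64":
        result = base64.b64encode(result.encode()).decode()
    variables[variable] = result
    return result


def basic_auth_header(variables):
    """The two-filter sequence of Section 5.6.1.5, producing $AuthHeaderValue."""
    format_string(variables, "%UsernamePassword", "{0}:{1}",
                  ["%userid", "%password"], encoder="Base64")
    return format_string(variables, "$AuthHeaderValue", "Basic {0}", ["%UsernamePassword"])


if __name__ == "__main__":
    # Constructed response body standing in for %RESPONSE_CONTENT.
    v = {"%RESPONSE_CONTENT": "<script>var traceID = 'T-4711';</script>", "$UrlSuffix": "&sid=9"}
    process_string(v, "%RESPONSE_CONTENT", "sub-string", "extract", "$TRACE_ID",
                   start_tag="var traceID = '", end_tag="';")
    process_string(v, "/bfb/accounts/accounts.asp?TraceID=$TRACE_ID", "string", "replace",
                   "%POST_URL", search_str="$TRACE_ID", replace="$TRACE_ID")
    process_string(v, "/cgi-bin/mcw055.cgi?TRANEXIT[$UrlSuffix]", "sub-string", "eval",
                   "%LogoffUrl", start_tag="[", end_tag="]")
    print(v["$TRACE_ID"], v["%POST_URL"], v["%LogoffUrl"])
```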

5.6.1.6 Actions

An interceptor can optionally perform one of the following actions after executing all the filters. No further interceptors will be attempted after executing an action.

redirect-client

Often the proxy would need to redirect the client to load another URL; redirect-client is the action to use in such cases. The proxy will send a 302 HTTP response to request the client to load the specified URL.

If the display-url attribute is specified in the interceptor, the proxy will send an HTTP 302 response to the browser to load the URL specified in the display-url attribute. When the proxy receives this request, it will do an HTTP GET on the server for the URL specified in the "url" attribute.

send-to-client

Often a response from the server would have to be saved in the proxy and sent to the client later after performing a few other HTTP requests; send-to-client is the action to use in such cases. The proxy will send the client the contents of the specified variable.

If the display-url attribute is specified in the interceptor, the proxy will send an HTTP 302 response to the browser to load the URL specified in the display-url attribute. When the proxy receives this request, it will send the response specified in the interceptor.

get-server

Sometimes the proxy would need to get a URL from the server; get-server is the action to use in such cases. The proxy will send an HTTP GET request for the specified URL to the server.

If the display-url attribute is specified in the interceptor, or if this action is specified in a response interceptor, the proxy will send an HTTP 302 response to the browser. When the proxy receives this request it will do an HTTP GET on the server for the URL specified in the "url" attribute.

post-server

Sometimes the proxy would need to post to a URL on the server; post-server is the action to use in such cases. The proxy will send an HTTP POST request for the specified URL to the server.

If the display-url attribute is specified in the interceptor, or if this action is specified in a response interceptor, the proxy will send an HTTP 302 response to the browser. When the proxy receives this request it will do an HTTP POST to the server for the URL specified in the "url" attribute.

send-to-server

In certain situations the request from the client needs to be saved in the proxy and sent to the server later after performing a few other HTTP requests; send-to-server is the action to use in such cases. The proxy will send the contents of the specified variable to the server.

If the display-url attribute is specified in the interceptor, or if this action is specified in a response interceptor, the proxy will send an HTTP 302 response to the browser. When the proxy receives this request it will send the request specified in the interceptor to the server.

5.6.1.7 Variables

The proxy variables can store string data in the proxy memory. Variables can be used in conditions, filters and actions. For example, the SaveHeader filter can be used to save the value of a specific header in the given proxy variable. This variable value could later be used, for example, to add a parameter to the request. Variables can also be used in conditions to determine whether to execute an interceptor or not.

The proxy variables are of 3 types, depending upon the lifespan of the variable. The type of variable is determined by the first letter of the variable name, which can be one of: %, $, @.

All types of variables can be set using filters like SetVariable, SaveHeader, SaveParam, SaveResponse, etc.

All types of variables can be unset/deleted by UnsetVariable filter. ClearSession filter can be used to remove all session variables.

Request variables

Request variables - these variable names start with %. These variables are associated with the current request and are deleted at the completion of the current request. Request variables are used where the value is not needed across requests.

Session variables

Session variables - these variable names start with $. These variables are associated with the current proxy session and are deleted when the proxy session is cleaned up. Session variables are used where the value should be preserved across requests from a client.

Global variables

Global variables - these variable names start with @. These variables are associated with the current proxy configuration and are deleted when the proxy configuration is unloaded. Global variables are used where the value needs to be preserved across requests and across clients.

Global variables can be set at the proxy configuration load time using SetGlobal in the configuration file. Global variables can also be set by adding registry values under key HKLM\Software\Bharosa\Proxy\Globals. Name of each entry under this key should be the variable name, starting with @. And the data of the entry should be the value of the variable. The registry-type of the value can be REG_DWORD, REG_SZ or REG_EXPAND_SZ.

Configuring Session ID cookie attributes via Global Variables

The attributes of the Session ID Cookie can be configured using global variables listed in Table 5-14.

Table 5-14 Global variables to configure session ID cookie

Cookie Attribute Global Variable Name Description

expires

@SessionCookie_ExpiryInMinutes

'expires' attribute will be added to the session cookie if this global variable is set to value greater than 0.

This variable specifies the number of minutes the session cookie should be persisted by the client browser.

HttpOnly

@SessionCookie_IsHttpOnly

'HttpOnly' attribute will be added to the session cookie if this global variable is set to value greater than 0.

secure

@SessionCookie_IsSecure

'secure' attribute will be added to the session cookie if this global variable is set to value greater than 0.

domain

@SessionCookie_DomainLevelCount

'domain' attribute will be added to the session cookie if this global variable is set. For example, to set the cookie domain as ".mydomain.com" for an application at "test.myserver.mydomain.com", set this global variable to "2".

The value should be greater than 1; if a lower value is specified, the proxy will use 2 as the value.


Pre-defined variables

The Oracle Adaptive Access Manager Proxy supports the following pre-defined request variables:

Table 5-15 Pre-defined Variables Supported by the Proxy

Variable name Description

%RESPONSE_CONTENT

This variable contains the contents of the entire response from the Web server for the current request.

%REQUEST_CONTENT

This variable contains the contents of the entire request from the client.

%QUERY_STRING

This variable contains the query string, starting with ?, for the current request URL.

%REQUEST_METHOD

HTTP method verb for the request: GET, POST, etc

%REMOTE_HOST

Hostname of the client or agent of the client

%REMOTE_ADDR

IP address of the client or agent of the client

%HTTP_HOST

The content of HTTP Host header

%URL

URL for the current request


5.6.1.8 Application

A single Oracle Adaptive Access Manager Proxy installation can be used to provide multifactor authentication for multiple Web applications that run in one or more Web servers. In the Oracle Adaptive Access Manager Proxy configuration, an application is a grouping of interceptors defined for a single Web application.

Request and response interceptors can be defined outside of an application in the Oracle Adaptive Access Manager Proxy configuration file. These interceptors are called "global" interceptors and will be evaluated and executed prior to interceptors defined in applications.

5.6.2 Interception Process

When a request arrives, the Oracle Adaptive Access Manager Proxy evaluates the request interceptors defined for the URL in the order they are defined in the configuration file. Similarly, on receiving a response from the Web server, the Oracle Adaptive Access Manager Proxy evaluates the response interceptors defined for the URL in the order defined in the configuration file.

If the conditions in an interceptor evaluate to true, the Oracle Adaptive Access Manager Proxy will execute that interceptor, that is, execute its filters and action. After executing an interceptor, the Oracle Adaptive Access Manager Proxy will continue with the next interceptor only if both of the following conditions are met:

  • no action is specified for the current interceptor

  • the post-exec-action attribute for the current interceptor is continue

If either condition is not met, the Oracle Adaptive Access Manager Proxy will stop evaluating subsequent interceptors.

It is highly recommended that the "post-exec-action" attribute is specified explicitly for interceptors that do not define an action. For global interceptors (that is, interceptors defined outside of any application), the default value of the "post-exec-action" attribute is continue. For non-global interceptors, the default value is stop-intercept.

As mentioned earlier the Oracle Adaptive Access Manager Proxy configuration can contain multiple applications. While finding the list of interceptors to evaluate for a URL, only the following interceptors are considered:

  • global interceptors that are defined outside of any application

  • interceptors defined in the application associated with the current session

Each session will be associated with at most one application. If no application is associated with the current session (yet) when the proxy finds an interceptor in an application for the URL, it will associate the application with the current session.

If the current session already has an application associated, and no interceptor is found in that application for the URL, the proxy will then look for interceptors in other applications. If an interceptor is found in another application for the URL, a new session will be created and the request will be associated with the new session.

5.6.3 Configuring Redirection to the Oracle Adaptive Access Manager Server Interface

The Oracle Adaptive Access Manager Proxy redirects the user to OAAM Server pages at appropriate times, for example to collect the password using OAAM Server, to run risk rules, etc. HTTP headers are used to exchange data between Oracle Adaptive Access Manager Proxy and OAAM Server. The following table lists OAAM Server pages referenced in the proxy configuration along with the details of HTTP headers used to pass data. It also lists the expected action to be taken by the proxy on the given conditions.

Table 5-16 OAAM Server Interface

Each row gives the OAAM Server URL, the condition under which the proxy acts, and the action the proxy takes.

URL: Any request to OAAM Server page
Condition: On receiving request
Action: Set header "BharosaAppId". OAAM Server will use this header value to select appropriate customizations (UI, rules, etc.).

URL: loginPage.jsp or login.do
Condition: On receiving request to application login page
Action: Redirect to this URL to use the Oracle Adaptive Access Manager login page instead of the application's login page.

URL: password.do
Condition: Response contains headers "userid" and "password" (could be more depending upon the application)
Action: Save the credentials from the response headers and post them to the application.

URL: login.do
Condition: Phase-1 only: after validating the credentials entered by the user.
Action: Redirect to this URL to update the status in Oracle Adaptive Access Manager and run appropriate risk rules.

URL: login.do
Condition: Phase-1 only: on receiving the request.
Action: Set "userid" header to the userid entered by the user. Set "Login-Status" header to one of the following: success, wrong_password, invalid_user, user_disabled, system_error. Set "OAAM ServerPhase" header to "one".

URL: updateLoginStatus.do
Condition: Phase-2 only: after validating the credentials entered by the user.
Action: Redirect to this URL to update the status in Oracle Adaptive Access Manager and run appropriate risk rules.

URL: updateLoginStatus.do
Condition: Phase-2 only: on receiving request
Action: Set "Login-Status" header to one of the following: success, wrong_password, invalid_user, user_disabled, system_error.

URL: updateLoginStatus.do, challengeUser.do, registerQuestions.do, userPreferencesDone.do
Condition: Response header "Rules-Result" has value "allow"
Action: The Oracle Adaptive Access Manager rules evaluated to permit the login. The proxy can permit access to the protected application URLs after this point.

URL: updateLoginStatus.do, challengeUser.do, registerQuestions.do, userPreferencesDone.do
Condition: Response header "Rules-Result" has value "block"
Action: Either the application did not accept the login credentials or the Oracle Adaptive Access Manager rules evaluated to block the login. The proxy should log off the session in the application, if the login was successful. Then a login blocked message should be sent to the browser.

URL: changePassword.do
Condition: Response contains headers "password", "newpassword" and "confirmpassword"
Action: Save the passwords from the response headers and post them to the application.

URL: loginFail.do
Condition: To display an error message on an OAAM Server page, for example the login blocked message
Action: Redirect to this URL with the appropriate "action" query parameter, for example loginFail.do?action=block

URL: logout.do
Condition: On completion of application session logout
Action: Redirect to this URL to log out the OAAM Server session.

URL: logout.do
Condition: On receiving response
Action: Redirect to the application logout URL to log off the application session, if it is not done already.

URL: resetPassword.do
Condition: Response contains headers "newpassword" and "confirmpassword"
Action: Save the passwords from the response headers and post them to the application.

URL: getUserInput.do
Condition: Response contains header "BH_UserInput"
Action: Save the user input and take the appropriate action (for example, post it to the application).

URL: changeUserId.do
Condition: On receiving request
Action: Add "newUserId" header.

URL: changeUserId.do
Condition: On receiving response
Action: Redirect to the appropriate application page or send back the saved application response.

URL: updateForgotPasswordStatus.do
Condition: Phase-2 only: after validating the forgot-password credentials entered by the user.
Action: Redirect to this URL to update the status in Oracle Adaptive Access Manager and run appropriate risk rules.

URL: updateForgotPasswordStatus.do
Condition: Phase-2 only: on receiving request
Action: Set "BH_FP-Status" header to one of the following: success, wrong_password, invalid_user, user_disabled, system_error.

URL: updateForgotPasswordStatus.do, challengeForgotPasswordUser.do
Condition: Response header "BH_FP-Rules-Result" has value "allow"
Action: The Oracle Adaptive Access Manager rules evaluated to permit the forgot-password flow. The proxy can permit continuation of the forgot-password flow, perhaps to reset the password or to allow the user to log in, depending on the application.

URL: updateForgotPasswordStatus.do, challengeForgotPasswordUser.do
Condition: Response header "BH_FP-Rules-Result" has value "block"
Action: Either the application did not accept the forgot-password credentials or the Oracle Adaptive Access Manager rules evaluated to block the forgot-password flow. A login blocked message should be sent to the browser.

URL: Any request to OAAM Server page
Condition: On receiving request, if the proxy needs to get a property value from OAAM Server.
Action: Set the "BH_PropKeys" request header to the list of property names, separated by commas. OAAM Server will return the values in multiple response headers, one for each property, with names of the format "BH_Property-<name>".
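To make the header contract above concrete, here is an added simulation (not code from Oracle Adaptive Access Manager or from the proxy) of one Phase-2 login: the proxy redirects the login page request, receives the credentials from password.do in response headers, posts them to the application, reports the outcome in a Login-Status header to updateLoginStatus.do, and then acts on Rules-Result. The page and header names are those of the table; the two fake servers, the /bigbank/ paths, the test user and the transcript strings are constructed for this example.

```python
"""Simulated Phase-2 login exchange that follows the header contract in Table 5-16.

Added illustration only: this is not code from Oracle Adaptive Access Manager or from
the proxy. The page names and header names (BharosaAppId, password.do,
updateLoginStatus.do, Login-Status, Rules-Result, loginFail.do?action=block) are those
in the table; the two fake servers, the /bigbank/ paths, the test user and the
transcript strings are constructed for this example.
"""

APP_ID = "BigBank"
LOGIN_STATUSES = {"success", "wrong_password", "invalid_user", "user_disabled", "system_error"}


class FakeOaamServer:
    """Constructed stand-in for OAAM Server; serves the two pages this flow needs."""

    def __init__(self, typed_userid: str, typed_password: str, risk_policy: str):
        self.typed = {"userid": typed_userid, "password": typed_password}
        self.risk_policy = risk_policy        # what the risk rules would decide: allow / block

    def get(self, path: str, req_headers: dict) -> dict:
        """Returns the response headers the proxy acts on."""
        if req_headers.get("BharosaAppId") != APP_ID:
            raise ValueError("every request to OAAM Server must carry BharosaAppId")
        if path == "/bharosauio/password.do":
            # Credentials collected on the OAAM login pages are handed back in headers.
            return dict(self.typed)
        if path == "/bharosauio/updateLoginStatus.do":
            status = req_headers.get("Login-Status")
            if status not in LOGIN_STATUSES:
                raise ValueError(f"undefined Login-Status {status!r}")
            # Rules can only allow a login that the application itself accepted.
            return {"Rules-Result": self.risk_policy if status == "success" else "block"}
        return {}


class FakeApplication:
    """Constructed stand-in for the protected application (BigBank in the 5.8 sample)."""

    def __init__(self):
        self.session_open = False

    def post_login(self, form: dict) -> tuple:
        """Returns (login status, page text); 5.7.4 derives the status from the text."""
        if form.get("userid") != "alice":
            return "invalid_user", "You have entered an invalid Login Id"
        if form.get("password") != "correct horse":
            return "wrong_password", "We do not recognize your password"
        self.session_open = True
        return "success", '<img src="/bigbank/images/success.gif">'

    def logout(self) -> None:
        self.session_open = False


def proxy_login_flow(oaam: FakeOaamServer, app: FakeApplication) -> list:
    """Drives one login through the proxy; returns a transcript of the exchange."""
    transcript = []
    base = {"BharosaAppId": APP_ID}           # sent on every OAAM Server request

    # 1. Browser asks for the application login page; the proxy redirects to OAAM's page.
    transcript.append("client GET /bigbank/loginPage.jsp -> 302 /bharosauio/login.do")

    # 2. The password.do response carries userid and password headers; save them.
    creds = oaam.get("/bharosauio/password.do", base)
    transcript.append("proxy GET /bharosauio/password.do <- headers userid, password")

    # 3. Post the saved credentials to the application and classify its answer.
    status, _page = app.post_login({"userid": creds["userid"], "password": creds["password"]})
    creds["password"] = None                  # drop the secret once it has been used
    transcript.append(f"proxy POST /bigbank/login.do -> {status}")

    # 4. Report the status so OAAM Server can run the risk rules.
    rules = oaam.get("/bharosauio/updateLoginStatus.do", {**base, "Login-Status": status})
    transcript.append(f"proxy GET /bharosauio/updateLoginStatus.do <- Rules-Result: {rules['Rules-Result']}")

    # 5. Act on Rules-Result as the table prescribes.
    if rules["Rules-Result"] == "allow":
        transcript.append("proxy -> client: saved application response (login permitted)")
    else:
        if status == "success":               # application accepted the login, rules did not
            app.logout()
            transcript.append("proxy GET /bigbank/logout.do (application session logged off)")
        transcript.append("client <- 302 /bharosauio/loginFail.do?action=block")
    return transcript


if __name__ == "__main__":
    for line in proxy_login_flow(FakeOaamServer("alice", "correct horse", "block"), FakeApplication()):
        print(line)
```

The three cases worth tracing are an accepted login with Rules-Result "allow", an accepted login with "block" (the application session must be logged off before the blocked message goes to the browser), and a rejected login, where the status reported in Login-Status is not "success" and the flow ends at loginFail.do without any application logout.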


5.7 Application Discovery

Application discovery is the process of studying an existing Web application in order to author the proxy configuration that adds multifactor authentication using the Oracle Adaptive Access Manager Universal Installation Option. The Oracle Adaptive Access Manager Proxy should be set up to dump all the HTTP traffic passing through it to a file. Then a few logins and login attempts to the application should be made via the proxy, capturing the HTTP traffic of each attempt. The captured HTTP traffic is then analyzed to author the proxy configuration.

5.7.1 Application Information

For the application discovery process, it is preferable to work with the Web application in the customer's test environment rather than with the live application being used by users. If a test environment is not available for some reason, the live application can be used.

The following information is needed from the client for the application discovery process:

  1. URL to log in to the application.

  2. Test user account credentials, including the data required in the forgot-password scenario. It is best to get as many test accounts as possible, preferably at least 5 accounts, for uninterrupted discovery and testing. Note that during the discovery process some accounts could become disabled, perhaps due to multiple invalid login attempts.

  3. Contact (phone, email) to enable or reset test accounts.

5.7.2 Setting Up the Oracle Adaptive Access Manager Proxy for Microsoft ISA

The Microsoft ISA server should be set up to publish the Web application under discovery, that is, a Web site publishing rule with appropriate parameters should be created. During the application discovery process, the application will be accessed via Microsoft ISA, which hosts the Oracle Adaptive Access Manager Proxy for Microsoft ISA. Refer to the Microsoft ISA configuration document for details of setting up Microsoft ISA.

The Oracle Adaptive Access Manager Proxy for Microsoft ISA settings (registry values under HKLM\SOFTWARE\Bharosa\Proxy key) should be set as given in Table 5-17 for the proxy to capture the HTTP traffic to the specified file. This HTTP traffic captured will later be used for analysis to author the proxy configuration.

Table 5-17 Setting up the proxy

Setting             Value
IgnoreUrlMappings   1
CaptureTraffic      1
TraceFilename       <filename>
TraceLevel          0x87
TraceToFile         1


It might be useful to capture the HTTP traffic for each scenario (such as successful login attempt, wrong password, wrong username, disabled user, etc.) in separate files. The TraceFilename setting should be updated to the desired filename before the start of each scenario.

After application discovery is done, the proxy settings should be set as given in Table 5-18 to restore the default Oracle Adaptive Access Manager Proxy for Microsoft ISA behavior.

Table 5-18 Proxy settings after application discovery

Setting             Value
IgnoreUrlMappings   0
CaptureTraffic      0
TraceFilename       <filename>
TraceLevel          0x7
TraceToFile         1


5.7.3 Setting Up the Oracle Adaptive Access Manager Proxy for Apache

For application discovery, the HTTP traffic needs to be captured through the proxy.

Table 5-19 shows the settings (in UIO_Settings.xml) to enable this mode of operation.

Table 5-19 Settings for Capturing HTTP

Setting             Value
IgnoreUrlMappings   1
CaptureTraffic      1


The IgnoreUrlMappings setting is used to disable URL interception of the HTTP traffic through the proxy.

The CaptureTraffic setting captures the HTTP traffic through the logger named http, set to log level info.

It might be useful to capture the HTTP traffic for each scenario (like successful login attempt, wrong password, wrong username, disabled user, and so on) in separate files. The log file name setting should be updated to the desired filename before the start of the scenario.

After application discovery is performed, the proxy settings should be set, as shown in Table 5-20, to restore the default Oracle Adaptive Access Manager Proxy for Apache behavior.

Table 5-20 Settings to restore default proxy behavior

Setting             Value
IgnoreUrlMappings   0
CaptureTraffic      0


5.7.4 Scenarios

Information should be collected for the following scenarios during the discovery process:

Login

  1. URL that starts the login process

  2. URL that contains the login form

  3. Names of the input fields like username, password used to submit the credentials

  4. URL to which the login form submits the credentials

  5. Identifying a successful login. The HTTP traffic dump needs to be studied carefully to derive this information. Here are a few ways applications respond on successful login:

    1. by setting a specific cookie in the credential submit response

    2. by redirecting to a specific URL (like account summary, welcome page)

    3. by responding with specific text

  6. Identifying a failed login along with the reason for the failure. This is often derived by looking for certain text in the response to the credential submit request.

Logout

  1. URL that starts the logout process

  2. URL that completes the logout process. In most cases the logout completes on receiving response to the logout start URL.

Change password

  1. URL that starts the change password process

  2. URL that contains the change password form

  3. Names of the input fields like password, new-password, confirm-password used to submit the change password request

  4. URL to which the change password form submits the passwords

  5. Identifying the status (success/failure) of the change password request. This would often be derived by looking for certain text in the response.

Reset password

Follow the same process as Change password.

Change LoginId

  1. URL to which the login-id change is posted to the application

  2. Names of the input fields like new-login used to submit the change login-id request.

  3. Identifying the status (success/failure) of the change login-id request. On successful change login-id request, changeUserId.do page in OAAM Server should be called to update the login-id in the Oracle Adaptive Access Manager database.

Forgot password

The forgot-password options provided by the application should first be understood. Most applications ask for alternate ways to identify the user (account number/PIN, SSN/PIN, question/answer, etc.); some applications provide more than one option. Some applications let the user reset the password on successfully entering the alternate credentials; others send a new password to the user by mail or email; and some other applications require the user to call customer care. For each of the supported scenarios, the following data should be captured:

  1. URL that starts the forgot-password process

  2. URL that contains the forgot-password form

  3. Names of the input fields and URLs to submit the forgot-password request

  4. Identifying the status (success/failure) of the forgot-password request.
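The login scenario above asks the integrator to pull several facts out of the captured traffic by hand. The following added example (not the proxy's own trace format or tooling) shows how that analysis can be automated over a capture modelled as a list of raw request/response text pairs: it finds the page holding the login form, the form's field names (hidden fields separately, since the proxy re-posts them), the submit URL, and the three kinds of success or failure signal listed in the scenario: a cookie set, a redirect target, or marker text in the body. The sample capture, host name and cookie value are constructed; the marker texts are those used in the BigBank sample configuration of Section 5.8.

```python
"""Analyzer for an HTTP capture taken during application discovery (Section 5.7).

Added example, not part of the proxy or its trace format: the capture is modelled as a
list of (raw request, raw response) text pairs, and the sample exchange, host name and
cookie value below are constructed.
"""
from html.parser import HTMLParser


class HttpMessage:
    """Minimal split of a raw HTTP message into start line, headers and body."""

    def __init__(self, raw: str):
        head, _, self.body = raw.partition("\n\n")
        lines = head.splitlines()
        self.start_line = lines[0]
        self.headers = {}                      # lower-cased name -> list of values
        for line in lines[1:]:
            name, _, value = line.partition(":")
            self.headers.setdefault(name.strip().lower(), []).append(value.strip())


class FormExtractor(HTMLParser):
    """Collects <form> elements with the names and types of their <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms, self._form = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action", ""),
                          "method": (a.get("method") or "get").lower(), "fields": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            self._form["fields"].append({"name": a.get("name"),
                                         "type": (a.get("type") or "text").lower()})

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def login_forms(html: str) -> list:
    """Forms containing a password field are the login candidates."""
    p = FormExtractor()
    p.feed(html)
    return [f for f in p.forms if any(x["type"] == "password" for x in f["fields"])]


def classify_response(resp: HttpMessage, markers: dict) -> dict:
    """The three ways 5.7.4 lists for recognising a login result."""
    return {
        "status": int(resp.start_line.split()[1]),
        "cookies_set": [c.split("=", 1)[0] for c in resp.headers.get("set-cookie", [])],
        "redirect": resp.headers.get("location", [None])[0],
        "markers": [name for name, text in markers.items() if text in resp.body],
    }


def analyze_login_scenario(exchanges: list, markers: dict) -> dict:
    """Walks the capture in order: first the login form, then the credential submit."""
    summary = {"login_page_url": None, "submit_url": None, "method": None,
               "fields": [], "hidden_fields": [], "result": None}
    for raw_req, raw_resp in exchanges:
        req, resp = HttpMessage(raw_req), HttpMessage(raw_resp)
        method, url = req.start_line.split()[:2]
        if summary["submit_url"] is None:
            forms = login_forms(resp.body)
            if forms:
                form = forms[0]
                summary.update(
                    login_page_url=url, submit_url=form["action"], method=form["method"],
                    fields=[x["name"] for x in form["fields"] if x["type"] != "hidden"],
                    hidden_fields=[x["name"] for x in form["fields"] if x["type"] == "hidden"])
        elif method.lower() == summary["method"] and url == summary["submit_url"]:
            summary["result"] = classify_response(resp, markers)
    return summary


# Constructed capture: a login page fetch followed by the credential post.
SAMPLE_CAPTURE = [
    ("GET /bigbank/loginPage.jsp HTTP/1.1\nHost: bigbank.example\n\n",
     "HTTP/1.1 200 OK\nContent-Type: text/html\n\n"
     '<form method="post" action="/bigbank/login.do">'
     '<input type="hidden" name="token" value="t1">'
     '<input type="text" name="userid"><input type="password" name="password"></form>'),
    ("POST /bigbank/login.do HTTP/1.1\nHost: bigbank.example\n\n"
     "token=t1&userid=alice&password=REDACTED",
     "HTTP/1.1 302 Found\nSet-Cookie: JSESSIONID=constructed; Path=/\n"
     "Location: /bigbank/activity.do\n\n"),
]

# Marker texts taken from the BigBank sample configuration in 5.8.
MARKERS = {"invalid_user": "You have entered an invalid Login Id",
           "wrong_password": "We do not recognize your password",
           "success": "/bigbank/images/success.gif"}

if __name__ == "__main__":
    print(analyze_login_scenario(SAMPLE_CAPTURE, MARKERS))
```

Run the same analysis over one capture per scenario (wrong password, invalid user, disabled user) and compare the "result" entries: the marker or redirect that differs between the success and failure captures is the one to put in the PageContainsText condition of the corresponding ResponseInterceptor.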

5.8 Samples

The Oracle Adaptive Access Manager Proxy configuration to add multifactor authentication to BigBank Web application is listed as follows:

For ISA proxy use:

<?xml version="1.0" encoding="utf-8"?>
<BharosaProxyConfig xmlns="http://bharosa.com/"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:schemaLocation="http://bharosa.com/ BharosaProxy.xsd ">

For Apache proxy use:

<?xml version="1.0" encoding="utf-8"?>
<BharosaProxyConfig xmlns="http://bharosa.com/">

  <Application id="BigBank">

    <RequestInterceptor id="AddAppIdTobharosauioRequests"
           desc="Add BharosaAppId header to each request to bharosauio"
           post-exec-action="continue">
      <Conditions>
        <VariableValue name="%URL"
                       value="/bharosauio/"
                       mode="begins-with"
                       ignore-case="true"/>
      </Conditions>

      <Filters>
        <AddHeader name="BharosaAppId:" value="BigBank"/>
      </Filters>
    </RequestInterceptor>

    <!-- Phase-1: Use BigBank login form to collect credentials -->
    <!-- Phase-2: Use BharosaUIO login forms to collect credentials -->

    <!-- Disable this interceptor after phase one is retired -->
    <RequestInterceptor id="Phase1BigBankLoginPostRequest"
                        desc="get the loginid from the post parameters"
                        post-exec-action="continue" enabled="true">
      <RequestUrl url="/bigbank/login.do"/>

      <Conditions>
        <VariableValue name="%REQUEST_METHOD" value="post"/>
      </Conditions>

      <Filters>
        <ClearSession/>
        <SetVariable name="$WebUIOPhase" value="one"/>
        <SaveParam   name="userid"       variable="$userid"/>
      </Filters>
    </RequestInterceptor>

    <!-- Enable this interceptor after phase one is retired -->
    <RequestInterceptor id="Phase2RedirectBigBankLoginPageRequest"
          desc="Redirect BigBank login page requests to UIO login page"
          enabled="false">
      <RequestUrl url="/bigbank"/>
      <RequestUrl url="/bigbank/"/>
      <RequestUrl url="/bigbank/loginPage.jsp"/>

      <Target action="redirect-client" url="/bharosauio/login.do"/>
    </RequestInterceptor>

    <RequestInterceptor id="Phase2BharosaLoginPageRequest"
                        desc="Phase-2 loginid post request"
                        post-exec-action="continue">
      <RequestUrl url="/bharosauio/login.do"/>

      <Conditions>
        <VariableValue name="%REQUEST_METHOD" value="post"/>
        <ParamPresent  name="userid"/>
        <Not>
          <ParamPresent name="password"/>
        </Not>
      </Conditions>

      <Filters>
        <ClearSession/>
        <SetVariable name="$WebUIOPhase" value="two"/>
      </Filters>
    </RequestInterceptor>

    <ResponseInterceptor id="Phase2PassowrdPageResponse"
           desc="Save userid, decoded password from Bharosa response">
      <ResponseUrl url="/bharosauio/password.do"/>

      <Conditions>
        <HeaderPresent name="userid:"/>
        <HeaderPresent name="password:"/>
      </Conditions>

      <Filters>
        <SaveHeader name="userid:"   variable="$userid"/>
        <SaveHeader name="password:" variable="$password"/>
      </Filters>

      <Target action="redirect-client"
              url="/bigbank/login.do"
              display-url="/bigbank/GetLoginPage"/>
    </ResponseInterceptor>

    <ResponseInterceptor id="GetBigBankLoginPageResponse"
             desc="Save hidden fields; then post login credentials">
      <ResponseUrl url="/bigbank/GetLoginPage"/>

      <Filters>
        <SaveHiddenFields variable="%LoginPageHiddenParams"/>

        <AddHiddenFieldsParams variable="%LoginPageHiddenParams"/>
        <AddParam              name="userid"   value="$userid"/>
        <AddParam              name="password" value="$password"/>

        <UnsetVariable name="$password"/>
      </Filters>

      <Target action="post-server" url="/bigbank/login.do"/>
    </ResponseInterceptor>

    <ResponseInterceptor id="InvalidLoginResponse"
                         desc="Invalid login response from BigBank">
      <ResponseUrl url="/bigbank/login.do"/>

      <Conditions>
        <PageContainsText text="You have entered an invalid Login Id"/>
      </Conditions>

      <Filters>
        <SetVariable  name="$Login-Credentials-Status"
                      value="invalid_user"/>
        <SetVariable  name="$Login-Continue-Url"
                      value="%URL"/>
        <SaveResponse variable="$Submit-Credentials-Response"/>
      </Filters>

      <Target action="redirect-client"
              url="/bharosauio/UpdateLoginStatusPage"/>
    </ResponseInterceptor>

    <ResponseInterceptor id="WrongPasswordResponse"
                         desc="Invalid login response from BigBank">
      <ResponseUrl url="/bigbank/login.do"/>

      <Conditions>
        <PageContainsText text="We do not recognize your password"/>
      </Conditions>

      <Filters>
        <SetVariable name="$Login-Credentials-Status"
                     value="wrong_password"/>
        <SetVariable name="$Login-Continue-Url"
                     value="%URL"/>
        <SaveResponse variable="$Submit-Credentials-Response"/>
      </Filters>

      <Target action="redirect-client"
              url="/bharosauio/UpdateLoginStatusPage"/>
    </ResponseInterceptor>

    <ResponseInterceptor id="LoginSuccessResponse"
                         desc="Login success response from BigBank">
      <ResponseUrl url="/bigbank/activity.do"/>
      <ResponseUrl url="/bigbank/login.do"/>

      <Conditions>
        <NotVariableValue name="$Login-Status" value="In-Session"/>
        <PageContainsText text="/bigbank/images/success.gif"/>
      </Conditions>

      <Filters>
        <SetVariable name="$Login-Credentials-Status" value="success"/>
        <SetVariable name="$Login-Continue-Url"       value="%URL"/>
        <SaveResponse variable="$Submit-Credentials-Response"/>
      </Filters>

      <Target action="redirect-client"
              url="/bharosauio/UpdateLoginStatusPage"/>
    </ResponseInterceptor>

    <RequestInterceptor id="Phase1UpdateLoginStatusPageRequest"
                   desc="Update Bharosa Tracker with the login status">
      <RequestUrl url="/bharosauio/UpdateLoginStatusPage"/>

      <Conditions>
        <VariableValue name="$WebUIOPhase" value="one"/>
      </Conditions>

      <Filters>
        <AddHeader name="WebUIOPhase:"  value="$WebUIOPhase"/>
        <AddHeader name="userid:"       value="$userid"/>
        <AddHeader name="Login-Status:"
                   value="$Login-Credentials-Status"/>
      </Filters>

      <!-- Any interceptors for /bigbank/login.do will not run because we are doing get-server. -->
      <Target action="get-server" url="/bharosauio/login.do"/>
    </RequestInterceptor>

    <RequestInterceptor id="Phase2UpdateLoginStatusPageRequest"
                   desc="Update Bharosa Tracker with the login status">
      <RequestUrl url="/bharosauio/UpdateLoginStatusPage"/>

      <Filters>
        <AddHeader name="Login-Status:"
                   value="$Login-Credentials-Status"/>
      </Filters>

      <Target action="get-server"
              url="/bharosauio/updateLoginStatus.do"/>
    </RequestInterceptor>

    <ResponseInterceptor id="AllowLoginResponse"
                desc="Tracker returned 'allow' - continue with login">
      <ResponseUrl url="/bharosauio/UpdateLoginStatusPage"/>
      <ResponseUrl url="/bharosauio/updateLoginStatus.do"/>
      <ResponseUrl url="/bharosauio/challengeUser.do"/>
      <ResponseUrl url="/bharosauio/registerQuestions.do"/>
      <ResponseUrl url="/bharosauio/userPreferencesDone.do"/>

      <Conditions>
        <HeaderValue name="Rules-Result:" value="allow"/>
      </Conditions>

      <Filters>
        <SetVariable name="$Login-Status" value="In-Session"/>
      </Filters>

      <Target action="send-to-client"
              html="$Submit-Credentials-Response"
              display-url="$Login-Continue-Url"/>
    </ResponseInterceptor>

    <ResponseInterceptor id="Phase1FailLoginResponse"
                         desc="BigBank failed the login">
      <ResponseUrl url="/bharosauio/UpdateLoginStatusPage"/>
      <ResponseUrl url="/bharosauio/updateLoginStatus.do"/>
      <ResponseUrl url="/bharosauio/challengeUser.do"/>
      <ResponseUrl url="/bharosauio/registerQuestions.do"/>
      <ResponseUrl url="/bharosauio/userPreferencesDone.do"/>

      <Conditions>
        <VariableValue name="$WebUIOPhase" value="one"/>
        <NotVariableValue name="$Login-Credentials-Status"
                          value="success"/>
        <HeaderValue name="Rules-Result:" value="block"/>
      </Conditions>

      <Filters>
        <UnsetVariable name="$Login-Status"/>
      </Filters>

      <Target action="send-to-client"
              html="$Submit-Credentials-Response"
              display-url="$Login-Continue-Url"/>
    </ResponseInterceptor>

    <ResponseInterceptor id="FailLoginResponse"
                         desc="BigBank failed the login">
      <ResponseUrl url="/bharosauio/UpdateLoginStatusPage"/>
      <ResponseUrl url="/bharosauio/updateLoginStatus.do"/>
      <ResponseUrl url="/bharosauio/challengeUser.do"/>
      <ResponseUrl url="/bharosauio/registerQuestions.do"/>
      <ResponseUrl url="/bharosauio/userPreferencesDone.do"/>

      <Conditions>
        <HeaderValue name="Rules-Result:" value="block"/>
        <NotVariableValue name="$Login-Credentials-Status"
                          value="success"/>
      </Conditions>

      <Filters>
        <UnsetVariable name="$Login-Status"/>
      </Filters>

      <Target action="redirect-client"
              url="/bharosauio/loginPage.jsp?action=invalid_user"/>
    </ResponseInterceptor>

    <ResponseInterceptor id="BlockLoginResponse"
              desc="BigBank passed login but tracker returned 'block'">
      <ResponseUrl url="/bharosauio/UpdateLoginStatusPage"/>
      <ResponseUrl url="/bharosauio/updateLoginStatus.do"/>
      <ResponseUrl url="/bharosauio/challengeUser.do"/>
      <ResponseUrl url="/bharosauio/registerQuestions.do"/>
      <ResponseUrl url="/bharosauio/userPreferencesDone.do"/>

      <Conditions>
        <HeaderValue name="Rules-Result:" value="block"/>
      </Conditions>

      <Filters>
        <UnsetVariable name="$Login-Status"/>
      </Filters>

      <!-- /bigbank/LoginBlockedPage isn't a real page.  The request will be intercepted and redirected. -->
      <Target action="redirect-client" url="/bigbank/LoginBlockedPage"/>
    </ResponseInterceptor>

    <RequestInterceptor id="LoginBlockedPageRequest"
                        desc="logoff the session in BigBank">
      <RequestUrl url="/bigbank/LoginBlockedPage"/>

      <Target action="get-server" url="/bigbank/logout.do"/>
    </RequestInterceptor>

    <ResponseInterceptor id="Phase1LoginBlockedPageResponse"
           desc="BigBank approved; but Bharosa blocked the login"
           post-exec-action="stop-intercept">
      <ResponseUrl url="/bigbank/LoginBlockedPage"/>

      <Conditions>
        <VariableValue name="$WebUIOPhase" value="one"/>
      </Conditions>

      <Filters>
        <ClearSession/>
      </Filters>

      <Target action="redirect-client"
              url="/bharosauio/loginFail.do?action=block"/>
    </ResponseInterceptor>

    <ResponseInterceptor id="Phase2LoginBlockedPageResponse"
          desc="BigBank approved; but Bharosa blocked the login">
      <ResponseUrl url="/bigbank/LoginBlockedPage"/>

      <Filters>
        <ClearSession/>
      </Filters>

      <Target action="redirect-client"
              url="/bharosauio/loginPage.jsp?action=block"/>
    </ResponseInterceptor>

    <ResponseInterceptor id="LogoutPageResponse"
           desc="Bharosa logout selected; logoff BigBank session ">
      <ResponseUrl url="/bharosauio/logout.do"/>

      <Target action="redirect-client" url="/bigbank/logout.do"/>
    </ResponseInterceptor>

    <ResponseInterceptor id="Phase1LogoffPageResponse"
                         desc="Logoff - clear Bharosa proxy session"
                         post-exec-action="stop-intercept">
      <ResponseUrl url="/bigbank/logout.do"/>

      <Conditions>
        <VariableValue name="$WebUIOPhase" value="one"/>
      </Conditions>

      <Filters>
        <ClearSession/>
      </Filters>
    </ResponseInterceptor>

    <ResponseInterceptor id="Phase2LogoffPageResponse"
                         desc="Logoff - clear Bharosa proxy session">
      <ResponseUrl url="/bigbank/logout.do"/>

      <Filters>
        <ClearSession/>
      </Filters>

      <Target action="redirect-client"
              url="/bharosauio/loginPage.jsp"/>
    </ResponseInterceptor>
  </Application>
</BharosaProxyConfig>
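Two things are easy to get wrong when maintaining a configuration like the one above: forgetting which interceptors are gated on $WebUIOPhase or carry enabled="false" (the ones that must change when phase one is retired), and saving a password from an OAAM Server response header into a session variable without ever clearing it. The following added example (not Oracle's tooling) parses a constructed, trimmed subset of the BigBank sample with the standard library and reports both. It relies only on the element and attribute names used in the sample; the final ExampleChangePasswordResponse interceptor is constructed to show the second check firing. Whether ClearSession also discards variables is deliberately not assumed.

```python
"""Static checks over a UIO proxy configuration (added example, not Oracle's tooling).

CONFIG is a constructed, trimmed subset of the BigBank sample; the last interceptor
is invented for this example to show a saved password that is never cleared.
"""
import xml.etree.ElementTree as ET

CONFIG = """<BharosaProxyConfig xmlns="http://bharosa.com/">
  <Application id="BigBank">
    <RequestInterceptor id="Phase1BigBankLoginPostRequest" post-exec-action="continue" enabled="true">
      <RequestUrl url="/bigbank/login.do"/>
      <Conditions><VariableValue name="%REQUEST_METHOD" value="post"/></Conditions>
      <Filters><ClearSession/><SetVariable name="$WebUIOPhase" value="one"/></Filters>
    </RequestInterceptor>
    <RequestInterceptor id="Phase2RedirectBigBankLoginPageRequest" enabled="false">
      <RequestUrl url="/bigbank/loginPage.jsp"/>
      <Target action="redirect-client" url="/bharosauio/login.do"/>
    </RequestInterceptor>
    <ResponseInterceptor id="Phase2PasswordPageResponse">
      <ResponseUrl url="/bharosauio/password.do"/>
      <Filters>
        <SaveHeader name="userid:" variable="$userid"/>
        <SaveHeader name="password:" variable="$password"/>
      </Filters>
      <Target action="redirect-client" url="/bigbank/login.do" display-url="/bigbank/GetLoginPage"/>
    </ResponseInterceptor>
    <ResponseInterceptor id="GetBigBankLoginPageResponse">
      <ResponseUrl url="/bigbank/GetLoginPage"/>
      <Filters>
        <AddParam name="password" value="$password"/>
        <UnsetVariable name="$password"/>
      </Filters>
      <Target action="post-server" url="/bigbank/login.do"/>
    </ResponseInterceptor>
    <RequestInterceptor id="Phase1UpdateLoginStatusPageRequest">
      <RequestUrl url="/bharosauio/UpdateLoginStatusPage"/>
      <Conditions><VariableValue name="$WebUIOPhase" value="one"/></Conditions>
      <Target action="get-server" url="/bharosauio/login.do"/>
    </RequestInterceptor>
    <ResponseInterceptor id="ExampleChangePasswordResponse">
      <ResponseUrl url="/bharosauio/changePassword.do"/>
      <Filters><SaveHeader name="newpassword:" variable="$newpassword"/></Filters>
    </ResponseInterceptor>
  </Application>
</BharosaProxyConfig>
"""

SECRET_HEADERS = {"password:", "newpassword:", "confirmpassword:"}   # names from Table 5-16


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on every tag."""
    return tag.rsplit("}", 1)[-1]


def _interceptors(root):
    for el in root.iter():
        if _local(el.tag) in ("RequestInterceptor", "ResponseInterceptor"):
            yield el


def inventory(config_xml: str) -> list:
    """One row per interceptor: id, kind, URLs, enabled flag and any $WebUIOPhase gate."""
    rows = []
    for el in _interceptors(ET.fromstring(config_xml)):
        phase = None
        for cond in el.iter():
            if _local(cond.tag) == "VariableValue" and cond.get("name") == "$WebUIOPhase":
                phase = cond.get("value")
        rows.append({
            "id": el.get("id"),
            "kind": _local(el.tag),
            "urls": [u.get("url") for u in el if _local(u.tag) in ("RequestUrl", "ResponseUrl")],
            "enabled": el.get("enabled", "true") == "true",
            "phase": phase,
        })
    return rows


def audit_secret_variables(config_xml: str) -> dict:
    """Variables filled from password-like headers that no UnsetVariable ever clears."""
    saved, cleared = {}, set()
    for el in _interceptors(ET.fromstring(config_xml)):
        for f in el.iter():
            t = _local(f.tag)
            if t == "SaveHeader" and f.get("name", "").lower() in SECRET_HEADERS:
                saved.setdefault(f.get("variable"), []).append(el.get("id"))
            elif t == "UnsetVariable":
                cleared.add(f.get("name"))
    return {"saved": saved, "never_cleared": sorted(v for v in saved if v not in cleared)}


if __name__ == "__main__":
    for row in inventory(CONFIG):
        print(row)
    print(audit_secret_variables(CONFIG))
```

Against the full sample above, the inventory lists the phase-1 interceptors (those with a VariableValue condition on $WebUIOPhase) and the one still disabled, and the audit confirms that $password, saved in Phase2PassowrdPageResponse, is cleared by the UnsetVariable in GetBigBankLoginPageResponse.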