Oracle® Application Server Release Notes 10g (10.1.4.0.1) for Solaris Operating System (x86) and Solaris Operating System (x86-64) Part Number B32092-01
This chapter provides information about known issues and workarounds for Oracle Access Manager. The following topics are included:
This section describes the general issues and workarounds. It includes the following topics:
There is a known limitation with Java applets in JDK 1.1.7. When used with this release of Oracle Access Manager, applets with non-ASCII data can only be displayed properly on computers with a native-encoded operating system. Setting browser encoding will not work.
If you intend to use non-ASCII data, run Oracle Access Manager on computers with a native-encoded operating system.
In this release, the name "Query Builder" has been translated for different language locales in some places, and not in others. The term "Selector" is translated into respective locales everywhere.
To ensure success when upgrading older releases to Oracle Access Manager 10g (10.1.4.0.1), you must complete all preparation tasks and meet all requirements described in the Oracle Access Manager Upgrade Guide. The guide also provides step-by-step instructions that you can follow as you upgrade from releases as early as 5.2 to 10g (10.1.4.0.1).
This section describes the issues and workarounds for installation and upgrade:
Section 5.2.1, "Change the Transport Security Mode During Installation"
Section 5.2.4, "Oracle Internet Directory Servers Require Tuning After Installation"
Section 5.2.6, ""Enter Password" String Does Not Display Correctly During Installation"
Section 5.2.7, "Uninstalling a Language Pack With a "2" Designation Causes an Error"
A transport security mode is a method of communication between two points, such as a client and a server. Oracle Access Manager offers the following transport security modes for communication between components, as discussed in the Oracle Access Manager Installation Guide:
Open: Communication is not encrypted.
Simple: Communication is encrypted with Oracle Access Manager's internal CA.
Cert: Communication is encrypted with an external CA. With Cert mode, communications are encrypted using TLS v1, and both client and server must present an X.509 certificate (in base64 format) when establishing a connection.
By default, an Oracle Access Manager installation uses Open mode. This applies to directory connections and communication between Oracle Access Manager components, for example, the WebPass and Identity Server. In Open mode, the communication channel is open to eavesdroppers. Oracle recommends that you secure your network using SSL communication with the directory and Certificate mode across Oracle Access Manager components.
The next release of the Oracle Access Manager Installation Guide will include the following recommendation for transport security:
"During installation, Oracle Access Manager components default to Open mode. However, this does not provide secure communication between components such as Identity Servers and WebPass nor Access Server and WebGate, nor for LDAP connections. In Open mode, the communication channel is susceptible to eavesdropping. To provide a secure deployment, Oracle recommends that you choose Certificate (Cert) mode for transport security between Oracle Access Manager components, and SSL-enabled security between Oracle Access Manager components and directory servers."
Adding language packs to an installation directory containing space characters will not be successful. Note that this problem occurs only if both of the following are true:
The product is installed in a directory containing space characters.
A language pack is added after the initial installation.
This problem does not occur for language packs that are installed during the initial installation of the product.
If you experience this problem, you can manually execute a command-line tool after running the language pack installer.
Open the obupdatelang.log file in the following directory:
<installdir>/oblix/tools/lang_tools
Navigate to the end of the file and inspect the lines starting with prog and arguments.
The command that you will run appears following the prog statement. The arguments for the command follow the arguments statement.
For example, the obupdatelang.log file will contain statements similar to the following:
prog : C:\Program Files\Netpoint\identity/oblix/tools/lang_tools/obupdatelangds
arguments : -c oislp -i C:\Program Files\Netpoint\identity -f C:\Program Files\Netpoint\identity\oblix\tools\lang_tools\obupdatelang_islp_AR.lst
Make note of the command and arguments, open a command prompt window, and go to the following directory:
C:\Program Files\Netpoint\identity/oblix/tools/lang_tools
Run the command, modifying the -i and -f switches so that the paths they specify are enclosed in quotes ( " ), as shown in the following example:
obupdatelangds -c oislp -i "C:\Program Files\Netpoint\identity" -f "C:\Program Files\Netpoint\identity\oblix\tools\lang_tools\obupdatelang_islp_AR.lst"
After tuning Oracle Access Manager from the iPlanet administration console, the server fails to work. For example, after changing the number of threads in the native thread pool, the server fails to restart.
Do not use the iPlanet console for tuning. This can cause the server to remove any existing Oracle Access Manager configuration information. Use the following file to load the Oracle Access Manager Web components and retain the tuning parameters: $Web_Server_home\config\magnus.conf
After installing Oracle Access Manager against an Oracle Internet Directory, you need to tune the directory to ensure adequate performance when processing search requests and other functions.
Use the following ldapmodify command to tune Oracle Internet Directory:
ldapmodify -D cn=orcladmin -w <adminPsswd> -h <host> -p <port> << eof
dn: cn=dsaconfig, cn=configsets, cn=oracle internet directory
changetype: modify
add: orclinmemfiltprocess
orclinmemfiltprocess: (|(obuseraccountcontrol=activated)(!(obuseraccountcontrol=*)))
orclinmemfiltprocess: (|(!(obuseraccountcontrol=*))(obuseraccountcontrol=activated))
eof
Where <host> and <port> refer to the Oracle Internet Directory installation host and port.
Support for the Siemens DirX directory server has been deprecated in this release. However, options to select and configure DirX appear on installation screens and on Identity System and Access System configuration pages in the System Console.
Ignore all Siemens DirX options in the product installer and configuration user interface.
When running the installer in console mode using some language packs, the prompt for entering the LDAP password may be garbled.
The solution that works in most cases is to install all of the language support available on the computer where the Oracle Access Manager installation is being performed. Be sure all of the fonts that are required for the language are installed. Log in to the machine locally and choose the language to display on the login screen.
You may be unable to remove (uninstall) a language pack with a designation 2. For example, you may not be able to uninstall using _uninstAccessLP_ko-kr2 after using _uninstAccessLP_ko-kr (and vice versa).
The following information is a workaround for this problem.
Complete the following steps. Korean (ko-kr) is used as the language in the following example; your environment will vary:
Copy _jvmAccessLP_ko-kr to a backup folder.
Run uninstaller.exe under _uninstAccessLP_ko-kr2.
It should automatically remove both _jvmAccessLP_ko-kr and _uninstAccessLP_ko-kr2.
Copy _jvmAccessLP_ko-kr back to the original Component_install_dir/WebComponent/access/ directory.
Run uninstaller.exe under _uninstAccessLP_ko-kr.
It should automatically remove _jvmAccessLP_ko-kr and _uninstAccessLP_ko-kr.
Restart the Identity Server and Access Server and Web component Web servers.
This section describes removal issues and workarounds. It includes the following topic:
You must stop and restart servers after uninstalling language packs. For example, suppose you have an Identity Server and a WebPass installed with a Korean Language Pack. After uninstalling the Korean language pack on each component host, you must stop and restart both the Identity Server Service and the WebPass Web server instance. This will re-initialize corresponding components with the proper language support.
For more information about installing and removing language packs, see the Oracle Access Manager Installation Guide.
Removing (uninstalling) the language pack associated with the default Administrator language that was chosen during installation is not supported. An error occurs if you remove this language pack and you may not be able to gain access to the Identity and Access Systems.
To recover, see the discussion of language pack issues in the Troubleshooting chapter of the Oracle Access Manager Installation Guide.
If a component installation terminates (or is terminated by you) after component files were extracted to the designated installation directory, you should run the Uninstaller for that component and then remove the installation directory before attempting to reinstall in the same location. If you simply delete the installation directory and attempt to reinstall the component in the same location, the vpd.properties file is left in an inconsistent state and reinstalling will not work.
For example, suppose you terminate a WebGate installation after component files were extracted, then you remove the installation directory manually rather than using the WebGate uninstaller. In this case, the extracted files are deleted but the vpd.properties file is not. This leaves the vpd.properties file in an inconsistent state that prevents successful installation.
For more information about uninstalling, see the Oracle Access Manager Installation Guide.
This section describes issues and workarounds for the Access System. It includes the following topics:
Section 5.4.1, "WebGate Diagnostics URL Incorrectly Report the Access Server Is Down"
Section 5.4.2, "WebGate Is Unable to Connect to Its Associated Access Server"
Section 5.4.3, "Memory Usage Rises After Configuring a Directory Server Profile"
Section 5.4.4, "The Passthrough Challenge Parameter Does Not Work on a Domino Web Server"
Section 5.4.5, "Steps for Integrating the Access System with OracleAS Single Sign-On 10.1.2.0.2"
As discussed in the Oracle Access Manager Access Administration Guide, the WebGate diagnostics URL reports the status of the Access Server or Servers to which the WebGate is connected. In some cases, the landing page for this URL can report that the Access Server or Servers are down when the servers actually are running.
This problem occurs when the number of Access Servers that are associated with a WebGate is higher than the value of WebGate's Maximum Connections property. In this type of situation, the WebGate diagnostics page displays a status of Down for all Access Servers that exceed the Maximum Connections irrespective of their status. For example, suppose that you set the Maximum Connections value for WebGate A to 1 and you associate three Access Servers with it, AAA1, AAA2, and AAA3. The diagnostics page will indicate that AAA1 is up and AAA2 and AAA3 are down. If AAA1 is down, the page will indicate that AAA2 is up and AAA3 is down.
To fix this problem, ensure that there are more connections configured between the WebGate and the Access Servers than there are Access Servers.
To configure the Maximum Connections field:
In the Access System Console, click Access System Configuration, then click AccessGate Configuration.
The Search for AccessGates page appears.
Enter search criteria on this page, or click the All button.
Click Go.
AccessGates that match your search criteria are listed on this page.
Click the link for a WebGate.
The Details for AccessGate page appears.
Click Modify.
The Modify AccessGate page displays the settings for this WebGate.
If you have installed a WebPass or a WebGate on IIS 6 and enabled logging, the WebPass or WebGate may be unable to connect to its associated Identity or Access Server. In particular, this problem occurs when you send logs to an MPFileLogWriter. It does not occur when you send logs to a FileLogWriter.
The problem occurs with the MPFileLogWriter when there is no anonymous user with access to the directory that contains the log files. MPFileLogWriter uses a file named <logfile name>.lck to synchronize multiple processes that write to the corresponding log file. The MPFileLogWriter write-locks the .lck file before writing to the oblog.log file.
Configure an anonymous user with access to the directory that contains the log files. In some circumstances, the user context used to acquire the write-lock will be the IIS Anonymous web user. By default, this user is named IUSR_<computer name>, but you can configure any anonymous user for this purpose.
After configuring a directory server profile, the memory usage for the Access Server or Policy Manager becomes too high.
When you configure a directory server profile, you are prompted to provide a maximum session time. The default value for the session time is 0 (unlimited). This may cause a performance issue, because the size of the caches for LDAP connections to the Access Server and Policy Manager increases over time. Oracle Access Manager does not control these caches directly.
To prevent the cache size from causing a performance problem, set the value of the Maximum Session Time (Minutes) for the directory server profile to a finite value, for example, 10 hours, as follows:
From the Identity System Console click System Configuration, then click Directory Profiles.
Click the link for the profile that you want to modify.
In the Max. Session Time (Min.) field, set the value to 600.
There is a problem with specifying the passthrough: challenge parameter in some form-based authentication schemes. In particular, this parameter does not work on a Domino Web server when using the POST method for form-based login.
There is no solution for this problem at this time.
The Oracle Access Manager Integration Guide provides a chapter on integrating the Access System's single sign-on with OracleAS Single Sign-On. In addition to following the information in the Oracle Access Manager Integration Guide, you must also complete the following procedure to integrate the Access System with OracleAS Single Sign-On 10.1.2.0.2.
To configure the integration:
Follow the steps in the chapter on integrating the Access System's single sign-on with OracleAS Single Sign-On in the Oracle Access Manager Integration Guide.
In the Access System Console, click System Configuration, then click Server Settings, and configure the following logout URL:
http://[host.domain]:[port]/pls/orasso/ORASSO.wwsso_app_admin.ls_logout?p_done_url=http%3A%2F%2F[host.domain]%3A[port]
URL-encode the p_done_url value.
See the Oracle Application Server Single Sign-On Administrator's Guide for release 10.1.2.0.2 for details on configuring the logout link for single sign-on. A sample JSP that can be used for this purpose is included at the end of this release note.
If you use the sample JSP, go to the Access System Console, click Access System Configuration, then click AccessGate Configuration, and include the following in the LogOutURLs parameter for every WebGate in your environment:
/access/oblix/lang/en-us/style2/oblixlogo.gif
The following is a sample logout.jsp file:
<!-- Copyright (c) 1999, 2003, Oracle. All rights reserved. -->
<%@page autoFlush="true" session="false"%>
<%
  // Declare English Message Strings
  String msg1 = "Single Sign-Off";
  String msg2 = "Application Name";
  String msg3 = "Logout Status";
  String msg4 = "ERROR: The return URL value not found.";
  String msg5 = "ERROR: Logout URL for partner applications not found.";
  // Get the user language preference
  String userLocaleParam = null;
  java.util.Locale myLocale = null;
  // Get the user locale preference sent by the SSO server
  try
  {
    userLocaleParam = request.getParameterValues("locale")[0];
  }
  catch(Exception e)
  {
    userLocaleParam = null;
  }
  if( (userLocaleParam == null) || userLocaleParam.equals("") )
  {
    myLocale = request.getLocale();
  }
  else
  {
    if(userLocaleParam.indexOf("-") > 0 )
    {
      // SSO server sent the language and territory value (e.g. en-us)
      myLocale = new java.util.Locale(userLocaleParam.substring(0, 2),
                                      userLocaleParam.substring(3, 5));
    }
    else
    {
      // SSO server sent only the language value (e.g. en)
      myLocale = new java.util.Locale(userLocaleParam, "");
    }
  }
  // The following two lines will be used only for the Multilingual support with
  // proper resource bundle class supplied
  // java.util.ResourceBundle myMsgBundle
  //   = java.util.ResourceBundle.getBundle("MyMsgBundleClassName", myLocale);
  // Get the message string in the appropriate language using the message key.
  // Use this string to display the message in this page.
  // String mesg = myMsgBundle.getString("mesg_key");
%>
<html>
<body bgcolor="#FFFFFF">
<h1><%=msg1%></h1>
<%
  String done_url = null;
  int i = 0;
  // Get the return URL value
  try
  {
    done_url = request.getParameterValues("p_done_url")[0];
  }
  catch(Exception e)
  {
    done_url = "";
  }
  // Get the application name and logout URL for each partner application
  try
  {
%>
<b> <%=msg2%> <%=msg3%> </b>
<br>
<%-- Substitute an actual host, domain, and port for myhost.us.mydomain.com:7777
     that points to the WebGate. --%>
<img src="http://myhost.us.mydomain.com:7777/access/oblix/lang/en-us/style2/oblixlogo.gif">
<%
    // The loop ends when the next p_app_name or p_app_logout_url parameter
    // is missing and the array access throws.
    for(;;)
    {
      i++;
      // app_name and url_name are request parameters and are written to the
      // page as received.
      String app_name = request.getParameterValues("p_app_name"+i)[0];
      String url_name = request.getParameterValues("p_app_logout_url"+i)[0];
%>
<%=app_name%>
<img src="<%=url_name%>">
<br>
<%
    }
  }
  catch(Exception e)
  {
    // done_url is set to "" above when p_done_url is missing, so test for
    // the empty string as well as null.
    if(done_url == null || done_url.equals(""))
    {
%>
<%=msg4%> <br>
<%
    }
    if(i>1)
    {
%>
<br> <a href="<%=done_url%>">Return</a>
<%
    }
    else
    {
%>
<%=msg5%><br>
<%
    }
  }
%>
</body>
</html>
This section describes issues and workarounds for the Identity System. It includes the following topics:
Section 5.5.1, "Identity System Deletes a User Entry When an RDN is Modified"
Section 5.5.2, "Auditing for the Identity System Ceases to Work"
Section 5.5.3, "Identity Server Crashes if It Cannot Find a Style Sheet"
Section 5.5.4, "WebPass Is Unable to Connect to Its Associated Identity Server"
Section 5.5.6, "Errors Are Found in the HTTP Logs After Setting Up the Identity System"
Section 5.5.7, "Reports With Non-ASCII Characters Are Not Imported Correctly in Excel"
Section 5.5.10, "Data Is Lost When Saving an Object Profile in Org. Manager"
The Identity System deletes user entries when you attempt to modify an RDN attribute value. The RDN is the leftmost attribute in a DN. Typically, the RDN attribute is cn or Full Name.
This problem occurs when you use Oracle Internet Directory as the back-end repository. To fix this problem:
Edit the file ldapreferentialintegrityparams.xml in the following directory:
Identity_Server_installation_directory\identity\oblix\data\common
Change the value of the parameter referential_integrity_using from oblix to ds, as follows:
<NameValPair ParamName="referential_integrity_using" Value="ds"/>
Save the file.
Restart the Identity Server for the changes to take effect.
You should be able to modify the RDN attribute value without any problem.
If you have multiple instances of the Identity Server installed, make this change to every instance of the Identity Server.
When you have auditing configured for multiple Real Application Cluster (RAC) databases, auditing will work correctly for a while. However, after shutting down and restarting a RAC instance other than the one that was shut down the last time, auditing stops. To avoid this issue, restart the Identity Server.
After you customize a style sheet, the Identity Server crashes or issues an error about a Win32 exception being caught.
If you have used backslash characters as path separators in your stylesheets in xsl:include constructs, replace the backslashes with forward slash characters. For example, you would want to change the following:
<xsl:include href=".\style.xsl" />
To this:
<xsl:include href="./style.xsl" />
If you have installed a WebPass on IIS 6 and enabled logging, the WebPass may be unable to connect to its associated Identity Server. In particular, this problem occurs when you send logs to an MPFileLogWriter. It does not occur when you send logs to a FileLogWriter.
The problem occurs with the MPFileLogWriter when there is no anonymous user with access to the directory that contains the log files. MPFileLogWriter uses a file named <logfile name>.lck to synchronize multiple processes that write to the corresponding log file. The MPFileLogWriter write-locks the .lck file before writing to the oblog.log file.
Configure an anonymous user with access to the directory that contains the log files. In some circumstances, the user context used to acquire the write-lock will be the IIS Anonymous web user. By default, this user is named IUSR_<computer name>, but you can configure any anonymous user for this purpose.
After configuring a directory server profile, the memory usage for the Identity Server becomes too high.
When you configure a directory server profile, you are prompted to provide a maximum session time. The default value for the session time is 0 (unlimited). This may cause a performance issue, because the size of the caches for LDAP connections to the Identity Server increases over time. Oracle Access Manager does not control these caches directly.
To prevent the cache size from causing a performance problem, set the value of the Maximum Session Time (Minutes) for the directory server profile to a finite value, for example, 10 hours, as follows:
From the Identity System Console click System Configuration, then click Directory Profiles.
Click the link for the profile that you want to modify.
In the Max. Session Time (Min.) field, set the value to 600.
After completing the process described in the Oracle Access Manager Installation Guide chapter on setting up the Identity System, if you installed Japanese language packs you may see errors in the following log files:
ORACLE_OHS_HOME/Apache/Apache/logs/error_log.*
Where ORACLE_OHS_HOME is the installation directory for the Oracle HTTP Server. These errors have a format similar to the following example:
[Sun Jun 4 16:31:06 2006] [error] [client 12.345.678.99] [ecid: 1149406266:12.345.678.82:28663:0:3,0] File does not exist: /home/as1014/as1014coreid/COREid/webcomponent_3/identity/oblix//apps/admin/bin/com/oblix/data/resource.class
These errors have no impact, and can be ignored.
After modifying and exporting object class attributes, a report.csv file is created. In the Japanese Locale or Simplified Chinese Locale, there are encoding problems due to a Microsoft Excel limitation that cannot process CSV files containing data in UTF-8 encoding.
To process the exported report, complete the process below.
Rename report.csv to report.txt.
Open report.txt in Excel 2003 (Excel 2000 does not support UTF-8 encoding).
In the text import wizard, choose encoding as UTF-8 and comma as the field separator.
Click Finish.
In multi-language environments, Configuration tab names in the Identity System Console (User Manager Configuration, Group Manager Configuration, Org. Manager Configuration) may be only partially translated. Only the word "Configuration" may be translated, not the application name before it.
For example, when viewing the Identity System Console using a Japanese browser, the application name "User Manager" on the User Manager Configuration tab is not translated. However in Simplified Chinese, the complete name "User Manager Configuration" is translated.
There is no solution for this problem at this time.
In the Identity System Console, the display names that appear as values for items in the list of display types (radio button, checkbox, and so on) may be corrupt due to a known limitation with Java Applets and internationalized characters. The browser's JVM displays only those characters that are in the current locale. Internationalized characters are displayed correctly in applets only if you have set the browser to the same locale.
Set the browser to the locale used when setting the display name value.
When saving new or modified information in an object profile in the Org. Manager application, some of the data is lost. This problem occurs in Org. Manager tabs that do not contain any panels. To ensure that there is no loss of data when modifying object profiles in Org. Manager, you should configure at least one panel for the tab. This panel should contain the same attributes as the Header Panel for the tab.
For example, if the header panel contains two attributes named Location Title and Location Name, you would do the following:
From the Identity System landing page, select the Identity System Console.
Click Org. Manager Configuration.
Click Tabs.
Click the link for the tab where you want to add panels.
Click View Object Profile.
Click Configure Panels.
Click Create.
On the Create Panel page, provide a panel name and add the Location Title and Location Name attributes.
This section describes issues and workarounds for the directory. It includes the following topics:
Section 5.6.1, "Error "There Is No Profile Configured for this Kind of Object""
Section 5.6.2, "Issues With the Display of Messages in Some Languages"
In Oracle Internet Directory, the orcladmin user (dn: cn=orcladmin) can be thought of as a pseudo user with administrative privileges. There is no LDAP entry corresponding to this user in Oracle Internet Directory. This user is part of special groups that are created in Oracle Internet Directory. The Identity Server requires that every user exist as an independent entry in the directory. When these special groups are viewed or modified using Group Manager, you may see the following message: "There is no profile configured for this kind of object."
If you have this issue, view and update these special Oracle Internet Directory groups using the Oracle Directory Manager application.
Note that there are some special groups in Oracle Internet Directory that exhibit cyclic behavior. Using Oracle Directory Manager to manage these groups is recommended, not the Group Manager or the Identity Server.
There may be an issue with the display of messages for some installations of Oracle Access Manager with Oracle Internet Directory using a native character set. For some supported languages in these environments, messages in the Oracle Access Manager message catalog that are not compatible with the native character set are not displayed properly.
Use the AL32UTF8 character set for Oracle Internet Directory instead of the native character set for the language.
When conducting searches using Novell eDirectory 8.7.3, attribute access controls and searchbase filters do not work as expected. For example, using eDirectory 8.7.3, you can configure filters to return organizational units (ou's) below the top node of the DIT, as follows:
(&(objectclass=*)(!(|(objectclass=oblixconfig)(objectclass=oblixlocation)(objectclass=genSiteOrgPerson)(objectclass=genSiteGroup)))(objectclass=*))
However, these searches return information that you were trying to exclude. For example, users may be returned.
To work around this issue, apply the eDirectory patch 8.7.3.7. See the following URLs for details:
http://support.novell.com/servlet/downloadfile?file=/uns/ftf/edir8737ftf_1.exe
This section describes issues and workarounds for documentation and online help. It includes the following topics:
Section 5.7.2, "Help Mentions WebGateStatic.lst But No Such File Exists"
Section 5.7.3, "The obEnableCredentialCache Credential Mapping Parameter Is Misspelled"
Section 5.7.4, "Warning Regarding Retrieving Authorization Data From an External Source"
The next version of the Oracle Access Manager Installation Guide, Chapter 2, "Preparing for Installation" Table 2-3 will include Oracle Internet Directory in the Installation Preparation Checklists.
Some language versions of the online help for the Access System contain an obsolete reference to a WebGateStatic.lst file, as follows:
"To ensure that the WebGate logs out users from Identity and Access applications when they click the Logout button, set the LogOutUrls parameter in WebGateStatic.lst to the same value as the SSO Logout URL. WebGateStatic.lst is located in WebGate_install_dir/oblix/apps/Webgate/"
As of version 10.1.4, the WebGateStatic.lst file is no longer present. Various parameters that were set in WebGateStatic.lst are now defined in the Access System Console.
The following procedure describes how to configure the LogOutURLs parameter. See the Oracle Access Manager Access Administration Guide for details.
To set the LogOutUrls parameter:
Launch the Access System Console and click Access System Configuration.
Click AccessGate Configuration in the left navigation pane.
Conduct a search for existing AccessGates and click the link for the AccessGate that you want to modify.
Modify the LogOutURLs parameter.
In the Oracle Access Manager Access Administration Guide chapter on configuring authentication, the obEnableCredentialCache parameter is misspelled as EnableCredentialCache.
Use the correct spelling, "obEnableCredentialCache", when configuring this parameter.
As described in the Oracle Access Manager Access Administration Guide, an authorization scheme can obtain data from an external source. This data is passed to a custom authorization plug-in. By obtaining external data (usually in the form of information about the user) authorization decisions can be made dynamically, based on user input.
For example, if a user goes to a form to purchase an item for $1000, this $1000 amount can be dynamically evaluated against a limit—perhaps stored in a database—to determine if the purchase is authorized.
The process of retrieving authorization data from an external source is sometimes known as a reverse action.
Note that when creating an authorization plug-in that uses a reverse action, the calls to retrieve reverse actions will not fail if no reverse actions are present. For example, the following returns NULL for a list if there is no user-agent value in RequestContext:
ObASPluginList_t list = pFnBlock->GetDataFn(pInfo->RequestContext, "user-agent");
Plug-ins should check if the data list returned for a reverse action (or anything else) is NULL before using it to retrieve individual data values. Even with a new Access Server, this situation could occur if the client did not specify a value for a reverse action.
This information will be added to the Authorization Plugin API documentation.
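The NULL check described above, applied to the purchase-limit scenario from this section, as an added example that is not taken from the Oracle documentation or the plug-in API. Only ObASPluginList_t, GetDataFn, pFnBlock, pInfo and RequestContext are names from the page; the struct definitions, mock_get_data, the "purchase-amount" data name, the AZ_ALLOW/AZ_DENY codes and the choice to deny on missing data are assumptions made for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for this example only; NOT the real plug-in header.
 * From the page: ObASPluginList_t, GetDataFn, pFnBlock, pInfo, RequestContext. */
struct mock_item    { const char *name; const char *value; };
struct mock_list    { const char *value; };           /* single-value list */
typedef struct mock_list *ObASPluginList_t;           /* pointer: may be NULL */
struct mock_context { const struct mock_item *items; size_t count; };
struct mock_info    { const struct mock_context *RequestContext; };
struct mock_fns {
    ObASPluginList_t (*GetDataFn)(const struct mock_context *ctx,
                                  const char *name);
};

typedef enum { AZ_ALLOW = 0, AZ_DENY = 1 } az_result; /* hypothetical codes */

/* Mock lookup: NULL when the client supplied no value for the name, which is
 * the behaviour the page describes for a missing reverse action. */
static ObASPluginList_t mock_get_data(const struct mock_context *ctx,
                                      const char *name)
{
    static struct mock_list result;  /* one static slot is enough for the demo */
    for (size_t i = 0; i < ctx->count; i++) {
        if (strcmp(ctx->items[i].name, name) == 0) {
            result.value = ctx->items[i].value;
            return &result;
        }
    }
    return NULL;
}

/* Parse a non-negative whole-number amount. Returns 0 on success, -1 on
 * empty, non-numeric, negative or out-of-range input. */
static int parse_amount(const char *s, long *out)
{
    char *end = NULL;
    long v;

    if (s == NULL || *s == '\0')
        return -1;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno == ERANGE || end == s || *end != '\0' || v < 0)
        return -1;
    *out = v;
    return 0;
}

/* Authorize a purchase against a limit. Missing or malformed data denies
 * (a fail-closed choice made for this example). */
az_result authorize_purchase(const struct mock_fns *pFnBlock,
                             const struct mock_info *pInfo, long limit)
{
    long amount = 0;
    ObASPluginList_t list =
        pFnBlock->GetDataFn(pInfo->RequestContext, "purchase-amount");

    if (list == NULL)                 /* check before touching list->value */
        return AZ_DENY;
    if (parse_amount(list->value, &amount) != 0)
        return AZ_DENY;
    return amount <= limit ? AZ_ALLOW : AZ_DENY;
}

/* Build a constructed request with (or without) an amount and decide. */
az_result demo_decide(const char *amount_or_null, long limit)
{
    struct mock_item items[1] = { { "purchase-amount", amount_or_null } };
    struct mock_context ctx = { items, amount_or_null ? 1u : 0u };
    struct mock_info info = { &ctx };
    struct mock_fns fns = { mock_get_data };

    return authorize_purchase(&fns, &info, limit);
}

int main(void)
{
    /* Constructed sample inputs; NULL means the client sent no value. */
    const char *samples[] = { "1000", "1001", "12abc", "-5", NULL };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-8s -> %s\n", samples[i] ? samples[i] : "(none)",
               demo_decide(samples[i], 1000) == AZ_ALLOW ? "allow" : "deny");
    }
    return 0;
}
```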