Oracle GlassFish Server 3.1 Security Guide

Configuring the OAM Security Provider

The OAM Security Provider is implemented via the OAMAuthenticatorSAM class.

You configure the OAM Security Provider as a message-security-provider whose interception point is the HttpServlet layer, either through the Administration Console or with the create-message-security-provider subcommand.

The following message-security-provider configuration declares an OAM Security Provider:

    <message-security-config auth-layer="HttpServlet">
        <provider-config provider-type="server" provider-id="MySAM"
                         class-name="com.sun.glassfish.oamsam.OAMAuthenticatorSAM">
            <property name="oam.resource.hostid.variation"
                      value="your-host-system.com" />
            <!--property name="form.login.page" value="" /-->
        </provider-config>
    </message-security-config>

You must set the provider id to a unique value. The class name must be com.sun.glassfish.oamsam.OAMAuthenticatorSAM.

You can optionally set the properties shown in Table 7-2 for the OAM Security Provider.

Table 7-2 OAM Security Provider Properties

Each entry gives the property name followed by its description.

APPSERVER_SSL_MUTUAL_AUTH_PORT
    Option to the SAM indicating the SSL mutual authentication port of the Application Server.

APPSERVER_SSL_PORT
    Option to the SAM indicating the SSL port of the Application Server.

cookie.httponly
    Option to the SAM indicating whether the httponly flag of the ORA_GF_ObSSOCookie should be set.

cookie.path
    Option to the SAM indicating the value of the path parameter of the ORA_GF_ObSSOCookie. By default the path parameter is not set.

cookie.secure
    Option to the SAM indicating whether the isSecure() bit of the Cookie should be set to true or false when the ORA_GF_ObSSOCookie is created after successful authentication.

error.page
    Option to the SAM indicating the custom error page to use for authentication and authorization failures. The value must be a path relative to the current context root and must begin with a "/".

form.login.page
    Option to the SAM indicating the custom FORM login page to use for FORM-based login. The value must be a path relative to the domain's docroot. A default login FORM is used when this option is absent, or when its value is set to "" (empty string) or to the value "default".

oam.auth.cert.param
    Option to the SAM indicating the parameter name for the certificate credential passed to create the ObUserSession.

oam.auth.hdr.external
    Option to the SAM whose value indicates the name of the request header that contains the UserId/Cookie corresponding to the ObUserSession.

oam.auth.password.param
    Option to the SAM indicating the parameter name for the password credential passed to create the ObUserSession.

oam.auth.userid.param
    Option to the SAM indicating the parameter name for the username credential passed to create the ObUserSession.

oam.check.resource.access
    Option to the SAM indicating whether OAM should also perform the authorization check for the resource. The value is a flag that indicates whether OAM should check (authenticate and authorize) the resource access. By default OAM is consulted only to authenticate any credentials and establish the SSO token.

    Note - GlassFish Server authorization has the final say as to whether access to the resource is finally allowed, primarily based on the group and principal of the user being in the correct Java EE-defined Role to access the resource.

oam.header.type
    Option to the SAM indicating whether the external header in the request is to be interpreted as a Cookie or as the User Principal of an authenticated user when the module is acting as an Identity Asserter.

oam.include.port.in.resource
    Option to the SAM indicating whether the port number of a request should be used when constructing the request URI for the protected resource whose access is protected by OAM.

oam.include.query.params.in.resource
    Option to the SAM indicating whether the query parameters of a request should be used when constructing the request URI for the protected resource whose access is protected by OAM.

oam.obsso.cookie.name
    Option to the SAM indicating the name of the ORA_GF_ObSSOCookie to use.

oam.res.access.protocol
    Option to the SAM indicating the protocol to be used when creating the resource representation for the protected resource whose access is protected by OAM.

oam.resource.hostid.variation
    Option to the SAM indicating the host-id variation to use when constructing the request URI for the protected resource whose access is protected by OAM.

oam.ext.header
    Option to the SAM indicating the name of the header to use for identity assertion. The SAM uses it to find the configured header and to extract the principals. The only allowed value is OAM_REMOTE_USER.

IdentityAsserterMode
    Option to the SAM that determines whether the SAM acts as an Identity Asserter. The SAM acts as an Identity Asserter when this option is set to true.
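As an added example (not part of the GlassFish documentation or product), the following Python script assembles the provider-config fragment shown in this section and checks the rules the section states before the fragment is placed in domain.xml: a provider id that is set and unique, the fixed class name, property names taken from Table 7-2, an error.page value beginning with "/", and OAM_REMOTE_USER as the only value of oam.ext.header. Treating the flag-style properties as "true"/"false" strings is an assumption of this example.

```python
import xml.etree.ElementTree as ET

OAM_SAM_CLASS = "com.sun.glassfish.oamsam.OAMAuthenticatorSAM"

# Table 7-2 property names and the kind of check applied to each value.
# Treating flag-style options as "true"/"false" is an assumption of this example.
KNOWN_PROPERTIES = {
    "APPSERVER_SSL_MUTUAL_AUTH_PORT": "any", "APPSERVER_SSL_PORT": "any",
    "cookie.httponly": "bool", "cookie.path": "any", "cookie.secure": "bool",
    "error.page": "abs_path", "form.login.page": "any",
    "oam.auth.cert.param": "any", "oam.auth.hdr.external": "any",
    "oam.auth.password.param": "any", "oam.auth.userid.param": "any",
    "oam.check.resource.access": "bool", "oam.header.type": "any",
    "oam.include.port.in.resource": "bool",
    "oam.include.query.params.in.resource": "bool",
    "oam.obsso.cookie.name": "any", "oam.res.access.protocol": "any",
    "oam.resource.hostid.variation": "any",
    "oam.ext.header": "remote_user", "IdentityAsserterMode": "bool",
}

def check_property(name, value):
    """Return an error message for a bad property, or None when it is acceptable."""
    kind = KNOWN_PROPERTIES.get(name)
    if kind is None:
        return f"unknown property {name!r}"
    if kind == "bool" and value not in ("true", "false"):
        return f"{name} must be true or false"
    if kind == "abs_path" and not value.startswith("/"):
        return f"{name} must begin with '/'"
    if kind == "remote_user" and value != "OAM_REMOTE_USER":
        return f"{name} only allows the value OAM_REMOTE_USER"
    return None

def validate_oam_provider(provider_id, properties, existing_ids=()):
    """Collect violations of the rules the guide states for the provider entry."""
    errors = [] if provider_id and provider_id not in existing_ids else [
        "provider-id must be set and unique"]
    errors += [e for e in (check_property(n, v) for n, v in properties.items()) if e]
    return errors

def build_oam_provider_config(provider_id, properties, existing_ids=()):
    """Return the <message-security-config> fragment as XML text, or raise."""
    errors = validate_oam_provider(provider_id, properties, existing_ids)
    if errors:
        raise ValueError("; ".join(errors))
    cfg = ET.Element("message-security-config", {"auth-layer": "HttpServlet"})
    prov = ET.SubElement(cfg, "provider-config", {"provider-type": "server",
                         "provider-id": provider_id, "class-name": OAM_SAM_CLASS})
    for name, value in properties.items():
        ET.SubElement(prov, "property", {"name": name, "value": value})
    return ET.tostring(cfg, encoding="unicode")
```

Passing the ids of providers already present in the domain as existing_ids is what makes the uniqueness check meaningful.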