Sun Java System Access Manager 7 2005Q4 Release Notes

CR# 6770231: Access Manager 7 Patch 12 validates goto URLs

After installing patch 12, Access Manager 7 2005Q4 server can validate a goto URL after a user logs in. This fix prevents a hacker from sending the user to an imposter site in order to steal the user's personal information.

To set valid goto URLs, follow these steps:

  1. After you install patch 12, make sure you run the or updateschema.bat script and then restart the Access Manager web container.

  2. Log in to the Access Manager Administration Console.

  3. Click Configuration, Authentication, and then Core.

  4. Under Valid goto URL domains, add each valid goto domain name, as follows:

    • A domain name starting with a dot (.) such as allows all hosts in the domain to be used in a success redirect URL.

    • A domain name that does not start with a dot (.) such as allows the host to be used in a success redirect URL. For example, would be valid, but would not be valid.

    • If you don't add the entire domain to the list, you must add each individual agent host name being used.

    • You do not need to add domains for agents in CDSSO mode, because they are protected automatically.

  5. Click Save.

  6. Restart the Access Manager web container.

If you subsequently want to disable the goto URL validation, remove all entries from the Valid goto URL domains list. If a goto URL is found to be invalid, the user will be redirected to the default success login URL.