SUN Access Manager (OpenSSO) timeout and AJAX (XMLHTTPRequest)
Do you have the answer to the following?
- Can SUN Access Manager / OpenSSO policy agents be configured with a different URL for timeouts than for login?
- Can SUN Access Manager / OpenSSO policy agents be configured to give a redirect according to the XMLHttpRequest standard when an XMLHttpRequest is received and the user needs to log in?
I think I have the answers, and they are: NO and NO!
I have the following setup:
The SUN Access Manager and the Reverse proxy with policy agent have different DNS names:
accessmanager.mydomain.net and reverseproxy.mydomain.net
The SUN Access Manager policy agent is set up with a login URL that is used both when a user doesn't have a session and when the user's session has timed out.
The application that I secure uses AJAX and the XMLHttpRequest protocol.
What happens when the user session times out?
- The user clicks a form object in the web application and an XMLHttpRequest is sent to reverseproxy.mydomain.net
- The Policy Agent checks the session and uses the login URL defined in the AMAgent property file. Normally this is a URL to accessmanager.mydomain.net
In Internet Explorer the user will get a security warning and a JavaScript error.
- Why?
- because XMLHttpRequest requires that the URI in the request and the response is the same, and here the login URL is on a different host
- because the response has the Content-Type text/html and not application/x-javascript
How do you redirect the user to Access Manager?
- You must use Content-Type application/x-javascript and the response must be a JavaScript window.location statement
The SUN Access Manager Policy Agent doesn't support this.
- A workaround can be:
- The login URL in the AMAgent file must be a URL on reverseproxy.mydomain.net, pointing to a page on the Reverse Proxy
- The response from this URL must be an HTTP 200 response with Content-Type application/x-javascript containing a JavaScript window.location statement.
Something like this:
This post will be updated with more details later. Now it's time for holidays.
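The workaround described above, sketched as an added example that is not part of the original post or of any SUN/OpenSSO code: a handler for the page on reverseproxy.mydomain.net that answers with HTTP 200, Content-Type application/x-javascript and a window.location redirect to Access Manager. The login path `/amserver/UI/Login`, the `goto` return parameter, the use of https and all function names are assumptions. Because the page redirects on behalf of a parameter, it only accepts return URLs that point back at the reverse proxy.

```javascript
// Added example. Only the two hostnames come from the post; the rest is assumed.
const PROXY_HOST = "reverseproxy.mydomain.net";
// Assumed Access Manager login path; adjust to the real deployment URI.
const AM_LOGIN = "https://accessmanager.mydomain.net/amserver/UI/Login";
const DEFAULT_RETURN = "https://" + PROXY_HOST + "/";

// Accept the agent-supplied return URL only if it points back at the proxy,
// so this page cannot be used as an open redirector.
function safeReturnUrl(raw) {
  if (!raw) return DEFAULT_RETURN;
  let u;
  try { u = new URL(raw); } catch (e) { return DEFAULT_RETURN; }
  if (u.protocol !== "https:" || u.hostname !== PROXY_HOST) return DEFAULT_RETURN;
  if (u.username || u.password) return DEFAULT_RETURN;
  return u.href;
}

// Build the HTTP 200 response that is served from the proxy's own host.
function buildTimeoutResponse(requestUrl) {
  const req = new URL(requestUrl, "https://" + PROXY_HOST);
  const login = new URL(AM_LOGIN);
  login.searchParams.set("goto", safeReturnUrl(req.searchParams.get("goto")));
  // JSON.stringify yields a correctly escaped JavaScript string literal.
  const body = "window.location.href = " + JSON.stringify(login.href) + ";";
  return {
    status: 200,
    headers: {
      "Content-Type": "application/x-javascript",
      "Cache-Control": "no-store", // never cache a session-timeout answer
    },
    body,
  };
}

// Node http handler; wire it up with http.createServer(handleTimeout).
function handleTimeout(req, res) {
  const r = buildTimeoutResponse(req.url);
  res.writeHead(r.status, r.headers);
  res.end(r.body);
}
```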




