CA Single Sign-On Tech Tip by Sau Lai Wong, Senior Support Engineer for 22nd June 2016
Issue:
The REMOTE_USER HTTP header value is set to null when a user accesses protected resources on the backend Weblogic server. The Web Agent is installed on the frontend SunOne web server.
The Siteminder response is invoked as expected, but the header dump page shows the REMOTE_USER HTTP header with a null value.
Settings:
ACO parameters:
- SetRemoteUser = Yes
- RemoteUserVar = REMOTE_USER
Web Agent response attribute type: WebAgent-HTTP-Header-Variable, associated with an OnAuthAccept rule.
Environment:
Webserver: SunOne 6.1 with Weblogic 9.2 SP2 plugin
Webagent: 6QMR5 HF21
Cause:
Weblogic returns "null" in response to the getRemoteUser() call to guard against a security vulnerability: identity spoofing through the REMOTE_USER header.
Workaround:
Start Weblogic with the following runtime argument:
-Dweblogic.http.enableRemoteUserHeader=true
Important Note: Please be informed that enabling this feature leaves the system vulnerable to REMOTE_USER HTTP header spoofing.
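To make the Cause and Workaround sections concrete, the following is an added Python model of the REMOTE_USER trust boundary; it is not CA SiteMinder or Oracle Weblogic code. The frontend address, the user names and the backend allow-list TRUSTED_FRONTENDS are constructed assumptions. The backend function mirrors the two behaviours the tip describes (header ignored by default, so getRemoteUser() yields null; header honoured once enableRemoteUserHeader=true) and adds one defensive check the tip does not mention: the header is only honoured when the request arrived from the trusted frontend, which is the control that limits the spoofing exposure described in the note above.

```python
# Added example: a model of the REMOTE_USER trust boundary from the tech tip.
# Not CA SiteMinder or Oracle Weblogic code. Addresses, user names and the
# TRUSTED_FRONTENDS allow-list are constructed assumptions.
from dataclasses import dataclass, field
from typing import Dict, Optional

REMOTE_USER_HEADER = "REMOTE_USER"      # RemoteUserVar from the ACO settings above
FRONTEND_ADDR = "10.0.0.5"              # assumed address of the SunOne host running the Web Agent
TRUSTED_FRONTENDS = {FRONTEND_ADDR}     # assumed allow-list enforced on the backend


@dataclass
class Request:
    """Minimal request model: where it came from and the headers it carries."""
    client_addr: str
    headers: Dict[str, str] = field(default_factory=dict)


def frontend_forward(client_req: Request, authenticated_user: Optional[str],
                     set_remote_user: bool = True) -> Request:
    """Model of the SunOne/Web Agent hop (SetRemoteUser=Yes).

    Any REMOTE_USER the client itself sent is dropped, and the header is set only
    from the identity the agent established. The backend then sees the request
    arriving from the frontend's address, not the client's.
    """
    forwarded = {k: v for k, v in client_req.headers.items()
                 if k.upper() != REMOTE_USER_HEADER}
    if set_remote_user and authenticated_user is not None:
        forwarded[REMOTE_USER_HEADER] = authenticated_user
    return Request(client_addr=FRONTEND_ADDR, headers=forwarded)


def backend_remote_user(req: Request, enable_remote_user_header: bool) -> Optional[str]:
    """Model of getRemoteUser() on the Weblogic tier.

    enable_remote_user_header=False mirrors the default behaviour in the Cause
    section: the header is ignored and None (Java null) is returned.
    With True the header is honoured, matching the workaround. The allow-list
    check is an added defensive assumption, not Weblogic behaviour: a request
    that did not come through the trusted frontend gets None even if it carries
    the header.
    """
    if not enable_remote_user_header:
        return None
    if req.client_addr not in TRUSTED_FRONTENDS:
        return None
    return req.headers.get(REMOTE_USER_HEADER)


if __name__ == "__main__":
    # Constructed client request that already carries its own REMOTE_USER value.
    client = Request("198.51.100.7", {"REMOTE_USER": "not-the-real-user", "Host": "app.example"})
    via_frontend = frontend_forward(client, authenticated_user="alice")
    print("default   :", backend_remote_user(via_frontend, False))   # None, the tip's symptom
    print("workaround:", backend_remote_user(via_frontend, True))    # alice
    print("direct hit:", backend_remote_user(client, True))           # None, allow-list in effect
```

The two checks worth keeping from this model are on the frontend side (the agent tier must overwrite, never merely append, a client-supplied REMOTE_USER) and on the backend side (only network paths that pass through the agent tier should be able to reach Weblogic at all, whether enforced by an allow-list like the one modelled here or by network segmentation). With both in place the workaround's exposure is limited to hosts that are already trusted.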