Symantec SiteMinder


Tech Tip - CA Single Sign-On: request.getRemoteUser() returns null

By wonsa03 posted Jun 22, 2016 01:26 AM

CA Single Sign-On Tech Tip by Sau Lai Wong, Senior Support Engineer for 22nd June 2016

Issue:

The REMOTE_USER HTTP header value is null when a user accesses protected resources served by the backend WebLogic server. The Web Agent is installed on the frontend SunOne web server.

The SiteMinder response is invoked as expected, but the header dump page shows the REMOTE_USER HTTP header with a null value.

Settings:

ACO parameters:

  • SetRemoteUser = Yes
  • RemoteUserVar = REMOTE_USER

Web Agent response: attribute type WebAgent-HTTP-Header-Variable, associated with an OnAuthAccept rule.

Environment:

Web server: SunOne 6.1 with the WebLogic 9.2 SP2 plugin

Web Agent: 6QMR5 HF21

Cause:

WebLogic returns null from the getRemoteUser() call to guard against a security vulnerability, identity spoofing: by default it does not trust a REMOTE_USER header that arrives on the request, because a client could otherwise set that header itself.

Workaround:

Start WebLogic with the following run time argument:

-Dweblogic.http.enableRemoteUserHeader=true

Important Note: Please be informed that with this feature enabled, WebLogic trusts the REMOTE_USER HTTP header on every request it receives, so the system is vulnerable to REMOTE_USER HTTP header spoofing by any request that reaches WebLogic without passing through the Web Agent.
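The trust decision behind the workaround and the note above, as an added model (not CA or WebLogic code): the Web Agent overwrites REMOTE_USER with the SiteMinder identity, WebLogic ignores that header until the flag is set, and once the flag is set it takes the header at face value. The peer-address guard, the front-end address and the header values are assumptions constructed for the example.

```python
# Added model (not CA or WebLogic code) of the trust decision behind this tip.
# Header names are upper-cased because HTTP header names are case-insensitive.

WEB_AGENT_ADDR = "10.0.0.5"  # constructed: address of the SunOne front end running the Web Agent


def _norm(headers):
    return {k.upper(): v for k, v in headers.items()}


def web_agent_forward(client_headers, authenticated_user):
    """Model of the Web Agent with SetRemoteUser=Yes and RemoteUserVar=REMOTE_USER:
    it overwrites REMOTE_USER with the SiteMinder identity, so a value the client
    supplied never reaches the backend."""
    fwd = {k: v for k, v in _norm(client_headers).items() if k != "REMOTE_USER"}
    if authenticated_user is not None:
        fwd["REMOTE_USER"] = authenticated_user
    return fwd


def get_remote_user(headers, enable_remote_user_header):
    """Model of request.getRemoteUser() on WebLogic behind the plugin. Flag off
    (the default): the header is ignored and None is returned, which is the symptom
    in this tip. Flag on: the header value is returned exactly as received."""
    if not enable_remote_user_header:
        return None
    return _norm(headers).get("REMOTE_USER")


def guarded_remote_user(headers, enable_remote_user_header, peer_addr):
    """Defensive check (an assumption, not a WebLogic option): with the flag on,
    honour REMOTE_USER only for requests arriving from the Web Agent front end,
    so a request sent straight to WebLogic cannot choose its own identity."""
    if peer_addr != WEB_AGENT_ADDR:
        return None
    return get_remote_user(headers, enable_remote_user_header)


def scenarios():
    """getRemoteUser() results for the cases discussed in the tip (constructed input)."""
    client = {"Host": "app.example.com", "REMOTE_USER": "admin"}  # client-supplied header
    via_agent = web_agent_forward(client, "alice")
    return {
        "flag_off": get_remote_user(via_agent, False),          # the reported issue: null
        "flag_on_via_agent": get_remote_user(via_agent, True),  # SiteMinder identity
        "flag_on_direct": get_remote_user(client, True),        # bypassed front end: spoofed
        "flag_on_direct_guarded": guarded_remote_user(client, True, "203.0.113.9"),
    }
```

Calling scenarios() shows the null result from the tip with the flag off, the SiteMinder identity with the flag on through the Web Agent, and the client-chosen value when the front end is bypassed.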
