Saturday, July 5, 2014

Allowing unauthenticated access to Webcenter Content/UCM public documents via OAM SSO

Recently we had a requirement at a client wherein public documents in UCM had to be accessible via the SSO URL (using the OHS port) without the user being challenged for credentials.

Sounds pretty straightforward, right? After all, when the Content Server's default managed-server port of 16200 is used, those documents don't pop up a prompt for user credentials.
Well, it wasn't that simple really! It took us (myself, Sachin Saxena et al.) a few days to figure this out exactly, and now we have Oracle's stamp on it as well!
The following are examples of documents which needed to be publicly accessible:
1) http://<host>:7778/cs/idcplg?idcService=GET_FILE&dID=1445&dDocName=DEV_COMPLOGO_31364&allowInterrupt=1
(Accessing a public document called 'DEV_COMPLOGO_31364', which has the Public security group, via IdcService)
2) http://<host>:7778/cs/groups/public/documents/digitalmedia/b2dv/xzmx/~edisp/dev_complogo_31364.jpg
(This has a definite URL pattern of /cs/groups/public)
3) This general service/document search page also needs to open without authentication:
http://<host>:7778/cs/idcplg?IdcService=GET_DOC_PAGE

**Oracle Access Manager (OAM) basically protects URLs or definite URL parameters; it cannot go inside an end-user application and check the security assigned to a resource to determine whether the request should be challenged for credentials.
(The example in this case is that it cannot go and check the authorization / security group of the file DEV_COMPLOGO_31364 behind the IdcService URL.)**

Hence we have only the following options here:
1) The URL pattern /cs/groups/public can be marked as unprotected in the OAM Application Domain, so the user won't be challenged when using URL pattern 2 above.
2) Create a mapping folder pattern in UCM (like a pretty URL, to access even WebDAV content).
3) Configure the IdcService URL pattern to be public in OAM (something like http://oamserver.com/cs/idcplg as the URL and IdcService=GET_FILE as the query parameter). But by exposing that, people can still construct the URL of a private document if they know its dID and bypass OAM, as the pattern is public. Once they reach UCM, however, UCM security will deny them access, as they are not authenticated / do not have the required permissions. [Courtesy: Shidharth Mishra]
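To make the two-layer behaviour of options 1 and 3 concrete, here is a small model I added for this post (it is not Oracle's code and not how OAM or UCM are implemented): the OAM WebGate decides from the URL pattern and query string alone, and only UCM knows the document's security group. The hostname, the private dID 9999 and the shell-style pattern matching are assumptions; query parameter names are treated as case-insensitive because the URLs above mix 'idcService' and 'IdcService'.

```python
from urllib.parse import urlparse, parse_qs
import fnmatch

# OAM Application Domain resources, modelled after options 1 and 3 of the post.
# (path pattern, required query parameters or None, protection level); first match wins.
# Pattern syntax here is simplified shell-style matching, not OAM's own resource syntax.
OAM_RESOURCES = [
    ("/cs/groups/public/*", None, "unprotected"),                   # option 1
    ("/cs/idcplg", {"idcservice": "GET_FILE"}, "unprotected"),      # option 3
    ("/cs/idcplg", {"idcservice": "GET_DOC_PAGE"}, "unprotected"),  # search page
    ("/cs/*", None, "protected"),                                   # everything else
]

# Constructed UCM metadata: dID -> security group. dID 1445 is the post's public
# logo; dID 9999 is a hypothetical document in a private security group.
UCM_DOCS = {1445: "Public", 9999: "Secure"}

def _query(url):
    """Query parameters with lower-cased names (assumed case-insensitive)."""
    return {k.lower(): v[0] for k, v in parse_qs(urlparse(url).query).items()}

def oam_decision(url):
    """What the WebGate can decide from the URL alone: 'protected' or 'unprotected'."""
    path, q = urlparse(url).path, _query(url)
    for pattern, params, level in OAM_RESOURCES:
        if fnmatch.fnmatch(path, pattern) and (
                params is None or all(q.get(k) == v for k, v in params.items())):
            return level
    return "protected"

def ucm_decision(url, user=None):
    """UCM's own check, applied only once the request has reached the content server.
    For simplicity any authenticated user is allowed to read the private group."""
    path, q = urlparse(url).path, _query(url)
    if path.startswith("/cs/groups/public/") or q.get("idcservice") == "GET_DOC_PAGE":
        return "served"                        # public weblayout path / search page
    group = UCM_DOCS.get(int(q.get("did", 0)))
    if group is None:
        return "UCM access denied"             # unknown dID
    return "served" if group == "Public" or user else "UCM access denied"

def request(url, user=None):
    """Simulate a request (anonymous when user is None) through OHS/OAM, then UCM."""
    if user is None and oam_decision(url) == "protected":
        return "OAM challenge"                 # redirected to the OAM login page
    return ucm_decision(url, user)
```

The private-document case passes OAM (the pattern is public) but still ends in "UCM access denied", which is exactly the caveat in option 3.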

References
1) Oracle SR [Closed]
2) Forums