Accessing HTTP Response Header Using JavaScript

We were working on an application built with a JavaScript framework. It is a very common scenario nowadays to have a JavaScript-based UI application that talks to REST services, and our application was no different. As in most cases, we also had a requirement to implement security for the application.

We decided to use Oracle Access Manager (OAM) in a Detached Credential Collector (DCC) setup. To learn more about the DCC setup, you can always refer to the Oracle Docs. The image below gives a very high-level overview of the setup, excluding the REST resource part.


The flow can be described as follows:
1. The browser makes a request to the app, and the request hits the WebGate (the OAM agent running inside Oracle HTTP Server, OHS).
2. WebGate checks whether the user is authenticated. If not, the request is sent to OAM and the user gets the OAM login screen to authenticate.
3. After authentication, the request goes back to OHS along with a response header parameter set by OAM. (There is some configuration involved in sending a header parameter from OAM to OHS, but that is outside the scope of this post.)
4. WebGate then forwards the request to the application server. It converts the response header parameter received from OAM into a request header for every subsequent call it makes to the downstream systems, and stores the value in the user's session.
5. The application server sends its response back to OHS.
6. OHS sends the response back to the browser along with the JavaScript resources.

Pretty simple so far, isn't it? As it is a JavaScript application, it runs in the user's browser and not on the server. This is a very important point for the topic of this post.

As part of our requirement, we were trying to read, from our UI application, the HTTP header parameter that OAM was setting. But when we tried to do so, we did not get any value for it.

To verify whether the parameter had a value at all, we deployed a JSP on the application server and checked the header there. And yes, the parameter did have a value, and it was visible in the JSP.

So why did we not receive the same value in our JavaScript UI application? For these reasons:
1. The JavaScript was running in a browser on the user's machine, not on the server. The header OAM sets is a request header that WebGate adds to the request it forwards to the application server; it is not part of the HTTP response that travels back to the browser, so browser-side code has nothing to read. The JSP saw it because the JSP executes on the application server, on the receiving end of that forwarded request.
2. For security reasons, OHS also strips some HTTP parameters and prevents them from reaching the client side.

In a nutshell, you will not be able to access the header parameters that OAM sets after successful authentication from a JavaScript application running in the browser. If the UI needs that information, the server-side application behind WebGate has to expose it deliberately.
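The following is an added example, not code from the original post or from Oracle. It models the header flow described above with plain functions so it runs offline: the browser's request, WebGate's header injection, the application server, and what the browser-side JavaScript can actually observe. The header name `oam_remote_user`, the user `alice` and the `/whoami` endpoint are assumptions for illustration.

```javascript
// Added example (not from the original post): a model of the OAM/WebGate
// header flow, showing where the identity header exists and where it does not.
// The header name, the user "alice" and the /whoami endpoint are assumptions.

const IDENTITY_HEADER = 'oam_remote_user'; // assumed name of the OAM header parameter

// What WebGate does once OAM has authenticated the user: forward the browser's
// request to the application server with the identity added as a *request*
// header. Any copy of that header supplied by the browser is dropped first,
// so a client cannot spoof the identity that OAM asserted.
function webgateForward(browserRequest, oamAssertedUser) {
  const headers = {};
  for (const [name, value] of Object.entries(browserRequest.headers)) {
    const key = name.toLowerCase();
    if (key !== IDENTITY_HEADER) headers[key] = value;
  }
  headers[IDENTITY_HEADER] = oamAssertedUser;
  return { method: browserRequest.method, path: browserRequest.path, headers };
}

// The application server, which is where the JSP in the post ran. It can read
// the request header because it sits downstream of WebGate.
function appServerHandle(upstreamRequest) {
  const user = upstreamRequest.headers[IDENTITY_HEADER];
  if (upstreamRequest.path === '/whoami') {
    // The only way browser code learns the identity: the server copies the
    // request header value into something it does send back, here a JSON body.
    return {
      status: 200,
      headers: { 'content-type': 'application/json' },
      body: JSON.stringify({ user }),
    };
  }
  // The SPA's static resources: the identity header is not echoed back.
  return {
    status: 200,
    headers: { 'content-type': 'text/html' },
    body: '<html><body>app</body></html>',
  };
}

// What browser-side JavaScript can observe after fetch()/XHR: the response
// status, the response headers and the body. The request headers WebGate
// added on the hop to the application server are not part of this object.
function browserView(response) {
  return { status: response.status, headers: { ...response.headers }, body: response.body };
}

// Runs one request through the whole chain and returns both what the
// application server received and what the browser got back.
function flow(path, clientHeaders = {}) {
  const browserRequest = { method: 'GET', path, headers: clientHeaders };
  const upstream = webgateForward(browserRequest, 'alice');
  const seen = browserView(appServerHandle(upstream));
  return { upstream, seen };
}

// Demonstration when run directly with node.
const page = flow('/index.html');
console.log('app server saw header:', page.upstream.headers[IDENTITY_HEADER]); // alice
console.log('browser JS sees header:', page.seen.headers[IDENTITY_HEADER]);    // undefined

// A browser that tries to set the identity header itself is ignored.
const spoofed = flow('/whoami', { OAM_REMOTE_USER: 'mallory' });
console.log('whoami body:', spoofed.seen.body); // {"user":"alice"}
```

In the real deployment the SPA would call something like `fetch('/whoami', { credentials: 'same-origin' })` and parse the JSON; the endpoint is only trustworthy if the application server accepts traffic solely from OHS/WebGate, because the header is ordinary text that anyone who can reach the application server directly could set. If you choose to copy the value into a custom response header instead of the body, remember that cross-origin JavaScript can only read it when the server lists it in `Access-Control-Expose-Headers`.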

There is a very interesting article by the Oracle A-Team on SSO implementation for SPAs, which you can read here.
