14 Replies Latest reply: Apr 13, 2012 8:58 AM by Purva Kulkarni-Kale

    OAM 11g Custom error code handling during login

    776607
      Hi,

      I have a requirement to handle the error codes during authentication in OAM 11g. After login in login.jsp (default or custom jsp), based on the LDAP error codes from the directory server (OID\OVD), I need to display a custom error message like "Please enter correct user name\password" in place of "Invalid username\password" and so on.

      Please guide me as to how I can achieve this in the login step, maybe on the same page or on a different jsp error page, but how do I handle the LDAP error codes and display the error messages accordingly?

      Appreciate any help in this regard..

      Thanks
      Nagendra
        • 1. Re: OAM 11g Custom error code handling during login
          Presto
          http://docs.oracle.com/cd/E15586_01/doc.1111/e15478/oam_set.htm#CHDIBJFH

          If you're using a custom login page, you can see p_error_code in the URL which should tell you OAM-2, OAM-5 (incorrect password, user locked, etc).
          • 2. Re: OAM 11g Custom error code handling during login
            Nagendra S-OC
            Hi Presto,

            Thanks a lot for the response.

            Yes, we are using the customized jsp page, which actually prints the errorResponse and clientResponse, which are retrieved as

            String errorResponse = request.getParameter(GenericConstants.PLUGIN_ERROR_RESPONSE);
            String clientResponse = request.getParameter(GenericConstants.PLUGIN_CLIENT_RESPONSE);

            But this prints the actual error message at runtime, like LDAP Error: 49 or LDAP Error -53. We need to print a custom error message instead of this.

            The page also has
            String errCode = request.getParameter(GenericConstants.ERROR_CODE);
            String secondaryErrMessage = request.getParameter(GenericConstants.SECONDARY_ERROR_MESSAGE);

            When I look at the GenericConstants.class file under the oracle\security\am\common\utilities\constant package in the SamleLoginWar.war file, it has mappings like this:

            public static final String PLUGIN_ERROR_RESPONSE = "PLUGIN_ERROR_RESPONSE";
            public static final String PLUGIN_REQUEST_RESPONSE = "PLUGIN_REQUEST_RESPONSE";
            public static final String ERROR_CODE = "p_error_code";
            public static final String SECONDARY_ERROR_MESSAGE = "p_sec_error_msg";

            The thing here is, how and where do we handle these values to print our custom messages instead of the default ones?

            Thanks again for the reply and would be glad if you could help me in this again.

            Nagendra.
            • 3. Re: OAM 11g Custom error code handling during login
              884768
              GenericConstants.PLUGIN_ERROR_RESPONSE & GenericConstants.PLUGIN_CLIENT_RESPONSE are new features added in OAM 11.1.1.5.2 to allow customized error codes.

              If you just need to cater standard error messages like "invalid user name/pwd" or "account lock", p_error_code (URL parameter - OAM-2, OAM-5 ...) should be enough for you.

              In your customized login app, define your own message bundle and then map to each p_error_code.

              In the login page, get the "p_error_code" from the URL parameter, and then display the message according to the defined message bundle.

              If you want to use GenericConstants.PLUGIN_CLIENT_RESPONSE, it can be implemented in similar way
              • 4. Re: OAM 11g Custom error code handling during login
                776607
                Hi Kaon,

                Thank you much for the response.

                Yes, I am able to handle the error messages returned by the OAM server by reading ERROR_CODE, which in turn refers to p_error_code, and display my custom messages by mapping the codes OAM-1, OAM-2 and so on to my custom messages in the login.jsp page.

                Now I need to read the Secondary Error Message returned from the LDAP server and customize it too, as per our requirement.
                The thing is, I am unable to read the secondary error message in the login page using
                String secondaryErrMessage = request.getParameter(GenericConstants.SECONDARY_ERROR_MESSAGE);
                This is not returning any value during authentication using the default LDAP authentication plugin.

                Whether the LDAP plugin is developed to return SECONDARY_ERROR_MESSAGE, PLUGIN_ERROR_RESPONSE and PLUGIN_CLIENT_RESPONSE?

                Awaiting for your response.

                Thanks
                Nagendra
                • 5. Re: OAM 11g Custom error code handling during login
                  johnmcbride
                  Hi Nagendra S,

                  Working on a similar thing: we have an authentication module which is two-factor: one authentication to LDAP and the second authentication to a second-factor web service (Symantec).

                  We wish to identify the source of the error, LDAP or the 3rd party MFA provider, so that we can provide a more helpful error message: "username/password failed" versus "one time pin failed". With the 11.1.1.5.2 upgrade, can we get more granularity to tell us what step in the authentication failed?


                  Thanks,
                  John
                  • 6. Re: OAM 11g Custom error code handling during login
                    776607
                    Hi John,

                    In order for you to get LDAP error messages, you need to get the SecondaryErrorMessage, which would be read as
                    request.getParameter(GenericConstants.SECONDARY_ERROR_MESSAGE); in the login page. This SECONDARY_ERROR_MESSAGE is the non-localised string containing the real cause of the authentication failure, like javax.naming.AuthenticationException: [LDAP: error code 49 - LDAP Error 49 : [LDAP: error code 49 - Invalid Credentials]].

                    If this has to be available to be read in the login page, the plugin should be developed in such a way that this is returned when the plugin is invoked.
                    I am not sure if the default LDAP or any other plugins support this. I have an SR opened with the support team to check if this really happens with the default plugins.
                    However, Oracle has provided some custom authentication plugins with the hotfix release for OAM 11.1.1.5 BP02, which are developed to serve this purpose.

                    Anyone in the forum, please shed some light on how we can achieve this with the default plugins, if you have come across this requirement.

                    Thanks,
                    Nagendra
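
Added example (not from any poster and not Oracle's code): a helper a custom login.jsp could call to turn p_error_code and the LDAP result code inside p_sec_error_msg into fixed custom messages, as posts 3 and 6 describe. Both values arrive as request parameters, so the helper only looks them up in allow-lists and never writes them to the page. The class name, the message wording and the sample strings are assumptions; the meanings of OAM-2 and OAM-5 follow post 1.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical helper for a custom login.jsp; not part of OAM or its sample WAR. */
public final class LoginErrorMessages {
    private static final Map<String, String> BY_OAM_CODE = new HashMap<String, String>();
    private static final Map<Integer, String> BY_LDAP_CODE = new HashMap<Integer, String>();
    static {
        // Custom wording (constructed) keyed by the p_error_code value.
        BY_OAM_CODE.put("OAM-2", "Please enter the correct user name and password.");
        BY_OAM_CODE.put("OAM-5", "Your account is locked. Please contact the help desk.");
        // Custom wording (constructed) keyed by the LDAP result code in p_sec_error_msg.
        BY_LDAP_CODE.put(49, "Please enter the correct user name and password.");
        BY_LDAP_CODE.put(53, "Your account cannot be used to sign in right now.");
    }
    // Matches the "LDAP: error code 49" fragment quoted in post 6.
    private static final Pattern LDAP_CODE = Pattern.compile("LDAP: error code (\\d{1,3})\\b");
    private static final String GENERIC = "Sign-in failed. Please try again.";

    private LoginErrorMessages() { }

    /** Returns fixed text only; neither parameter value is ever echoed back. */
    public static String resolve(String errorCode, String secondaryMessage) {
        if (secondaryMessage != null) {
            Matcher m = LDAP_CODE.matcher(secondaryMessage);
            if (m.find()) {
                String text = BY_LDAP_CODE.get(Integer.valueOf(m.group(1)));
                if (text != null) return text;
            }
        }
        if (errorCode == null) return GENERIC;
        String text = BY_OAM_CODE.get(errorCode.trim());
        return text != null ? text : GENERIC;
    }

    // In login.jsp the arguments would be request.getParameter(GenericConstants.ERROR_CODE)
    // and request.getParameter(GenericConstants.SECONDARY_ERROR_MESSAGE).
    public static void main(String[] args) {
        // Constructed sample values in the format quoted in the thread.
        String sec = "javax.naming.AuthenticationException: "
                   + "[LDAP: error code 49 - Invalid Credentials]";
        System.out.println(resolve("OAM-2", sec));                 // LDAP 49 wording
        System.out.println(resolve("OAM-5", null));                // locked-account wording
        System.out.println(resolve("<b>unexpected</b>", "LDAP: error code 999")); // generic
    }
}
```

Unknown codes and malformed parameters fall through to the generic message, so a hand-edited URL cannot inject markup or raw directory errors into the login page.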
                    • 7. Re: OAM 11g Custom error code handling during login
                      Presto
                      Does anyone have any new information?

                      I don't see any references to PLUGIN_CLIENT_RESPONSE, etc. in the documentation. Where do you see those? Does the OOTB LDAP plugin support them? Thanks.
                      • 8. Re: OAM 11g Custom error code handling during login
                        776607
                        The default authentication plugin does not support PLUGIN_CLIENT_RESPONSE and PLUGIN_CLIENT_RESPONSE. These have to be handled in the custom authentication plugin itself.

                        Thanks
                        Nagendra
                        • 9. Re: OAM 11g Custom error code handling during login
                          Presto
                          Ah I see - so is it reasonable to think that one could write a custom plugin to return errors other than OAM-2, OAM-5, etc to the custom login page?
                          • 10. Re: OAM 11g Custom error code handling during login
                            776607
                            Hi,

                            One needs to have the OAM server error mode set to INTERNAL, and in the login page you can get the SecondaryErrorMessage by String secondaryErrMessage = request.getParameter(GenericConstants.SECONDARY_ERROR_MESSAGE);

                            and can print the same.

                            Thanks,
                            Nagendra
                            • 11. Re: OAM 11g Custom error code handling during login
                              Presto
                              I'm not sure I understand - I can retrieve the parameter GenericConstants.SECONDARY_ERROR_MESSAGE from my custom login page?
                              • 12. Re: OAM 11g Custom error code handling during login
                                Purva Kulkarni-Kale
                                Hello,

                                The error page can be customized either through a plugin or using error pages.
                                One can set the failure and success URLs in authorization as well as authentication policies in OAM 11g.

                                We have done the same on OAM 11.1.1.5 R1


                                Thanks,
                                Purva
                                • 13. Re: OAM 11g Custom error code handling during login
                                  Presto
                                  Can you provide any more details please?

                                  Specifically, how you did this with a plugin, do you have example code? Also, I thought the failure url is only used after the max login attempts was reached - for example after 5 failed authn attempts, go to failure url. Is that right or wrong?


                                  Thanks.

                                  Edited by: Presto on Apr 13, 2012 9:50 AM
                                  • 14. Re: OAM 11g Custom error code handling during login
                                    Purva Kulkarni-Kale
                                    Hello,


                                    I just returned failure from my plugin

                                    I created an html page containing my error message and deployed it in my tomcat

                                    provided this url in -

                                    Policy configuration->My_domain->authorization policy->failure url

                                    and it worked

                                    Thanks