I am facing a login/logout related issue in a J2EE web application secured with OpenAM for single sign-on. I have integrated OpenAM with my J2EE web application. I have used OpenAM 12.0.0 and the tomcat_v6-7-Agent-3.3.0 agent; Tomcat's version is 7.0.53.
Everything works properly except in one case. There is no issue with a typical login and logout with OpenAM. After logging out, clicking "Return to Login page" redirects me to OpenAM's login page for my application. After giving the correct user ID and password, it should take me to the homepage of my application, but a blank page appears indicating a 403 Forbidden error.
It works properly when I log out, open another tab and try to log in, instead of clicking the "Return to login page" link that appears after logout.
I guess the problem is related to the "Return to login page" link, which might be configured in OpenAM by default. So I want to know how I can define or change OpenAM's "Return to Login page".
If a user clicks the logout button in my application, it goes directly to OpenAM's logout endpoint "/openam/UI/logout". I have also cleared the corresponding cookies before redirecting to the logout URL.
After the second login (via the 'return to login page' link) it shows a 403 error. But after that, if I open a new tab and then try to access the page (the page which should appear after login), it works fine. That means the login process has completed successfully and the user has been authorized when I tried to log in.
By the way, I have checked my policy and its pattern matches the URL. In "Specify Resource" in the policy configuration in the OpenAM console, I have added
http://myapp.kpp.com:8080/deploymentDescriptor/*
as well as
http://myapp.kpp.com:8080/deploymentDescriptor*?*
But I can't find the reason for the 403 error after the 2nd login (login -> logout -> return to login page -> login). Thanks in advance.
How do you log out from your application? Do you go directly to OpenAM's logout endpoint (i.e. "/openam/XUI/#logout/")? What's the URL that's resulting in the 403 Forbidden error?
If your Tomcat agent is in policy mode (ALL, J2EE_POLICY, or URL_POLICY), make sure that users are authorized to access the landing page (the page where you're getting redirected after logging out). In other words, make sure you have a policy in place whose pattern matches that URL.
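As an added example (not code from the question or the answer above, and not part of OpenAM or the agent), here is a small Python checker that applies OpenAM's URL resource wildcard rules to the two patterns quoted in the question. The wildcard semantics are an assumption taken from the OpenAM policy documentation: `*` matches any characters except `?`, and `-*-` matches any characters except `/` and `?`, so a pattern without a `?` never covers a URL that carries a query string. The sample landing URLs are constructed for the demonstration; the `audit` function reports which pattern (if any) covers each URL, which is the check the answer recommends.

```python
import re

# Wildcard semantics, assumed here from the OpenAM policy documentation
# (an assumption for this example, not the agent's actual matching code):
#   *    matches zero or more characters, but never '?'
#   -*-  matches zero or more characters, but never '/' or '?'
# A literal '?' in the pattern must be present in the URL, so a pattern
# without '?' never matches a URL carrying a query string.
_WILDCARDS = {"*": r"[^?]*", "-*-": r"[^/?]*"}


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate one OpenAM URL resource pattern into an anchored regex."""
    pieces = []
    # Split on the wildcards while keeping them, so literal text can be escaped.
    for part in re.split(r"(-\*-|\*)", pattern):
        if part in _WILDCARDS:
            pieces.append(_WILDCARDS[part])
        elif part:
            pieces.append(re.escape(part))
    return re.compile("".join(pieces))


def url_matches(pattern: str, url: str) -> bool:
    """True if the whole URL is covered by the resource pattern."""
    return pattern_to_regex(pattern).fullmatch(url) is not None


def first_matching_pattern(url: str, patterns: list) -> "str | None":
    """Return the first policy resource pattern that covers `url`, or None."""
    for pattern in patterns:
        if url_matches(pattern, url):
            return pattern
    return None


# The two resource patterns quoted in the question.
POLICY_RESOURCES = [
    "http://myapp.kpp.com:8080/deploymentDescriptor/*",
    "http://myapp.kpp.com:8080/deploymentDescriptor*?*",
]

# Constructed sample landing URLs (not taken from the question).
SAMPLE_URLS = [
    "http://myapp.kpp.com:8080/deploymentDescriptor/",
    "http://myapp.kpp.com:8080/deploymentDescriptor/home.jsp",
    "http://myapp.kpp.com:8080/deploymentDescriptor/home.jsp?goto=home",
    "http://myapp.kpp.com:8080/otherApp/home.jsp",
]


def audit(urls=SAMPLE_URLS, patterns=POLICY_RESOURCES) -> dict:
    """Map each URL to its covering pattern; None means a policy gap (403)."""
    return {url: first_matching_pattern(url, patterns) for url in urls}


if __name__ == "__main__":
    for url, pattern in audit().items():
        status = "covered by " + pattern if pattern else "NOT COVERED (expect 403)"
        print(f"{url}\n    {status}")
```

Run it against the exact URL on which the agent returns 403 (copy it from the browser's address bar, query string included): if `audit` reports it as not covered, the fix is a resource pattern in the policy, not the login flow itself.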