Client in Cluster with Load-Balanced WebGates

Configuring Single Sign-On Using Oracle Access Manager 10g

WebGates have default cache directives, Pragma=no-cache and CacheControl=no-cache, that might cause a problem with Internet Explorer v7 when a URL to an .xls workbook is pasted directly into the browser's address bar.

Solution

If the message appears when the URL to the workbook is explicitly pasted into the Internet Explorer v7 address bar, Oracle recommends removing the cache directives from the respective WebGate configuration pages in the Access System Console.

To remove cache directives from respective WebGate configurations

1. From the Access System Console, click the Access System Configuration tab.
2. Click AccessGate Configuration, click Go on the search page, and then click the link to the desired AccessGate configuration page.
3. On the Details for AccessGate page, click Modify.
4. On the Modify AccessGate page, locate the Web Server Client label and clear the following fields:
   ■ CachePragmaHeader
   ■ CacheControlHeader
5. Click Save.

16.8.18 About Protected_JSessionId_Policy

OAM policies are evaluated based on the URIs passed to OAM. With earlier releases, there was no policy for protecting ;jsessionid. When an application resource URL was accessed and the JSESSIONID cookie was not found, WebLogic Server rewrote the URL to include the JSESSIONID as part of the URL. If the URL in question was protected, Oracle Access Manager and OSSO Web agents could have issues matching the rewritten URL.

In this release, a new policy is available that uses the pattern ;jsessionid= for all URIs under the context-root. Therefore, any URI under the context-root with ;jsessionid=string appended to it is considered protected.

The context-root itself must be listed as a resource. The URL pattern is ;jsessionid=. The Default authentication rule is a protected authenticating scheme. The Default authorization expression is also used. When ordering policies, this policy must be first.

Suppose you have one protected resource named testprotectedUri and a public resource named test. When you create a public policy with the pattern ;jsessionid= and apply this policy to both of the above resources, the public policy should have precedence over the public resource.

■ When test;jsessionid=blah is requested, OAM first checks for a default rule for test;jsessionid=blah. Without such a rule, OAM then checks for a rule for . Without this rule, the URI test;jsessionid=blah is considered to be unprotected.
■ When testprotectedUri;jsessionid=blah is requested, OAM checks for a default rule to protect this. Without such a rule, OAM then checks for a rule for test. With test in the Resources list, OAM further determines which policy to apply. In this case, the jsessionid policy is applied and the request is deemed to be protected.
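
The following added example (not Oracle's code and not taken from the original guide) models why the ;jsessionid= policy is needed and why it must be ordered first. It assumes a simplified first-match evaluator with glob patterns, a hypothetical context-root /myapp, and a constructed broad public pattern /myapp/test*; OAM's real policy engine is not reproduced here.

```python
"""Simplified first-match policy model; an illustration, not OAM's engine."""
from fnmatch import fnmatchcase

ROOT = "/myapp"  # hypothetical context-root

# (policy name, URL pattern, protected?) -- all three entries are constructed.
JSESSIONID = ("Protected_JSessionId_Policy", ROOT + "/*;jsessionid=*", True)
PROTECTED = ("protected", ROOT + "/testprotectedUri", True)
PUBLIC = ("public", ROOT + "/test*", False)  # assumed broad public pattern

EARLIER_RELEASE = [PROTECTED, PUBLIC]           # no ;jsessionid= policy
POLICY_FIRST = [JSESSIONID, PROTECTED, PUBLIC]  # ordering the page requires
POLICY_LAST = [PROTECTED, PUBLIC, JSESSIONID]   # misordered policy list


def evaluate(policies, uri):
    """Return (policy name, protected?) for the first policy whose pattern
    matches. A URI that matches no policy is treated as unprotected."""
    for name, pattern, protected in policies:
        if fnmatchcase(uri, pattern):
            return name, protected
    return None, False


def rewritten(uri, session_id="blah"):
    """The URL as rewritten when no JSESSIONID cookie accompanied the request."""
    return f"{uri};jsessionid={session_id}"


def coverage_gaps(policies, uris):
    """URIs that are protected as written but not in their rewritten form."""
    return [u for u in uris
            if evaluate(policies, u)[1]
            and not evaluate(policies, rewritten(u))[1]]


if __name__ == "__main__":
    uris = [ROOT + "/testprotectedUri"]
    for label, policies in (("earlier release", EARLIER_RELEASE),
                            ("policy first", POLICY_FIRST),
                            ("policy last", POLICY_LAST)):
        print(label, "->", evaluate(policies, rewritten(uris[0])),
              "gaps:", coverage_gaps(policies, uris))
```

Running coverage_gaps over the list of protected URIs after any policy change shows whether a rewritten URL can still fall through to a public or missing rule.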