by Firdaus Fraz
Session timeout configuration for Oracle Identity Manager 11gR2PS1 using an Oracle WebLogic deployment plan
Oracle Identity Manager
Session timeout, as its name implies, is the period of time after which the session object of a web application expires. The timeout period can be a fixed period (hard timeout) or an inactivity period (soft timeout) during which the user does not refresh or request a page. Once the session has reached the timeout, the user is required to re-authenticate to access the web application. Hard session timeout is a defined timeout period of the session ID irrespective of user activity; if the application has a hard session timeout of, say, nine hours, the user will be asked to re-authenticate after nine hours even if the session was used actively.
Hard and soft session timeout configuration is a security control that limits how long a stolen or fixed session identifier remains usable, protecting the user session from attacks such as cross-site request forgery (CSRF), session fixation, etc.
There are a few ways to configure hard and soft session timeout for applications. Here, we will discuss primarily the soft (inactivity) session timeout configuration for Oracle Identity Manager (OIM) version 11gR2PS1.
If an application is protected by an Access Management solution, the application session timeout must be configured through the Access Management tier.
For a standalone application (not using single sign-on), the inactivity session timeout can be configured through the application deployment descriptor files, web.xml or weblogic.xml (if the application is deployed in WebLogic Application Server), or it can be configured using a WebLogic deployment plan.
This article discusses the session timeout configuration for OIM web applications using a WebLogic deployment plan.
OIM version 11gR2 PS1's session timeout configuration is defined in the web.xml files of its self-service and system admin web application.
You can change the session timeout by directly editing the web.xml file in both the self-service application archive (oracle.iam.console.identity.self-service.ear) and the sys admin application archive (oracle.iam.console.identity.sysadmin.ear) and then redeploying the applications.
However, since this approach requires manipulating the application archives, it is not recommended. Instead, we must perform the session timeout configuration using a WebLogic deployment plan.
The web.xml is available at the following path (and at a similar path for the sysadmin.ear):
The session timeout configuration is as below. The value "15" is the number of minutes. The default value in sysadmin.ear is 35 minutes.

    <session-config>
        <session-timeout>15</session-timeout>
    </session-config>
The session timeout for a J2EE application can be configured in its deployment descriptor files, web.xml or weblogic.xml. The configuration done in web.xml takes precedence over weblogic.xml.
WebLogic lets you define environment-dependent parameters in a deployment plan XML file, so you do not need to change the application archives when parameter values vary between the development, test and production environments. You need only maintain a different deployment plan XML for each execution environment.
The configurations defined in the deployment descriptor files of the application archives can be overridden via a WebLogic deployment plan.
The WebLogic deployment plan can be generated using the WebLogic tool weblogic.PlanGenerator or via the WebLogic Administration Console.
The configurations that you want to administer via the WebLogic deployment plan must be defined as variables in the deployment plan XML file. The variables can then be configured through the WebLogic Administration Console.
The variable name for session timeout in web.xml is session-timeout (defined in minutes), and the variable name in weblogic.xml is timeout-secs (defined in seconds).
By default, if you generate a WebLogic deployment plan to configure session timeout, it assumes that the timeout has been defined in weblogic.xml, and it overwrites the weblogic.xml configuration with the session timeout value that you provide in the WebLogic Administration Console.
However, in our case, because the OIM application defines the timeout at the J2EE application level (i.e., in its web.xml files), we will customize the WebLogic deployment plan (Plan.xml) to override the web.xml configuration. Since the configuration in web.xml is in minutes, the session timeout value that you provide through the WebLogic Administration Console will be interpreted in minutes when you use this custom deployment plan.
The following steps guide you through the process of generating a WebLogic deployment plan (Plan.xml) that includes the session timeout variable configuration and of customizing the Plan.xml to override the session timeout configuration available in OIM application web.xml files.
The WebLogic deployment plan xml can be stored anywhere on the file system on the WebLogic installation machine.
Note: This is a custom solution and OIM patches/upgrades may overwrite the changes.
    <module-descriptor external="false">
        <root-element>web-app</root-element>
        <uri>WEB-INF/web.xml</uri>
        <variable-assignment>
            <name>SessionDescriptor_timeoutSecs_13732841600120</name>
            <xpath>/web-app/session-config/session-timeout</xpath>
            <operation>replace</operation>
        </variable-assignment>
    </module-descriptor>
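Because the generated variable name still says "timeoutSecs" while the customized xpath points at web.xml, the unit of the value is decided by the descriptor the xpath targets, not by the name. The following checker, an added example that is not part of this article or of Oracle's tooling, parses a deployment plan and reports the effective inactivity timeout in minutes, flagging a variable that is assigned but never defined, a root-element that does not match the xpath, a non-positive value (which disables the timeout), and a value above a policy ceiling. The sample plan, its .war module name and the 15-minute policy ceiling are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"p": "http://xmlns.oracle.com/weblogic/deployment-plan"}
MAX_INACTIVITY_MINUTES = 15  # assumed local policy ceiling

SECONDS_PER_UNIT = {  # the target descriptor fixes the unit of the variable value
    "/web-app/session-config/session-timeout": 60,           # web.xml: minutes
    "/weblogic-web-app/session-descriptor/timeout-secs": 1,  # weblogic.xml: seconds
}

# Constructed sample plan: module name and variable value are placeholders.
SAMPLE_PLAN = """<deployment-plan xmlns="http://xmlns.oracle.com/weblogic/deployment-plan">
 <variable-definition><variable>
  <name>SessionDescriptor_timeoutSecs_13732841600120</name><value>15</value>
 </variable></variable-definition>
 <module-override><module-name>self-service.war</module-name><module-type>war</module-type>
  <module-descriptor external="false"><root-element>web-app</root-element><uri>WEB-INF/web.xml</uri>
   <variable-assignment><name>SessionDescriptor_timeoutSecs_13732841600120</name>
    <xpath>/web-app/session-config/session-timeout</xpath><operation>replace</operation>
   </variable-assignment></module-descriptor></module-override></deployment-plan>"""


def check_session_timeout(plan_xml):
    """Return (effective inactivity timeout in minutes or None, list of findings)."""
    root = ET.fromstring(plan_xml)
    defined = {v.findtext("p:name", namespaces=NS): v.findtext("p:value", namespaces=NS)
               for v in root.iterfind(".//p:variable-definition/p:variable", NS)}
    findings, minutes = [], None
    for desc in root.iterfind(".//p:module-descriptor", NS):
        for va in desc.iterfind("p:variable-assignment", NS):
            xpath = va.findtext("p:xpath", namespaces=NS)
            name = va.findtext("p:name", namespaces=NS)
            if xpath not in SECONDS_PER_UNIT:
                continue  # not a session-timeout override
            if name not in defined:
                findings.append(f"{name}: assigned but never defined")
                continue
            # /web-app/... must live in a web-app descriptor, /weblogic-web-app/... in weblogic.xml
            if desc.findtext("p:root-element", namespaces=NS) != xpath.split("/")[1]:
                findings.append(f"{name}: root-element does not match xpath {xpath}")
            try:
                raw = int(defined[name])
            except (TypeError, ValueError):
                findings.append(f"{name}: value {defined[name]!r} is not an integer")
                continue
            if raw <= 0:  # zero or negative means the session never expires
                findings.append(f"{name}: non-positive value disables the timeout")
                continue
            minutes = raw * SECONDS_PER_UNIT[xpath] // 60
            if minutes > MAX_INACTIVITY_MINUTES:
                findings.append(f"{name}: {minutes} min exceeds policy ({MAX_INACTIVITY_MINUTES} min)")
    return minutes, findings
```

Run it against each environment's Plan.xml before deployment; a plan that leaves the value at the generator's weblogic.xml default will be reported in minutes regardless of which descriptor it targets.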
Firdaus Fraz is Principal Solutions Architect with the Oracle Fusion Middleware Identity Management A-Team. In this role she works with IDM customers and partners worldwide to provide guidance on implementation best practices, architecture, use-case design, and troubleshooting.