Skip to main content

Authorizing a Sample Java App from Oracle Entitlement Server

Create a simple authorization policy from OES and invoke authorization decision using Standard API from a Java application to allow or deny the access.


  1. Create New Application (go to Authorization management > Application > click new Application)
  2. Create New Security Module (go to System Configuration > Security Module > click New) And add Newly Created Application to it. 
  3. Create New Resource Type (go to Newly Created Application > Resource Types > Click new)
  4. Create New Resource (go to Newly Created Application > Default Policy Domain > Resources Catalog > Resources > Create New)
  5. Create New Permit Authorization Policy (go to Newly Created Application > Default Policy Domain > Application Policies > Create New)


  1. 6.      Create New Deny Authorization Policy (go to Newly Created Application > Default Policy Domain > Application Policies > Create New)



    1.     Edit the following file: OES_CLIENT_HOME/oessm/SMConfigTool/smconfig.java.controlled.prp

    oracle.security.jps.runtime.pd.client.sm_name=SM_WB_JAVA
    NOTE: same name as created using OES Admin Console
    #  Policy dustribution mode is controlled-push
    oracle.security.jps.runtime.pd.client.policyDistributionMode=controlled-push

    #  -------- Policy Distributor connectivity information - required for controlled-push distribution mode
    oracle.security.jps.runtime.pd.client.RegistrationServerHost=localhost
    oracle.security.jps.runtime.pd.client.RegistrationServerPort=7002

    Note- SSL Port of OES Server

    # >>>>>>>>>>>>OPTIONAL PARAMETERS<<<<<<<<<<<<<<<<<
    # ------------ Only for Java SM, WS SM, and RMI SM in controlled-push mode --------------------
    #  port to listen for policy distribution. Picked automatically by SM config tool if not specified
    oracle.security.jps.runtime.pd.client.DistributionServicePort=

    oracle.security.jps.runtime.pd.client.sm_type=java


    8.  Run the config.sh (OES_CLIENT_HOME/oessm/bin)
    config.sh –smConfigId <SM_NAME_AS _IN_PRP_FILE> -prpFileName
    OES_CLIENT_HOME/oessm/SMConfigTool/smconfig.java.controlled.prp



    9.      This will create a directory in OES_CLIENT_HOME /oes_sm_instances/< SM_NAME_AS _IN_PRP_FILE >

    10.      Create a sample application to validate the authorization request. Code Snippet is as follows-

    1.  public class HelloWBworld {
    2.   
    3.     public static void main(String[] args) {
    4.   
    5.        // user initiating Authorization request
    6.        Principal p = new WLSUserImpl("weblogic_wc");
    7.                System.out.println("HelloWBworld :: principal :: "+p);
    8.        Subject user = new Subject();
    9.        System.out.println("HelloWBworld :: Subject :: "+user);
    10.  
    11.       user.getPrincipals().add(p);
    12.               System.out.println("HelloWBworld :: Subject after add :: "+user);
    13.  
    14.       // Resource being accessed AppName/ResourceType/ResouceName
    15.       String resourceString = "HelloWBWorld/MyWBResourceType/MyWBResource";
    16. System.out.println("HelloWBworld :: resourceString :: "+resourceString);
    17.  
    18.       // Action initiated by the user
    19.       String action = "write";
    20. System.out.println("HelloWBworld :: action :: "+action);
    21.       // Environmental/Context attributes
    22.  
    23.       while (true)
    24.       {
    25.                 System.out.println("HelloWBworld :: while start ");
    26.          try {
    27.             // get Authorization response from OES
    28.             PepResponse response =
    29.                 PepRequestFactoryImpl.getPepRequestFactory()
    30.                         .newPepRequest(
    31.                                 user,
    32.                                 action,
    33.                                 resourceString,
    34.                                 null).decide();
    35.  
    36.             System.out.println("Request: {" + user + " " + action + " " + resourceString
    37.                      + "} \nResult: " + response.allowed());
    38.  
    39. //         } catch (PepException e) {
    40.          } catch (PepException e) {
    41.  
    42.             System.out.println("***** Caught exception: "
    43.                                 + e.getMessage());
    44.             e.printStackTrace();
    45.             System.exit(1);
    46.          }
    47.       }
    48.    };
    49. };
    11.      Run the program to check that it is authorizing the user initiating the resource request.




Comments

Post a Comment

Popular posts from this blog

Developing Prepopulate Adapter with OIM 11g R2

1.      Prepopulate Adapter in OIM uses the plugin point oracle.iam.request.plugins.PrePopulationAdapte r. 2.      Write the Java code which returns the value which has to be populated on the form. 3.      This code will implement the plugin point oracle.iam.request.plugins.PrePopulationAdapte r. Code Snippet: - package com.oracle.oim.utility.eventhandler; import java.io.Serializable; import java.util.Iterator; import java.util.List; import java.util.logging.Logger; import oracle.iam.identity.exception.NoSuchUserException; import oracle.iam.identity.exception.UserLookupException; import oracle.iam.identity.usermgmt.api.UserManager; import oracle.iam.identity.usermgmt.vo.User; import oracle.iam.platform.Platform; import oracle.iam.platform.authz.exception.AccessDeniedException; import oracle.iam.request.exception.RequestServiceException; import oracle.iam.request.vo.Beneficiary; import oracle.iam.request.vo.RequestData; public c
5 comments
Read more

OIM Tuning

Application Module tuning is a critical setting which will affect the UI performance. Following are the recommended application module settings for OIM and these are already set out-of-box (OOB) in later releases of OIM 11g R2. Ensure that these settings are implemented as recommended in your environment. -Djbo.ampool.doampooling=true -Djbo.ampool.minavailablesize=1 -Djbo.ampool.maxavailablesize=120 -Djbo.recyclethreshold=60 - Djbo.ampool.timetolive=-1 -Djbo.load.components.lazily=true - Djbo.doconnectionpooling=true -Djbo.txn.disconnect_level=1 - Djbo.connectfailover=false -Djbo.max.cursors=5 - Doracle.jdbc.implicitStatementCacheSize=5 - Doracle.jdbc.maxCachedBufferSize=19 open DOMAIN_HOME/bin/setDomainEnv.sh file for the WebLogic Server instance.find these lines: JAVA_OPTIONS="${JAVA_OPTIONS}" export JAVA_OPTIONS and change it to: JAVA_OPTIONS="-Djbo.ampool.doampooling=true -Djbo.ampool.minavailablesize=1 -Djbo.ampool.maxavailablesize=120 -D
Post a Comment
Read more

What is Application Instance

Application instance is a provisionable entity. It is a combination of IT resource instance (target connectivity and connector configuration) and resource object (provisioning mechanism) . Creating and managing application instances are performed by using the Oracle Identity System Administration. Once Created Application Instance can be requested from the catalog. Application instances can be connected or disconnected.  Connected application  instance -It has a connector defined for the provisioning of entities. Account is created in the target system real time in case of connected Application Instance. Disconnected  application instance - It is used for the provisioning of a disconnected resource, for which  a connector is not defined, and therefore, the provisioning is performed manually by the administrator. A mail trigger system can also be attached which sends the account creation/modification/deletion mails to the application owner.
Post a Comment
Read more