Come hear about our vision of Service oriented security and how OPSS is being used at Oracle. Looks like my session is one of the last sessions of this years OOW, so if you still hanging out, stop by Thursday 23th, 3:30 pm at Hotel Nikko Ballroom III
See more security sessions at this link.
Tuesday, September 21, 2010
Monday, April 26, 2010
Security Vs Identity Services
Often I hear these terms used interchangeably. I see them differently. Security services provide the basic building blocks like crypto, hashing etc. Identity Services provide stuff like Enterprise SSO, Audit, Authorization etc. While in Java language there is an admirable collection of APIs/libraries for Security, identity services don't have much.
What do you think? Do you make this distinction?
What do you think? Do you make this distinction?
Monday, March 22, 2010
OPSS podcast - Service Oriented Security
While I give you many tips and tricks on this blog, hear Rohit Gupta's podcast to learn the vision behind OPSS.
Wednesday, March 17, 2010
OPSS Scripts for Programmatic Policy Mgmt.
In the last post I gave example of WLST command necessary to grant code source permission to an application that will allow the application to use OPSS policy management API to modify the policy.
Here are more details.
I am using JDev build Build JDEVADF_11.1.1.2.0_GENERIC_091029.2229.5536.
The JDev is installed at the default location on my windows machine. Ran wlst command at C:\Oracle\Middleware\oracle_common\common\bin>wlst.cmd
In the WLST shell type
grantPermission(codeBaseURL="file:///C:/Documents and Settings/vishukla/Application Data/JDeveloper/system11.1.1.2.36.55.36/o.j2ee/drs/PolicySource/-", permClass="oracle.security.jps.service.policystore.PolicyStoreAccessPermission", permTarget="context=APPLICATION,name=PolicySource#V2.0", permActions="*")
1. The first bold entry is the exploded path where the application is during application development.
2. The second bold entry is the application stripe which by default is applicationame+"#"+"application version". By some quirk, each application version in JDev starts its counter at 2.
3. The third bold entry is the action, in this case I have a wild card to indicate all actions on the policy. However, in any non trivial environment you should use specific actions like "alterAppRole" as specified in the API javadoc.
Here are the command line output
wls:/DefaultDomain/serverConfig> grantPermission(codeBaseURL="file:///C:/Documen
ts and Settings/vishukla/Application Data/JDeveloper/system11.1.1.2.36.55.36/o.j
2ee/drs/PolicySource/-", permClass="oracle.security.jps.service.policystore.Poli
cyStoreAccessPermission", permTarget="context=APPLICATION,name=PolicySource#V2.0
", permActions="*")
{appStripe=null, permActions=*, principalName=null, permClass=oracle.security.jp
s.service.policystore.PolicyStoreAccessPermission, principalClass=null, permTarg
et=context=APPLICATION,name=PolicySource#V2.0, codeBaseURL=file:///C:/Documents
and Settings/vishukla/Application Data/JDeveloper/system11.1.1.2.36.55.36/o.j2ee
/drs/PolicySource/-}
Here are more details.
I am using JDev build Build JDEVADF_11.1.1.2.0_GENERIC_091029.2229.5536.
The JDev is installed at the default location on my windows machine. Ran wlst command at C:\Oracle\Middleware\oracle_common\common\bin>wlst.cmd
In the WLST shell type
grantPermission(codeBaseURL="file:///C:/Documents and Settings/vishukla/Application Data/JDeveloper/system11.1.1.2.36.55.36/o.j2ee/drs/PolicySource/-", permClass="oracle.security.jps.service.policystore.PolicyStoreAccessPermission", permTarget="context=APPLICATION,name=PolicySource#V2.0", permActions="*")
1. The first bold entry is the exploded path where the application is during application development.
2. The second bold entry is the application stripe which by default is applicationame+"#"+"application version". By some quirk, each application version in JDev starts its counter at 2.
3. The third bold entry is the action, in this case I have a wild card to indicate all actions on the policy. However, in any non trivial environment you should use specific actions like "alterAppRole" as specified in the API javadoc.
Here are the command line output
wls:/DefaultDomain/serverConfig> grantPermission(codeBaseURL="file:///C:/Documen
ts and Settings/vishukla/Application Data/JDeveloper/system11.1.1.2.36.55.36/o.j
2ee/drs/PolicySource/-", permClass="oracle.security.jps.service.policystore.Poli
cyStoreAccessPermission", permTarget="context=APPLICATION,name=PolicySource#V2.0
", permActions="*")
{appStripe=null, permActions=*, principalName=null, permClass=oracle.security.jp
s.service.policystore.PolicyStoreAccessPermission, principalClass=null, permTarg
et=context=APPLICATION,name=PolicySource#V2.0, codeBaseURL=file:///C:/Documents
and Settings/vishukla/Application Data/JDeveloper/system11.1.1.2.36.55.36/o.j2ee
/drs/PolicySource/-}
Monday, March 8, 2010
Programmatic Authorization Policy Mangament with OPSS
In the simplistic cases, often the authorization policy management is done using the provided tooling. OPSS provided tooling in the form of EM(GUI) and WLST (script) to manage policy.
For more advanced needs, OPSS also provides API for programmatic policy management.The Policy API is protected by codesource permission. Hence applications using the API will need to have the required permission. See the example 18.3.4.2 in FMW Security guide on the code necessary to use the API. What the example assumes is that proper policy access permission is granted before hand. I.e the application code running the example has PolicyStoreAccessPermission( "context=APPLICATION,name=applicationStripe" , "grant")
Here is the example of OPSS WLST command that needs to be run to grant the requirement Permission. Replace all bold entries with values appropriate for your environment. The first entry is the path to the application jar that is making the programmatic API call, the second bold entry is the application stripe.
grantPermission -codeBaseURL "file:/scratch/foo/abc.jar" -permClass oracle.security.jps.service.policystore.PolicyStoreAccessPermission -permTarget "context=APPLICATION,name=myAppName" -permActions "grant"
See this link for details on running FMW WLST commands.
There are two basic ways an application can use the example 18.3.4.2. One is to modify the application policy for itself, the other is to modify the application policy for another application.
The later might be the case when you have authorization management of the application structured as another application. In the second case, the code source for the second application needs to be granted the PolicyStoreAccess permission.
For more advanced needs, OPSS also provides API for programmatic policy management.The Policy API is protected by codesource permission. Hence applications using the API will need to have the required permission. See the example 18.3.4.2 in FMW Security guide on the code necessary to use the API. What the example assumes is that proper policy access permission is granted before hand. I.e the application code running the example has PolicyStoreAccessPermission( "context=APPLICATION,name=applicationStripe" , "grant")
Here is the example of OPSS WLST command that needs to be run to grant the requirement Permission. Replace all bold entries with values appropriate for your environment. The first entry is the path to the application jar that is making the programmatic API call, the second bold entry is the application stripe.
grantPermission -codeBaseURL "file:/scratch/foo/abc.jar" -permClass oracle.security.jps.service.policystore.PolicyStoreAccessPermission -permTarget "context=APPLICATION,name=myAppName" -permActions "grant"
See this link for details on running FMW WLST commands.
There are two basic ways an application can use the example 18.3.4.2. One is to modify the application policy for itself, the other is to modify the application policy for another application.
The later might be the case when you have authorization management of the application structured as another application. In the second case, the code source for the second application needs to be granted the PolicyStoreAccess permission.
Subscribe to:
Posts (Atom)