Monday, March 8, 2010

Programmatic Authorization Policy Mangament with OPSS

In the simplistic cases, often the authorization policy management is done using the provided tooling. OPSS provided tooling in the form of EM(GUI) and WLST (script) to manage policy.

For more advanced needs, OPSS also provides API for programmatic policy management.The Policy API is protected by codesource permission. Hence applications using the API will need to have the required permission. See the example 18.3.4.2 in FMW Security guide on the code necessary to use the API. What the example assumes is that proper policy access permission is granted before hand. I.e the application code running the example has PolicyStoreAccessPermission( "context=APPLICATION,name=applicationStripe" , "grant")

Here is the example of OPSS WLST command that needs to be run to grant the requirement Permission. Replace all bold entries with values appropriate for your environment. The first entry is the path to the application jar that is making the programmatic API call, the second bold entry is the application stripe.

grantPermission -codeBaseURL "file:/scratch/foo/abc.jar" -permClass oracle.security.jps.service.policystore.PolicyStoreAccessPermission -permTarget "context=APPLICATION,name=myAppName" -permActions "grant"

See this link for details on running FMW WLST commands.

There are two basic ways an application can use the example 18.3.4.2. One is to modify the application policy for itself, the other is to modify the application policy for another application.
The later might be the case when you have authorization management of the application structured as another application. In the second case, the code source for the second application needs to be granted the PolicyStoreAccess permission.



3 comments:

nothing said...

Hi
I try to develop an application in ADF and I need to declare Application-Role, Permission, Principal programmatically and store them in policy store.
I found an example in chapter 19 of E10043-12 but it just creates Application-Role!! . I need know how can I detect my TaskFlow, PageDefination and other resources of my application at RunTime to protect them after deployment through a custom security console. In other word i try to find a way in which i store my pageDef or TaskFlow name in database or detect them programmatically in runtime and Grant Permission to my users or enterprise role for access/denied to my application pages, TaskFlow and also if possible entities and their attributes.

<a href="http://docs.oracle.com/cd/E23943_01/core.1111/e10043/intregrating.htm#BABECICC]>
chapet 19 of E10043-12
</a>

Thank you so much

nothing said...

Hi
I try to develop an application in ADF and I need to declare Application-Role, Permission, Principal programmatically and store them in policy store.
I found an example in chapter 19 of E10043-12 but it just creates Application-Role!! . I need know how can I detect my TaskFlow, PageDefination and other resources of my application at RunTime to protect them after deployment through a custom security console. In other word i try to find a way in which i store my pageDef or TaskFlow name in database or detect them programmatically in runtime and Grant Permission to my users or enterprise role for access/denied to my application pages, TaskFlow and also if possible entities and their attributes.

<a href="http://docs.oracle.com/cd/E23943_01/core.1111/e10043/intregrating.htm#BABECICC]>
chapet 19 of E10043-12
</a>

webwing said...

This is a great post...
top web design companies | affordable seo services