Monday, March 22, 2010

OPSS podcast - Service Oriented Security

While I give you many tips and tricks on this blog, listen to Rohit Gupta's podcast to learn the vision behind OPSS.

Wednesday, March 17, 2010

OPSS Scripts for Programmatic Policy Mgmt.

In the last post I gave an example of the WLST command needed to grant a code source permission to an application, which allows that application to use the OPSS policy management API to modify its policy.

Here are more details.

I am using JDev build JDEVADF_11.1.1.2.0_GENERIC_091029.2229.5536.
JDev is installed at the default location on my Windows machine. I ran the WLST command from C:\Oracle\Middleware\oracle_common\common\bin>wlst.cmd

In the WLST shell, type:
grantPermission(codeBaseURL="file:///C:/Documents and Settings/vishukla/Application Data/JDeveloper/system11.1.1.2.36.55.36/o.j2ee/drs/PolicySource/-", permClass="oracle.security.jps.service.policystore.PolicyStoreAccessPermission", permTarget="context=APPLICATION,name=PolicySource#V2.0", permActions="*")


1. The first entry (codeBaseURL) is the exploded path where the application lives during application development. The trailing "/-" covers everything under that directory.
2. The second entry (permTarget) names the application stripe, which by default is the application name + "#" + the application version. By some quirk, each application version in JDev starts its counter at 2.
3. The third entry (permActions) is the action. In this case I have a wildcard to indicate all actions on the policy; however, in any non-trivial environment you should use specific actions such as "alterAppRole" as specified in the API javadoc.

Here is the command line output:

wls:/DefaultDomain/serverConfig> grantPermission(codeBaseURL="file:///C:/Documents and Settings/vishukla/Application Data/JDeveloper/system11.1.1.2.36.55.36/o.j2ee/drs/PolicySource/-", permClass="oracle.security.jps.service.policystore.PolicyStoreAccessPermission", permTarget="context=APPLICATION,name=PolicySource#V2.0", permActions="*")
{appStripe=null, permActions=*, principalName=null, permClass=oracle.security.jps.service.policystore.PolicyStoreAccessPermission, principalClass=null, permTarget=context=APPLICATION,name=PolicySource#V2.0, codeBaseURL=file:///C:/Documents and Settings/vishukla/Application Data/JDeveloper/system11.1.1.2.36.55.36/o.j2ee/drs/PolicySource/-}

Monday, March 8, 2010

Programmatic Authorization Policy Management with OPSS

In simple cases, authorization policy management is usually done with the provided tooling. OPSS provides that tooling in the form of EM (GUI) and WLST (scripting) to manage policy.

For more advanced needs, OPSS also provides an API for programmatic policy management. The Policy API is protected by a codesource permission, so applications using the API need to have been granted that permission. See example 18.3.4.2 in the FMW Security guide for the code necessary to use the API. The example assumes that the proper policy access permission has been granted beforehand, i.e. the application code running the example holds PolicyStoreAccessPermission("context=APPLICATION,name=applicationStripe", "grant").

Here is an example of the OPSS WLST command that needs to be run to grant the required permission. Replace the entries with values appropriate for your environment: the first entry (codeBaseURL) is the path to the application jar that is making the programmatic API call, and the second (permTarget) is the application stripe.

grantPermission -codeBaseURL "file:/scratch/foo/abc.jar" -permClass oracle.security.jps.service.policystore.PolicyStoreAccessPermission -permTarget "context=APPLICATION,name=myAppName" -permActions "grant"

See this link for details on running FMW WLST commands.

There are two basic ways an application can use example 18.3.4.2. One is to modify the application policy for itself; the other is to modify the application policy for another application.
The latter might be the case when the authorization management of an application is structured as a separate application. In that second case, the code source of the managing application needs to be granted the PolicyStoreAccess permission.
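As an added example (not code from the original posts or from OPSS itself), the following helper ties together the two posts above: it builds the grantPermission() line for a PolicyStoreAccessPermission from the code source (jar or exploded directory), the application stripe (name, or name#V<version> for a JDev deployment) and a specific action list, refusing the "*" wildcard unless asked for, and parses the dictionary WLST echoes back so a script can confirm what was granted. The accepted action names are an assumption limited to the ones the posts mention; complete the set from the PolicyStoreAccessPermission javadoc.

```python
"""Least-privilege grantPermission() builder for OPSS PolicyStoreAccessPermission (added example)."""

PERM_CLASS = "oracle.security.jps.service.policystore.PolicyStoreAccessPermission"

# Assumption: only the actions named in the posts; extend from the API javadoc.
KNOWN_ACTIONS = {"grant", "alterAppRole"}


def app_stripe(app_name, version=None):
    """Stripe is the app name, or name#V<version> for a JDev-deployed app (counter starts at 2)."""
    return app_name if version is None else "%s#V%s" % (app_name, version)


def codebase_url(path, exploded=False):
    """file: URL for the code source. An exploded directory gets a trailing '/-' so the
    grant covers everything beneath it; a jar path names that jar exactly."""
    p = path.replace("\\", "/")
    if exploded:
        p = p.rstrip("/") + "/-"
    if not p.startswith("/"):          # Windows drive path such as C:/... -> file:///C:/...
        p = "/" + p
    return "file://" + p


def grant_permission_cmd(codebase, stripe, actions, allow_wildcard=False):
    """Return the grantPermission(...) line to paste into the WLST shell.
    The '*' wildcard (every policy action) is refused unless explicitly allowed."""
    acts = list(actions)
    if "*" in acts and not allow_wildcard:
        raise ValueError("refusing wildcard actions; grant specific actions such as alterAppRole")
    unknown = [a for a in acts if a != "*" and a not in KNOWN_ACTIONS]
    if unknown:
        raise ValueError("unknown PolicyStoreAccessPermission action(s): " + ", ".join(unknown))
    return ('grantPermission(codeBaseURL="%s", permClass="%s", '
            'permTarget="context=APPLICATION,name=%s", permActions="%s")'
            % (codebase, PERM_CLASS, stripe, ",".join(acts)))


def parse_grant_echo(line):
    """Parse the '{appStripe=null, permActions=*, ...}' dictionary WLST echoes after a grant.
    Items are separated by ', ' (permTarget's own comma has no space), 'null' becomes None."""
    body = line.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("not a WLST grantPermission echo line")
    out = {}
    for item in body[1:-1].split(", "):
        key, _, value = item.partition("=")
        out[key] = None if value == "null" else value
    return out


if __name__ == "__main__":
    url = codebase_url("/scratch/foo/abc.jar")
    print(grant_permission_cmd(url, app_stripe("myAppName"), ["grant"]))
```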