Sunday, March 30, 2014

OPSS APIs to access Policy Store

Scenario - The EM console of WebLogic Server gives you a capable UI for browsing and editing the policy store, but we once had to grant a set of permissions to a specific application role from code, without an administrator clicking through the console.

Solution - WebLogic ships the OPSS APIs for the policy store, and I feel they are not well documented. So here is a small utility that fetches your application's policy from the store:

package com.webcentersamples.sampleapp.samples.utils;

import java.util.HashMap;
import java.util.Map;

import oracle.security.jps.JpsContext;
import oracle.security.jps.JpsContextFactory;
import oracle.security.jps.JpsException;
import oracle.security.jps.internal.api.runtime.ServerContextFactory;
import oracle.security.jps.service.policystore.ApplicationPolicy;
import oracle.security.jps.service.policystore.PolicyStore;

public class PolicyStoreUtils {
    private static PolicyStoreUtils policyStoreUtils;
    private static PolicyStore policyStore;
    // One cached ApplicationPolicy per stripe. A single static field would hand the first
    // application's policy to every later caller, whichever stripe they asked for.
    private static final Map<String, ApplicationPolicy> applicationPolicies =
        new HashMap<String, ApplicationPolicy>();

    private PolicyStoreUtils() {
        super();
    }

    // All the work is done by the static methods; getInstance() is kept for existing callers.
    public static synchronized PolicyStoreUtils getInstance() {
        if (policyStoreUtils == null) {
            policyStoreUtils = new PolicyStoreUtils();
        }
        return policyStoreUtils;
    }

    /**@SBathala - This method uses internal classes (ServerContextFactory lives in an
     * oracle.security.jps.internal package, so it may change between releases).
     * It returns the complete policy store, in which you can look up your own application's policy.
     * @return the domain-wide policy store
     * @throws JpsException if the store cannot be reached or the calling code lacks
     *         PolicyStoreAccessPermission
     */
    public static synchronized PolicyStore getPolicyStore() throws JpsException {
        if (policyStore == null) {
            ServerContextFactory serverCtxFactory =
                (ServerContextFactory)JpsContextFactory.getContextFactory();
            // SYSTEM scope: the server-wide JPS context, not the one bound to a single application
            JpsContext jpsCtx =
                serverCtxFactory.getContext(ServerContextFactory.Scope.SYSTEM);
            policyStore = jpsCtx.getServiceInstance(PolicyStore.class);
        }
        return policyStore;
    }

    /** @SBathala - This method gets you the Application Policy of the application you want from the Policy Store.
     * @param applicationStripe -
     * It can be fetched from the EM Console.
     * Step 1 - Choose your application
     * Step 2 - Choose 'Application Policies' from the drop down in the top bar.
     * Step 3 - Note down the application stripe name shown there. Usually it has this format:
     * <Your_Application_Name>#<Deployed_Version_Number>
     * Eg : MyApp#V2.0
     * @return the application's policy, never null
     * @throws JpsException if no policy exists for that stripe, or the calling code lacks
     *         PolicyStoreAccessPermission for it
     */
    public static synchronized ApplicationPolicy getApplicationPolicy(String applicationStripe) throws JpsException {
        ApplicationPolicy applicationPolicy = applicationPolicies.get(applicationStripe);
        if (applicationPolicy == null) {
            applicationPolicy = getPolicyStore().getApplicationPolicy(applicationStripe);
            if (applicationPolicy == null) {
                throw new JpsException("No application policy found for stripe " + applicationStripe);
            }
            applicationPolicies.put(applicationStripe, applicationPolicy);
        }
        return applicationPolicy;
    }
}

Once you have the ApplicationPolicy, you can do most of what the console does: search for, add and remove application roles, and grant or revoke permissions.
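To carry the scenario through, here is an added example of granting one permission to an application role in a stripe. It is my code, not the post's utility or an Oracle sample, and it uses the public JpsContextFactory.getContextFactory().getContext() default context instead of the internal ServerContextFactory. The stripe MyApp#V2.0, the role MyAppEditorRole and the resource type, resource name and action are placeholders; the grant(Principal[], CodeSource, Permission[]) and revoke(...) signatures on ApplicationPolicy, AppRoleManager.getAppRole(String) and the JpsException(String) constructor are taken from my reading of the OPSS Javadoc, so check them against the Javadoc for your OPSS release before relying on them.

```java
package com.webcentersamples.sampleapp.samples.utils;

import java.security.Permission;
import java.security.Principal;

import oracle.security.jps.JpsContext;
import oracle.security.jps.JpsContextFactory;
import oracle.security.jps.JpsException;
import oracle.security.jps.ResourcePermission;
import oracle.security.jps.service.policystore.ApplicationPolicy;
import oracle.security.jps.service.policystore.PolicyStore;
import oracle.security.jps.service.policystore.entitymanager.AppRoleManager;
import oracle.security.jps.service.policystore.info.AppRoleEntry;

/**
 * Grants (or revokes) a single permission on an application role.
 * Added example, not part of the original post.
 */
public class GrantPermissionToRole {

    // Placeholder values (assumptions): replace with your own stripe, role and resource.
    static final String STRIPE = "MyApp#V2.0";
    static final String ROLE = "MyAppEditorRole";
    static final String RESOURCE_TYPE = "MyResourceType";
    static final String RESOURCE_NAME = "reports/quarterly";
    static final String ACTIONS = "view";

    /** Default JPS context of the running server; public API, no internal classes. */
    static ApplicationPolicy lookupApplicationPolicy(String stripe) throws JpsException {
        JpsContext ctx = JpsContextFactory.getContextFactory().getContext();
        PolicyStore ps = ctx.getServiceInstance(PolicyStore.class);
        ApplicationPolicy ap = ps.getApplicationPolicy(stripe);
        if (ap == null) {
            throw new JpsException("No application policy for stripe " + stripe);
        }
        return ap;
    }

    /** Resolves the role by name; some OPSS releases throw instead of returning null. */
    static AppRoleEntry lookupRole(ApplicationPolicy ap, String roleName) throws JpsException {
        AppRoleManager arm = ap.getAppRoleManager();
        AppRoleEntry role = arm.getAppRole(roleName);
        if (role == null) {
            throw new JpsException("Application role " + roleName + " not found");
        }
        return role;
    }

    /** Principal grant: the CodeSource argument is null because this is not a codebase grant. */
    public static void grantToRole(String stripe, String roleName, Permission perm) throws JpsException {
        ApplicationPolicy ap = lookupApplicationPolicy(stripe);
        AppRoleEntry role = lookupRole(ap, roleName);
        // Assumed signature: ApplicationPolicy.grant(Principal[], CodeSource, Permission[])
        ap.grant(new Principal[] { role }, null, new Permission[] { perm });
    }

    /** Mirror of grantToRole, so the change can be undone from the same code path. */
    public static void revokeFromRole(String stripe, String roleName, Permission perm) throws JpsException {
        ApplicationPolicy ap = lookupApplicationPolicy(stripe);
        AppRoleEntry role = lookupRole(ap, roleName);
        // Assumed signature: ApplicationPolicy.revoke(Principal[], CodeSource, Permission[])
        ap.revoke(new Principal[] { role }, null, new Permission[] { perm });
    }

    public static void main(String[] args) throws JpsException {
        // ResourcePermission(type, resource, actions) is the OPSS permission class for
        // application-defined resource types such as the ones shown in EM.
        Permission perm = new ResourcePermission(RESOURCE_TYPE, RESOURCE_NAME, ACTIONS);
        grantToRole(STRIPE, ROLE, perm);
    }
}
```

Call this only from an administrative code path: whatever can reach grantToRole can change who is allowed to do what in the application, and the code source it runs from must hold PolicyStoreAccessPermission for that stripe or the call fails with AccessControlException.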

Note - The calling code needs the following permission, otherwise the methods above throw java.security.AccessControlException. This is a Java 2 code-source permission, not something attached to the logged-in user: it is granted in jazn-data.xml (or system-jazn-data.xml) to the code source of the application that calls the API, with the application stripe in the permission name. Granting the actions as * lets that code rewrite its own authorization policy, so in production list only the actions the code actually uses; the AccessControlException message names the action being denied (for example getApplicationPolicy).

      <permission>
        <class>oracle.security.jps.service.policystore.PolicyStoreAccessPermission</class>
        <name>context=APPLICATION,name=[YOUR_APP_STRIPE_NAME]</name>
        <actions>*</actions>
      </permission>





11 comments:

  1. This is a very helpful post. But at runtime I am getting the below error. java.security.AccessControlException: access denied (oracle.security.jps.service.policystore.PolicyStoreAccessPermission Context:APPLICATION Context Name:icswebapp Actions:getApplicationPolicy)

    Is there more setup needed to get this to work? Please help

    Replies
    1. Hi Caroline, glad I could help.

      Yes the user who access it should have admin access in your application.

  2. The weblogic user I am using has all privileges in the application. Still I am getting the below errors.

    WSM-02084 : Access denied. Permission "oracle.wsm.security.PolicyManagerPermission" is required to access the wsm policy manager "UsageTracker" method "recordUsage".

    and

    java.security.AccessControlException: access denied (oracle.security.jps.service.policystore.PolicyStoreAccessPermission Context:APPLICATION Context Name:icswebapp Actions:getApplicationPolicy)

    Replies
    1. Please email me your sample application, I can take a look.

  3. sent you the sample application.

  4. I was able to fix the permission issue by modifying the jazn-data.xml file.

    Do you know how to query the app roles for a particular user like "weblogic"?

    Replies
    1. Hello Caroline

      How did you fix the permission issue exactly? I'm migrating my app to 12.1.3 and I get this error when I deploy the app in integrated WLS.

      Thank you

    2. Hi Caroline,

      Sorry for the late response, I am not sure if you have figured it out, but just to answer your question, you can get the app roles of the logged-in user from ADFContext.getCurrent().getSecurityContext().getSubject().getPrincipals();


      And if you want other users then use this, but make sure you are an admin -
      private Subject getUserSubject(String userName) throws Exception
      {
          Subject subject = new Subject();

          IdentityStore idmStore = ADAttributesUtility.getInstance().getIdentityStore();
          User user = idmStore.searchUser(userName);
          Principal userPrincipal = PrincipalFactory.getInstance().createWLSUser(user.getName(), user.getGUID(), user.getUniqueName());
          subject.getPrincipals().add(userPrincipal);

          // Query users from ID store using user/role API, for enterprise roles
          RoleManager rm = idmStore.getRoleManager();
          SearchResponse result = null;
          result = rm.getGrantedRoles(user.getPrincipal(), false);

          // Add group principals to the subject
          while (result != null && result.hasNext())
          {
              Identity role = result.next();
              Principal groupPrincipal = PrincipalFactory.getInstance().createWLSGroup(role.getName(), role.getGUID(), role.getUniqueName());
              subject.getPrincipals().add(groupPrincipal);
          }

          // The subject now contains both user and group principals.
          // In the WebLogic Server, this setting is done by a login module
          return subject;
      }

  6. Hello!

    In Webcenter Security settings there are different Permissions sets and Permissions, for example:

    Portal Server
    * Manage All
    * Manage Configuration
    * View

    Portals
    * Manage All
    * Manage Configuration
    * Manage Membership
    * Create Portals

    Portal Templates
    * Manage All
    * Create Portal Templates

    etc. How can I get a list of these permissions and permission sets through the API, and how can I manage them?

    Replies
    1. Hi, sorry for the late response. I am not sure if you have solved it; let me know if you are still stuck, I can explain.
