Scenario - Though the EM console of WebLogic Server provides a sophisticated UI to access the policy store and perform actions on it, we once had to find a way to grant a set of permissions to a specific role through code.
Solution - WebLogic provides OPSS APIs to access the policy store, which I feel are not well documented. So here is a util to get your application's policy -
package com.webcentersamples.sampleapp.samples.utils;

import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import oracle.security.jps.JpsContext;
import oracle.security.jps.JpsContextFactory;
import oracle.security.jps.JpsException;
import oracle.security.jps.internal.api.runtime.ServerContextFactory;
import oracle.security.jps.service.policystore.ApplicationPolicy;
import oracle.security.jps.service.policystore.PolicyStore;

public class PolicyStoreUtils {
    private static PolicyStoreUtils policyStoreUtils;
    private static PolicyStore policyStore;
    // One cached ApplicationPolicy per stripe. A single static field, as originally
    // written, would hand back the first stripe's policy on every later call made
    // with a different stripe.
    private static final Map<String, ApplicationPolicy> applicationPolicies =
        new ConcurrentHashMap<String, ApplicationPolicy>();

    private PolicyStoreUtils() {
        super();
    }

    public static synchronized PolicyStoreUtils getInstance() {
        if (policyStoreUtils == null) {
            policyStoreUtils = new PolicyStoreUtils();
        }
        return policyStoreUtils;
    }

    /**
     * @SBathala - This method uses internal classes (ServerContextFactory lives in an
     * oracle.security.jps.internal package, so it may change between releases).
     * It returns the complete policy store, in which you can look up your own
     * application's policy.
     * @return the server-scoped PolicyStore
     * @throws JpsException if the policy store service cannot be obtained
     */
    public static synchronized PolicyStore getPolicyStore() throws JpsException {
        if (policyStore == null) {
            ServerContextFactory serverCtxFactory =
                (ServerContextFactory) JpsContextFactory.getContextFactory();
            JpsContext jpsCtx =
                serverCtxFactory.getContext(ServerContextFactory.Scope.SYSTEM);
            policyStore = jpsCtx.getServiceInstance(PolicyStore.class);
        }
        return policyStore;
    }

    /**
     * @SBathala - This method gets you the ApplicationPolicy of the application you want
     * from the policy store.
     * @param applicationStripe - can be read off the EM Console:
     *   Step 1 - Choose your application.
     *   Step 2 - Choose 'Application Policies' from the drop-down in the top bar.
     *   Step 3 - Note down the application stripe name shown there. Usually it has the format
     *            <Your_Application_Name>#<Deployed_Version_Number>
     *            Eg : MyApp#V2.0
     * @return the ApplicationPolicy for that stripe
     * @throws JpsException if the stripe cannot be read from the policy store
     */
    public static synchronized ApplicationPolicy getApplicationPolicy(String applicationStripe)
            throws JpsException {
        ApplicationPolicy applicationPolicy = applicationPolicies.get(applicationStripe);
        if (applicationPolicy == null) {
            applicationPolicy = getPolicyStore().getApplicationPolicy(applicationStripe);
            applicationPolicies.put(applicationStripe, applicationPolicy);
        }
        return applicationPolicy;
    }
}
Once you have the ApplicationPolicy, you can perform a whole range of operations on it, such as searching, adding and removing application roles, and granting and revoking permissions.
Note - The user needs the following permission in JAZN (jazn-data.xml) to access the policy store; otherwise the methods above throw exceptions. An actions value of * allows every policy-store action on that stripe, so in production restrict it to the actions your code actually calls (the error in the comments below names getApplicationPolicy).
<permission>
    <class>oracle.security.jps.service.policystore.PolicyStoreAccessPermission</class>
    <name>context=APPLICATION,name=[YOUR_APP_STRIPE_NAME]</name>
    <actions>*</actions>
</permission>
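The post stops at obtaining the ApplicationPolicy; the following is an added example (not code from the original post) of the grant step the Scenario asks for, reusing PolicyStoreUtils from above and checking PolicyStoreAccessPermission up front so that the AccessControlException reported in the comments surfaces before any policy-store call. The OPSS signatures listed in its class comment are assumptions to verify against the javadoc of your release.

```java
import java.security.AccessController;
import java.util.ArrayList;
import java.util.List;
import oracle.security.jps.JpsException;
import oracle.security.jps.service.policystore.ApplicationPolicy;
import oracle.security.jps.service.policystore.PolicyStoreAccessPermission;
import oracle.security.jps.service.policystore.entitymanager.AppRoleManager;
import oracle.security.jps.service.policystore.info.AppRoleEntry;
import oracle.security.jps.service.policystore.info.PermissionEntry;
import oracle.security.jps.service.policystore.info.PrincipalEntry;

/**
 * Added example, not from the original post: grants a set of permissions to one
 * application role of a stripe, via the PolicyStoreUtils class above.
 * ASSUMED from the OPSS javadoc (verify for your release): the PolicyStoreAccessPermission
 * constructor and its PolicyStoreContext enum, AppRoleManager.getAppRole, the
 * PermissionEntry(permClass, target, actions) constructor and
 * ApplicationPolicy.grant(PrincipalEntry[], PermissionEntry[]).
 */
public class RolePermissionGranter {
    /**
     * @param perms each entry is {permission class, target/name, actions}, the same
     *              three parts a permission element carries in jazn-data.xml
     */
    public static void grantToRole(String stripe, String roleName, String[][] perms)
            throws JpsException {
        // Fail early with the permission OPSS itself checks (the one named in the
        // AccessControlException in the comments), so a missing JAZN grant is reported
        // before the first policy-store call instead of half way through the batch.
        AccessController.checkPermission(new PolicyStoreAccessPermission(
                PolicyStoreAccessPermission.PolicyStoreContext.APPLICATION, stripe,
                "getApplicationPolicy"));
        ApplicationPolicy ap = PolicyStoreUtils.getApplicationPolicy(stripe);
        AppRoleManager roles = ap.getAppRoleManager();
        // Look the role up rather than create it: a typo in roleName must not silently
        // produce a new, empty role that then receives the permissions.
        AppRoleEntry role = roles.getAppRole(roleName);
        if (role == null) {
            throw new IllegalArgumentException(
                    "No application role '" + roleName + "' in stripe '" + stripe + "'");
        }
        List<PermissionEntry> entries = new ArrayList<PermissionEntry>();
        for (String[] p : perms) {
            entries.add(new PermissionEntry(p[0], p[1], p[2]));
        }
        // AppRoleEntry is itself a PrincipalEntry, so the role is the grantee directly.
        ap.grant(new PrincipalEntry[] { role }, entries.toArray(new PermissionEntry[0]));
    }
}
```

Call it with the stripe name from EM (e.g. MyApp#V2.0), the role name and the class/name/actions triples you would otherwise type into jazn-data.xml.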
This is a very helpful post. But at runtime I am getting the below error.
java.security.AccessControlException: access denied (oracle.security.jps.service.policystore.PolicyStoreAccessPermission Context:APPLICATION Context Name:icswebapp Actions:getApplicationPolicy)
Is there more setup needed to get this to work? Please help
Hi Caroline, glad I could help.
Yes, the user who accesses it should have admin access in your application.
The weblogic user I am using has all privileges in the application. Still I am getting the below errors.
WSM-02084 : Access denied. Permission "oracle.wsm.security.PolicyManagerPermission" is required to access the wsm policy manager "UsageTracker" method "recordUsage".
and
java.security.AccessControlException: access denied (oracle.security.jps.service.policystore.PolicyStoreAccessPermission Context:APPLICATION Context Name:icswebapp Actions:getApplicationPolicy)
Please email me your sample application, I can take a look.
Sent you the sample application.
I was able to fix the permission issue by modifying the jazn-data.xml file.
Do you know how to query the approles for a particular user like "weblogic"?
Hello Caroline,
How did you fix the permission issue exactly? I'm migrating my app to 12.1.3 and I get this error when I deploy the app in integrated WLS.
Thank you
Hi Caroline,
Sorry for the late response, I am not sure if you have figured it out, but just to answer your question: you can get the approles of the logged-in user from ADFContext.getCurrent().getSecurityContext().getSubject().getPrincipals();
and if you want other users then use this, but make sure you are an admin -
import java.security.Principal;
import javax.security.auth.Subject;
import oracle.security.idm.Identity;
import oracle.security.idm.IdentityStore;
import oracle.security.idm.RoleManager;
import oracle.security.idm.SearchResponse;
import oracle.security.idm.User;
// Assumed to be the WebLogic factory whose createWLSUser/createWLSGroup are called below.
import weblogic.security.principal.PrincipalFactory;

// Builds a Subject carrying the user principal plus one group principal per granted
// enterprise role, so it can be handed to the same checks a logged-in Subject would pass.
// ADAttributesUtility is the author's own helper that returns the configured IdentityStore.
private Subject getUserSubject(String userName) throws Exception {
    Subject subject = new Subject();
    IdentityStore idmStore = ADAttributesUtility.getInstance().getIdentityStore();
    User user = idmStore.searchUser(userName);
    Principal userPrincipal = PrincipalFactory.getInstance()
        .createWLSUser(user.getName(), user.getGUID(), user.getUniqueName());
    subject.getPrincipals().add(userPrincipal);
    // Query the ID store through the User/Role API for the user's enterprise roles
    // (false: not limited to directly granted roles).
    RoleManager rm = idmStore.getRoleManager();
    SearchResponse result = rm.getGrantedRoles(user.getPrincipal(), false);
    // Add one group principal per granted role to the subject
    while (result != null && result.hasNext()) {
        Identity role = result.next();
        Principal groupPrincipal = PrincipalFactory.getInstance()
            .createWLSGroup(role.getName(), role.getGUID(), role.getUniqueName());
        subject.getPrincipals().add(groupPrincipal);
    }
    // The subject now contains both user and group principals.
    // In WebLogic Server this is normally done by a login module.
    return subject;
}
Hello!
In the WebCenter Security settings there are different Permission sets and Permissions, for example:
Portal Server
* Manage All
* Manage Configuration
* View
Portals
* Manage All
* Manage Configuration
* Manage Membership
* Create Portals
Portal Templates
* Manage All
* Create Portal Templates
etc. How can I get the list of these permissions and permission sets through the API, and how can I manage them?
Hi, sorry for the late response. I am not sure if you have solved it; let me know if you are still stuck, I can explain..