Ramandeep Singh Nanda
Published

Fri 23 May 2014

←Home

ADF dynamically managing application policies

Recently a user contacted me with the requirement that he needed to assign enterprise groups to application roles dynamically. Normally, people can manage this through enterprise manager, but there might have been a specific requirement for that user.  I have already written various posts on ADF security which cover utility methods that use OPSS API’s to perform operations on the enterprise OID, OpenLdap etc.  In this post i will cover this specific requirement; although the given code is very crude, it is there only to serve as an example and the process is what matters.

The code is shown below.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
package model;

import oracle.security.jps.service.policystore.ApplicationPolicy;
import oracle.security.jps.service.policystore.PolicyStore;
import java.security.Principal;

import java.util.Hashtable;

import oracle.adf.share.logging.ADFLogger;

import oracle.security.idm.IMException;
import oracle.security.idm.IdentityStore;
import oracle.security.idm.IdentityStoreFactory;
import oracle.security.idm.IdentityStoreFactoryBuilder;
import oracle.security.idm.Role;
import oracle.security.idm.RoleManager;
import oracle.security.idm.User;
import oracle.security.idm.UserManager;
import oracle.security.idm.providers.oid.OIDIdentityStoreFactory;
import oracle.security.jps.JpsContext;
import oracle.security.jps.JpsContextFactory;
import oracle.security.jps.JpsException;
import oracle.security.jps.internal.idstore.ldap.LdapIdentityStore;
import oracle.security.jps.service.idstore.IdentityStoreException;
import oracle.security.jps.service.idstore.IdentityStoreService;
import oracle.security.jps.service.policystore.ApplicationPolicy;
import oracle.security.jps.service.policystore.PolicyObjectNotFoundException;
import oracle.security.jps.service.policystore.PolicyStore;
import oracle.security.jps.service.policystore.PolicyStoreException;
import oracle.security.jps.service.policystore.info.common.InvalidArgumentException;

public class DemoJpsMethods {
    public static final ADFLogger DemoJpsLogger=ADFLogger.createADFLogger(DemoJpsMethods.class);
    public static final String DEV_GROUP="DevGroup";
    public static final String TRAINING_GROUP="TrainingGroup";
    public static final String DEV_APP_ROLE="DevAppRole";
    public static final String TRAINING_APP_ROLE="TrainingAppRole";
    public DemoJpsMethods() {
        super();
    }

    /**
     * Dummy method just for testing so not parameterized
     */
    public void addUserToAppGroup(){
            JpsContext ctxt = IdentityStoreConfigurator.jpsCtxt;
            LdapIdentityStore idstoreService =
                (LdapIdentityStore)ctxt.getServiceInstance(IdentityStoreService.class);
            IdentityStore idmStore=null;
        try {
            idmStore = idstoreService.getIdmStore();

        } catch (IdentityStoreException e) {
            throw new RuntimeException(e);
        }
        User tom=null;
        User helen=null;
        UserManager um=null;
        RoleManager rm=null;
        Role trainingRole=null;
        Role devRole=null;

        try {
            um= idmStore.getUserManager();
            rm=idmStore.getRoleManager();
        } catch (IMException e) {
            try {
                idmStore.close();
            } catch (IMException f) {
            }
            throw new RuntimeException(e);
        }
        try {
            trainingRole =
                      idmStore.searchRole(IdentityStore.SEARCH_BY_NAME, TRAINING_GROUP);
            devRole =
                          idmStore.searchRole(IdentityStore.SEARCH_BY_NAME, DEV_GROUP);
        } catch (IMException e) {
            DemoJpsLogger.severe("Rethrow exception because roles ARE NOT found");
            try {
                idmStore.close();
            } catch (IMException f) {
            }
            throw new RuntimeException(e);
        }


        try {
            tom = idmStore.searchUser("tom");
            helen = idmStore.searchUser("helen");


            //if it comes till here user is found

        } catch (IMException e) {
            DemoJpsLogger.severe("Ignore exception because user is likely not found");
        }
        //User not found create ?
        if(tom==null){
            try {
                tom= um.createUser("tom", "Welcome_1".toCharArray());

            } catch (IMException e) {
                try {
                    idmStore.close();
                } catch (IMException f) {
                }
                throw new RuntimeException(e);

            }

        }
        //User not found create ?
        if(helen==null){
            try {
                helen=um.createUser("helen", "Welcome_1".toCharArray());

            } catch (IMException e) {
                try {
                    idmStore.close();
                } catch (IMException f) {
                }
                throw new RuntimeException(e);
            }

        }
        try {
            rm.grantRole(trainingRole,tom.getPrincipal());
            rm.grantRole(devRole,helen.getPrincipal());
        } catch (IMException e) {
            try {
                idmStore.close();
            } catch (IMException f) {
            }
            throw new RuntimeException(e);
        }

        if(idmStore!=null){
                try {
                    idmStore.close();
                } catch (IMException f) {
                }
            }



    }
    public void addAppGroupToAppRole() {
            JpsContext ctxt = IdentityStoreConfigurator.jpsCtxt;
        LdapIdentityStore idstoreService =
            (LdapIdentityStore)ctxt.getServiceInstance(IdentityStoreService.class);
        IdentityStore idmStore=null;
        try {
            idmStore = idstoreService.getIdmStore();
        } catch (IdentityStoreException e) {
            throw new RuntimeException(e);
        }
        PolicyStore ps = ctxt.getServiceInstance(PolicyStore.class);
            ApplicationPolicy policy;
        Role trainingRole=null;
        Role devRole=null;
        try {
            trainingRole =
                      idmStore.searchRole(IdentityStore.SEARCH_BY_NAME, TRAINING_GROUP);
            devRole =
                          idmStore.searchRole(IdentityStore.SEARCH_BY_NAME, DEV_GROUP);
        } catch (IMException e) {
            try {
                idmStore.close();
            } catch (IMException f) {
            }
            throw new RuntimeException(e);
        }



        try {
            policy = ps.getApplicationPolicy("DemoAppSecurity#V2.0");
            policy.addPrincipalToAppRole(trainingRole.getPrincipal(), TRAINING_APP_ROLE);
            policy.addPrincipalToAppRole(devRole.getPrincipal(), DEV_APP_ROLE);
        }  catch (PolicyStoreException e) {
            throw new RuntimeException(e);
        } catch (IMException e) {
            throw new RuntimeException(e);
        }

        if(idmStore!=null){
                try {
                    idmStore.close();
                } catch (IMException f) {
                }
            }

    }



    /**
     * This nested private class is used for configuring and initializing the context factory
     * @author Ramandeep Nanda
     */
    private static final class IdentityStoreConfigurator {
                              private static final JpsContext jpsCtxt=initializeFactory();


                             private static JpsContext initializeFactory(){
                                       String methodName = Thread.currentThread().getStackTrace()[1].getMethodName();
                                       JpsContextFactory tempFactory;
                                       JpsContext jpsContext;
                                             try {
                                                                 tempFactory=JpsContextFactory.getContextFactory();
                                                                 jpsContext=tempFactory.getContext();
                                                             }
                                       catch (JpsException e) {
                                               DemoJpsLogger.severe("Exception in "+methodName + " " +e.getMessage() +" ", e);
                                       throw new RuntimeException("Exception in "+methodName + " " +e.getMessage() +" ", e);
                                       }
                                      return jpsContext;
                                     }



    }
}


So basically there are two methods, the first one just creates the user and assigns them to the enterprise groups, the second one is the one we’re interested in because this one first accesses the application policy and then dynamically assigns the enterprise group to the application role .


We are not done just yet, there are a few steps you need to configure which are mentioned below.


  • Assign PolicyStoreAccessPermission to weblogic user in system-jazn-data.xml.
     1
     2
     3
     4
     5
     6
     7
     8
     9
    10
    11
    12
    13
    14
    15
    16
    17
    <grant>
                <grantee>
                    <principals>
                        <principal>
                            <class>weblogic.security.principal.WLSUserImpl</class>
                            <name>weblogic</name>
                        </principal>
                    </principals>
                </grantee>
                <permissions>
                    <permission>
                        <class>oracle.security.jps.service.policystore.PolicyStoreAccessPermission</class>
                        <name>context=SYSTEM</name>
                        <actions>*</actions>
                    </permission>
                </permissions>
            </grant>
    

  • Although i have added the application stripe grant in the application jazn-data.xml, you need to be aware of that. It is mentioned below:
     1
     2
     3
     4
     5
     6
     7
     8
     9
    10
    11
    12
    13
    14
    15
    16
    17
    <grant>
            <grantee>
                 <principals>
                      <principal>
                           <class>oracle.security.jps.internal.core.principals.JpsXmlUserImpl</class>
                           <name>weblogic</name>
                      </principal>
                 </principals>
            </grantee>
            <permissions>
                 <permission>
                      <class>oracle.security.jps.service.policystore.PolicyStoreAccessPermission</class>
                      <name>context=APPLICATION,name=DemoAppSecurity#V2.0</name>
                      <actions>*</actions>
                 </permission>
            </permissions>
       </grant>
    


  • Run the application and log in with weblogic user i.e login.html page

  • There will be two buttons one creates and adds a user to a group, second adds enterprise group to app role

  • For first, You need an ldap browser to view the changes, use the embedded ldap connection details.

  • For second, you need just to view the system-jazn-data.xml file, here you will see enterprise group added to app role.


The application can be downloaded from here. Application Link

Go Top
comments powered by Disqus