samplepolicy

details for creating the sample application policies

This is a step in the getting started guide. See Opensso policy agent sample application for more detail on the sample application.

Use this with the readme.
This next step contains some EXTRA INFORMATION to set up the policy.
It has some screen shots and details about the steps to set up the policy as described in the readme. The readme instructions are brief, so the next step expands on them.

Quickstart Guide to Set up Policy for J2EE Agent Sample app

These instructions are similar for all agents, though this example was done using the GlassFish application server.

The opensso.war server was installed on a GlassFish domain listening on port 2840.
The policy agent and sample app were deployed on a separate GlassFish domain listening on port 2680.
Both the agent and the OpenSSO server were on the same machine (on different domains and ports of the application server), and both used the hostname my.test.domain.com.
These values are used in the example URLs on this page.

Let's get started.

The agent sample application, which you will deploy and use later, requires that Access Manager is set up with some security policies and other security information that the sample app will use when it is running. The steps are listed in the J2EE agent download under sample/readme.txt, but I will repeat them here with some small modifications that match the developer test drive we are doing here. These steps use the Access Manager console and UI, which you deployed as part of opensso.war. This is a good exercise, since it is similar to what you would need to do to secure your own applications by configuring and creating a security policy.

Create User Subjects

1) Log in to the Access Manager console. Point your browser to http://<your_localhost_alias>:<your_domain2_http_port>/opensso, which in the settings I chose would be http://my.test.domain.com:2840/opensso, and log in with username=amAdmin and password=adminadmin.

2) This will take you to the Access Manager console default home page which lists the opensso realm. Click on the opensso realm (it is circled in red in the screenshot below)

3) This will take you to another page, and on this page, click on the "Subjects" tab.
Now, we will create user names and passwords for the following subjects in the opensso realm:

  • andy/andy
  • bob/bob
  • chris/chris
  • dave/dave
  • ellen/ellen
  • frank/frank
  • gina/gina

4) This takes you to the Subjects page. On this page click on the "New" button; we will create a new subject (user) for each of the usernames and passwords listed here.

5) For each of the users listed below, do step 4 above and then this step 5. This creates the user as part of the opensso realm.
On the New User page, fill in the username and password for the user (for example, I use "andy" for every field), then click the OK button, which takes you back to the page in step 4.

Repeat steps 4 and 5 until every user in this list exists with the following username and password:

  • andy/andy
  • bob/bob
  • chris/chris
  • dave/dave
  • ellen/ellen
  • frank/frank
  • gina/gina

6) Now that you have entered all those users as subjects in the opensso realm, your Subjects page should look like this, with all these users listed. Now click the Back to Realms button.

Assign Users to Roles

Create three new roles (employee, manager, and everyone) and then assign users to them as follows:
employee: andy, bob, chris, dave, ellen, frank
manager: andy, bob, chris
everyone: andy, bob, chris, dave, ellen, frank, gina

I will walk through the creation of the employee role and then adding the users andy, bob, chris, dave, ellen, and frank to the role. You need to do the same process for the manager role and the everyone role as well.
1) From the Realms page, shown in the image above, click on the opensso realm, which will take you to the opensso Properties page.
2) From the Properties page (shown above), click on the Subjects tab, which will take you to the User page (shown one image above).
3) From the User page, click on the Role tab.

4) Now, on the Role page, click the New button.

5) Now on the New Role page, enter the value employee in the ID field and then click the OK button.

6) Now on the Role page, click on the employee role.

7) Now from the Edit Role - employee page, click the User tab.

8) Add these users (andy, bob, chris, dave, ellen, frank) to the employee role. Click on the desired name in the Available box, then click the Add button, and the name is moved to the Selected box. After these 6 names have been selected, the page should look like the image below. After selecting the users to add to the employee role, click on the Save button.

After clicking on the Save button, a notice appears on this page informing you that the profile has been saved. At this point, you can click Back to Subjects button. Make sure you previously clicked on the Save button.

9) Now you are back to the Role page, shown in step 4 above (new-role.gif). Now click on the Back to Realms button.

10) Now you are back on the opensso Realm page, shown in step 2 above.
You need to do the same process to create the manager role and everyone role, and add the users in the list above to these roles.
manager: andy, bob, chris
everyone: andy, bob, chris, dave, ellen, frank, gina

Just repeat steps 2 through 9 to add these users to the new roles.

Customer Group Setup

Create a group called customer and then add two users, chris and ellen, to it.
customer: chris, ellen
I will walk through this process. Since we have used the UI a bit, I will skip the screen shots, as the process is similar to what we have already done. Setting up a group is very similar to setting up a role.

1) From the Realms page, click on the opensso Realm (see the image of the Realms page above -- post-login-realms.gif).
2) On the opensso Properties page, click on the Subjects tab (see the image of the opensso Properties page above -- choose-subject-tab.gif).
3) On the Subjects User page, click on the Group tab.
4) On the Group page, click on the New button.
5) On the New Group page, enter customer as the value in the ID field, then click the OK button.
6) Now you are back on the Group page and the customer group is listed in the groups. Click on the customer group.
7) On the Edit Group - customer page, click on the User tab.
8) On the User tab of the Edit Group - customer page, select chris and ellen and add them to the customer group. Then click the Save button.
Now your Edit Group page should look like this image below, showing chris and ellen in the selected box.

Make sure you clicked the Save button so that the users are added to the customer group.

Create the URL Policies

Now we will create two policies for the opensso realm. Later the sample application will use these policies for its security model. The policies specified here determine which URLs are protected and which authenticated subjects can access them. Note that since these policies are specific to the sample application, the URLs being protected are specific to the deployment environment of the sample application; hence the URLs specified here include the hostname and port of the sample application. For our sample application, we previously created domain3 in the application server and assigned ports for its services. (Recall I said to remember the HTTP port number for domain3, which in our case is port=2680.) Our fully qualified host name is the localhost alias we set previously, my.test.domain.com. So all the URLs specified here will start with http://my.test.domain.com:2680. Use your own host and port information if your environment is different.

Here is the description of policy 1, which we need to set up.
Policy 1:
In the rules part, allow:
For each of these URLs, create a new rule and choose GET and POST.
http://<hostname>:<port>/agentsample/jsp/*
http://<hostname>:<port>/agentsample/invokerservlet
http://<hostname>:<port>/agentsample/protectedservlet
http://<hostname>:<port>/agentsample/securityawareservlet
http://<hostname>:<port>/agentsample/unprotectedservlet

[In the scenario I am using, these exact URLs would be as follows.
MAKE SURE the host is correct and the port is the HTTP port of the domain where the sample application is deployed (2680 here), not the port of the OpenSSO server.
http://my.test.domain.com:2680/agentsample/jsp/*
http://my.test.domain.com:2680/agentsample/invokerservlet
http://my.test.domain.com:2680/agentsample/protectedservlet
http://my.test.domain.com:2680/agentsample/securityawareservlet
http://my.test.domain.com:2680/agentsample/unprotectedservlet
]
Subject: entire-organization, which is all authenticated users.
On policy 1, for the subjects choose "Authenticated Users".

Now I will step you through the process of creating policy 1 with the Access Manager UI console.
1) Navigate to the Realms page, and click on the opensso realm.
2) On the opensso Properties page, click on the Policies tab.
3) On the opensso Policies page, click on the New Policy button.
4) On the New Policy page, first enter policy1 in the Name field. After naming the policy, now we will create a new rule for each URL to protect. So now in the Rules section, click on the New button. The image below shows this.

5) On the Select Service Type for the Rule page, notice that URL policy agent is selected as the service type, and now click the Next button.

6) On the Step 2 of the New Rule page, fill in the details for the first URL we want to protect, http://my.test.domain.com:2680/agentsample/jsp/*, and give the rule a name. The name does not matter too much; in this example I chose to name this URL rule "JSP pages". Then in the Actions section, choose both GET and POST to be allowed. After filling in these details, click Finish to complete this rule. The image below shows what your page should look like before clicking the Finish button.

7) Now you are back on the New Policy page. Repeat these steps to create a new rule in policy1 for each of the remaining URLs. For convenience, here are the remaining URL rules:
http://<hostname>:<port>/agentsample/invokerservlet
http://<hostname>:<port>/agentsample/protectedservlet
http://<hostname>:<port>/agentsample/securityawareservlet
http://<hostname>:<port>/agentsample/unprotectedservlet

8) Now you are back on the New Policy page for policy1. We have specified all the rules for the URL patterns to protect. Now we need to associate some subjects with this policy. For policy1, we want the subjects to be all authenticated users.
On the New Policy page for policy1, go to the Subjects section of the page (below the Rules section) and click the New button.

9) On the Step 1 of 2: Select Subject Type page, choose Authenticated Users button. Then click Next.

10) On the Step 2 of 2 New Subject page, enter organization for the name of the subjects.
Since you chose authenticated users, the name does not matter much.

11) On the New Policy page for policy1, click the OK button to save all the changes you made to policy1. Make sure you click OK so you don't lose your work.
Policy 1 is all done.

Create the second Policy

Now let's create the second policy.
Policy 2:
Allow:
http://<hostname>:<port>/agentsample/urlpolicyservlet
or in my case http://my.test.domain.com:2680/agentsample/urlpolicyservlet
Subject: choose "Access Manager Identity Subject", search for groups, and add the customer group.

1) I will combine several steps here, since we should be familiar with this sequence of pages. The process is very similar to creating policy1, with some small differences. First create a new policy called policy2, and then add a new rule for the URL pattern http://<hostname>:<port>/agentsample/urlpolicyservlet. Now associate some subjects with policy2. When you click New in the Subjects section of the New Policy page for policy2, it takes you to the Step 1 of 2: Select Subject Type page (the same as when creating policy1). Here, be sure to choose "Access Manager Identity Subject" before clicking Next.

2) On the Step 2 of 2: New Subject - Access Manager Identity Subject page, enter customer group in the Name field. In the Filter box choose Group and click the Search button, which should cause the group customer to show up in the Available box. Select customer in the Available box and click the Add button; customer should now show up in the Selected box. Now click Finish. See the image below for details.

3) On the New Policy page for policy2, click the OK button to save the information you added to policy2. Make sure to click OK to save your work.
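To make the meaning of the two policies concrete, here is an added Python model of them. It is not part of the original page and is not OpenSSO's policy engine, data format or API; it only models the semantics described above: URL rules where a trailing "*" matches the rest of the URL, GET and POST as the allowed actions, "Authenticated Users" as the subject of policy1, membership of the customer group as the subject of policy2, and no access unless some rule allows it. The users, group, URLs and port numbers are the ones from this page; the GET/POST actions on policy2, the rule names and all function names are assumptions. The `misconfigured_rules` check models the warning above about using the sample application's port (2680) rather than the OpenSSO server's (2840) in every rule.

```python
# Added toy model of policy1 and policy2 from this page. NOT OpenSSO's engine,
# data format or API; it only illustrates the policy semantics described above.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Callable, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Host and HTTP port of the sample application, as used on this page.
BASE = "http://my.test.domain.com:2680"


@dataclass
class Subject:
    name: str
    authenticated: bool = False
    groups: Set[str] = field(default_factory=set)


@dataclass
class Rule:
    name: str
    resource: str      # URL pattern; a trailing "*" matches the rest of the URL
    actions: Set[str]  # HTTP methods this rule allows

    def matches(self, url: str) -> bool:
        # fnmatchcase treats "*" as "anything, including '/'", which is enough
        # to model the "/agentsample/jsp/*" rule; "." and ":" stay literal.
        return fnmatchcase(url, self.resource)


@dataclass
class Policy:
    name: str
    rules: List[Rule]
    applies_to: Callable[[Subject], bool]  # the policy's subject condition


def url_rule(name: str, path: str, base: str = BASE) -> Rule:
    """Build a GET+POST rule for one of the sample-app paths (rule names assumed)."""
    return Rule(name, f"{base}{path}", {"GET", "POST"})


# Policy 1: the five resources from the page; subject = any authenticated user.
POLICY1 = Policy("policy1", [
    url_rule("JSP pages", "/agentsample/jsp/*"),
    url_rule("invoker servlet", "/agentsample/invokerservlet"),
    url_rule("protected servlet", "/agentsample/protectedservlet"),
    url_rule("security aware servlet", "/agentsample/securityawareservlet"),
    url_rule("unprotected servlet", "/agentsample/unprotectedservlet"),
], lambda s: s.authenticated)

# Policy 2: one resource; subject = members of the customer group. The page
# does not list the actions for this rule, so GET+POST is assumed here.
POLICY2 = Policy("policy2", [
    url_rule("url policy servlet", "/agentsample/urlpolicyservlet"),
], lambda s: s.authenticated and "customer" in s.groups)

POLICIES = [POLICY1, POLICY2]

# Group membership from the "Customer Group Setup" section of the page.
CUSTOMER_GROUP = {"chris", "ellen"}


def make_subject(name: str, authenticated: bool = True) -> Subject:
    """Constructed subject for one of the page's sample users."""
    groups = {"customer"} if name in CUSTOMER_GROUP else set()
    return Subject(name, authenticated, groups)


def evaluate(policies: List[Policy], subject: Subject, method: str,
             url: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Return ("allow", policy, rule) for the first policy whose subject
    condition holds and whose rule matches both url and method; otherwise
    ("deny", None, None). Nothing is granted unless a rule allows it."""
    for policy in policies:
        if not policy.applies_to(subject):
            continue
        for rule in policy.rules:
            if rule.matches(url) and method in rule.actions:
                return ("allow", policy.name, rule.name)
    return ("deny", None, None)


def misconfigured_rules(policies: List[Policy], base: str = BASE) -> List[str]:
    """Names (policy/rule) of rules whose host:port is not the sample app's.
    Models the page's warning that each rule must use the application's
    HTTP port (2680 here), not the OpenSSO server's port (2840)."""
    expected = urlsplit(base).netloc
    return [f"{p.name}/{r.name}" for p in policies for r in p.rules
            if urlsplit(r.resource).netloc != expected]


if __name__ == "__main__":
    for who, method, path in [("andy", "GET", "/agentsample/jsp/index.jsp"),
                              ("andy", "GET", "/agentsample/urlpolicyservlet"),
                              ("chris", "GET", "/agentsample/urlpolicyservlet"),
                              ("andy", "DELETE", "/agentsample/protectedservlet")]:
        print(who, method, path, evaluate(POLICIES, make_subject(who), method, BASE + path))
    print("anonymous:", evaluate(POLICIES, Subject("anon"), "GET", BASE + "/agentsample/jsp/index.jsp"))
    print("misconfigured rules:", misconfigured_rules(POLICIES))
```

Running the script shows andy reaching the JSP pages under policy1 but being denied the urlpolicyservlet (he is not in the customer group), chris reaching it under policy2, an unauthenticated subject and a non-GET/POST method being denied, and an empty list from the host/port check. Changing the port in one rule to 2840 makes that rule appear in the check's output, which is the misconfiguration the page warns about.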

Copyright 1994-2009 Sun Microsystems, Inc.