The most challenging aspect of writing a policy for an application is discovering all the application resources that must be secured. This process is greatly simplified by running the SSM in discovery mode and then performing one or more user sessions that reflect actual use of the application. Based on the activities performed during those sessions, OES generates an initial policy set and writes it to files that can then be imported into OES.
Note: Do not use discovery mode in a production environment, because in this mode every authorization request is granted. Use it only during development to create the initial security policy.
Resource discovery is enabled by setting the ASI Authorization and ASI Role Mapping providers to run in discovery mode. In this mode, these providers always return 'true' when evaluating user requests (that is, every request is authorized) and record those requests to generate the initial policy files.
To enable discovery mode, modify the command line that starts the SSM by adding the following system properties:
com.bea.security.providers.authorization.asi.AuthorizationProviderImpl.discoverymode=true
com.bea.security.providers.authorization.asi.RoleProviderImpl.discoverymode=true
The system properties are set using the -D switch in the appropriate file. As an example, to enable resource discovery for the WLS SSM, add the following lines to the SSM's set-wls-env.bat file:
set WLES_JAVA_OPTIONS=%WLES_JAVA_OPTIONS% -Dcom.bea.security.providers.authorization.asi.AuthorizationProviderImpl.discoverymode=true
set WLES_JAVA_OPTIONS=%WLES_JAVA_OPTIONS% -Dcom.bea.security.providers.authorization.asi.RoleProviderImpl.discoverymode=true
For each SSM, Table 6-1 indicates the name and location of the file that must be modified.
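Because discovery mode turns every authorization decision into an allow, a practitioner will want a guard that refuses to deploy an SSM whose environment file still carries the two properties. The following POSIX shell check is an added example, not part of the OES/WLES documentation or product: it takes the path of any SSM environment file as an argument (no particular file name from Table 6-1 is assumed), ignores commented-out lines, and reports whether either discovery property is set to true, in either the -D form shown above or plain property syntax.

```shell
#!/bin/sh
# Added example, not from the OES/WLES documentation: gate a build or
# deployment step on an SSM environment file not enabling discovery mode.
# Only the two property names from the documentation are assumed; the
# file path is supplied by the caller.

DISCOVERY_PROPS="com.bea.security.providers.authorization.asi.AuthorizationProviderImpl.discoverymode
com.bea.security.providers.authorization.asi.RoleProviderImpl.discoverymode"

# discovery_mode_enabled FILE
# Returns 0 (true) if FILE sets either discovery property to true, whether
# written as "-Dprop=true" in a JVM options line or as "prop=true" in a
# property file; the value is matched case-insensitively. Lines commented
# out with "rem"/"::" (batch) or "#" (shell) are ignored. Returns 1 if
# neither property is enabled, 2 if the file cannot be read.
discovery_mode_enabled() {
    file="$1"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    for prop in $DISCOVERY_PROPS; do
        if grep -v -i -E '^[[:space:]]*(#|rem[[:space:]]|::)' "$file" \
           | grep -i -E -q -- "(^|[[:space:]])(-D)?${prop}=true([[:space:]]|$)"; then
            return 0
        fi
    done
    return 1
}

# assert_no_discovery FILE
# Prints a verdict and returns non-zero when discovery mode is enabled,
# so it can be used directly as a pre-deployment gate.
assert_no_discovery() {
    if discovery_mode_enabled "$1"; then
        echo "REFUSING: $1 enables ASI discovery mode (every request would be authorized)" >&2
        return 1
    fi
    echo "OK: $1 does not enable discovery mode"
    return 0
}

# Usage: sh check-discovery.sh /path/to/set-wls-env.bat
if [ "$#" -gt 0 ]; then
    assert_no_discovery "$1"
fi
```

Run it against each SSM's environment file before promoting a domain; a non-zero exit means the file still contains the development-only settings.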
After enabling discovery mode as described in the previous section, start the secured application. Then perform a user session: log in to the application, request resources, and invoke application functions. Exercise every function and resource that the policy must cover, since only the requests actually made during the session are recorded in the generated files.
It is important to note that the generated files are meant to serve as a starting point for defining a policy set to fully secure the application. In particular, note the following:
When generating the files, user requests are transformed into a policy import format. Under this format, a request consists of four elements: Subject, Resource, Action, and Attributes. Each element has different restrictions on the allowable character set. The providers automatically normalize any invalid characters to produce a valid entry, so review the generated entries for names that were altered. See Character Restrictions in Policy Data for further details.
The files generated by discovery mode are written to the SSM's domain directory. To import them, use the Policy Import tool.
Once imported, the policy can be managed using the Entitlements Administration Application.