The Oracle Entitlements Server integrates with Microsoft Office SharePoint Server (MOSS) to provide protection of pages hosted on the SharePoint portal. This integration solution provides a fine grained entitlements solution for SharePoint.
This document describes software requirements, installation and configuration procedures, and setup steps.
Integration with SharePoint is provided through plugins which intercept calls within the SharePoint server and send the same to a Web Service SSM that acts as the Policy Decision Point (PDP).
With this integration, protection of the following SharePoint components will be externalized using OES:
The following software must be installed for this integration to work properly.
The SharePoint SSM is included in the IIS SSM. To install it, launch the SSM installation program (OES10gR3_ssm_win32.exe) and select the IIS SSM when prompted.
The SSM is installed in <BEA_HOME>/ales32-ssm/iis-ssm/sharepoint-ssm. This directory contains the directories/files listed in Table 9-2.
Assembly (DLL) containing the SharePoint integration classes. The components packaged within this assembly include:
This section describes how to configure the SharePoint SSM. It assumes the deployer has administrative privileges on the Windows server where SharePoint is installed.
The SharePoint default.master page template (which the various sites use to create master pages of their own) has to be updated with the declaration of the delegate control. The default.master page template is located in C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\TEMPLATE\GLOBAL. The delegate control declaration, which is placed in the HTML HEAD section of this master page, is as follows:
In addition, any custom master pages used for the SharePoint sites have to be updated with the delegate control declaration. This can be done easily with Microsoft Office SharePoint Designer.
To identify the SharePoint resources to be defined in OES and included in policy definitions, run MOSSResourceDiscovery.exe, which is provided in the SharePoint SSM. This generates three files (object, objattr and decl) in a policy format that can then be used as input to the policy loader.
<BEA_HOME>\ales32-ssm\iis-ssm\sharepoint-ssm\adm\Discovery\AdmUrls.txt, which is used to extract the admin URLs.
Note that MOSSResourceDiscovery.exe takes a while to complete. The following is a sample successful execution of this process.
Welcome to the MOSS Resource Discovery
Enter the folder path where you want to create object,objAttr and decl file
Enter Path where Admin Url file is located
Enter SharePoint site URL and DONOT append url with /. e.g. http://sharepoint01
Enter Resource Base and DONOT append resource base with /. e.g. //app/policy/MicrosoftSharePoint
Resource Discovery starts....
Resource Discovery completed.
The SharePoint SSM uses the Web Service SSM to make calls for policy authorization. Therefore, the Web Service SSM instance must be correctly configured as described in Configuring SSMs Using the ConfigTool in the SSM Installation and Configuration Guide.
After configuring the Web Service SSM, ensure that the ConfigTool created the root resource and bound it to the Web Service SSM. To verify this, log in to the Entitlements Administration Application and select the DefaultApp application in the left pane. Then click the Resources tab in the right pane. The root resource should appear directly under the Resources node. Select it and click Modify to make sure the SSM Bound field is set to the Web Services SSM.
If the application root resource is not present, it can be created as follows:
After generating the SharePoint resource list, the resources must be imported into OES.
To import the resources, do the following:
config\webservice-ssm\ales-policies directory, make a copy of the load.conf file and save it in >\ales32-ssm\iis-ssm\sharepoint-ssm\adm. Then modify the file as described in the Policy Managers Guide.
After the resources are imported, use the Entitlements Administration Application to define the authorization policies that control access to these resources.
This section contains instructions for configuring the SharePoint server to connect to the Web Service SSM:
The installation of SharePoint code can be accomplished as follows:
The name of the token key used to assert the identity of the user. This depends on the type of identity assertion being used.
The name of the identity assertion type of the assertion token used in the ALES Identity Asserter that is configured for the Web Service SSM.
This resource was created as described in Configure the Web Service SSM.
Fully-qualified path to the log4net configuration file. A default log4Net.xml is present in the
Please wait while the installation proceeds ......
Changes are being made in config file...
Config file has been updated
Feature directory has been deployed
Server is being restarted....
Internet services successfully stopped
Internet services successfully restarted
Feature is being installed
Operation completed successfully.
Feature has been installed
This section describes how to manually configure the SharePoint server (without using ALES_MOSS_Installer.exe).
The SharePoint web configuration file must be updated to include information about the assembly deployed above. Following is a list of changes that need to be performed:
Note: When set to true, the Oracle SharePoint modules still load, but no policies are evaluated. Therefore, no runtime authorization is performed against OES.
For Web Parts, authorization is performed at runtime. If an authorization policy is set to DENY view on a web part and DisableALES=true, the runtime authorization is not performed. Hence, the web part will still be presented (since the policy is ignored).
<PageParserPath VirtualPath="/Pages/*" CompilationMode="Always" AllowServerSideScript="true" IncludeSubFolders="true"/>
Perform the following steps to deploy the OES authorization feature in SharePoint:
BEA_HOME\ales32-ssm\iis-ssm\sharepoint-ssm\lib\ALESAuthorizationFeature directory to the following directory on the SharePoint server:
C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\TEMPLATE\FEATURES
"C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\BIN\STSADM.EXE" -o installfeature -name ALESAuthorizationFeature
"C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\BIN\stsadm.exe" -o activatefeature -name ALESAuthorizationFeature -url http://sharepoint01/News
When authorization is activated against a sub-site, access to all the web parts in the sub-site's web pages is secured. For example, if the authorization feature is deployed on http://eagle/Reports, access is controlled on all web parts under this sub-site.
If an authorization policy denies access to the //app/policy/MOSS/Reports/Pages/Default.aspx/Announcements resource, the Announcements web part will not appear when http://eagle/Reports/Pages/Default.aspx is opened.
Perform the following steps:
Note: The credential holder class (
If resources (such as webs, lists, etc.) are created in SharePoint after resource discovery is performed, these resources must be defined in OES.
The following section describes the manual creation of resources corresponding to webs, lists, items and web parts. Because the resource model is based on URLs, the web page URLs are used to create resources in OES. These resources must be defined under the root resource that was created by the config tool.
A SharePoint web is defined in OES using the web's URL. If the web URL is http://<SharePoint_Server_Name>/web1, create a child resource named web1 under the root resource.
The administrative URLs corresponding to the web are listed in \ales32-ssm\iis-ssm\sharepoint-ssm\adm\Discovery\AdmUrls.txt. Because these URLs are invoked on administrative actions performed on the web and its children, they should be created as child resources of the web1 resource.
Web creation will also create a set of lists depending upon the template used. These lists are incorporated into the resource tree. How they are defined depends on whether they are document or non-document lists.
For a list view URL of http://<SharePoint_Server_Name>/web1/TestDocLib/Forms/AllItems.aspx, create the resource hierarchy shown in Figure 9-1.
For a list view URL of http://<SharePoint_Server_Name>/web1/Lists/Announcements/AllItems.aspx, create the resource tree shown in Figure 9-2.
Note: An easy way to find the ID of an item is to hover the mouse over the item link and note the ID from the URL displayed in the browser's status bar.
Pages in SharePoint exist either in document libraries or in the web base. The page may be defined in OES by creating a resource for each section of the URL.
Corresponding to a web, there may be a set of pages created for publishing content. A web part is one of the easiest and best ways to publish content in SharePoint. For authorization on web parts, the web parts may be created as resources in OES. Web parts are created as sub-resources of the page resource, and the name of the resource is the display name of the web part.
An example as it would be displayed in the Administration Console is shown in Figure 9-3.
This section provides instructions for testing the solution with SharePoint’s out-of-box windows-based authentication.
Note: The solution employs simple username assertion, which does not provide sufficient security for production environments.
The users present in the directory used for authentication by SharePoint (AD by default) should be created in OES. The user name should be in lower-case. Policies should be created for these users and distributed to the Web Service SSM.
<computer_name>\<user_name>, for example,
Note: This is a user name containing a backslash (\). Make sure to use all lowercase letters.
For example, the following policy denies the eagle\administrator user access to //app/policy/MOSS/Reports/Pages/default.aspx/Announcements. As a result of this policy, the user will not see the 'Announcements' web part when accessing
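As an added illustration (not Oracle's code), the following Python maps SharePoint URLs onto the OES resource names described in the manual resource-creation section and evaluates the Announcements DENY example above, including what happens under DisableALES=true. The per-segment hierarchy for list URLs, the policy store and the "view" action are assumptions, since Figures 9-1 and 9-2 are not reproduced here.

```python
from urllib.parse import urlsplit

RESOURCE_BASE = "//app/policy/MOSS"  # root resource bound to the Web Service SSM


def resource_hierarchy(url, base=RESOURCE_BASE, web_part=None):
    """Chain of OES resources to create for a SharePoint URL.

    Assumption: each URL path segment (web, list, Forms, page) is one
    resource node under the previous; a web part is a sub-resource of its
    page, named by the web part's display name.
    """
    segments = [s for s in urlsplit(url).path.split("/") if s]
    if web_part:
        segments.append(web_part)
    chain, current = [], base
    for seg in segments:
        current = f"{current}/{seg}"
        chain.append(current)
    return chain


def resource_name(url, base=RESOURCE_BASE, web_part=None):
    """Leaf resource for the URL (the name a policy is written against)."""
    chain = resource_hierarchy(url, base, web_part)
    return chain[-1] if chain else base


def normalize_user(logon_user):
    """OES users for the MOSS sample are <computer>\\<user> in lowercase."""
    return logon_user.lower()


# Constructed policy store: (user, action, resource) -> effect.
POLICIES = {
    ("eagle\\administrator", "view",
     "//app/policy/MOSS/Reports/Pages/Default.aspx/Announcements"): "DENY",
}


def web_part_visible(logon_user, page_url, web_part, disable_ales=False):
    """True if the web part is rendered; disable_ales mirrors DisableALES,
    under which the module loads but no policy is evaluated (DENY ignored)."""
    if disable_ales:
        return True
    resource = resource_name(page_url, web_part=web_part)
    effect = POLICIES.get((normalize_user(logon_user), "view", resource))
    return effect != "DENY"
```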
Perform the following steps:
BEA_HOME\ales32-ssm\iis-ssm\sharepoint-ssm\lib\SampleIdentityAsserter.jar to the following directory on the Administration Server machine:
Reorder the Configured Authentication Providers. Then make sure that SampleIdentityAsserter2 is at the top of the list and click Apply.
To add support for the new assertion type "sampletoken" to the Web Services SSM:
BEA_HOME/ales32-ssm/webservice-ssm/instance-name/config/WLESws.wrapper.conf in an editor and add a line like the following:
BEA_HOME/ales32-ssm/webservice-ssm/lib/com/bea/security/ssmws/soap/castor.xml in an editor and add a line like the following:
<map-to cst:xml="sampletoken" />
<field name="cookie" type="java.lang.String" >
BEA_HOME/ales32-ssm/webservice-ssm/lib/com/bea/security/ssmws/credentials/castor.xml in an editor and add a line like the following in the <mapping> element:
<field name="cookie" type="java.lang.String" >
To use the identity asserter configured above, the following updates are required in the appSettings section of the SharePoint web configuration file (C:\Inetpub\wwwroot\wss\VirtualDirectories\80\web.config in the SharePoint deployment).
The value of the token key should be set to LOGON_USER. This is a header set by SharePoint that carries the user id of the currently logged-in user (in the form <MachineName>\<UserName>, for example, EAGLE\Administrator). The value of this header is passed in the call to the Web Service SSM to assert the identity of users coming to SharePoint.
The value of the IdentityAsserterName key should be set to sampletoken. This is the active token type for the identity asserter \ales32-ssm\iis-ssm\sharepoint-ssm\lib\SampleIdentityAsserter.jar configured above.
After updating the web configuration, restart IIS.
This section details the steps to be performed to uninstall OES from SharePoint.
C:\Inetpub\wwwroot\wss\VirtualDirectories\80\web.config as described in Modify SharePoint Web Configuration.
C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\TEMPLATE\FEATURES.
custError.aspx) from the C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\TEMPLATE\LAYOUTS directory.
BEA.SharePoint.dll and select uninstall.