Deployment Example 1: Access Manager 7.0 Load Balancing, Distributed Authentication UI, and Session Failover

8.4 Setting Up a Test for the J2EE Policy Agent 1

Use the following as your checklist for setting up a test for the J2EE Policy Agent 1:

  1. Deploy the sample application.

  2. Create roles in the external data store.

  3. Create a test referral policy in the base suffix.

  4. Create a test policy in the user realm.

  5. Configure J2EE properties for the sample application.

  6. Verify that J2EE Policy Agent 1 is configured properly.

Procedure: To Deploy the Sample Application

The BEA Policy Agent comes with a sample application specifically created to help you test your access policies. The sample application is located in /opt/j2ee_agents/am_wl9_agent/sampleapp. For more information, see the file /opt/j2ee_agents/am_wl9_agent/sampleapp/readme.txt.

  1. Go to the Application Server 1 URL:

    http://ProtectedResource-1.example.com:7001/console

  2. Log in to the Application Server using the following information:

    Username

    weblogic

    Password

    w3bl0g1c

  3. In the Application Server console, on the Summary of Deployments page, click “Lock & Edit.”

  4. Under Domain Structure, click Deployments.

  5. Under Deployments, click Install.

  6. On the Install Application Assistant page, click the protectedresource-1.example.com link.

  7. In the list for Location: protectedresource-1.example.com, click the root directory.

    Navigate to the application directory: /opt/j2ee_agents/am_wl9_agent/sampleapp/dist

  8. Select agentsample, and then click Next.

  9. In the Install Application Assistant page, choose “Install this deployment as an application,” and then click Next.

  10. In the list of Servers, mark the checkbox for ApplicationServer-1, and then click Next.

  11. On the “Optional Settings” page, click Next to accept the default settings.

  12. On the “Review Your Choices” page, click Finish.

    The Target Summary section indicates that the module agentsample will be installed on the target ApplicationServer-1.

  13. In the “Settings for agentsample” page, click Activate Changes.

  14. Under Domain Structure, click Deployments.

  15. In the Deployments list, mark the checkbox for agentsample, and then click Start > Servicing All Requests.

  16. On the Start Deployments page, click Yes.

    The state of the deployment changes from Prepared to Active.

  17. Log out of the Application Server 1 console.

Procedure: To Create Roles in the External Data Store

You will use these roles to verify that the sample application has been successfully installed and configured.

  1. Start the Directory Server 1 console, and log in:

    Username

    cn=Directory Manager

    Password

    d1rm4n4ger

    Administration URL

    http://DirectoryServer-1.example.com:1391

  2. In the Directory Server console, expand the example.com suffix.

  3. Click Server Group > am-users, and then click Open.

  4. Click the Directory tab.

  5. Right-click dc=company, dc=com, and then click New > Role.

  6. In the Create New Role page, in the Role Name field, enter manager, and then click OK.

  7. Right-click dc=company, dc=com, and then click New > Role.

  8. In the Create New Role page, in the Role Name field, enter employee, and then click OK.

    On the Directory tab, for the suffix dc=company, dc=com, you should see the two roles you just added: manager and employee.

  9. Double-click the manager role.

  10. In the Edit Role page, click Members and then click Add.

  11. In the Search Users and Groups dialog, click Search.

    In the list of results, select Test User 1 and then click OK.

  12. In the Edit Role page, click OK.

  13. Double-click the employee role.

  14. In the Edit Role page, click Members and then click Add.

  15. In the Search Users and Groups dialog, click Search.

    In the list of results, select Test User 2 and then click OK.

  16. In the Edit Role page, click OK.

  17. Log out of the Directory Server console.

Procedure: To Create a Test Referral Policy in the Base Suffix

  1. In the Access Manager 1 console, on the Access Control tab, click the example.com link.

  2. Click the Policies tab.

  3. Under Policies, click the “Referral URL Policy for users realm” link.

    This is the policy that was created when setting up the Web Policy Agent.

  4. On the Edit Policy page, under Rules, click New.

  5. On the page “Step 1 of 2: Select Service Type for the Rule,” select “URL Policy Agent (with resource name),” and then click Next.

  6. On the page “Step 2 of 2: New Rule,” provide the following information, and then click Next:

    Name:

    URL Policy for ApplicationServer-1

    Resource Name:

    http://ProtectedResource-1.example.com:1081/agentsample/*

  7. Click Finish.

Procedure: To Create a Test Policy in the User Realm

  1. In the Access Manager 1 console, on the Access Control tab, click the users link.

  2. Click the Policies tab.

  3. Under Policies, click New Policy.

  4. In the Name field, enter URL Policy for ApplicationServer-1.

  5. Under Rules, click New.

  6. On the page “Step 1 of 2: Select Service Type for the Rule,” click Next.

    The default “URL Policy Agent (with resource name)” should be selected.

  7. On the page “Step 2 of 2: New Rule,” provide the following information:

    Name:

    agentsample

    Parent Resource Name:

    In the list, select http://ProtectedResource-1.example.com:1081/agentsample/*

    Resource Name:

    The following is automatically entered when you select the Parent Resource Name above:

    http://ProtectedResource-1.example.com:1081/agentsample/*

    GET

    Mark this check box, and verify that the Allow value is selected.

    POST

    Mark this check box, and verify that the Allow value is selected.

  8. Click Finish.

    The rule agentsample is now added to the list of Rules.

  9. Under Subjects, click New.

  10. On the page “Step 1 of 2: Select Subject Type,” select Access Manager Identity Subject, then click Next.

  11. On the page “Step 2 of 2: New Subject — Access Manager Identity Subject,” provide the following information:

    Name:

    agentsampleRoles

    Filter:

    Select role.

  12. Click Search.

  13. In the Available list, select the manager and employee roles, and then click Add.

    The roles are now displayed in the Selected list.

  14. Click Finish.

  15. Click Create.

    The new policy is included in the list of Policies.

Procedure: To Configure J2EE Properties for the Sample Application

  1. Log in as a root user to Protected Resource 2.


    # cd /opt/j2ee_agents/am_wl9_agent/agent_001/config

  2. Make a backup of the AMAgent.properties file.

  3. In the AMAgent.properties file, set the following properties:


    com.sun.identity.agents.config.notenforced.uri[0] = /agentsample/public/*
    com.sun.identity.agents.config.notenforced.uri[1] = /agentsample/images/*
    com.sun.identity.agents.config.notenforced.uri[2] = /agentsample/styles/*
    com.sun.identity.agents.config.notenforced.uri[3] = /agentsample/index.html
    com.sun.identity.agents.config.notenforced.uri[4] = /agentsample
    com.sun.identity.agents.config.access.denied.uri = /agentsample/authentication/accessdenied.html
    com.sun.identity.agents.config.login.form[0] = /agentsample/authentication/login.html
    com.sun.identity.agents.config.login.url[0] = http://LoadBalancer-3.example.com:7070/amserver/UI/Login?realm=users

  4. Save the file.

  5. Restart Application Server 2.

    1. Stop Application Server 2.

      # cd /usr/local/bea/user_projects/domains/ProtectedResource-2/bin
      # ./stopManagedWebLogic.sh ApplicationServer-2 t3://localhost:7001

    2. Stop the administration server.

      # ./stopWebLogic.sh

    3. Start the administration server.

      # nohup ./startWebLogic.sh &
      # tail -f nohup.out

    4. Start Application Server 2.

      # nohup ./startManagedWebLogic.sh ApplicationServer-1 http://ProtectedResource-1.example.com:7001 &
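
The following check is an added example, not part of the original guide or of the agent's own tooling. It parses the AMAgent.properties values set in this procedure, flags any entry whose value is not on the same line as its key, lists which request paths skip policy enforcement, and reports login URLs that use plain HTTP. The `*` wildcard matching and the simplified `key = value` parsing are assumptions made for illustration.

```python
import re

# Constructed sample: the values this procedure sets in AMAgent.properties.
SAMPLE = """\
com.sun.identity.agents.config.notenforced.uri[0] = /agentsample/public/*
com.sun.identity.agents.config.notenforced.uri[1] = /agentsample/images/*
com.sun.identity.agents.config.notenforced.uri[2] = /agentsample/styles/*
com.sun.identity.agents.config.notenforced.uri[3] = /agentsample/index.html
com.sun.identity.agents.config.notenforced.uri[4] = /agentsample
com.sun.identity.agents.config.access.denied.uri = /agentsample/authentication/accessdenied.html
com.sun.identity.agents.config.login.form[0] = /agentsample/authentication/login.html
com.sun.identity.agents.config.login.url[0] = http://LoadBalancer-3.example.com:7070/amserver/UI/Login?realm=users
"""

PREFIX = "com.sun.identity.agents.config."

def parse_properties(text):
    """Parse 'key = value' lines; collect lines that do not form a full pair."""
    props, incomplete = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or not value:
            incomplete.append((n, line))  # e.g. a value wrapped onto the next line
        else:
            props[key] = value
    return props, incomplete

def indexed(props, name):
    """Return the values of an indexed list property (name[0], name[1], ...) in order."""
    pat = re.compile(re.escape(PREFIX + name) + r"\[(\d+)\]$")
    hits = [(int(m.group(1)), v) for k, v in props.items() if (m := pat.match(k))]
    return [v for _, v in sorted(hits)]

def is_not_enforced(path, patterns):
    """Assumed matching: '*' is a wildcard, every other character is literal."""
    return any(re.fullmatch(re.escape(p).replace(r"\*", ".*"), path) for p in patterns)

def cleartext_login_urls(props):
    """Login URLs that would carry credentials over unencrypted HTTP."""
    return [u for u in indexed(props, "login.url") if u.lower().startswith("http://")]
```

Run `parse_properties` on the edited file before restarting the server: any entry in the `incomplete` list means a property did not take the value intended, so the not-enforced list or login URL in effect differs from the one in this procedure.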

Procedure: To Verify that J2EE Policy Agent 1 is Configured Properly

Use these steps to access the agent sample application, and then test policies against that sample application.

  1. Go to the Sample Application URL:

    http://protectedresource-1.example.com:1081/agentsample/index.html

    The Sample Application welcome page is displayed.

  2. Click J2EE Declarative Security > “Invoke the Protected Servlet”

    The Policy Agent redirects to the Access Manager login page.

  3. Log in to the Access Manager console using the following information:

    Username

    testuser1

    Password

    password

    If you can successfully log in as testuser1, and the J2EE Policy Agent Sample Application page is displayed, then this part of the test succeeded and authentication is working as expected.

  4. Click the “J2EE Declarative Security” link.

  5. On the J2EE Declarative Security page, click the “Invoke the Protected Servlet” link.

    If the Success Invocation message is displayed, then this part of the test succeeded, and the sample policy for the manager role has been enforced as expected.

  6. Click the “J2EE Declarative Security” link to go back.

  7. Click the “Invoke the Protected EJB via an Unprotected Servlet” link.

    If the Failed Invocation message is displayed, then this part of the test succeeded, and the sample policy for the employee role has been enforced as expected.

  8. Close the browser.

  9. In a new browser session, go to the Sample Application URL:

    http://protectedresource-1.example.com:1081/agentsample/index.html

    The Sample Application welcome page is displayed.

  10. Click the “J2EE Declarative Security” link.

  11. On the J2EE Declarative Security page, click the “Invoke the Protected EJB via an Unprotected Servlet” link.

    The Policy Agent redirects to the Access Manager login page.

  12. Log in to the Access Manager console using the following information:

    Username

    testuser1

    Password

    password

    If you can successfully log in as testuser1, and the J2EE Policy Agent Sample Application page is displayed, then this part of the test succeeded and authentication is working as expected.

  13. Click the “J2EE Declarative Security” link to go back.

  14. On the J2EE Declarative Security page, click the “Invoke the Protected EJB via an Unprotected Servlet” link.

    The Successful Invocation message is displayed. The sample policy for the employee role has been enforced as expected.