Use the following as your checklist for setting up a test for the J2EE Policy Agent 1:
The BEA Policy Agent comes with a sample application specifically created to help you test your access policies. The sample application is located here: /opt/j2ee_agents/am_wl9_agent/sampleapp. For more information, see the file /opt/j2ee_agents/am_wl9_agent/sampleapp/readme.txt.
Go to the Application Server 1 URL:
http://ProtectedResource-1.example.com:7001/console
Log in to the Application Server console using the following information:
User Name: weblogic
Password: w3bl0g1c
In the Application Server console, on the Summary of Deployments page, click “Lock & Edit.”
Under Domain Structure, click Deployments.
Under Deployments, click Install.
On the Install Application Assistant page, click the protectedresource-1.example.com link.
In the list for Location: protectedresource-1.example.com, click the root directory.
Navigate to the application directory: /opt/j2ee_agents/am_wl9_agent/sampleapp/dist
Select agentsample, and then click Next.
In the Install Application Assistant page, choose “Install this deployment as an application,” and then click Next.
In the list of Servers, mark the checkbox for ApplicationServer-1, and then click Next.
On the “Optional Settings” page, click Next to accept the default settings.
On the “Review Your Choices” page, click Finish.
The Target Summary section indicates that the module agentsample will be installed on the target ApplicationServer-1.
In the “Settings for agentsample” page, click Activate Changes.
Under Domain Structure, click Deployments.
In the Deployments list, mark the checkbox for agentsample, and then click Start > Servicing All Requests.
On the Start Deployments page, click Yes.
The state of the deployment changes from Prepared to Active.
Log out of the Application Server 1 console.
Next, create two test roles, manager and employee, in Directory Server 1. You will use these roles to verify that the sample application has been successfully installed and configured.
Start the Directory Server 1 console, and log in:
URL: http://DirectoryServer-1.example.com:1391
User Name: cn=Directory Manager
Password: d1rm4n4ger
In the Directory Server console, expand the example.com suffix.
Click Server Group > am-users, and then click Open.
Click the Directory tab.
Right-click dc=company, dc=com, and then click New > Role.
In the Create New Role page, in the Role Name field, enter manager, and then click OK.
Right-click dc=company, dc=com, and then click New > Role.
In the Create New Role page, in the Role Name field, enter employee, and then click OK.
On the Directory tab, under the suffix dc=company, dc=com, you should see the two roles you just added: manager and employee.
Double-click the manager role.
In the Edit Role page, click Members and then click Add.
In the Search Users and Groups dialog, click Search.
In the list of results, select Test User 1 and then click OK.
In the Edit Role page, click OK.
Double-click the employee role.
In the Edit Role page, click Members and then click Add.
In the Search Users and Groups dialog, click Search.
In the list of results, select Test User 2 and then click OK.
In the Edit Role page, click OK.
Log out of the Directory Server console.
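The same roles and memberships can be created from the command line, which is easier to repeat and to review than the console steps above. The following script is an added example and is not part of the deployment guide: it writes the LDIF for the two Sun Directory Server managed roles, assigns Test User 1 and Test User 2 to them, and then searches on the computed nsRole attribute to confirm that the server resolves the membership that Access Manager will evaluate. The LDAP port (389; 1391 above is the console port), the user DNs under ou=People,dc=company,dc=com, and the use of the Sun DS ldapmodify/ldapsearch tools with their -j password-file option are assumptions; the guide does not state them.

```shell
#!/bin/sh
# Added example, not from the deployment guide: command-line equivalent of
# creating the manager and employee managed roles in Directory Server 1 and
# making Test User 1 and Test User 2 members, plus an ldapsearch check.
#
# Assumptions (not stated in the guide): LDAP port 389, test users at
# uid=testuser1,ou=People,dc=company,dc=com and uid=testuser2,...,
# Sun DS ldapmodify/ldapsearch on the PATH (-j reads the bind password from
# a file; OpenLDAP's tools use -y for the same purpose).
SUFFIX="dc=company,dc=com"
PEOPLE="ou=People,$SUFFIX"
DS_HOST="DirectoryServer-1.example.com"
DS_PORT=389
BIND_DN="cn=Directory Manager"
PWFILE="${PWFILE:-$HOME/.dirmgr.pw}"   # contains only the bind password, mode 0600

# LDIF for a Sun DS managed role: an LDAPsubentry whose membership is declared
# by the nsRoleDN attribute on each member entry (nsManagedRoleDefinition
# inherits from nsSimpleRoleDefinition and nsRoleDefinition).
role_ldif() {
  role_name=$1
  cat <<EOF
dn: cn=$role_name,$SUFFIX
objectClass: top
objectClass: LDAPsubentry
objectClass: nsRoleDefinition
objectClass: nsSimpleRoleDefinition
objectClass: nsManagedRoleDefinition
cn: $role_name

EOF
}

# LDIF change record that makes one user a member of one managed role.
member_ldif() {
  uid=$1
  role_name=$2
  cat <<EOF
dn: uid=$uid,$PEOPLE
changetype: modify
add: nsRoleDN
nsRoleDN: cn=$role_name,$SUFFIX

EOF
}

# Apply all four records in one ldapmodify run; -a lets the role entries be
# added while the changetype: modify records are applied as written.
apply_roles() {
  {
    role_ldif manager
    role_ldif employee
    member_ldif testuser1 manager
    member_ldif testuser2 employee
  } | ldapmodify -a -h "$DS_HOST" -p "$DS_PORT" -D "$BIND_DN" -j "$PWFILE"
}

# nsRole is computed by the server, so a search on it proves the membership
# is resolved rather than merely stored on the user entry.
check_role() {
  role_name=$1
  ldapsearch -h "$DS_HOST" -p "$DS_PORT" -D "$BIND_DN" -j "$PWFILE" \
    -b "$SUFFIX" "(nsRole=cn=$role_name,$SUFFIX)" uid nsRole
}

case "${1:-}" in
  apply) apply_roles ;;
  check) check_role manager; check_role employee ;;
  *)     echo "usage: $0 apply|check" ;;
esac
```

Run it with `apply` once, then with `check`: the manager search should return only uid=testuser1 and the employee search only uid=testuser2. A user that appears in neither result will be denied by the agentsampleRoles subject created later in this procedure, whatever the policy rule says.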
In the Access Manager 1 console, on the Access Control tab, click the example.com link.
Click the Policies tab.
Under Policies, click the “Referral URL Policy for users realm” link.
This is the policy that was created when setting up the Web Policy Agent.
On the Edit Policy page, under Rules, click New.
On the page “Step 1 of 2: Select Service Type for the Rule,” select “URL Policy Agent (with resource name),” and then click Next.
On the page “Step 2 of 2: New Rule,” provide the following information, and then click Next:
Name: URL Policy for ApplicationServer-1
Resource Name: http://ProtectedResource-1.example.com:1081/agentsample/*
Click Finish.
In the Access Manager 1 console, on the Access Control tab, click the users link.
Click the Policies tab.
Under Policies, click New Policy.
In the Name field, enter URL Policy for ApplicationServer-1.
Under Rules, click New.
On the page “Step 1 of 2: Select Service Type for the Rule,” verify that the default “URL Policy Agent (with resource name)” is selected, and then click Next.
On the page “Step 2 of 2: New Rule,” provide the following information:
Name: agentsample
Parent Resource Name: In the list, select http://ProtectedResource-1.example.com:1081/agentsample/*
Resource Name: The following is automatically entered when you select the Parent Resource Name above:
http://ProtectedResource-1.example.com:1081/agentsample/*
GET: Mark this check box, and verify that the Allow value is selected.
POST: Mark this check box, and verify that the Allow value is selected.
Click Finish.
The rule agentsample is now added to the list of Rules.
Under Subjects, click New.
On the page “Step 1 of 2: Select Subject Type,” select Access Manager Identity Subject, then click Next.
On the page “Step 2 of 2: New Subject — Access Manager Identity Subject,” provide the following information:
Name: agentsampleRoles
Filter: Select role.
Click Search.
In the Available list, select the manager and employee roles, and then click Add.
The roles are now displayed in the Selected list.
Click Finish.
Click Create.
The new policy is included in the list of Policies.
Log in as root to Protected Resource 1, the host on which J2EE Policy Agent 1 is installed.
# cd /opt/j2ee_agents/am_wl9_agent/agent_001/config
Make a backup of the AMAgent.properties file.
In the AMAgent.properties file, set the following properties:
com.sun.identity.agents.config.notenforced.uri[0] = /agentsample/public/*
com.sun.identity.agents.config.notenforced.uri[1] = /agentsample/images/*
com.sun.identity.agents.config.notenforced.uri[2] = /agentsample/styles/*
com.sun.identity.agents.config.notenforced.uri[3] = /agentsample/index.html
com.sun.identity.agents.config.notenforced.uri[4] = /agentsample
com.sun.identity.agents.config.access.denied.uri = /agentsample/authentication/accessdenied.html
com.sun.identity.agents.config.login.form[0] = /agentsample/authentication/login.html
com.sun.identity.agents.config.login.url[0] = http://LoadBalancer-3.example.com:7070/amserver/UI/Login?realm=users
A request that matches a not-enforced URI is served without any check by the agent, so keep this list to genuinely public content (the welcome page, images, and style sheets). Every other path under /agentsample remains subject to the URL policy you created above.
Save the file.
Restart Application Server 1 so that the agent reads the new configuration:
Stop Application Server 1.
# cd /usr/local/bea/user_projects/domains/ProtectedResource-1/bin
# ./stopManagedWebLogic.sh ApplicationServer-1 t3://localhost:7001
Stop the administration server.
# ./stopWebLogic.sh
Start the administration server.
# nohup ./startWebLogic.sh &
# tail -f nohup.out
Start Application Server 1.
# nohup ./startManagedWebLogic.sh ApplicationServer-1 http://ProtectedResource-1.example.com:7001 &
Use these steps to access the agent sample application, and then test policies against that sample application.
Go to the Sample Application URL:
http://protectedresource-1.example.com:1081/agentsample/index.html
The Sample Application welcome page is displayed.
Click J2EE Declarative Security > “Invoke the Protected Servlet”
The Policy Agent redirects to the Access Manager login page.
Log in on the Access Manager login page using the following information:
User Name: testuser1
Password: password
If you can successfully log in as testuser1, and the J2EE Policy Agent Sample Application page is displayed, then this part of the test succeeded and authentication is working as expected.
Click the “J2EE Declarative Security” link.
On the J2EE Declarative Security page, click the “Invoke the Protected Servlet” link.
If the Successful Invocation message is displayed, then this part of the test succeeded, and the sample policy for the manager role has been enforced as expected.
Click the “J2EE Declarative Security” link to go back.
Click the “Invoke the Protected EJB via an Unprotected Servlet” link.
If the Failed Invocation message is displayed, then this part of the test succeeded: testuser1 is a member of the manager role only, so the sample policy for the employee role has been enforced as expected.
Close the browser.
In a new browser session, go to the Sample Application URL:
http://protectedresource-1.example.com:1081/agentsample/index.html
The Sample Application welcome page is displayed.
Click the “J2EE Declarative Security” link.
On the J2EE Declarative Security page, click the “Invoke the Protected EJB via an Unprotected Servlet” link.
The Policy Agent redirects to the Access Manager login page.
Log in on the Access Manager login page as Test User 2, the member of the employee role:
User Name: testuser2
Password: password
If you can successfully log in as testuser2, and the J2EE Policy Agent Sample Application page is displayed, then this part of the test succeeded and authentication is working as expected.
Click the “J2EE Declarative Security” link to go back.
On the J2EE Declarative Security page, click the “Invoke the Protected EJB via an Unprotected Servlet” link.
If the Successful Invocation message is displayed, then this part of the test succeeded, and the sample policy for the employee role has been enforced as expected.
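The browser walk-through above can be repeated unattended, which is useful after every agent or policy change. The following script is an added example and is not part of the deployment guide: with curl it checks that a not-enforced URI is served without a session, that the protected servlet sends an anonymous client to the Access Manager login URL configured in AMAgent.properties, and that the manager and employee roles see the Successful and Failed Invocation outcomes the test expects. It assumes that Access Manager exposes the identity web service at /amserver/identity/authenticate and that the session cookie is named iPlanetDirectoryPro (both defaults, neither stated in the guide). The guide gives only the link text for the two servlets, not their URLs, so those are read from the environment variables PROTECTED_SERVLET and EJB_SERVLET, which you fill in from the link targets on the J2EE Declarative Security page; the password for testuser2 is also assumed to be the one the guide shows for testuser1.

```shell
#!/bin/sh
# Added example, not from the deployment guide: unattended version of the
# sample-application test, driven with curl.
#
# Assumptions (not stated in the guide): identity web service at
# $AM/identity/authenticate, session cookie named iPlanetDirectoryPro, servlet
# URLs supplied via PROTECTED_SERVLET and EJB_SERVLET, testuser2's password
# the same as testuser1's unless TESTUSER2_PW is set.
APP="http://protectedresource-1.example.com:1081/agentsample"
AM="http://LoadBalancer-3.example.com:7070/amserver"
COOKIE_NAME="iPlanetDirectoryPro"
PROTECTED_SERVLET="${PROTECTED_SERVLET:-}"
EJB_SERVLET="${EJB_SERVLET:-}"
TESTUSER1_PW="${TESTUSER1_PW:-password}"
TESTUSER2_PW="${TESTUSER2_PW:-password}"

# Translate an HTTP status and Location header into what the agent did.
# A redirect to the AM login page means the agent enforced authentication;
# a redirect to access.denied.uri (or a bare 403) means it enforced the policy.
classify() {
  status=$1
  location=${2:-}
  case "$status" in
    200) echo allowed ;;
    403) echo denied ;;
    30[12378])
      case "$location" in
        */amserver/UI/Login*)  echo login-redirect ;;
        */accessdenied.html*)  echo denied ;;
        *)                     echo "redirect:$location" ;;
      esac ;;
    *) echo "unexpected:$status" ;;
  esac
}

# Read the sample application's result message out of a response body.
invocation_result() {
  body=$1
  case "$body" in
    *"Failed Invocation"*)      echo failed ;;
    *"Success"*"Invocation"*)   echo success ;;
    *)                          echo unknown ;;
  esac
}

# Print "<status> <redirect target>" for a URL, with an optional session token.
probe() {
  url=$1
  token=${2:-}
  if [ -n "$token" ]; then
    curl -s -o /dev/null -w '%{http_code} %{redirect_url}' -b "$COOKIE_NAME=$token" "$url"
  else
    curl -s -o /dev/null -w '%{http_code} %{redirect_url}' "$url"
  fi
}

# Obtain an SSO token from the identity web service (POST keeps the password
# out of access logs); the response is a single line "token.id=<token>".
login() {
  curl -s --data-urlencode "username=$1" --data-urlencode "password=$2" \
    "$AM/identity/authenticate" | sed -n 's/^token.id=//p'
}

# Fetch a page as an authenticated user, following the agent's redirects.
fetch_body() {
  curl -s -L -b "$COOKIE_NAME=$2" "$1"
}

run_tests() {
  if [ -z "$PROTECTED_SERVLET" ] || [ -z "$EJB_SERVLET" ]; then
    echo "set PROTECTED_SERVLET and EJB_SERVLET to the two link targets" >&2
    return 2
  fi
  set -- $(probe "$APP/index.html")
  echo "index.html, anonymous:         $(classify "$1" "${2:-}")   (expect allowed: not-enforced URI)"
  set -- $(probe "$PROTECTED_SERVLET")
  echo "protected servlet, anonymous:  $(classify "$1" "${2:-}")   (expect login-redirect)"
  t1=$(login testuser1 "$TESTUSER1_PW")
  echo "protected servlet, testuser1:  $(invocation_result "$(fetch_body "$PROTECTED_SERVLET" "$t1")")   (expect success: manager)"
  echo "protected EJB, testuser1:      $(invocation_result "$(fetch_body "$EJB_SERVLET" "$t1")")   (expect failed: not employee)"
  t2=$(login testuser2 "$TESTUSER2_PW")
  echo "protected EJB, testuser2:      $(invocation_result "$(fetch_body "$EJB_SERVLET" "$t2")")   (expect success: employee)"
}

case "${1:-}" in
  run) run_tests ;;
  *)   echo "usage: PROTECTED_SERVLET=... EJB_SERVLET=... $0 run" ;;
esac
```

The anonymous probes are the ones worth keeping in a regression check: if the protected servlet ever reports allowed without a session, the agent is not enforcing (a too-broad not-enforced pattern or an agent that failed to start is the usual cause), regardless of what the role tests say.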