Sun OpenSSO Enterprise 8.0 Administration Guide

Enabling Policy in a Service

You can protect a service with the OpenSSO Enterprise Policy Service only if the service schema conforms to the sms.dtd and contains values for the <Policy> schema and its sub-elements. If you want to create a custom policy agent, or require more fine-grained enforcement than the OpenSSO Enterprise Policy Service offers, you can add the <Policy> schema to an OpenSSO Enterprise formatted service file, enabling it for interaction with your policy agent and the Policy Service. (For more information, see Sun OpenSSO Enterprise 8.0 C API Reference for Application and Web Policy Agent Developers.) Once enabled, the service is displayed as a Service Type when creating policies and referrals. (See Rules.)


Tip –

By default, OpenSSO Enterprise policy agents protect only URL resources in tandem with the URL Policy Agent Service (for which a policy evaluator is created and used to get policy decisions). The most common scenario is to use the policy agents developed specifically for OpenSSO Enterprise and the URL Policy Agent Service. For more information, see Sun OpenSSO Enterprise Policy Agent 3.0 User’s Guide for Web Agents or Sun OpenSSO Enterprise Policy Agent 3.0 User’s Guide for J2EE Agents.


To Add a New Policy Enabled Service contains more information.

Procedure: To Add a New Policy Enabled Service

  1. Develop the new service in an XML file based on the sms.dtd.

    amWebAgent.xml is the XML service file for the URL Policy Agent service and can be used as a template to create a policy-enabled service file. It is located in the templates directory of the exploded opensso.zip. Here is another sample template.

    <?xml version="1.0" encoding="ISO-8859-1"?>

    <!--
    Copyright (c) 2005 Sun Microsystems, Inc. All rights reserved
    Use is subject to license terms.
    -->

    <!DOCTYPE ServicesConfiguration
      PUBLIC "=//iPlanet//Service Management Services (SMS) 1.0 DTD//EN"
      "jar://com/sun/identity/sm/sms.dtd">

    <ServicesConfiguration>
      <Service name="SampleWebService" version="1.0">
        <Schema
            i18nFileName="SampleWebService"
            i18nKey="SampleWebService">

          <Policy>
            <AttributeSchema name="GET"
                type="single"
                syntax="boolean"
                uitype="radio"
                i18nKey="get">
              <IsResourceNameAllowed/>
              <BooleanValues>
                <BooleanTrueValue i18nKey="allow">allow</BooleanTrueValue>
                <BooleanFalseValue i18nKey="deny">deny</BooleanFalseValue>
              </BooleanValues>
            </AttributeSchema>

            <AttributeSchema name="POST"
                type="single"
                syntax="boolean"
                uitype="radio"
                i18nKey="post">
              <IsResourceNameAllowed/>
              <BooleanValues>
                <BooleanTrueValue i18nKey="allow">allow</BooleanTrueValue>
                <BooleanFalseValue i18nKey="deny">deny</BooleanFalseValue>
              </BooleanValues>
            </AttributeSchema>

            <AttributeSchema name="PUT"
                type="single"
                syntax="boolean"
                uitype="radio"
                i18nKey="put">
              <IsResourceNameAllowed/>
              <BooleanValues>
                <BooleanTrueValue i18nKey="allow">allow</BooleanTrueValue>
                <BooleanFalseValue i18nKey="deny">deny</BooleanFalseValue>
              </BooleanValues>
            </AttributeSchema>

            <AttributeSchema name="DELETE"
                type="single"
                syntax="boolean"
                uitype="radio"
                i18nKey="delete">
              <IsResourceNameAllowed/>
              <BooleanValues>
                <BooleanTrueValue i18nKey="allow">allow</BooleanTrueValue>
                <BooleanFalseValue i18nKey="deny">deny</BooleanFalseValue>
              </BooleanValues>
            </AttributeSchema>

          </Policy>
        </Schema>
      </Service>
    </ServicesConfiguration>
  2. Save the XML file to the /config/xml/ directory of the exploded opensso.zip.

    For example, /config/xml/newServiceWithPolicy.xml

  3. Load /config/xml/newServiceWithPolicy.xml using the ssoadm command line utility.

    See Chapter 1, ssoadm Command Line Interface Reference, in Sun OpenSSO Enterprise 8.0 Administration Reference for more information.

  4. Define policy to protect the resource as documented in Creating Policies and Referrals.
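Before loading a new service file in step 3 it is worth checking that the <Policy> block the procedure depends on is actually there and well formed, because a service whose schema lacks it is loaded without error but never appears as a Service Type and so cannot be protected. The following Python script is an added example, not part of this guide or of the OpenSSO distribution. It parses a service file laid out like the template above, reports a missing <Policy> element, actions without <IsResourceNameAllowed/> (such an action cannot carry a resource name in a policy rule), and incomplete allow/deny value definitions, and builds the ssoadm create-svc command line for step 3. The two service documents are constructed for the example; the admin id amadmin and the password-file path are assumptions. It checks structure only and does not validate against sms.dtd, which it does not fetch.

```python
import xml.etree.ElementTree as ET

# Constructed sample: one service laid out like the guide's template (GET only).
GOOD_SERVICE = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE ServicesConfiguration
  PUBLIC "=//iPlanet//Service Management Services (SMS) 1.0 DTD//EN"
  "jar://com/sun/identity/sm/sms.dtd">
<ServicesConfiguration>
  <Service name="SampleWebService" version="1.0">
    <Schema i18nFileName="SampleWebService" i18nKey="SampleWebService">
      <Policy>
        <AttributeSchema name="GET" type="single" syntax="boolean"
                         uitype="radio" i18nKey="get">
          <IsResourceNameAllowed/>
          <BooleanValues>
            <BooleanTrueValue i18nKey="allow">allow</BooleanTrueValue>
            <BooleanFalseValue i18nKey="deny">deny</BooleanFalseValue>
          </BooleanValues>
        </AttributeSchema>
      </Policy>
    </Schema>
  </Service>
</ServicesConfiguration>
"""

# Constructed sample with typical mistakes: POST lacks <IsResourceNameAllowed/>
# and a deny value, and the second service has a <Schema> with no <Policy>.
BAD_SERVICE = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<ServicesConfiguration>
  <Service name="SampleWebService" version="1.0">
    <Schema i18nFileName="SampleWebService" i18nKey="SampleWebService">
      <Policy>
        <AttributeSchema name="POST" type="single" syntax="boolean"
                         uitype="radio" i18nKey="post">
          <BooleanValues>
            <BooleanTrueValue i18nKey="allow">allow</BooleanTrueValue>
          </BooleanValues>
        </AttributeSchema>
      </Policy>
    </Schema>
  </Service>
  <Service name="NoPolicyService" version="1.0">
    <Schema i18nFileName="NoPolicyService" i18nKey="NoPolicyService"/>
  </Service>
</ServicesConfiguration>
"""


def check_policy_service(xml_bytes):
    """Return a list of findings for a service file; an empty list means it passes."""
    findings = []
    root = ET.fromstring(xml_bytes)
    if root.tag != "ServicesConfiguration":
        return ["ERROR: root element is <%s>, expected <ServicesConfiguration>" % root.tag]
    services = root.findall("Service")
    if not services:
        return ["ERROR: no <Service> element"]
    for svc in services:
        name = svc.get("name") or "(unnamed)"
        if not svc.get("name") or not svc.get("version"):
            findings.append("ERROR: service %s: name and version attributes are required" % name)
        policy = svc.find("Schema/Policy")
        if policy is None:
            # Without <Policy> the service is never offered as a Service Type.
            findings.append("ERROR: service %s: no <Schema>/<Policy>; the Policy Service "
                            "cannot protect it" % name)
            continue
        actions = policy.findall("AttributeSchema")
        if not actions:
            findings.append("ERROR: service %s: <Policy> declares no actions" % name)
        seen = set()
        for action in actions:
            aname = action.get("name")
            if not aname:
                findings.append("ERROR: service %s: <AttributeSchema> without a name" % name)
                continue
            if aname in seen:
                findings.append("ERROR: service %s: duplicate action %s" % (name, aname))
            seen.add(aname)
            if action.get("syntax") != "boolean":
                findings.append("WARN: service %s: action %s is not an allow/deny boolean"
                                % (name, aname))
            if action.find("IsResourceNameAllowed") is None:
                findings.append("WARN: service %s: action %s lacks <IsResourceNameAllowed/>, "
                                "so rules for it cannot name a resource" % (name, aname))
            values = action.find("BooleanValues")
            if action.get("syntax") == "boolean" and (
                    values is None
                    or values.find("BooleanTrueValue") is None
                    or values.find("BooleanFalseValue") is None):
                findings.append("ERROR: service %s: action %s needs both BooleanTrueValue "
                                "and BooleanFalseValue" % (name, aname))
    return findings


def ssoadm_load_command(xml_path, password_file="/tmp/pwd.txt", admin_id="amadmin"):
    """argv for step 3: load the file with ssoadm's create-svc subcommand.
    The admin id and password-file path are assumptions for this example."""
    return ["ssoadm", "create-svc", "--adminid", admin_id,
            "--password-file", password_file, "--xmlfile", xml_path]


if __name__ == "__main__":
    for label, doc in (("good", GOOD_SERVICE), ("bad", BAD_SERVICE)):
        result = check_policy_service(doc)
        print("%s -> %s" % (label, "OK" if not result else "%d finding(s)" % len(result)))
        for line in result:
            print("   " + line)
    print(" ".join(ssoadm_load_command("/config/xml/newServiceWithPolicy.xml")))
```

Run the check on the real file (read it as bytes and pass it to check_policy_service) before handing the path to ssoadm; any ERROR line means the service will load but will not behave as a policy-enabled service, and the WARN lines point at actions whose rules will not carry a resource name.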