Administrators can add a resource to an application domain, search a defined resource type, or create a defined resource type.
When adding a resource to an Application Domain, Administrators must choose from a list of defined Resource Types.
Oracle-provided resource types include:
HTTP
wl_authen
TokenServiceRP
Administrators can configure additional resource types, and define operations on both Oracle-provided and custom resource types. A particular resource can be defined to use a subset of the declared operations, or all of them (which includes any new operations defined on the resource's type subsequently). Administrators cannot remove custom resource types or operations for which resources have been created. Oracle-provided resource types and operations are marked as read-only within the policy store and cannot be removed.
Note:
Changes to the operation list of a resource type are not allowed if a resource of that type exists.
Table 22-1 compares resource types and operations.
Table 22-1 Comparison: Resource Types for Access Manager versus 10g
Access Manager 11g | Oracle Access Manager 10g |
---|---|
HTTP: The default resource type used with HTTP and HTTPS protocols. When adding an HTTP type resource to an Application Domain, Administrators must choose from a list of existing host identifiers and add the resource URL. This resource type is read-only. Default operations associated with the HTTP resource type need not be defined by an Administrator; instead, policies developed and applied to the resource apply to all operations. Operations: Oracle-provided resource types are read-only; associated operations are pre-defined. Policies developed and applied to HTTP type resources apply to all operations. See Also: "Resource Type Page". | HTTP: The HTTP resource type is read-only. Operations: Oracle-provided resource types are read-only; associated operations are pre-defined. Policies developed and applied to the resource apply to all operations. |
wl_authen: Resources for representing WebLogic Authentication schemes. This resource type is also read-only (default operations cannot be modified or deleted). This non-HTTP resource type is available to use with resources deployed in a WebLogic container in a domain that does not include Access Manager. The protected resource is accessed through its URL on the Oracle WebLogic Server. Type wl_authen resources require a custom Access Client. | N/A |
TokenServiceRP: Resources for representing Token Service Relying Party. The Operation for this resource type is Issue. | N/A |
Custom Resource Types: Have no associated host identifier. A custom "EJB" resource type can be created on demand for use in SSO integrations. | EJB: A custom resource type used in SSO integrations with WebLogic and WebSphere for authenticating the user. During authentication, the user's groups were fetched and populated in the Subject Principal as roles. Subsequent authorization was executed inside the application server based on user roles. No authorization calls were made using resource operations. |
Non-HTTP resource types have no associated host identifier. When adding non-HTTP resources to an Application Domain, Administrators must enter the Type name into the Resource URL field as a pointer. The name cannot match any host identifier (and vice versa). This is not a relative HTTP URL. | |
In the Oracle Access Management Console, resource types are organized with other Components under the Policy Configuration tab. The navigation tree shows Oracle-provided resource types: HTTP, wl_authen, and TokenServiceRP.
Note:
Pre-defined resource types cannot be deleted. Pre-defined operations are shown with a lock icon and cannot be deleted. Additional operations can be created, edited, or deleted as needed.
The HTTP resource type, shown in Figure 22-1, is used for Web applications protected by Access Manager and accessed using internet protocols (HTTP or HTTPS).
Figure 22-1 Default HTTP Resource Type Definition
The wl_authen resource type is shown in Figure 22-2. It is used for Fusion Middleware applications that use one of the following Access Manager Identity Assertion Provider configurations described in the Securing Applications with Oracle Platform Security Services:
Identity Asserter
Identity Asserter with Oracle Web Services Manager
Authenticator function
Figure 22-2 Default Resource Type wl_authen
The TokenServiceRP resource type represents the Token Service Relying Party, as shown in Figure 22-3. The operation for this resource type is Issue. For more information, see "Managing TokenServiceRP Type Resources".
Figure 22-3 Default Resource Type TokenServiceRP Resource Type
Table 22-2 describes the elements in each resource type definition.
Table 22-2 Resource Type Definition
Element | Description |
---|---|
Name | Required. A unique name of up to 30 alpha or numeric characters. Note: A non-HTTP Resource Type name cannot match a Host Identifier (and vice versa). |
Description | Optional. Use this field to describe the purpose of this resource type using up to 200 alpha or numeric characters. For example: Resources representing WebLogic Authentication schemes. |
Operations | Optional. Policies that govern a particular resource apply to all specified operations defined for the resource. Add (or remove) operations for this resource type as a string and the operations will be available when you define a resource of this type within an Application Domain. There is no limit to the number of operations that can be added to the resource type. Remote Registration: During automatic policy creation, specified operations are supported. During automatic policy creation with no operations specified, all operations defined for that type are supported. Migration: During an upgrade to Access Manager 11.1.2 (from 10g or from 11.1.1.3 or from 11.1.1.5), resource definitions and HTTP default operations are handled automatically. However, you must create any custom resource types to replace 10g-provided EJB custom resource types which are no longer provided by Oracle. See Also: "Resource Types and Their Use" and "Resources in an Application Domain". |
The following topics describe how to create, modify, and delete a resource type.
Users with valid Administrator credentials can locate a defined resource type.
Users with valid Administrator credentials can create a defined resource type.
For instance, you can define a custom resource type that applies to as few as one or two (or more) operations. Any defined custom resource type is listed with default resource types when adding resources to an authentication or authorization policy.
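A pre-flight check for a custom resource type definition, such as the EJB type that must be recreated after migration, written as an added example rather than Oracle code. It models the rules from Table 22-2 and the notes above in memory and does not call Access Manager. Assumptions: the `ResourceType` class, the function names and the sample host identifiers are hypothetical, names are compared case-sensitively, and the operation list is treated as frozen once any resource of the type exists.

```python
from dataclasses import dataclass, field

# Oracle-provided types named on the page; they are read-only.
ORACLE_PROVIDED = {"HTTP", "wl_authen", "TokenServiceRP"}

@dataclass
class ResourceType:                      # hypothetical model, not an OAM API
    name: str
    description: str = ""
    operations: list = field(default_factory=list)
    locked: set = field(default_factory=set)   # pre-defined (lock icon) operations
    resource_count: int = 0              # resources of this type already created

def check_new_type(rt, existing_names, host_identifiers):
    """Return the problems that would block creating this custom type."""
    problems = []
    # Only length is checked: the page's own wl_authen name shows that the
    # allowed character class is wider than letters and digits.
    if not 1 <= len(rt.name) <= 30:
        problems.append("name must be 1-30 characters")
    if rt.name in ORACLE_PROVIDED or rt.name in existing_names:
        problems.append("name is not unique")
    if rt.name in host_identifiers:
        problems.append("name matches a host identifier")
    if len(rt.description) > 200:
        problems.append("description exceeds 200 characters")
    # Hygiene check assumed here; the page only says operations are strings.
    if any(not op.strip() for op in rt.operations):
        problems.append("operation names must be non-empty")
    return problems

def check_change(rt, new_operations=None, delete=False):
    """Return the reason a change would be refused, or None if allowed."""
    if delete and rt.name in ORACLE_PROVIDED:
        return "Oracle-provided resource types cannot be removed"
    if delete and rt.resource_count:
        return "resources of this type exist; the type cannot be removed"
    if new_operations is None:
        return None
    if not rt.locked <= set(new_operations):
        return "pre-defined operations cannot be deleted"
    if rt.resource_count and set(new_operations) != set(rt.operations):
        return "operation list is frozen while resources of this type exist"
    return None
```

Running `check_new_type` against an export of existing type names and host identifiers before an upgrade surfaces name collisions while they are still cheap to fix.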