Integration Guide


Securing Microsoft Office SharePoint Server (MOSS) Resources

The Oracle Entitlements Server integrates with Microsoft Office SharePoint Server (MOSS) to protect pages hosted on the SharePoint portal. This integration provides a fine-grained entitlements solution for SharePoint.

This document describes software requirements, installation and configuration procedures, and setup steps.



Integration with SharePoint is provided through plugins which intercept calls within the SharePoint server and forward them to a Web Service SSM that acts as the Policy Decision Point (PDP).

With this integration, protection of the following SharePoint components will be externalized using OES:


Software Requirements

The following software must be installed for this integration to work properly.

Table 9-1 Required Software and Version

Component | Software and Version
Operating System | Microsoft Windows Server 2003 SP1/SP2
Microsoft .NET | Microsoft .NET Framework v3.5
Application Server | IIS 6 (for SharePoint 2007)
SharePoint Server | Microsoft Office SharePoint Server 2007*
Oracle Entitlements Server | OES 10gR3 or ALES 3.0 CP2 or higher


Install the SharePoint SSM

The SharePoint SSM is included in the IIS SSM. To install it, launch the SSM installation program (OES10gR3_ssm_win32.exe) and select the IIS SSM when prompted.

The SSM is installed in <BEA_HOME>/ales32-ssm/iis-ssm/sharepoint-ssm. This directory contains the directories/files listed in Table 9-2.

Table 9-2 SharePoint SSM Directories and Files

Directory or File | Description
sharepoint-ssm | The base directory containing the adm and lib directories and the Word readme of this document.
adm | Directory containing files used for configuration and error page display.
lib | Directory containing shared libraries (.DLLs), executables (.EXE) and Java packages (.JARs) which serve as functional modules. It also contains the [ALESAuthorizationFeature] directory, which contains the XML files used for deployment on the SharePoint server.
[lib] BEA.SharePoint.dll | Assembly (DLL) containing the SharePoint integration classes. The components packaged within this assembly are the Authorization Web Control, the custom tag library, the HTTP Module and the ALES Authorizer (with supporting classes).
[lib] Feature.xml | This XML file is the deployment descriptor of the feature used to deploy the authorization web control.
[lib] Elements.xml | This XML file contains the various elements deployed within the feature, which in this case is essentially the control.
[Runtime] Log4net.xml | This XML file contains the logging pattern, log file location, etc. for the output logs.
[lib] MOSSResourceDiscovery.exe | This executable is the administration script used to extract the resources from SharePoint and dump them into policy files that may be imported into OES.
[Discovery] AdmUrls.txt | This file contains the set of administrative URLs which are replicated by default for each new web created in SharePoint.
[Pages] custError.aspx | The custom error page which is displayed when a user is not authorized to view a page.
[lib] ALES_MOSS_Installer.exe | This executable is the installation script used to install the solution.
 | This configuration file is used by the installation script.
[lib] SampleIdentityAsserter.jar | This is the Sample Identity Asserter used to test the solution with the default Windows-based authentication used by SharePoint.
[lib] ssmwsCustomAssertion.jar | This is the custom credential holder used at the WS-SSM to test the solution.


Configure the SharePoint SSM

This section describes how to configure the SharePoint SSM. It assumes the deployer has administrative privileges on the Windows server where SharePoint is installed.

  1. Assembly Deployment

    Open C:\WINDOWS\assembly in a separate Windows Explorer window. Then drag and drop the following files into this folder.

    This will register these assemblies in the Windows GAC (Global Assembly Cache) and make them available to all .NET applications on the host.

  2. Update Master Page

    The SharePoint default.master page template (which is used by the various sites to create master pages of their own) has to be updated with the declaration of the delegate control. The location of the default.master page template is C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\TEMPLATE\GLOBAL. The declaration of the delegate control, which is placed in the HTML HEAD section of this master page, is as follows:

    <SharePoint:DelegateControl runat="server" ControlId="PageHeader"/>

    In addition, any custom master pages used for the SharePoint sites will have to be updated with the delegate control declaration. This can be done easily via the Microsoft Office SharePoint Designer.

  3. Custom Error Page

    Copy <BEA_HOME>\ales32-ssm\iis-ssm\sharepoint-ssm\adm\Pages\custError.aspx to the following SharePoint server directory:

    C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\TEMPLATE\LAYOUTS

  4. Restart IIS

    For detailed instructions on restarting IIS, see:

  5. SharePoint Resource List

    To identify the SharePoint resources to be defined in OES and included in policy definitions, run MOSSResourceDiscovery.exe, which is provided in the SharePoint SSM. This generates three files (object, objattr and decl) in a policy format that can then be used as input to the policy loader.

    1. Open a command line window on the SharePoint Server and run <BEA_HOME>\ales32-ssm\iis-ssm\sharepoint-ssm\lib\MOSSResourceDiscovery.exe.
    2. When prompted, enter the following:
      • Path to an existing folder in which the tool will create the policy files, for example C:\moss-ales-policy.
      • Path to <BEA_HOME>\ales32-ssm\iis-ssm\sharepoint-ssm\adm\Discovery\AdmUrls.txt, which is used to extract the admin URLs.
      • URL of the top level web (also known as the home web) in SharePoint, e.g. http://<sharepoint_server_name>.
      • Root resource under which the rest of the SharePoint resources will be defined in OES, e.g. //app/policy/MOSS.

Note that MOSSResourceDiscovery.exe takes a while to complete. The following is a sample successful execution of this process.

Welcome to the MOSS Resource Discovery
Enter the folder path where you want to create object,objAttr and decl file
Enter Path where Admin Url file is located
Enter SharePoint site URL and DONOT append url with /. e.g. http://sharepoint01

Enter Resource Base and DONOT append resource base with /. e.g. //app/policy/MicrosoftSharePoint

Resource Discovery starts....
Resource Discovery completed.
(Figure: Web Parts Resource Hierarchy)


Configure the Web Service SSM

The SharePoint SSM uses the Web Service SSM to make calls for policy authorization. Therefore, the Web Service SSM instance must be correctly configured as described in Configuring SSMs Using the ConfigTool in the SSM Installation and Configuration Guide.

After configuring the Web Service SSM, ensure that the ConfigTool created the root resource and bound it to the Web Service SSM. To verify this, log in to the Entitlements Administration Application and select the DefaultApp application in the left pane. Then click the Resources tab in the right pane. The root resource should appear directly under the Resources node. Select it and click Modify to make sure the SSM Bound field is set to the Web Service SSM.

If the application root resource is not present, it can be created as follows:

  1. Under DefaultOrg, select DefaultApp in the left pane and click the Resources tab in the right pane.
  2. Select the Resource node and click New at the bottom of the pane.
  3. On the New Resource dialog, complete the fields as described below and click OK:
  4. Click Save Changes at the top of the main window.


Import SharePoint Resources

After generating the SharePoint resource list, the resources must be imported into the OES.

To import the resources, do the following:

  1. In the Web Service SSM’s config\webservice-ssm\ales-policies directory, make a copy of load.conf file and save it in <BEA_HOME>\ales32-ssm\iis-ssm\sharepoint-ssm\adm. Then modify the file as described in Setting Configuration Parameters in the Policy Managers Guide.
  2. Enter the following:
  3. Run policyloader.bat <BEA_HOME>\ales32-ssm\iis-ssm\sharepoint-ssm\adm\load.conf

After the resources are imported, use the Entitlements Administration Application to define the authorization policies that control access to these resources.


Configure the SharePoint Server

This section contains instructions for configuring the SharePoint server to connect to the Web Service SSM:

Automated Configuration

The installation of SharePoint code can be accomplished as follows:

  1. Execute the following script:

    BEA_HOME\ales32-ssm\iis-ssm\sharepoint-ssm\lib\ALES_MOSS_Installer.exe

  2. Complete the prompts as described in Table 9-3.

    Table 9-3 ALES_MOSS_Installer.exe Prompts

    Prompt | Description
    Web Service URL | The URL of the Web Service SSM. Example: http://<hostname>:<port>/ServiceRegistry
    Web service SSM ID | The Web Service SSM's configuration ID.
    Name of the token in the user's HTTP session used to assert the identity of the user | The name of the token key used to assert the identity of the user. This depends on the type of identity assertion being used. Note: The default in SharePoint is LOGON_USER. If SharePoint is configured to use a different authentication model, this token will be different.
    Token name used for identity assertion | The name of the identity assertion type of the assertion token used in the ALES Identity Asserter that is configured for the Web Service SSM. Note: If using BEA_HOME\ales32-ssm\iis-ssm\sharepoint-ssm\lib\SampleIdentityAsserter.jar as the identity asserter on the Web Service SSM, the type is sampletoken (see Sample Identity Asserter Configuration).
    Fully-qualified path to the web configuration file (web.config) of the MOSS web application | Fully-qualified path to web.config, for example C:\Inetpub\wwwroot\wss\VirtualDirectories\80\web.config
    Please enter the WS - SSM resource base | Name of the root SharePoint resource. This resource was created as described in Configure the Web Service SSM.
    Fully-qualified path to the log4Net XML configuration file (log4Net.xml) | Fully-qualified path to the log4net configuration file. A default log4Net.xml is present in the <BEA_HOME>\ales32-ssm\iis-ssm\sharepoint-ssm\adm\Runtime directory. It needs to be updated with the required log level, log file location and logging format. Grant the "Everyone" group permission on the folder in which the log file will be generated, because the logs are written from each SharePoint user's security context.
    Please enter the Top level SharePoint site URL | Enter the URL in the format http://<sharepoint_server_name>/ Note: Be sure to include the '/' at the end of the URL.

  3. When prompted, confirm that you want to continue the installation. When you do so, the web configuration file is updated with the necessary information and the IIS server is restarted.
  4. When prompted to activate the authorization feature on the SharePoint sites and sub sites, enter the URL of the site or sub site.

    Note: This can also be accomplished by selecting Site Settings > Modify All Site Settings > Site Features page for the web.

    The installer then echoes the entries you made and prompts you to verify them. Upon verification, the following messages appear:

    Please wait while the installation proceeds ......

    Changes are being made in config file...
    Config file has been updated
    Feature directory has been deployed

    Server is being restarted....
    Attempting stop...
    Internet services successfully stopped
    Attempting start...
    Internet services successfully restarted

    Feature is being installed
    Operation completed successfully.
    Feature has been installed

  5. When prompted, verify that you want to activate the authorization feature on individual sites.
  6. When prompted for the SharePoint site, enter the address in the following format:

    http://<sharepoint_server_name>:<port>/<site_name>

  7. When prompted to exit, enter 0.


Manual Installations

This section describes how to manually configure the SharePoint server (without using ALES_MOSS_Installer.exe).

Modify SharePoint Web Configuration

The SharePoint web configuration file must be updated to include information about the assembly deployed above. Following is a list of changes that need to be performed:

  1. Open the following file in an editor:

    C:\Inetpub\wwwroot\wss\VirtualDirectories\80\web.config

    WARNING: On Windows, use Notepad. Using Wordpad will add '?' characters to the file.

  2. In the appSettings section, specify the properties described in Table 9-4.

    Table 9-4 AppSettings

    • Registry URL of the Web Service SSM
    • Configuration ID of the Web Service SSM
    • Name of the token used for getting the user's assertion from the session
    • Name of the identity assertion type defined in the identity asserter which is configured in the Web Service SSM
    • Distribution point of the SharePoint resource tree bound to the Web Service SSM
    • Fully qualified path to the log4Net XML configuration file
    • Top level SharePoint site, e.g. http://spsvr2/ (here the trailing '/' is important)
    • DisableALES: flag to disable the ALES integration. Note: When set to true, the Oracle SharePoint modules still load, but no policies are evaluated. Therefore, no runtime authorization is performed against OES. For Web Parts, authorization is performed at runtime: if an authorization policy DENIES view on a web part and DisableALES=true, the runtime authorization is not performed and the web part is still presented (since the policy is ignored). For List items, however, the permission has already been applied in SharePoint, and DisableALES=true does not affect this, so the List item remains hidden.

  3. Add the following entries to <SafeControls>:

    <SafeControl Assembly="BEA.SharePoint, Version=, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" Namespace="BEA.SharePoint.Controls" TypeName="*" Safe="True" />
    <SafeControl Assembly="BEA.SharePoint, Version=, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" Namespace="BEA.SharePoint.Modules" TypeName="*" Safe="True" />

  4. Add the following entry to the httpModules section:

    <add name="CustHTTPModule" type="BEA.SharePoint.Modules.CustHTTPModule, BEA.SharePoint, Version=, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />

  5. (Required only if custom content is published) The SafeMode section's PageParserPaths may be updated with the virtual path in which custom content is to be published. The custom content may then be authorized via the tag library provided with the solution. An example of such a change is shown below:

    <PageParserPaths>
      <PageParserPath VirtualPath="/Pages/*" CompilationMode="Always" AllowServerSideScript="true" IncludeSubFolders="true"/>
    </PageParserPaths>

  6. Restart the IIS server.
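As an added check (example code written for this guide, not part of the SharePoint SSM or of ALES_MOSS_Installer.exe), the following Python parses a web.config and verifies that the SafeControl entries, the CustHTTPModule registration and the DisableALES setting described above are present and that enforcement is actually on. The embedded web.config is a constructed minimal sample; a real SharePoint web.config has many more sections, and the appSettings key names other than DisableALES are not given on this page.

```python
import xml.etree.ElementTree as ET

# Values from the integration guide (assembly name, public key token, namespaces,
# module name); everything else in this file is a constructed sample.
ASSEMBLY = "BEA.SharePoint"
PUBLIC_KEY_TOKEN = "68b08a2fa869dfdc"
REQUIRED_NAMESPACES = {"BEA.SharePoint.Controls", "BEA.SharePoint.Modules"}
MODULE_NAME = "CustHTTPModule"
MODULE_TYPE = "BEA.SharePoint.Modules.CustHTTPModule"

# Constructed minimal web.config carrying the entries the guide asks for.
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="DisableALES" value="false" />
  </appSettings>
  <SharePoint>
    <SafeControls>
      <SafeControl Assembly="BEA.SharePoint, Version=, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" Namespace="BEA.SharePoint.Controls" TypeName="*" Safe="True" />
      <SafeControl Assembly="BEA.SharePoint, Version=, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" Namespace="BEA.SharePoint.Modules" TypeName="*" Safe="True" />
    </SafeControls>
  </SharePoint>
  <system.web>
    <httpModules>
      <add name="CustHTTPModule" type="BEA.SharePoint.Modules.CustHTTPModule, BEA.SharePoint, Version=, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
    </httpModules>
  </system.web>
</configuration>
"""


def _assembly_parts(spec):
    """Split 'Name, Key=Value, ...' into (name, {Key: Value})."""
    pieces = [p.strip() for p in spec.split(",")]
    props = dict(p.split("=", 1) for p in pieces[1:] if "=" in p)
    return pieces[0], props


def check_web_config(xml_text):
    """Return a dict of findings plus a list of human readable problems."""
    root = ET.fromstring(xml_text)
    problems = []

    # SafeControl entries: both namespaces, right assembly/token, Safe="True".
    safe_namespaces = set()
    for sc in root.iter("SafeControl"):
        name, props = _assembly_parts(sc.get("Assembly", ""))
        if name == ASSEMBLY and props.get("PublicKeyToken") == PUBLIC_KEY_TOKEN \
                and sc.get("Safe") == "True":
            safe_namespaces.add(sc.get("Namespace"))
    for ns in sorted(REQUIRED_NAMESPACES - safe_namespaces):
        problems.append(f"missing SafeControl for namespace {ns}")

    # The HTTP module that intercepts requests must be registered.
    module_ok = False
    for modules in root.iter("httpModules"):
        for add in modules.findall("add"):
            type_name, props = _assembly_parts(add.get("type", ""))
            if add.get("name") == MODULE_NAME and type_name == MODULE_TYPE \
                    and props.get("PublicKeyToken") == PUBLIC_KEY_TOKEN:
                module_ok = True
    if not module_ok:
        problems.append("CustHTTPModule is not registered in httpModules")

    # DisableALES=true means the modules load but evaluate no policies.
    disable = None
    for settings in root.iter("appSettings"):
        for add in settings.findall("add"):
            if add.get("key") == "DisableALES":
                disable = (add.get("value") or "").strip().lower()
    if disable is None:
        problems.append("DisableALES is not set in appSettings")
    elif disable == "true":
        problems.append("DisableALES=true: no runtime authorization is performed against OES")

    return {
        "safe_controls_ok": not (REQUIRED_NAMESPACES - safe_namespaces),
        "http_module_ok": module_ok,
        "disable_ales": disable,
        "enforcing": not problems,
        "problems": problems,
    }
```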

Deploy OES Authorization in SharePoint

Perform the following steps to deploy the OES authorization feature in SharePoint:

  1. Copy the BEA_HOME\ales32-ssm\iis-ssm\sharepoint-ssm\lib\ALESAuthorizationFeature directory to the following directory on the SharePoint server:

    C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\TEMPLATE\FEATURES

  2. To install the feature, open a command prompt and execute the following:

    "C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\BIN\STSADM.EXE" -o installfeature -name ALESAuthorizationFeature

  3. Once installed, the feature may be activated for each web and sub-web (activated separately for webs and sub-webs) using the Site Settings > Modify All Site Settings > Site Features page or from the command line as shown:

    "C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\BIN\stsadm.exe" -o activatefeature -name ALESAuthorizationFeature -url http://sharepoint01/News

When authorization is activated against a sub-site, access to all the web parts in the sub-site’s web pages is secured. For example, if the authorization feature is deployed on http://eagle/Reports, access is controlled on all web parts under this sub-site.

If an authorization policy denies access to the //app/policy/MOSS/Reports/Pages/Default.aspx/Announcements resource, the Announcements web part will not appear when http://eagle/Reports/Pages/Default.aspx is opened.

Modify SSM Configuration

Perform the following steps:

  1. Shut down the Web Service SSM and copy BEA_HOME\ales32-ssm\iis-ssm\sharepoint-ssm\lib\SampleIdentityAsserter.jar to the BEA_HOME\ales32-ssm\webservice-ssm\lib\providers\css directory.
  2. Configure the new identity assertion type ("sampletoken") at the Web Service SSM as described in Sample Identity Asserter Configuration.

    Note: The credential holder class (TestCredHolderImpl) is packaged in BEA_HOME\ales32-ssm\iis-ssm\sharepoint-ssm\lib\ssmwsCustomAssertion.jar.

  3. Restart the Web Service SSM so that it picks up the latest configuration and deploys the provider.

Create SharePoint Resources in OES

If resources (such as webs, lists, etc.) are created in SharePoint after resource discovery has been performed, these resources must be defined in OES manually.

The following section describes this manual creation of resources corresponding to webs, lists, items and web parts. Because the resource model is based on URLs, the web page URLs are used to create the resources in OES. These resources must be defined under the root resource that was created by the ConfigTool.


A SharePoint web is defined in OES using the web's URL. If the web URL is http://<SharePoint_Server_Name>/web1, create a child resource named web1 under the root resource.

The administrative URLs corresponding to the web are listed in BEA_HOME\ales32-ssm\iis-ssm\sharepoint-ssm\adm\Discovery\AdmUrls.txt. Because these URLs are invoked by administrative actions performed on the web and its children, they should be created as child resources of the web1 resource.

Lists & Items

Web creation will also create a set of lists depending upon the template used. These lists are incorporated into the resource tree. How they are defined depends on whether they are document or non-document lists.

For Document Lists...

For a List view URL of http://<SharePoint_Server_Name>/web1/TestDocLib/Forms/AllItems.aspx, create the resource hierarchy shown in Figure 9-1.

Figure 9-1 Document Lists Resource Hierarchy

For Non-Document Lists...

  1. For a List view page of http://<SharePoint_Server_Name>/web1/Lists/Announcements/AllItems.aspx, create the resource tree shown in Figure 9-2.

    Figure 9-2 Non-Document List Resource Hierarchy

  2. Click on any item in the list and note the ID parameter in the URL, for example:

    http://<SharePoint_Server_Name>/web1/Lists/Announcements/DispForm.aspx?ID=2&Source=http%3A%2F%2Fsharepoint01%2Fweb1%2FLists%2FAnnouncements%2FAllItems%2Easpx

    The ID is used as the name of the non-document item and must be defined as a child resource of both EditForm.aspx and DispForm.aspx. This must be done for every item within a non-document list.

    Note: An easy way to find the ID of an item is to hover the mouse over the item link and read the ID from the URL displayed in the browser's status bar.

Pages in SharePoint exist either in document libraries or in the web base. The page may be defined in OES by creating a resource for each section of the URL.

Web Parts

Corresponding to a web, there may be a set of pages created for publishing content. A web part is one of the easiest and best ways in which content is published in SharePoint. To authorize access to web parts, create the web parts as resources in OES. Web parts are created as sub-resources of the page resource, and the name of the resource is the display name of the web part.

An example as it would be displayed in the Administration Console is shown in Figure 9-3.

Figure 9-3 Web Parts Resource Hierarchy

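The mapping rules of this section, as an added Python example (not part of the SharePoint SSM or of MOSSResourceDiscovery.exe): it turns SharePoint URLs into the OES resource paths described above for webs, list views, non-document list items and web parts, and lists the parent resources that must exist before a resource can be created. The root resource, server names and display name below are constructed sample values.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample values (assumptions, not from a real deployment): the root
# resource created by the ConfigTool and the top level web of the SharePoint site.
ROOT_RESOURCE = "//app/policy/MOSS"
TOP_LEVEL_WEB = "http://sharepoint01"


def _path_to_resource(path, root):
    """Each section of the URL path becomes one resource node under the root."""
    path = path.strip("/")
    return root if not path else f"{root}/{path}"


def url_to_resource(url, root=ROOT_RESOURCE, site=TOP_LEVEL_WEB):
    """Map a web, list view or page URL to its OES resource path.

    The resource model is URL-based, so the host must be the top level web and
    the path sections are mirrored as they appear in the URL."""
    parts = urlsplit(url)
    if parts.netloc.lower() != urlsplit(site).netloc.lower():
        raise ValueError(f"{url} is not under the top level web {site}")
    return _path_to_resource(parts.path, root)


def ancestors(resource, root=ROOT_RESOURCE):
    """Resources are created top-down: return the chain of parent resources
    that must already exist before `resource` can be created under `root`."""
    rel = resource[len(root):].strip("/")
    chain, current = [], root
    for section in rel.split("/")[:-1]:
        current = f"{current}/{section}"
        chain.append(current)
    return chain


def list_item_resources(item_url, root=ROOT_RESOURCE, site=TOP_LEVEL_WEB):
    """For a non-document list item, the ID query parameter names the item; it
    must be a child of both DispForm.aspx and EditForm.aspx of that list."""
    parts = urlsplit(item_url)
    if parts.netloc.lower() != urlsplit(site).netloc.lower():
        raise ValueError(f"{item_url} is not under the top level web {site}")
    item_id = parse_qs(parts.query).get("ID", [None])[0]
    if item_id is None:
        raise ValueError("item URL carries no ID parameter")
    form_resource = _path_to_resource(parts.path, root)
    list_resource = form_resource.rsplit("/", 1)[0]   # drop DispForm.aspx / EditForm.aspx
    return [f"{list_resource}/DispForm.aspx/{item_id}",
            f"{list_resource}/EditForm.aspx/{item_id}"]


def web_part_resource(page_url, display_name, root=ROOT_RESOURCE, site=TOP_LEVEL_WEB):
    """A web part is a child of its page resource, named by its display name."""
    return f"{url_to_resource(page_url, root, site)}/{display_name}"


if __name__ == "__main__":
    item = ("http://sharepoint01/web1/Lists/Announcements/DispForm.aspx?ID=2"
            "&Source=http%3A%2F%2Fsharepoint01%2Fweb1%2FLists%2FAnnouncements%2FAllItems%2Easpx")
    for res in list_item_resources(item):
        print(res, "needs parents:", ancestors(res))
```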


Sample Identity Asserter Configuration

This section provides instructions for testing the solution with SharePoint's out-of-the-box Windows-based authentication.

Note: The solution employs simple username assertion, which does not provide sufficient security for production environments.

Policy Updates

The users present in the directory used for authentication by SharePoint (AD by default) should be created in OES. The user name should be in lower-case. Policies should be created for these users and distributed to the Web Service SSM.


  1. In the Entitlements Administration Application, select the SharePoint organization in the left pane and click the Identities tab in the right pane.
  2. If necessary, create a SharePoint identity directory. Under this directory create a user using the format <computer_name>\<user_name>, for example, eagle\administrator.

    Note: This is a user name containing a backslash (\). Make sure to use all lowercase letters.

  3. Define an authorization policy that denies access to a web part in a web page.

    For example, the following policy denies the eagle\administrator user access to //app/policy/MOSS/Reports/Pages/default.aspx/Announcements. As a result of this policy, the user will not see the 'Announcements' web part when accessing http://eagle/Reports/Pages/Default.aspx.

    Deny (view, //app/policy/MOSS/Reports/Pages/default.aspx/Announcements, //user/asi/eagle\\administrator/)

SSM Configuration Updates

Perform the following steps:

  1. On the SSM machine, copy BEA_HOME\ales32-ssm\iis-ssm\sharepoint-ssm\lib\SampleIdentityAsserter.jar to the following directory on the Administration Server machine:
  2. BEA_HOME\ales32-admin\lib\providers\css
  3. Restart the Administration Server and log into the Administration Console.
  4. In the left pane, expand the Security Configuration node and select the Web Service SSM used for securing SharePoint.
  5. In the right pane, select Java SSM 3.0, WS SSM 3.0 in the Configuration Version dropdown list and click Apply.
  6. Remaining in the right pane, select the Provider tab and then open the Authentication tab.
  7. On the Authentication tab, choose Configure a new Sample Identity Asserter2. For this identity asserter, choose sampletoken as the Active type and make sure the "Base64Decoding required" checkbox is not selected. Then click Create and Apply.
  8. Return to the Authentication tab and click Reorder the Configured Authentication Providers. Then make sure SampleIdentityAsserter2 is at the top of the list and click Apply.
  9. If any other authentication provider has been configured for the Web Service SSM, display the provider’s General tab and select OPTIONAL in the Control Flag field. Then click Apply.

Adding New Identity Assertion Types

To add support for the new assertion type ("sampletoken") to the Web Service SSM:

  1. To add the JAR file containing the holder class to the Web Service SSM's classpath, open BEA_HOME/ales32-ssm/webservice-ssm/instance-name/config/WLESws.wrapper.conf in an editor and add a classpath line like the following:

    BEA_HOME/ales32-ssm/iis-ssm/sharepoint-ssm/lib/ssmwsCustomAssertion.jar

    Note: The classpath lines in this file are numbered, and the numbers must increment sequentially.

  2. To modify the mapping file for incoming messages, open BEA_HOME/ales32-ssm/webservice-ssm/lib/com/bea/security/ssmws/soap/castor.xml in an editor and add an entry like the following:

    <class name="">
      <map-to cst:xml="sampletoken" />
      <field name="cookie" type="java.lang.String">
        <bind-xml node="text"/>
      </field>
    </class>

  3. To modify the mapping file for outgoing messages, open BEA_HOME/ales32-ssm/webservice-ssm/lib/com/bea/security/ssmws/credentials/castor.xml in an editor and add an entry like the following in the <mapping> element:

    <class name="">
      <map-to cst:xml="sampletoken" />
      <field name="cookie" type="java.lang.String">
        <bind-xml node="text"/>
      </field>
    </class>

  4. Restart the Web Service SSM.
  5. When the Web Service SSM is started, it uses the new holder implementation and the mapping entries to convert back and forth between the token's XML and Java representations.

SharePoint Configuration Updates

To use the identity asserter configured above, the following updates are required in the appSettings section of the SharePoint web configuration file (C:\Inetpub\wwwroot\wss\VirtualDirectories\80\web.config in the SharePoint deployment).

The value of the token key should be set to LOGON_USER. This is a header set by SharePoint that carries the user id of the currently logged-in user (in the form <MachineName>\<UserName>, for example, EAGLE\Administrator). The value of this header is passed in the call to the Web Service SSM to assert the identity of users coming to SharePoint.

The value of the IdentityAsserterName key should be set to sampletoken. This is the active token type of the identity asserter BEA_HOME\ales32-ssm\iis-ssm\sharepoint-ssm\lib\SampleIdentityAsserter.jar configured above.

After updating the web configuration, restart IIS.


Uninstall OES-SharePoint Integration

This section details the steps to be performed to uninstall OES from SharePoint.

  1. Remove any entries that were added to C:\Inetpub\wwwroot\wss\VirtualDirectories\80\web.config as described in Modify SharePoint Web Configuration.
  2. Delete the following file:

    C:\Inetpub\wwwroot\wss\VirtualDirectories\80\web.config.preALESMOSSInteg

  3. To deactivate the authorization feature, open a command line and enter:

    "C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\BIN\STSADM.EXE" -o deactivatefeature -name ALESAuthorizationFeature -url http://sharepoint01/News -force

  4. Repeat the previous step against all the sub-sites where the authorization feature was activated.
  5. To uninstall the authorization feature, open a command line and enter:

    "C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\BIN\STSADM.EXE" -o uninstallfeature -name ALESAuthorizationFeature -force

  6. Delete the ALESAuthorizationFeature directory from C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\TEMPLATE\FEATURES.
  7. Delete the custom error page (custError.aspx) from the C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\TEMPLATE\LAYOUTS directory.
  8. If the tag library is used in SharePoint pages, use the SharePoint Designer to remove those tags.
  9. Use a text editor (for the default template) or the SharePoint Designer (for custom master pages) to remove the delegate control entry made in the master pages.
  10. In the C:\WINDOWS\assembly directory, right-click BEA.SharePoint.dll and select Uninstall.
