How Tos

     Previous  Next    Open TOC in new window    View as PDF - New Window  Get Adobe Reader - New Window
Content starts here

Resource Discovery

The most challenging aspect of writing policy for an application is discovering all the application resources that must be secured. This process is greatly simplified by running the SSM in 'discovery' mode and then performing one or more user sessions that reflect actual use in the application. Based on the activities performed during the user session, ALES will generate an initial policy set to files that can then be imported into ALES.

Note: Do not use discovery mode in a production environment. Use it only during development to create the initial security policy.


Enabling Discovery Mode

Resource discovery is enabled by setting the ASI Authorization and ASI Role Mapping providers to run in discovery mode. In this mode, these providers always return 'true' when evaluating user requests and generate the initial policy files based on those requests.

To enable discovery mode, modify the command line that starts the SSM by adding the following system properties:

The system properties are set using the -D switch in the appropriate file. As an example, to enable resource discovery for the WLS SSM, add the following lines to the SSM’s set-wls-env.bat file:



For each SSM, Table 9-1 indicates the name and location of the file that must be modified.

Table 9-1 Setting System Properties for Discovery Mode
SSM Type
File Name
Default Location
set-env.bat (.sh )
Web Services
WebLogic Server 8.1
set-wls-env.bat (.sh)
WebLogic Server 9.x/10.x
set-wls-env.bat (.sh)


Running in Discovery Mode

After enabling discovery mode as described in the previous section, start the secured application. Then perform a user session by logging in to the application, exercising requests for resources, and invoking application functions.

It is important to note that the generated files are meant to serve as a starting point for defining a policy set to fully secure the application. In particular, note the following:

When generating the files, user requests are transformed into a policy import format. Under this format, a request consists of four elements: Subject, Resource, Action, Attributes. Each element has different restrictions on the allowable character set. The providers automatically normalize any invalid characters to produce a valid entry. See Character Restrictions in Policy Data for further details.


Importing the Policy

The files generated by discovery mode will be located in the SSM's domain directory. To import them into ALES, use the Policy Import tool.

Once imported, the policy can be managed using the Entitlements Management Tool.

  Back to Top       Previous  Next