ALES Integration Guide

Securing Applications Developed Using BEA Workshop for WebLogic

This section describes how to use ALES with BEA Workshop for WebLogic Platform and discusses how to use the ALES Annotations Plugin and the ALES Tag Library.



The ALES Annotations Plugin or ALES Tag Library for Workshop can be used to secure applications being deployed in WebLogic Workshop.


ALES Annotations Plugin

The ALES Annotations Plugin can be used to annotate EJB objects in Workshop with security related metadata. The metadata can then help you to:

Integration Tasks

This section provides instructions for creating an EJB with ALES annotations and then securing it with ALES policy. The integration tasks provided here are based on those instructions.

  1. Set up the plugin in Workshop as described in Set Up the ALES Annotations Plug-in
  2. Annotate the EJB and export the policy file to ALES. For an example, see Using ALES Annotations in a WebLogic Bean Class.
  3. Define ALES policies for securing the EJB as described in Define Policies for the Imported Policy File.

Set Up the ALES Annotations Plug-in

The ALES Annotations plugin is provided in two JAR files for use with Workshop 9.2 or 10.0:


To install the plugin:

  1. Copy the appropriate file from BEA_HOME/ales30-admin/lib/eclipsePlugins to the following directory:
  2. BEA_HOME/WORKSHOP_HOME/workshop4WP/eclipse/plugins
  3. Restart Workshop.
  4. You should see the ALES Annotations facet in a new or existing WebLogic EJB project.

    Figure 4-1 Project Facets

    Project Facets

Using ALES Annotations in a WebLogic Bean Class

This section contains the following topics:

Create a WebLogic SessionBean

The first step in this example is to use Workshop to create a WebLogic Session Bean:

  1. Create a new project named EjbExample.
  2. Select EjbExample in the left panel, right click the src node and select New > Package. Then name the package beans.
  3. Right click on beans and select New > WebLogic Session Bean. Then set the file name to AccountService.

Add ALES Annotations to the WebLogic Bean Class

To add security annotations to the AccountService class:

  1. In the edit window for the Weblogic Session Bean class, import the following two classes:
  2. import;

  3. To define the Bean class AccountService as an ALES resource:
    1. Before the class definition, add the annotation @ALESResource. The ALESResource – Annotation property appears in the Annotations viewer.
    2. Under ALESResource, right click attributes and click Add Member Attributes may now be assigned to this resource.
    3. Figure 4-2 Assigning ALESAttributes

      Assigning ALESAttributes

  4. Expand the ALESAttribute node under ALESResource > attributes in the right panel and set the name and value of the ALESAttribute to beantype = account.
  5. Similarly, we can define any methods inside this class as ALES resources and assign ALES attributes to them using the ALES Annotations plug-in. For example, annotate the ejbCreate() method to define it as an ALES resource with the ALESAttribute operation = create.
  6. @ALESResource(attributes={@ALESAttribute(name = "operation", value = "create")})

Add ALES Information to the Project

To define ALES-specific properties for the project:

  1. In Workshop’s left pane, right -lick the EjbExample project node and click Properties. The Properties window appears.
  2. Figure 4-3 ALES Annotation Project Properties

    ALES Annotation Project Properties

  3. Select ALES annotations and configure the following four properties:
    • SSM configuration—SSM to bind to the EJB application with; for example,wls-ssm.
    • EJB application—EJB application to deploy; for example, BankingApp.
    • EJB module—EJB module to deploy; for example, AccountModule.
    • Policy file—absolute path of the policy file to export the ALES annotations.

Export the Policy File from Workshop

After annotating the project in the example, the security policy file can be exported from Workshop and then imported into ALES:

  1. In the Package Explorer or Navigator panel of Workshop, right-click the EjbExample project node, select Export > ALES Export Policy File, and then click Next.
  2. Figure 4-4 ALES Policy File Export Window

    ALES Policy File Export Window

  3. In the ALES Policy File Export window, specify the project name and the pathname for the policy file (for example, EjbExamplePolicy.xml).
  4. If the Leave unspecified checkbox is checked, the policy file will includes tokens for SSM configuration, EJB application, and EJB module instead of the values you specified for them. Later, the EJB application deployer can replace these tokens. This functionality is useful when the developer does not know all the deployment parameters of the target machine, or the EJB application is going to be deployed on multiple machines with different configurations.

Import the Policy File into ALES

This section describes how to use the ALES policyIX utility to load the ALES Annotations policy file created in Export the Policy File from Workshop into ALES.

  1. If you have not already done so, start the ALES Administration Server and load the admin policies running the install_ales_schema script.
  2. If Leave unspecified was selected when the policy file was created, the file includes tokens instead of specific values for the SSM configuration, EJB application, and EJB module. Before importing the policy, you must replace these tokens with the actual values. In ALES_ADMIN_HOME/config/, replace the tokens with the corresponding values:
    •—SSM configuration
    •—EJB application
    • ap.ejb.mod—EJB module
    • exported.res.file—pathname of the policy file
    • After replacing the tokens, run ALES_ADMIN_HOME/bin/annotation_transform to create the policy file using the actual values. The file will have the same name as the exported.res.file parameter with the extension .import appended.

  3. Use the policyIX utility to import the policy file. For example:
  4. C:\ALES_ADMIN_HOME/bin> policyIX -import config.xml EjbExamplePolicy.xml

    For more information, see policyIX in the Administration Reference.

After importing the policy, use the ALES Administration Console to view the resources and resource attributes. Under wls-ssm/BankingApp/ejb/AccountModule, you can see:

Define Policies for the Imported Policy File

After importing the policy file into ALES, you may create policies that define access rules for the resources defined with ALES annotations. For example, the following rule grants the execute privilege to the AccountManagerRole for all the resources under BankingApp if beantype=”account”:

grant( //priv/execute, //app/policy/wls-ssm/BankingApp, //role/AccountManagerRole) if beantype="account"

Since all methods inherit attributes of the bean class, the resource AccountService and all its methods satisfy the constraint, defining this rule enables the AccountManagerRole to execute all AccountService methods.

The following rule allows a user with the Customer role to execute any method in the banking application, but only if the method is annotated with the attribute accessLevel="customer". The rule also allows the user to create an instance of the EJB by calling create method of the corresponding EJB's home interface:

grant( //priv/execute, //app/policy/wls-ssm/BankingApp, //role/Customer) if accessLevel="customer" or operation="create"


ALES Tag Library for Workshop

The ALES Tag Library for Workshop can be used to add ALES security functionality to Java Server Pages (JSPs).

Tag libraries provide a way to abstract functionality used by a JSP page, which allows for less-complex JSP pages. A tag library packages functions into a tag handler class. A JSP does not have to directly invoke this tag handler. Instead, you place simple tags in your JSP pages. When the container executes a JSP at runtime and comes across a tag, the tag handler is invoked and provides the desired functionality.


The requirements for using the ALES Tag Library are:

ALES Tag Library Tags

The following tags are available in the ALES Tag Library for Workshop. See ALES Tag Library Reference for additional information and attributes.

Integration Tasks

This section provides instructions for adding ALES tags to a JSP page. The integration tasks provided here are based on those instructions.

  1. Add the ALES Tag Library to Workshop as described in Add the Tag Library to Workshop
  2. Add ALES tags to the JSP pages as described in Using ALES Tags in JSP Pages.
  3. In ALES, define the policies for securing the JSP components as described in .Define the Policies to Secure JSP Components
  4. Distribute the policy data to the WLS SSM as described in Deploy the JSP Application.

Add the Tag Library to Workshop

A file named alestags.jar contains the ALES tag library and supporting classes. This file is packaged in one of the following WebLogic version-specific files located in the BEA_HOME\ales30-admin\lib\eclipsePlugins directory:

Follow these steps to integrate the tag library JAR file:

  1. Copy com.bea.wlw.ales.tags_9.2.0.jar or com.bea.wlw.ales.tags_10.0.0.jar from BEA_HOME\ales30-admin\lib\eclipsePlugins to the following directory:
  2. BEA_HOME\<workshop_version>\workshop4WP\eclipse\plugins


    <workshop_version>—the Workshop directory for versions 9.x or 10.0

  3. Restart Workshop.
  4. If creating a new project:
    1. Create and provide a name for a new dynamic web project.
    2. Then click and select the ALES Tag Support project facet and click Finish.
    3. Click Window->Show View->JSP Design Palette to display the JSP Design Palette.
  5. If adding to an existing project:
    1. Right-click on the project and select properties.
    2. Click the project facets properties in the left navigation bar of the popup.
    3. Click add/remove facets.
    4. Select the ALES Tag Support project facet and click finish.
    5. Click Window->Show View->JSP Design Palette to display the JSP Design Palette.

At the conclusion of these steps, alestags.jar should be located in the web-inf/lib directory and the JSP Design Palette should display the ALES Tags.

Using ALES Tags in JSP Pages

The ALES tags can wrap the JSP components and they will be rendered if allowed. There is also an else tag for the case where a component is denied.

Listing 4-1 shows an example of using ALES tags in a JSP page.

Listing 4-1 Example JSP Page With ALES Tags

<%@ taglib prefix="ales" uri=""%>

<%@ taglib prefix="c" uri=""%>

<%@ page language="java" contentType="text/html; charset=ISO-8859-1"


<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "">



<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">



<ales:setSecurityContext value="/testtagapp">

<ales:attribute name="foo" value="1"/>



<ales:isAccessAllowed resource="/isAllowed" action="view">

<ales:then>You are allowed to see the secret text</ales:then>

<ales:else>DenyReason: <c:out value='${responses["denyreason"]}'/> </ales:else>




In Listing 4-1 the <@taglib prefix=”ales” uri=> line signifies that all tags prefixed with ales: will call the ALES tag library.

The ales:isAccessAllowed tag takes a resource and an action.

Resources on the JSP page are relative to the WLS SSM’s binding node. In addition, one of the parameters you pass in to the (optional) setSecurityContext tag is a resource URI. This URI is relative and pre-pended to the SSM binding node at runtime. In the example, the resource URI is testtagapp.

Therefore, after adding the binding node and resource URI, the fully qualified resource name at runtime is //app/policy/<binding_node>/testtagapp/isAllowed.

Define the Policies to Secure JSP Components

Use the ALES Administration Console or Entitlements Management Tool to create policies for the resources on the JSP page.

Based on the example, we would create a resource //app/policy/<binding_node>/testtagapp/isAllowed where <binding_node> would be the SSM’s binding node from Step 1. We could then write policies based on that resource to determine what users are allowed to see the secret text.

The parameter passed in to the (optional) ALES setSecurityContext tag is a resource URI, which is a value to be used as a prefix for all other resources on the page. For example: <setSecurityContext value=”/mybank/loanApplicationForm”/>.

This URI is relative and prepended with the SSM binding node at runtime. This resource URI uniquely identifies the resources.

Any attributes set within setSecurityContext are passed to every ALES API call. For example, if you set foo=1 in the security context and then use the isAccessAllowed tag, foo=1 would be available to policies as an application context variable.

Use the resources and actions specified in the tags when creating the ALES policy definitions. Be aware that the fully qualified name of the resource is:

//app/policy/<binding node>/<SecurityContext-Value>/resource

Using Policies to Return Response Attributes

There is nothing unique about ALES policies that protect a resource referenced in a JSP file by a tag library (beyond the general requirement that the resource names and actions you specify in tags must correlate with the policy). However, by using result and response attributes such as isAccessAllowed.resultVar, the policy can be used to return and then test those response attributes.

As described in Using Response Attributes, response attributes are typically specified using built-in evaluation functions that report name/value pairs. There are two functions for returning attributes: report() and report_as(). These functions always return TRUE (if there are no errors), and the information is passed to the application as response attributes.

The JSP Standard Tag Library (JSTL) provides a set of core functionality common to most web applications, including generic iterators and Boolean checks. As such, the ALES tag library does not implement its own set of iterators. The data returned by the ALES tags to the JSP can be processed using the JSTL.

Therefore, a JSP file can contain a JSTL tag used in the following way:

<ales:isAccessAllowed resource=”/creditScore” action=”view” resultVar=”canViewCreditScore”>



<c:if test=”${canViewCreditScore == true}”>

Show customer credit score


Deploy the JSP Application

When the WebLogic Server container on the local system executes a JSP at runtime and encounters an ALES tag, the tag handler is invoked and interacts with the WLS 9.x SSM to determine if access is allowed to the resource, get the user roles, and so forth.

You do not need to supply an authenticated subject to the ALES tags for Workshop. This is because WebLogic Server determines and authenticates the subject and then makes the authenticated subject available for authorization decisions. No special action in the JSP page is required.

JSP pages contain ALES tags can be tested even if the SSM is not deployed. ALES tags will allow both ‘allow’ and ‘deny’ cases to display on the page and data retrieval methods return empty results.


ALES Tag Library Reference

This section describes reference and usage information for the ALES tag library.


The isAccessAllowed tag calls the ALES runtime to determine if the user is allowed to perform the requested action on the requested resource. If true is returned, it allows the container to continue processing the body of the tag.

For convenience, the result of calling isAccessAllowed can be placed within the resultVar for later use.

isAccessAllowed looks for the ARME configuration file in the system properties. If not found, all elements in the body tag are displayed.

Table 4-1 isAccessAllowed
Return Type
The resource used when calling isAccessAllowed
The action used when calling isAccessAllowed. The default action is view
The name of the scripting variable used to tell if access is allowed.
The scope of the resultVar (page, request, session, or application). The default scope is page.
Collection of Strings
The name of the variable used for returning responses from calling isAccessAllowed
The scope of the variable containing responses from is access allowed (page, request, session, or application). The default scope is page.

isAccessAllowed Concepts

Listing 4-2 shows the concepts of using isAccessAllowed in a JSP.

Listing 4-2 Using isAccessAllowed in a JSP

<%-- set up the global context for this jsp page --%>

<ales:setSecurityContext value=”/mybank/loanApplicationForm”>

<%-- An attribute to pass to the ALES application context for all calls on this page--%>

<attribute name=”loanAppId” value=”<%= request.getParameter(\”appId\”)%>”/>


<ales:isAccessAllowed resource=”/creditScore” action=”view” resultVar=”canViewCreditScore”>

<%-- An attribute to pass to the ALES application context for this call--%>

<attribute name=”customerId” value=”<%=request.getParameter(\”customerId\”)%>





<B>You are not authorized to view the customer’s credit score</B>



Alternatively, after the isAccessAllowed tag with the resultVar canViewCreditScore attribute, you could use a JSTL tag in the following way:

<c:if test=”${canViewCreditScore == true}”>
  Show customer credit score


The isAccessNotAllowed tag calls the ALES runtime to determine if the user is allowed to perform the requested action on the requested resource. If true is returned, it allows the container to continue processing the body of the tag.

For convenience, the result of calling isAccessAllowed can be placed within the resultVar for later use.

isAccessNotAllowed looks for the authorization and role mapping engine (ARME) configuration file in the system properties. If not found, all elements in the body tag are displayed.

Table 4-2 isAccessNotAllowed
Return Type
The resource used when calling isAccessAllowed
The action used when calling isAccessAllowed. The default action is view
The name of the scripting variable used to tell if access is allowed.
The scope of the resultVar (page, request, session, or application). The default scope is page.
Collection of Strings
The name of the variable used for returning responses from calling isAccessAllowed
The scope of the variable containing responses from is access allowed (page, request, session, or application). The default scope is page.

isAccessNotAllowed Concepts

Listing 4-3 shows the concepts of using isAccessNotAllowed in a JSP.

Listing 4-3 Using isAccessNotAllowed in a JSP

<%-- set up the global context for this jsp page --%>

<ales:setSecurityContext value=”/mybank/loanApplicationForm”>

<%-- An attribute to pass to the ALES application context for all calls on this page--%>

<attribute name=”loanAppId” value=”<%= request.getParameter(\”appId\”)%>”/>


<ales:isAccessNotAllowed resource=”/creditScore” action=”view” resultVar=”canNotViewCreditScore”>


<B>You are not authorized to view the customer’s credit score</B>



<%-- An attribute to pass to the ALES application context for this call--%>

<attribute name=”customerId” value=”<%= request.getParameter(\”customerId\”)%>




Alternatively, after the isAccessNotAllowed tag using the resultVar canNotViewCreditScore attribute, you could use a JSTL tag in the following way:

<c:if test=”${canNotViewCreditScore == false}”>
  Show customer credit score


The isAccessAllowedQueryResources tag calls the ALES runtime using the query resource extra attribute. This tag does not have a body associated with it. Instead, it returns a set of data that can be consumed by the JSP.

The grantedVar attribute sets a variable containing the granted response set from the ARME. The deniedVar attribute sets a variable containing the denied response set from the ARME.

If the ARME configuration file is not found, this tag does not set any data for the JSP to consume.

Table 4-3 isAccessAllowedQueryResources
Return type
The resource used when calling isAccessAllowed
The action used when calling isAccessAllowed. The default action is view
Collection of Strings
The name of the variable used for returning responses from calling isAccessAllowed
The scope of the variable containing responses from is access allowed (page, request, session, or application). The default scope is page.
Collection of Strings
The set of granted responses returned from the ARME
The scope of the grantedVar variable (page, request, session, or application). The default scope is page.
Collection of Strings
The set of denied responses returned from the ARME
The scope of the deniedVar variable (page, request, session, or application). The default scope is page

isAccessAllowedQueryResources Concepts

Listing 4-4 shows the concepts of using isAccessAllowedQueryResources in a JSP.

Listing 4-4 Using isAccessAllowedQueryResources in a JSP

<%-- Get a list of currencies that a trader can exchange to put inside a dropdown list --%>

<ales:isAccessAllowedQueryResources resource=” /mybank/currencyTrader/availableCurrencies” grantedVar=”grantedCurrencies”>

<attribute name=”currencyToTradeFrom” value=”USD”/>


<%--This fake sample tag takes in a collection of strings and lists them in a drop down--%>

<myuitag:dropdownlist values=”${%grantedCurrencies%}”/>


The getUserRoles tag queries the ALES system for the set of roles that a user currently has in the system for the requested action and requested resource. It will return the collection of role names as a variable defined by the resultVar attribute.

Table 4-4 getUser Roles
Return Type
The resource used when calling getRoles
The action used when calling getRoles. The default action is view
Collection of Strings
The name of the variable to set that contains the list of user’s roles
The scope of the variable containing responses from is access allowed (page, request, session, or application). The default scope is page.

getUserRoles Concepts

Listing 4-5 shows the concepts of using getUserRoles in a JSP.

Listing 4-5 Using getUserRoles in a JSP

<%-- Get the list of roles the user has for a particular resource --%>

<ales:getUserRoles resource=”/mybank/loanApprovalForm” resultVar=”userRoles”>

<attribute name=”customerId” value=”${currentCustomerId}”/>


<%--iterate over each role and print it out--%>

<c:forEach var=”userRole” items=”${userRoles}”>

<c:out value=”${userRole}”/>



The isUserInRole tag is a conditional and cooperative tag. If the user is in the role specified, the body of the tag will be processed. If the user has the role passed into the tag Attribute, the body of the tag will be processed. In addition. the resultVar can be used for later processing.

Table 4-5 isUserInRole
Return Type
The name of the role to check against the user
The name of the resource to check the user’s roles against. The default value will be the current JSP page
The action against the resource to check the user’s role against. The default value will be view
A variable to hold the result from isUserInRole for use later

isUserInRole Concepts

Listing 4-6 shows the concepts of using getUserRoles in a JSP.

Listing 4-6 Using isUserInRole in a JSP

<%-- Check if the user is in the appropriate role before showing the buttons on the page --%>

<isUserInRole role=”Administrator” Resource=”/myBankingApp/loanApproval/submit”>

<fake:submitButton …/>



The setSecurityContext tag is used to set the base resource for all elements on a JSP page. If you use setSecurityContext, the value of this tag will be prepended to all other resource attributes on the page. In addition, variables that should be set globally for the application context can be set in the body of this tag.

Any attributes set within the tag are passed to every ALES API call. For example if you set foo=1 in the security context and then use the isAccessAllowed tag, foo=1 would be available to policies as an application context variable.

Table 4-6 setSecurityContext
Return Type
The value of the security context will be used to specify the prefix for all ales tags that have a resource attribute on the page.

setSecurityContext Concepts

Listing 4-7 shows the concepts of using setSecurityContext in a JSP.

Listing 4-7 Using setSecurityContext in a JSP

<%-- Set the security context for this page --%>

<ales:setSecurityContext value=”/mybank/loanApplicationForm”/>

<ales:attribute name=”customer_name”




The recordEvent tag is an input tag that causes an audit message to be written to the audit log of ALES. The body of this tag can also take an attribute tag, as described in Attribute. All attributes are added to the audit context as additional information for the audit event.

Table 4-7 recordEvent
Return Type
The severity of the audit message. The possible values are: ERROR, FAILURE, or INFORMATIONAL. The default value is INFORMATIONAL
The message to be passed to the audit log

recordEvent Concepts

Listing 4-8 shows the concepts of using recordEvent in a JSP.

Listing 4-8 Using recordEvent in a JSP

<c:if test=${trade_submitted == true}>

<%--record that the trade has been successfully committed to the system—%>

<ales:recordEvent message=”Trade successfully submitted to the system”>

<%--include the person who submitted this trade in the audit log--%>

<attribute name=”traderId” value=”<%traderId%>”/>

<%--Include the trading confirmation number in the audit log--%>

<attribute name=”trade_confirmation” value=”<%trade_confirmation%>




The attribute tag can be used by any of the other ALES tags to pass extra attributes down in the ALES application context. Any of these variables can then be used to write constraints against in ALES policies.

Table 4-8 attribute
Return Type
The name of the attribute to set in the ALES application context
The value of the attribute to set in the ALES application context

attribute Concepts

Listing 4-9 shows the concepts of using attribute in a JSP.

Listing 4-9 Using attribute in a JSP

<%-- set up the global context for this jsp page --%>

<ales:setSecurityContext value=”/mybank/loanApplicationForm”>

<%-- An attribute to pass to the ALES application context for all calls on this page--%>

<attribute name=”loanAppId” value=”<%= request.getParameter(\”appId\”)%>”/>


<ales:isAccessAllowed resource=”/creditScore” action=”view” resultVar=”canViewCreditScore”>

<%-- An attribute to pass to the ALES application context for this call--%>

<attribute name=”customerId” value=”<%=request.getParameter(\”customerId\”)%>



<B>You are not authorized to view the customer’s credit score</B>


