Deployment Example: Single Sign-On, Load Balancing and Failover Using Sun OpenSSO Enterprise 8.0

8.1.4 Setting Up a Test for the J2EE Policy Agent 1

The BEA Policy Agent comes with a sample application that was deployed in "To Deploy the J2EE Policy Agent 1 Sample Application" and "To Deploy the J2EE Policy Agent 2 Sample Application". The application was created to help test policies and is used for that purpose in this section. Use the following list as a checklist for this task.


Note –

For more information on the sample application, see readme.txt in the /export/J2EEPA1/j2ee_agents/weblogic_v10_agent/sampleapp directory.


Procedure: To Create a Test Policy in the OpenSSO Enterprise Root Realm

  1. Access https://osso-1.example.com:1081/opensso/console from a web browser.

  2. Log in to the OpenSSO Enterprise console as the administrator.

    Username

    amadmin

    Password

    ossoadmin

  3. Under the Access Control tab, click / (Top Level Realm).

  4. Click the Policies tab.

    The Policies page is displayed.

  5. Click New Policy.

  6. Enter URL Policy for Application Server-1 in the Name field.

  7. Under Rules, click New.

  8. On the resulting page, select URL Policy Agent (with Resource Name) and click Next.

  9. On the resulting page, provide the following information and click Finish.

    Name:

    agentsample

    Resource Name:

    http://pr-1.example.com:1081/agentsample/*


    Note –

    Make sure the hostname is typed in lowercase.


    GET

    Mark this check box and verify that Allow is selected.

    POST

    Mark this check box and verify that Allow is selected.

    The rule agentsample is now added to the list of Rules.

  10. Under Subjects, click New.

  11. On the resulting page, select Access Manager Identity Subject and click Next.

  12. On the resulting page, provide the following information and click Search.

    Name:

    agentsampleGroup

    Filter:

    Select Group.

    Manager-Group and Employee-Group are displayed in the Available list.

  13. Select Manager-Group and Employee-Group and click Add.

    Manager-Group and Employee-Group are displayed in the Selected list.

  14. Click Finish.

  15. Click OK.

    The new policy is displayed in the list of policies.

  16. Click Back to Access Control.

  17. Log out of the OpenSSO Enterprise console.

Procedure: To Configure OpenSSO Enterprise Properties for the J2EE Policy Agent 1 Sample Application

  1. Access https://osso-1.example.com:1081/opensso/console from a web browser.

  2. Log in to the OpenSSO Enterprise console as the administrator.

    Username

    amadmin

    Password

    ossoadmin

  3. Under the Access Control tab, click / (Top Level Realm).

  4. Click the Agents tab.

  5. Click the J2EE tab.

    j2eeagent-1 is displayed under the Agent table.

  6. Click j2eeagent-1.

    The j2eeagent-1 properties page is displayed.

  7. Click the Application tab.

    The Application properties page is displayed.

  8. Provide the following information.

    Login Form URI:

    Enter the following and click Add.

    /agentsample/authentication/login.html

    Not Enforced URI Processing:

    Enter each of the following and click Add.

    /agentsample/public/*

    /agentsample/images/*

    /agentsample/styles/*

    /agentsample/index.html

    /agentsample

    Resource Access Denied URI:

    Enter each of the following and click Add.

    Map Key: agentsample

    Corresponding Map Value: /agentsample/authentication/accessdenied.html

  9. Click Save.

    The j2eeagent-1 properties page is displayed.

  10. Map the attributes from the OpenSSO Enterprise embedded data store to those used by the Application Server with the following subprocedure.

    1. From the j2eeagent-1 properties page, click Back to Main Page.

    2. Click the Subjects tab.

    3. Click the Group tab.

    4. Click Employee-Group in the list of Groups.

    5. Copy and save id=Employee-Group,ou=group,dc=opensso,dc=java,dc=net, the value of the Universal ID attribute.

    6. Click Back to Subjects.

      You are returned to the Group tab.

    7. Click Manager-Group in the list of Groups.

    8. Copy and save id=Manager-Group,ou=group,dc=opensso,dc=java,dc=net, the value of the Universal ID attribute.

    9. Click Back to Subjects.

    10. Click the Agents tab.

    11. Click the J2EE tab.

      j2eeagent-1 is displayed under the Agent table.

    12. Click j2eeagent-1.

      The j2eeagent-1 properties page is displayed.

    13. Click the Application tab.

      The Application properties page is displayed.

    14. Provide the identifiers previously saved as the manager and employee map keys and corresponding map values for Privileged Attribute Mapping and click Save.


      Map Key: [id=Manager-Group,ou=group,dc=opensso,dc=java,dc=net]
      Corresponding Map Value: am_manager_role
      

      Map Key: [id=Employee-Group,ou=group,dc=opensso,dc=java,dc=net]
      Corresponding Map Value: am_employee_role
      
  11. Log out of the OpenSSO Enterprise console.
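
The Not Enforced URI Processing entries from step 8 and the agentsample rule's Resource Name decide between them which requests skip the agent and which get a policy decision. The following Python check is an added example, not part of the original guide or of OpenSSO Enterprise: it classifies request URLs against those values and flags a not-enforced entry that would also exempt a protected path. It assumes that * matches any run of characters including / and that the resource name is compared as typed, which is the case the lowercase hostname note guards against; the servlet path and the /agentsample* entry are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Entries typed into the console in the procedures on this page.
NOT_ENFORCED = [
    "/agentsample/public/*",
    "/agentsample/images/*",
    "/agentsample/styles/*",
    "/agentsample/index.html",
    "/agentsample",
]
POLICY_RESOURCE = "http://pr-1.example.com:1081/agentsample/*"


def wildcard_match(pattern, value):
    """Assumed semantics: '*' matches any run of characters, '/' included."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def classify(url, resource=POLICY_RESOURCE, not_enforced=NOT_ENFORCED):
    """Return 'not-enforced', 'policy' or 'no-rule' for a request URL."""
    path = urlsplit(url).path
    if any(wildcard_match(entry, path) for entry in not_enforced):
        return "not-enforced"  # passed through without a policy check
    # Assumption: compared as typed, with no case folding of the hostname.
    if wildcard_match(resource, url):
        return "policy"  # decided by the agentsample rule
    return "no-rule"  # the agentsample rule does not cover this URL


def overbroad_entries(not_enforced, must_protect):
    """List not-enforced entries that would also exempt a protected path."""
    return [entry for entry in not_enforced
            if any(wildcard_match(entry, path) for path in must_protect)]


# Constructed sample data; the servlet path is hypothetical.
BASE = "http://pr-1.example.com:1081"
PROTECTED_PATHS = ["/agentsample/protectedservlet"]

if __name__ == "__main__":
    for path in ["/agentsample", "/agentsample/images/logo.gif",
                 "/agentsample/protectedservlet", "/other/page"]:
        print(path, "->", classify(BASE + path))
    print(overbroad_entries(NOT_ENFORCED + ["/agentsample*"], PROTECTED_PATHS))
```

Run it after any change to the Not Enforced URI list, with PROTECTED_PATHS set to the paths that must always reach a policy decision; an empty list from overbroad_entries means no entry exempts them.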

Procedure: To Verify that J2EE Policy Agent 1 is Configured Properly

Use these steps to access the agent sample application and test policies against it.

  1. Access http://pr-1.example.com:1081/agentsample/index.html, the sample application URL, from a web browser.

    The Sample Application welcome page is displayed.

  2. Click the J2EE Declarative Security link.

  3. On the resulting page, click Invoke the Protected Servlet.

    You are redirected to the OpenSSO Enterprise login page.

  4. Log in to OpenSSO Enterprise as testuser1.

    Username

    testuser1

    Password

    password

    If you can successfully log in as testuser1 and the J2EE Policy Agent Sample Application page is displayed, the first part of the test has succeeded and authentication is working as expected.

  5. Click the J2EE Declarative Security link again.

  6. On the resulting page, click Invoke the Protected Servlet.

    If the Success Invocation message is displayed, the second part of the test has succeeded as the sample policy for the manager role has been enforced as expected.

  7. Click the J2EE Declarative Security link to return.

  8. On the resulting page, click Invoke the Protected EJB via an Unprotected Servlet.

    If the Failed Invocation message is displayed, the third part of the test has succeeded as the sample policy for the employee role has been enforced as expected.

  9. Close the browser.

  10. In a new browser session, access http://pr-1.example.com:1081/agentsample/index.html, the sample application URL, again.

    The Sample Application welcome page is displayed.

  11. Click the J2EE Declarative Security link.

  12. On the resulting page, click Invoke the Protected EJB via an Unprotected Servlet.

    You are redirected to the OpenSSO Enterprise login page.

  13. Log in to OpenSSO Enterprise as testuser2.

    Username

    testuser2

    Password

    password


    Note –

    The Failed Invocation message is displayed. This is a known issue.


  14. Click the J2EE Declarative Security link.

  15. On the resulting page, click Invoke the Protected EJB via an Unprotected Servlet.

    The Successful Invocation message is displayed as the sample policy for the employee role has been enforced as expected.

  16. Click the J2EE Declarative Security link to return.

  17. On the resulting page, click Invoke the Protected Servlet.

    If the Access to Requested Resource Denied message is displayed, this part of the test has succeeded as the sample policy for the manager role has been enforced as expected.

  18. Close the browser.