Use the following as your checklist for setting up a test for the J2EE Policy Agent 2:
Deploy the sample application on Application Server 1.
Go to the Application Server 1 URL:
http://ProtectedResource-1.example.com:7001/console
Log in to the Application Server using the following information:
weblogic
w3bl0g1c
In the Application Server console, on the Summary of Deployments page, click “Lock & Edit.”
Under Domain Structure, click Deployments.
Under Deployments, click Install.
On the Install Application Assistant page, click the protectedresource-1.example.com link.
In the list for Location: protectedresource-2.example.com, click the root directory.
Navigate to the application directory: /opt/j2ee_agents/am_wl9_agent/sampleapp/dist
Select agentsample.ear, and then click Next.
In the Install Application Assistant page, choose “Install this deployment as an application,” and then click Next.
In the list of Servers, mark the checkbox for ApplicationServer-1, and then click Next.
On the “Optional Settings” page, click Next to accept the default settings.
On the “Review Your Choices” page, click Finish.
The Target Summary section indicates that the module agentsample will be installed on the target ApplicationServer-1.
In the “Settings for agentsample” page, click Activate Changes.
Under Domain Structure, click Deployments.
In the Deployments list, mark the checkbox for agentsample, and then click Start > Servicing All Requests.
On the Start Deployments page, click Yes.
The state of the deployment changes from Prepared to Active.
Log out of the Application Server 1 console.
Go to the following Protected Resource 1 directory:
/usr/local/bea/user_projects/domains/ProtectedResource-1/bin
Stop Application Server 1.
# cd /usr/local/bea/user_projects/domains/ProtectedResource-1/bin
# ./stopManagedWebLogic.sh ApplicationServer-1 t3://localhost:7001
Stop the administration server.
# cd /usr/local/bea/user_projects/domains/ProtectedResource-1/bin
# ./stopWebLogic.sh
Start the administration server.
# nohup ./startWebLogic.sh &
# tail -f nohup.out
Watch for startup errors.
Start Application Server 1.
# nohup ./startManagedWebLogic.sh ApplicationServer-2 http://ProtectedResource-1.example.com:7001 &
# tail -f nohup.out
Run the netstat command to verify that Application Server 1 is up and listening.
# netstat -an | grep 1081
xxx.xx.72.151.1081 *.* 0 0 49152 0 LISTEN
127.0.0.1.1081 *.* 0 0 49152 0 LISTEN
In the Access Manager 1 console, on the Access Control tab, click the example.com link.
Click the Policies tab.
Under Policies, click the “Referral URL Policy for users realm” link.
This is the policy that was created when setting up the Web Policy Agent.
On the Edit Policy page, under Rules, click New.
On the page “Step 1 of 2: Select Service Type for the Rule,” select “URL Policy Agent (with resource name),” and then click Next.
On the page “Step 2 of 2: New Rule,” provide the following information, and then click Next:
URL Policy for ApplicationServer-2
http://ProtectedResource-2.example.com:1081/agentsample/*
Click Finish.
In the Access Manager 1 console, on the Access Control tab, click the users link.
Click the Policies tab.
Under Policies, click New Policy.
In the Name field, enter URL Policy for ApplicationServer-2.
Under Rules, click New.
On the page “Step 1 of 2: Select Service Type for the Rule,” click Next.
The default “URL Policy Agent (with resource name)” should be selected.
On the page “Step 2 of 2: New Rule,” provide the following information:
agentsample
Choose http://ProtectedResource-2.example.com:1081/agentsample/*
The following is automatically entered when you select the Parent Resource Name above:
http://ProtectedResource-2.example.com:1081/agentsample/*
Mark this check box, and verify that the Allow value is selected.
Mark this check box, and verify that the Allow value is selected.
Click Finish.
The rule agentsample is now added to the list of Rules.
Under Subjects, click New.
On the page “Step 1 of 2: Select Subject Type,” select Access Manager Identity Subject, then click Next.
On the page “Step 2 of 2: New Subject — Access Manager Identity Subject,” provide the following information:
agentsampleRoles
Select role.
Click Search.
In the Available list, select the manager and employee roles, and then click Add.
The roles are now displayed in the Selected list.
Click Finish.
Click Create.
The new policy is included in the list of Policies.
Log in as a root user to Protected Resource 2.
# cd /opt/j2ee_agents/am_wl9_agent/agent_001/config
Make a backup of the AMAgent.properties file.
Set the following properties:
com.sun.identity.agents.config.notenforced.uri[0] = /agentsample/public/*
com.sun.identity.agents.config.notenforced.uri[1] = /agentsample/images/*
com.sun.identity.agents.config.notenforced.uri[2] = /agentsample/styles/*
com.sun.identity.agents.config.notenforced.uri[3] = /agentsample/index.html
com.sun.identity.agents.config.notenforced.uri[4] = /agentsample
com.sun.identity.agents.config.access.denied.uri = /agentsample/authentication/accessdenied.html
com.sun.identity.agents.config.login.form[0] = /agentsample/authentication/login.html
com.sun.identity.agents.config.login.url[0] = http://LoadBalancer-3.example.com:7070/amserver/UI/Login?realm=users
Save the file.
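One way to confirm the edit before restarting the server, as an added example that is not part of the original procedure: the script compares AMAgent.properties with the values listed above and prints any not-enforced URI that is not on that list, since every such entry is served without an Access Manager session. The function names (get_prop, check_agent_props, unexpected_notenforced) are hypothetical helpers written for this example.

```shell
# Added example. Expected values are the ones this page tells you to set.
P=com.sun.identity.agents.config
EXPECTED="$P.notenforced.uri[0]=/agentsample/public/*
$P.notenforced.uri[1]=/agentsample/images/*
$P.notenforced.uri[2]=/agentsample/styles/*
$P.notenforced.uri[3]=/agentsample/index.html
$P.notenforced.uri[4]=/agentsample
$P.access.denied.uri=/agentsample/authentication/accessdenied.html
$P.login.form[0]=/agentsample/authentication/login.html
$P.login.url[0]=http://LoadBalancer-3.example.com:7070/amserver/UI/Login?realm=users"

# Print the value of property $2 in file $1 (last uncommented definition wins).
get_prop() {
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }
        { eq = index($0, "="); if (eq == 0) next
          k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t\r]+$/, "", v)
          if (k == key) val = v }
        END { print val }' "$1"
}

# Report every expected property that is missing or different in file $1.
# Exit status is the number of mismatches (0 means the file matches the page).
check_agent_props() {
    bad=0
    while IFS= read -r line; do
        key=${line%%=*}; want=${line#*=}
        got=$(get_prop "$1" "$key")
        [ "$got" = "$want" ] && continue
        echo "MISMATCH $key: expected '$want', found '$got'"
        bad=$((bad + 1))
    done <<EOF
$EXPECTED
EOF
    return "$bad"
}

# Print not-enforced URIs in file $1 that are not on the page's list;
# each one is a path the agent would serve without authentication.
unexpected_notenforced() {
    ALLOWED="$EXPECTED" awk '
        BEGIN { n = split(ENVIRON["ALLOWED"], a, "\n")
                for (i = 1; i <= n; i++) { sub(/^[^=]*=/, "", a[i]); ok[a[i]] = 1 } }
        /^[ \t]*com\.sun\.identity\.agents\.config\.notenforced\.uri\[/ {
            v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (!(v in ok)) print v }' "$1"
}
```

Run both functions against /opt/j2ee_agents/am_wl9_agent/agent_001/config/AMAgent.properties after saving; a non-zero status from check_agent_props or any output from unexpected_notenforced means the file differs from the values above.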
Restart Application Server 2.
Stop Application Server 2.
# cd /usr/local/bea/user_projects/domains/ProtectedResource-2/bin
# ./stopManagedWebLogic.sh ApplicationServer-2 t3://localhost:7001
Stop the administration server.
# ./stopWebLogic.sh
Start the administration server.
# nohup ./startWebLogic.sh &
# tail -f nohup.out
Start Application Server 2.
# nohup ./startManagedWebLogic.sh ApplicationServer-2 http://ProtectedResource-2.example.com:7001 &
Go to the Sample Application URL:
http://protectedresource-2.example.com:1081/agentsample/index.html
The Sample Application welcome page is displayed.
Click J2EE Declarative Security > “Invoke the Protected Servlet”
The Policy Agent redirects to the Access Manager login page.
Log in to the Access Manager console using the following information:
testuser1
password
If you can successfully log in as testuser1, and the J2EE Policy Agent Sample Application page is displayed, then this part of the test succeeded and authentication is working as expected.
Click the “J2EE Declarative Security” link.
On the J2EE Declarative Security page, click the “Invoke the Protected Servlet” link.
If the Success Invocation message is displayed, then this part of the test succeeded, and the sample policy for the manager role has been enforced as expected.
Click the “J2EE Declarative Security” link to go back.
Click the “Invoke the Protected EJB via an Unprotected Servlet” link.
If the Failed Invocation message is displayed, then this part of the test succeeded, and the sample policy for the employee role has been enforced as expected.
Close the browser.
In a new browser session, go to the Sample Application URL:
http://protectedresource-2.example.com:1081/agentsample/index.html
The Sample Application welcome page is displayed.
Click the “J2EE Declarative Security” link.
On the J2EE Declarative Security page, click the “Invoke the Protected EJB via an Unprotected Servlet” link.
The Policy Agent redirects to the Access Manager login page.
Log in to the Access Manager console using the following information:
testuser2
password
If you can successfully log in as testuser2, and the J2EE Policy Agent Sample Application page is displayed, then this part of the test succeeded and authentication is working as expected.
Click the “J2EE Declarative Security” link to go back.
On the J2EE Declarative Security page, click the “Invoke the Protected EJB via an Unprotected Servlet” link.
The Successful Invocation message is displayed. The sample policy for the employee role has been enforced as expected.