Use the following list of procedures as a checklist for setting up a test for the J2EE Policy Agent 2.
To Create a Test Referral Policy in the Access Manager Root Realm
To Configure Properties for the J2EE Policy Agent 2 Sample Application
The BEA Policy Agent comes with a sample application created to help test policies. For more information, see the file readme.txt in the /export/J2EEPA2/j2ee_agents/am_wl92_agent/sampleapp directory.
Access http://ProtectedResource-2.example.com:7001/console from a web browser.
Log in to the WebLogic Server console as the administrator.
User Name: weblogic
Password: w3bl0g1c
On the Summary of Deployments page, click Lock & Edit.
Under Domain Structure, click Deployments.
Under Deployments, click Install.
On the Install Application Assistant page, click the protectedresource-2.example.com link.
In the list for Location: protectedresource-2.example.com, click the root directory.
Navigate to the application directory (/export/J2EEPA2/j2ee_agents/am_wl9_agent/sampleapp/dist), select agentsample and click Next.
In the Install Application Assistant page, choose Install this deployment as an application and click Next.
In the list of Servers, mark the checkbox for ApplicationServer-2 and click Next.
On the Optional Settings page, click Next to accept the default settings.
On the Review Your Choices page, click Finish.
The Target Summary section indicates that the module agentsample will be installed on the target ApplicationServer-2.
On the Settings for agentsample page, click Save.
On the Settings for agentsample page, click Activate Changes.
Under Domain Structure, click Deployments.
In the Deployments list, mark the checkbox for agentsample and click Start > Servicing All Requests.
On the Start Application Assistant page, click Yes.
The state of the deployment changes from Prepared to Active.
Log out of the console.
Access http://LoadBalancer-3.example.com:7070/amserver/UI/Login, the Access Manager load balancer, from a web browser.
Log in to the Access Manager console as the administrator.
User Name: amadmin
Password: 4m4dmin1
Under the Access Control tab, click the example realm link.
Click the Policies tab.
Under Policies, click the Referral URL Policy for users realm link.
On the Edit Policy page, under Rules, click New.
On the resulting page, select URL Policy Agent (with resource name) and click Next.
On the resulting page, provide the following information and click Finish.
Name: URL Policy for ApplicationServer-2
Resource Name: http://protectedresource-2.example.com:1081/agentsample/*
Make sure the hostname is typed in lowercase.
On the resulting page, click Save.
This procedure assumes you have just completed To Create a Test Referral Policy in the Access Manager Root Realm.
In the Access Manager console, under the Access Control tab, click the users realm link.
Click the Policies tab.
Under Policies, click New Policy.
In the Name field, enter URL Policy for ApplicationServer-2.
Under Rules, click New.
On the resulting page, make sure the default URL Policy Agent (with resource name) is selected and click Next.
On the resulting page, provide the following information and click Finish.
Name: agentsample
Parent Resource Name: From the list, select http://protectedresource-2.example.com:1081/agentsample/*
Resource Name: The value of this field is populated when you select the Parent Resource Name. It should read http://protectedresource-2.example.com:1081/agentsample/*.
GET: Mark this check box and verify that Allow is selected.
POST: Mark this check box and verify that Allow is selected.
The rule agentsample is now added to the list of Rules.
Under Subjects, click New.
On the resulting page, select Access Manager Identity Subject and click Next.
On the resulting page, provide the following information and click Search.
Name: agentsampleGroup
Type: Select Group.
Manager-Group and Employee-Group are displayed in the Available list.
Select Manager-Group and Employee-Group and click Add.
The groups are now displayed in the Selected list.
Click Finish.
Click OK.
The new policy subject is included in the list of Policies.
Log out of the Access Manager console.
Modify AMAgent.properties.
Log in as a root user to the ProtectedResource-2 host machine.
Change to the config directory.
# cd /export/J2EEPA2/j2ee_agents/am_wl92_agent/agent_001/config
Back up AMAgent.properties before you modify it.
Modify these properties in AMAgent.properties as follows.
com.sun.identity.agents.config.notenforced.uri[0] = /agentsample/public/*
com.sun.identity.agents.config.notenforced.uri[1] = /agentsample/images/*
com.sun.identity.agents.config.notenforced.uri[2] = /agentsample/styles/*
com.sun.identity.agents.config.notenforced.uri[3] = /agentsample/index.html
com.sun.identity.agents.config.notenforced.uri[4] = /agentsample
com.sun.identity.agents.config.access.denied.uri = /agentsample/authentication/accessdenied.html
com.sun.identity.agents.config.login.form[0] = /agentsample/authentication/login.html
com.sun.identity.agents.config.login.url[0] = http://LoadBalancer-3.example.com:7070/amserver/UI/Login?realm=users
com.sun.identity.agents.config.privileged.attribute.type[0] = group
com.sun.identity.agents.config.privileged.attribute.tolowercase[group] = false
Set these remaining properties as follows.
This is specific to this deployment example. For more information, see "The agentadmin -getUuid command fails for amadmin user on Access Manager 7 with various agents (6452713)" in the Sun Java System Access Manager Policy Agent 2.2 Release Notes.
Retrieve the Universal IDs.
They were saved in To Create Manager and Employee Groups Using Access Manager for J2EE Policy Agent Test.
Convert all uppercase characters to lowercase and insert a backslash (\) before each equal sign (=).
Set the properties.
com.sun.identity.agents.config.privileged.attribute.mapping[id\=manager-group,ou\=group,o\=users,ou\=services,dc\=example,dc\=com] = am_manager_role
com.sun.identity.agents.config.privileged.attribute.mapping[id\=employee-group,ou\=group,o\=users,ou\=services,dc\=example,dc\=com] = am_employee_role
Save AMAgent.properties and close the file.
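The lowercase-and-escape conversion in the steps above, as an added Python example that is not part of the Sun guide: it builds the two mapping lines from the groups' Universal IDs and parses them back to confirm that each key is lowercase and matches an expected group. The Universal IDs used as input are constructed from the group names in this example, not copied from a real console.

```python
"""Added example, not from the Sun deployment guide: derive the
privileged-attribute mapping lines for AMAgent.properties from the Universal
IDs saved earlier, and parse them back to confirm the keys are well formed."""
import re

PREFIX = "com.sun.identity.agents.config.privileged.attribute.mapping"

def uuid_to_key(universal_id):
    """The two rules from the procedure: lowercase the whole Universal ID and
    put a backslash before every '=' so the DN survives as a properties key."""
    return universal_id.lower().replace("=", "\\=")

def mapping_line(universal_id, role):
    """One AMAgent.properties line mapping a group's Universal ID to a role."""
    return "%s[%s] = %s" % (PREFIX, uuid_to_key(universal_id), role)

# Key runs up to the first unescaped '=' or ':' (Java .properties rules).
_KEY_VALUE = re.compile(r"^((?:\\.|[^=:\s])+)\s*[=:]\s*(.*)$")

def parse_mapping_line(line):
    """Return (universal_id, role) with escapes removed, or None when the
    line is not a privileged-attribute mapping property."""
    m = _KEY_VALUE.match(line.strip())
    if not m:
        return None
    key, value = m.group(1), m.group(2).strip()
    if not key.startswith(PREFIX + "[") or not key.endswith("]"):
        return None
    dn = key[len(PREFIX) + 1:-1]
    return re.sub(r"\\(.)", r"\1", dn), value

def check_mappings(lines, expected):
    """Report mapping lines whose DN is not lowercase, is not one of the
    expected Universal IDs, or carries the wrong role. An uppercase DN is the
    common mistake: the agent then never maps the group and access is denied."""
    problems = []
    wanted = {u.lower(): role for u, role in expected.items()}
    for line in lines:
        parsed = parse_mapping_line(line)
        if parsed is None:
            continue
        dn, role = parsed
        if dn != dn.lower():
            problems.append("not lowercase: " + dn)
        elif dn not in wanted:
            problems.append("unexpected DN: " + dn)
        elif wanted[dn] != role:
            problems.append("wrong role for %s: %s" % (dn, role))
    return problems

# Constructed sample Universal IDs in the mixed case a console would show.
SAMPLE_UUIDS = {
    "id=Manager-Group,ou=group,o=users,ou=services,dc=example,dc=com": "am_manager_role",
    "id=Employee-Group,ou=group,o=users,ou=services,dc=example,dc=com": "am_employee_role",
}

def generate_mapping_lines(uuids=SAMPLE_UUIDS):
    return [mapping_line(u, r) for u, r in uuids.items()]
```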
Restart the Application Server 2 administration server and managed server.
Change to the bin directory.
# cd /usr/local/bea/user_projects/domains/ProtectedResource-2/bin
Stop the managed server.
# ./stopManagedWebLogic.sh ApplicationServer-2 t3://localhost:7001
Stop the administration server.
# ./stopWebLogic.sh
Start the administration server.
# ./startWebLogic.sh &
Start the managed server.
# ./startManagedWebLogic.sh ApplicationServer-2 t3://localhost:7001 &
Log out of the ProtectedResource-2 host machine.
Use these steps to access the agent sample application and test policies against it.
Access http://ProtectedResource-2.example.com:1081/agentsample/index.html, the sample application URL, from a web browser.
The Sample Application welcome page is displayed.
Click the J2EE Declarative Security link.
On the resulting page, click Invoke the Protected Servlet.
You are redirected to the Access Manager login page.
Log in to the Access Manager console as testuser1.
User Name: testuser1
Password: password
If you can successfully log in as testuser1 and the J2EE Policy Agent Sample Application page is displayed, the first part of the test has succeeded and authentication is working as expected.
Click the J2EE Declarative Security link again.
On the resulting page, click Invoke the Protected Servlet.
If the Success Invocation message is displayed, the second part of the test has succeeded as the sample policy for the manager role has been enforced as expected.
Click the J2EE Declarative Security link to return.
On the resulting page, click Invoke the Protected EJB via an Unprotected Servlet.
If the Failed Invocation message is displayed, the third part of the test has succeeded as the sample policy for the employee role has been enforced as expected.
Log out and close the browser.
In a new browser session, access http://ProtectedResource-2.example.com:1081/agentsample/index.html, the sample application URL, again.
The Sample Application welcome page is displayed.
Click the J2EE Declarative Security link.
On the resulting page, click Invoke the Protected EJB via an Unprotected Servlet.
You are redirected to the Access Manager login page.
If you are not redirected to the Access Manager login page for authentication, clear your browser's cache and cookies and try again.
Log in to the Access Manager console as testuser2.
User Name: testuser2
Password: password
The Failed Invocation message is displayed. This is a known issue.
Click the J2EE Declarative Security link.
On the resulting page, click Invoke the Protected EJB via an Unprotected Servlet.
The Successful Invocation message is displayed as the sample policy for the employee role has been enforced as expected.
Click the J2EE Declarative Security link to return.
On the resulting page, click Invoke the Protected Servlet.
If the Access to Requested Resource Denied message is displayed, this part of the test has succeeded as the sample policy for the manager role has been enforced as expected.
Log out and close the browser.