The BEA Policy Agent comes with a sample application that was deployed in To Deploy the J2EE Policy Agent 1 Sample Application and To Deploy the J2EE Policy Agent 2 Sample Application. The application was created to help test policies and will be used for that purpose in this section. Use the following list as a checklist for this task.
To Create a Test Policy in the OpenSSO Enterprise Root Realm
To Configure OpenSSO Enterprise Properties for the J2EE Policy Agent 1 Sample Application
For more information on the sample application, see readme.txt in the /export/J2EEPA1/j2ee_agents/weblogic_v10_agent/sampleapp directory.
Access https://osso-1.example.com:1081/opensso/console from a web browser.
Log in to the OpenSSO Enterprise console as the administrator.
User Name: amadmin
Password: ossoadmin
Under the Access Control tab, click / (Top Level Realm).
Click the Policies tab.
The Policies page is displayed.
Click New Policy.
Enter URL Policy for Application Server-1 in the Name field.
Under Rules, click New.
On the resulting page, select URL Policy Agent (with Resource Name) and click Next.
On the resulting page, provide the following information and click Finish.
Name: agentsample
Resource Name: http://pr-1.example.com:1081/agentsample/*
Make sure the hostname is typed in lowercase.
GET: Mark this check box and verify that Allow is selected.
POST: Mark this check box and verify that Allow is selected.
The rule agentsample is now added to the list of Rules.
Under Subjects, click New.
On the resulting page, select Access Manager Identity Subject and click Next.
On the resulting page, provide the following information and click Search.
Name: agentsampleGroup
Type: Select Group.
Manager-Group and Employee-Group are displayed in the Available list.
Select Manager-Group and Employee-Group and click Add.
Manager-Group and Employee-Group are displayed in the Selected list.
Click Finish.
Click OK.
The new policy is displayed in the list of policies.
Click Back to Access Control.
Log out of the OpenSSO Enterprise console.
Access https://osso-1.example.com:1081/opensso/console from a web browser.
Log in to the OpenSSO Enterprise console as the administrator.
User Name: amadmin
Password: ossoadmin
Under the Access Control tab, click / (Top Level Realm).
Click the Agents tab.
Click the J2EE tab.
j2eeagent-1 is displayed under the Agent table.
Click j2eeagent-1.
The j2eeagent-1 properties page is displayed.
Click the Application tab.
The Application properties page is displayed.
Provide the following information.
Login Form URI: Enter the following and click Add.
/agentsample/authentication/login.html
Not Enforced URIs: Enter each of the following and click Add.
/agentsample/public/*
/agentsample/images/*
/agentsample/styles/*
/agentsample/index.html
/agentsample
Resource Access Denied URI: Enter the following map key and its corresponding map value and click Add.
Map Key: agentsample
Corresponding Map Value: /agentsample/authentication/accessdenied.html
Click Save.
The j2eeagent-1 properties page is displayed.
Map the attributes from the OpenSSO Enterprise embedded data store to those used by the Application Server with the following sub procedure.
From the j2eeagent-1 properties page, click Back to Main Page.
Click the Subjects tab.
Click the Group tab.
Click Employee-Group in the list of Groups.
Copy and save id=Employee-Group,ou=group,dc=opensso,dc=java,dc=net, the value of the Universal ID attribute.
Click Back to Subjects.
You are returned to the Group tab.
Click Manager-Group in the list of Groups.
Copy and save id=Manager-Group,ou=group,dc=opensso,dc=java,dc=net, the value of the Universal ID attribute.
Click Back to Subjects.
Click the Agents tab.
Click the J2EE tab.
j2eeagent-1 is displayed under the Agent table.
Click j2eeagent-1.
The j2eeagent-1 properties page is displayed.
Click the Application tab.
The Application properties page is displayed.
Under Privileged Attribute Mapping, enter the universal identifiers you saved earlier as the map keys, with the corresponding map values shown here, and click Save.
Map Key: id=Manager-Group,ou=group,dc=opensso,dc=java,dc=net
Corresponding Map Value: am_manager_role
Map Key: id=Employee-Group,ou=group,dc=opensso,dc=java,dc=net
Corresponding Map Value: am_employee_role
Log out of the OpenSSO Enterprise console.
Use these steps to access the agent sample application and test policies against it.
Access http://pr-1.example.com:1081/agentsample/index.html, the sample application URL, from a web browser.
The Sample Application welcome page is displayed.
Click the J2EE Declarative Security link.
On the resulting page, click Invoke the Protected Servlet.
You are redirected to the OpenSSO Enterprise login page.
Log in to OpenSSO Enterprise as testuser1.
testuser1
password
If you can successfully log in as testuser1 and the J2EE Policy Agent Sample Application page is displayed, the first part of the test has succeeded and authentication is working as expected.
Click the J2EE Declarative Security link again.
On the resulting page, click Invoke the Protected Servlet.
If the Success Invocation message is displayed, the second part of the test has succeeded as the sample policy for the manager role has been enforced as expected.
Click the J2EE Declarative Security link to return.
On the resulting page, click Invoke the Protected EJB via an Unprotected Servlet.
If the Failed Invocation message is displayed, the third part of the test has succeeded as the sample policy for the employee role has been enforced as expected.
Close the browser.
In a new browser session, access http://pr-1.example.com:1081/agentsample/index.html, the sample application URL, again.
The Sample Application welcome page is displayed.
Click the J2EE Declarative Security link.
On the resulting page, click Invoke the Protected EJB via an Unprotected Servlet.
You are redirected to the OpenSSO Enterprise login page.
Log in to OpenSSO Enterprise as testuser2.
testuser2
password
The Failed Invocation message is displayed. This is a known issue.
Click the J2EE Declarative Security link.
On the resulting page, click Invoke the Protected EJB via an Unprotected Servlet.
The Successful Invocation message is displayed as the sample policy for the employee role has been enforced as expected.
Click the J2EE Declarative Security link to return.
On the resulting page, click Invoke the Protected Servlet.
If the Access to Requested Resource Denied message is displayed, this part of the test has succeeded as the sample policy for the manager role has been enforced as expected.
Close the browser.
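The agent settings configured earlier (login form URI, not-enforced URIs, resource access denied URI map, privileged attribute mapping) and the root-realm URL policy together decide what each request in the test procedure above sees. The following Python model is an added example, not OpenSSO or policy agent code; it assumes that testuser1 belongs to Manager-Group and testuser2 to Employee-Group (inferred from the expected test outcomes), uses a hypothetical protected path /agentsample/protected/servlet, and approximates the OpenSSO resource wildcard with fnmatch.

```python
"""Added model of the J2EE policy agent decision path for the sample application."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import FrozenSet, Optional, Tuple, Union
from urllib.parse import urlsplit

# Agent Application-tab settings, as configured in the procedure on this page.
LOGIN_FORM_URI = "/agentsample/authentication/login.html"
NOT_ENFORCED_URIS = (
    "/agentsample/public/*",
    "/agentsample/images/*",
    "/agentsample/styles/*",
    "/agentsample/index.html",
    "/agentsample",
)
RESOURCE_ACCESS_DENIED_URI = {
    "agentsample": "/agentsample/authentication/accessdenied.html",
}
PRIVILEGED_ATTRIBUTE_MAPPING = {
    "id=Manager-Group,ou=group,dc=opensso,dc=java,dc=net": "am_manager_role",
    "id=Employee-Group,ou=group,dc=opensso,dc=java,dc=net": "am_employee_role",
}

# Root-realm policy "URL Policy for Application Server-1": one rule, one subject.
POLICY_RESOURCE = "http://pr-1.example.com:1081/agentsample/*"
POLICY_ACTIONS = {"GET": "allow", "POST": "allow"}
POLICY_SUBJECT_GROUPS = frozenset({"Manager-Group", "Employee-Group"})

# Constructed directory: group membership of the test users. The page does not
# state it; the assignment is inferred from the expected test outcomes.
USERS = {
    "testuser1": frozenset({"id=Manager-Group,ou=group,dc=opensso,dc=java,dc=net"}),
    "testuser2": frozenset({"id=Employee-Group,ou=group,dc=opensso,dc=java,dc=net"}),
    "guest": frozenset(),  # hypothetical user who is in neither group
}


@dataclass(frozen=True)
class Request:
    method: str
    url: str                    # full URL as the agent sees it
    user: Optional[str] = None  # None means no OpenSSO session


def group_name(universal_id: str) -> str:
    """'id=Manager-Group,ou=group,...' -> 'Manager-Group'."""
    return universal_id.split(",", 1)[0].split("=", 1)[1]


def is_not_enforced(path: str) -> bool:
    """Not-enforced URIs and the login form itself skip authentication.
    fnmatchcase approximates the OpenSSO '*' wildcard (it also matches '/')."""
    return path == LOGIN_FORM_URI or any(fnmatchcase(path, p) for p in NOT_ENFORCED_URIS)


def policy_allows(request: Request, groups: FrozenSet[str]) -> bool:
    """Rule: resource pattern (compared literally, hence the lowercase-hostname
    advice on this page) and action; subject: membership in a listed group."""
    if not fnmatchcase(request.url, POLICY_RESOURCE):
        return False
    if POLICY_ACTIONS.get(request.method.upper()) != "allow":
        return False
    return not POLICY_SUBJECT_GROUPS.isdisjoint(group_name(g) for g in groups)


def mapped_roles(groups: FrozenSet[str]) -> FrozenSet[str]:
    """Privileged Attribute Mapping: group universal ID -> J2EE role name."""
    return frozenset(PRIVILEGED_ATTRIBUTE_MAPPING[g] for g in groups
                     if g in PRIVILEGED_ATTRIBUTE_MAPPING)


Decision = Tuple[str, Union[str, FrozenSet[str], None]]


def agent_decision(request: Request) -> Decision:
    """One of ('pass', None), ('redirect', login_uri), ('allow', roles),
    ('deny', access_denied_uri), in the order the agent filter checks them."""
    path = urlsplit(request.url).path
    if is_not_enforced(path):
        return ("pass", None)
    groups = USERS.get(request.user) if request.user else None
    if groups is None:
        return ("redirect", LOGIN_FORM_URI)
    if policy_allows(request, groups):
        return ("allow", mapped_roles(groups))
    app = path.split("/")[1] if path.startswith("/") else ""
    return ("deny", RESOURCE_ACCESS_DENIED_URI.get(app))


if __name__ == "__main__":
    base = "http://pr-1.example.com:1081/agentsample"
    samples = [
        Request("GET", base + "/index.html"),
        Request("GET", base + "/protected/servlet"),  # hypothetical protected path
        Request("GET", base + "/protected/servlet", "testuser1"),
        Request("GET", base + "/protected/servlet", "testuser2"),
        Request("GET", base + "/protected/servlet", "guest"),
        Request("GET", "http://PR-1.example.com:1081/agentsample/protected/servlet", "testuser1"),
    ]
    for r in samples:
        print(f"{r.method} {r.url} as {r.user or 'anonymous'} -> {agent_decision(r)}")
```

The last sample request carries an uppercase hostname and is denied by the model even for a manager, which is the failure mode the "type the hostname in lowercase" note in the rule definition guards against: a resource name that does not match the URL the agent evaluates yields no applicable rule, so the user is sent to the access denied page rather than served.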