Post-Installation Steps Specific to Agent for Oracle Application Server 10g
Once you have installed Policy Agent 2.2 for Oracle Application Server 10g and you have performed the post-installation steps that apply to all J2EE agents in the Policy Agent 2.2 release, complete the following agent-specific steps.
Installing the Agent Filter for the Deployed Application on Agent for Oracle Application Server 10g
The agent filter can be installed by modifying the deployment descriptor of each application to be protected.
To Install the Agent Filter for the Deployed Application
on Agent for Oracle Application Server 10g
The following steps explain how to install the agent filter for an application you want the agent to protect.
-
Ensure that the application is not currently deployed on Oracle Application Server 10g.
If it is currently deployed, remove it before proceeding any further.
-
Create the necessary backups before proceeding to modify these descriptors.
Since you will modify the deployment descriptor in the next step, creating backup files at this point is important.
-
Edit the application's WEB-INF/web.xml descriptor as required:
You must change the <DOCTYPE> element and you must add filter elements to the web.xml descriptor.
The <DOCTYPE> element of the web.xml descriptor must be changed to reflect that the deployment is, at minimum, a servlet 2.3 compliant deployment descriptor.
The filters were introduced in Servlet Specification 2.3. For more information about this specification visit the following web page: http://jcp.org/aboutJava/communityprocess/first/jsr053/index.html
-
Edit the <DOCTYPE> element of the web.xml descriptor as required.
The following is an example of how the <DOCTYPE> element should appear after editing:
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
-
Add the required filter elements to the web.xml descriptor at the first filter definition.
The following example demonstrates the <filter> elements to be added:
<web-app> ... <filter> <filter-name>Agent</filter-name> <display-name>Agent</display-name> <filter-class> com.sun.identity.agents.filter.AmAgentFilter </filter-class> </filter> <filter-mapping> <filter-name>Agent</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> ... <web-app>
-
Next Steps
You have the option of protecting your application with J2EE declarative security. For more information, seeEnabling Web-Tier Declarative Security in J2EE Agents.
Furthermore, you can learn more about protecting your application with J2EE declarative security by deploying the sample application. Change directories to the PolicyAgentBase/sampleapp directory to learn how to build and deploy an application. The sampleapp application is by no means a full fledged J2EE application. Rather it is a simple application that provides you with a quick reference to application specific deployment descriptors and various deployment modes of a J2EE agent. Once you successfully deploy sampleapp and test all of its features, you can use it as a reference to other applications that will be protected by the J2EE agent.
Once the web.xml deployment descriptor is modified to reflect the new <DOCTYPE> and <filter> elements, the agent filter is added to the application. You can now redeploy your application on Oracle Application Server 10g.
Note –
Ensure that role-to-principal mappings in container specific deployment descriptors are replaced with Access Manager roles or principals. You can retrieve Access Manager roles or principals for Access Manager 7 by issuing the agentadmin --getUuid command. For more information on the agentadmin --getUuid command, see agentadmin --getUuid.
You can also retrieve the universal ID for the user (UUID) using Access Manager 7 Console to browse the user profile.
Protecting an Application With the Filter Mode Set to J2EE_POLICY or ALL For the Oracle Application Server 10g Agent
The steps in this section are required if the filter mode (com.sun.identity.agents.config.filter.mode property) is set to J2EE_POLICY or ALL (which is the default value set during the agent installation).
Perform these steps for each application to be protected by the version 2.2–02 Oracle Application Server 10g agent, including the sample application.
To Protect an Application With the Filter Mode Set
to J2EE_POLICY or ALL For the Oracle Application Server 10g Agent
-
If the application is already deployed, undeploy it.
Then, find the application's EAR file with its internal source files, including files within the WAR and JAR files.
-
Edit the WAR file's WEB-INF/web.xml file as follows:
-
Add the following filter descriptors as the first filter definition:
<filter id="Filter_PolicyAgent"> <filter-name>Agent</filter-name> <display-name>Agent</display-name> <description>J2EE Policy Agent Filter</description> <filter-class> com.sun.identity.agents.filter.AmAgentFilter </filter-class> </filter> <filter-mapping id="FilterMapping_PolicyAgent"> <filter-name>Agent</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
-
Since filters were introduced in Servlet specification 2.3, the web.xml file's <DOCTYPE> element must indicate that the deployment descriptor is a Servlet 2.3 compliant deployment descriptor, as follows:
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
-
-
If the application has specified declarative security in the web.xml or ejb-jar.xml file, perform these steps:
-
Add the following entry in WEB-INF/web.xml:
<login-config> <auth-method>FORM</auth-method> <form-login-config> <form-login-page>/jsp/oracle10g_login.jsp</form-login-page> <form-error-page>/authentication/accessdenied.html</form-error-page> </form-login-config> </login-config>
-
Copy the sampleapp/docroot/jsp/oracle10g_login.jsp file to the application's WAR file jsp directory.
-
Copy the sampleapp/docroot/authentication/accessdenied.html file to the application's WAR file authentication directory.
Note: If you wish, you can customize these two files and put them into different directories for the application. Refer to the various application files under sampleapp/etc for the sample application.
-
-
Add the following entry to the application's META-INF/orion-application.xml file:
<jazn provider="XML"> <property name="role.mapping.dynamic" value="true"/> <property name="custom.loginmodule.provider" value="true" /> </jazn>
Or, if the application has an existing jazn-data.xml file in its META-INF directory, add this entry:
<jazn provider="XML" "location="./jazn-data.xml"> <property name="role.mapping.dynamic" value="true"/> <property name="custom.loginmodule.provider" value="true" /> </jazn>
-
Repackage the application with the changes you have made.
-
Redeploy the application through the Oracle 10g Enterprise Manager. Note the application name, which is required in a later step.
-
On the “Deploy Application: User Manager” screen, select “Use JAZN XML User Manager”.
-
Leave the “Default Realm” empty and “XML Data” as /jazn-data.xml, which are the defaults.
-
-
Add the following entry to oracle_home/j2ee/home/config/jazn-data.xml or oracle_home/j2ee/instance/config/jazn-data.xml:
<application> <name>application-name</name> <login-modules> <login-module> <class>com.sun.identity.agents.oracle.v1012.AmOracleLoginModule</class> <control-flag>required</control-flag> <options> <option> <name>debug</name> <value>true</value> </option> </options> </login-module> </login-modules> </application>
Note: For <name>application-name</name>, specify the application name within the Oracle 10g instance from Step 6.
-
Add the URL policies from Access Manager. You also must grant permissions to those users for this application's URLs.
For information about specifying URL policies in Access Manager, see Chapter 8, Managing Policies, in Sun Java System Access Manager 7 2005Q4 Administration Guide.
-
In AMAgent.properties, set the com.sun.identity.agents.config.filter.mode property to the proper mode, such as J2EE_POLICY or ALL.
-
Restart both the Access Manager server and the Oracle 10g instance.
- © 2010, Oracle Corporation and/or its affiliates