22.3 Managing Resource Types

Administrators can add a resource to an application domain, search a defined resource type, or create a defined resource type.

22.3.1 Resource Types and Their Use

When adding a resource to an Application Domain, Administrators must choose from a list of defined Resource Types.

Oracle-provided resource types include:

  • HTTP

  • wl_authen

  • TokenServiceRP

Administrators can configure additional resource types, and define operations on both Oracle-provided and custom resource types. A particular resource can be defined to use a subset of the declared operations, or all of them (which includes any new operations subsequently defined on the resource's type). Administrators cannot remove custom resource types or operations for which resources have been created. Oracle-provided resource types and operations are marked as read-only within the policy store and cannot be removed.

Note:

Changes to the operation list of a resource type are not allowed if a resource of that type exists.

Table 22-1 compares resource types and operations.

Table 22-1 Comparison: Resource Types for Access Manager versus 10g

Columns: Access Manager 11g; Oracle Access Manager 10g

Access Manager 11g:

HTTP: The default resource type used with HTTP and HTTPS protocols.

When adding an HTTP type resource to an Application Domain, Administrators must choose from a list of existing host identifiers and add the resource URL.

This resource type is read-only. Default operations associated with the HTTP resource type need not be defined by an Administrator. Instead, policies developed and applied to the resource apply to all operations:

Operations: Oracle-provided resource types are read-only; associated operations are pre-defined. Policies developed and applied to HTTP type resources apply to all operations.

  • Get

  • Post

  • Put

  • Head

  • Delete

  • Trace

  • Options

  • Connect

  • Other

See Also: "Resource Type Page".

Oracle Access Manager 10g:

HTTP: The HTTP resource type is read-only.

Operations: Oracle-provided resource types are read-only; associated operations are pre-defined. Policies developed and applied to the resource apply to all operations.

  • Get

  • Post

  • Put

  • Head

  • Delete

  • Trace

  • Options

  • Connect

  • Other

Access Manager 11g:

wl_authen: This resource type, for resources representing WebLogic Authentication schemes, is also read-only (default operations cannot be modified or deleted).

This non-HTTP resource type is available to use with resources deployed in a WebLogic container in a domain that does not include Access Manager. The protected resource is accessed through its URL on the Oracle WebLogic Server.

Resources of type wl_authen require a custom Access Client.

Oracle Access Manager 10g:

N/A

Access Manager 11g:

TokenServiceRP: Resources for representing Token Service Relying Party. The Operation for this resource type is Issue.

Oracle Access Manager 10g:

N/A

Access Manager 11g:

Custom Resource Types: Have no associated host identifier.

A custom "EJB" resource type can be created on demand for use in SSO integrations.

Oracle Access Manager 10g:

EJB: A custom resource type used in SSO integrations with WebLogic and WebSphere for authenticating the user. During authentication, the user's groups were fetched and populated in the Subject Principal as roles. Subsequent authorization was executed inside the application server based on user roles.

No authorization calls were made using resource operations.

Access Manager 11g:

Non-HTTP resource types have no associated host identifier.

When adding non-HTTP resources to an Application Domain, Administrators must enter the Type name into the Resource URL field as a pointer. The name cannot match any host identifier (and vice versa). This is not a relative HTTP URL.

22.3.2 Resource Type Page

In the Oracle Access Management Console, resource types are organized with other Components under the Policy Configuration tab. The navigation tree shows Oracle-provided resource types: HTTP, wl_authen, and TokenServiceRP.

Note:

Pre-defined resource types cannot be deleted. Pre-defined operations are shown with a lock icon and cannot be deleted. Additional operations can be created, edited, or deleted as needed.

The HTTP resource type, shown in Figure 22-1, is used for Web applications protected by Access Manager and accessed using internet protocols (HTTP or HTTPS).

Figure 22-1 Default HTTP Resource Type Definition


The wl_authen resource type is shown in Figure 22-2. It is used for Fusion Middleware applications that use one of the following Access Manager Identity Assertion Provider configurations described in the Securing Applications with Oracle Platform Security Services:

  • Identity Asserter

  • Identity Asserter with Oracle Web Services Manager

  • Authenticator function

Figure 22-2 Default Resource Type wl_authen


The TokenServiceRP resource type represents the Token Service Relying Party, as shown in Figure 22-3. The operation for this resource type is Issue. For more information, see "Managing TokenServiceRP Type Resources".

Figure 22-3 Default Resource Type TokenServiceRP Resource Type


Table 22-2 describes the elements in each resource type definition.

Table 22-2 Resource Type Definition

Element Description

Name

Required. A unique name of up to 30 alpha or numeric characters.

Note: A non-HTTP Resource Type name cannot match a Host Identifier (and vice versa).

Description

Optional. Use this field to describe the purpose of this resource type using up to 200 alpha or numeric characters.

For example: Resources representing WebLogic Authentication schemes.

Operations

Optional. Policies that govern a particular resource apply to all specified operations defined for the resource. Add (or remove) operations for this resource type as a string and the operations will be available when you define a resource of this type within an Application Domain. There is no limit to the number of operations that can be added to the resource type.

  • Get

  • Post

  • Put

  • Head

  • Issue (TokenServiceRP)

  • Login (wl_authen)

  • Delete

  • Trace

  • Options

  • Connect

  • Other (available with Oracle Access Manager 10g; not supported in 11g).

Remote Registration: During automatic policy creation, specified operations are supported. If no operations are specified during automatic policy creation, all operations defined for that type are supported.

Migration: During an upgrade to Access Manager 11.1.2 (from 10g or from 11.1.1.3 or from 11.1.1.5), resource definitions and HTTP default operations are handled automatically. However, you must create any custom resource types to replace 10g-provided EJB custom resource types which are no longer provided by Oracle. See

See Also: "Resource Types and Their Use" and "Resources in an Application Domain".

The following topics describe how to create, modify, and delete a resource type.

22.3.3 Searching for a Specific Resource Type

Users with valid Administrator credentials can locate a defined resource type.

See Also:

"SSO Agent Search Page"

  1. In the Oracle Access Management Console, click Application Security at the top of the window.
  2. In the Application Security console, click Resource Types in the Access Manager section.
  3. In the Name field, enter the name of the Resource Type you want to find (with or without a wild card (*)), and click Search. For example:
    h*
    

    Alternatively: Go to the desired Application Domain, open the Resources node to display controls for that domain, choose a Resource Type from the list, and click Search.

  4. In the results table, you can:
    • Edit or View: Click the Edit button in the tool bar to display the configuration page.

    • Delete: Click the Delete button in the tool bar to remove the instance; confirm removal in the Confirmation window.

    • Detach: Click Detach in the tool bar to expand the table to a full page.

    • Reorder Columns: Select a View menu item to alter the appearance of the results table.

22.3.4 Creating a Custom Resource Type

Users with valid Administrator credentials can create a defined resource type.

For instance, you can define a custom resource type that applies to as few as one or two (or more) operations. Any defined custom resource type is listed with default resource types when adding resources to an authentication or authorization policy.

  1. In the Oracle Access Management Console, click Application Security at the top of the window.
  2. In the Application Security console, click Resource Types in the Access Manager section.
  3. Click Create Resource type.
  4. In the page that appears, enter the following information:
    • Name: A unique name that identifies this resource type.

    • Description: Optional.

    • Operations: Click + in the Operations table and type the operation name into the field provided. Repeat as needed to define all operations for this resource type.

    • Reconfigure Table: Select a View menu item to alter the appearance of the results table.

  5. Click Apply to submit this custom resource definition.
  6. Add this resource definition to an Application Domain as described in "Adding and Managing Policy Resource Definitions".
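
The naming and lifecycle rules from Table 22-2 and the notes in this section can be checked before a definition is entered in the console. The following pre-flight check is an added example written for this page, not Oracle code, and it calls no Access Manager API. The function names, action labels and sample data are hypothetical; the accepted character set and the case-insensitive comparisons are assumptions.

```python
import re

# Oracle-provided resource types named on this page.
ORACLE_TYPES = {"HTTP", "wl_authen", "TokenServiceRP"}
# Assumption: "alpha or numeric" means letters and digits; "_" is also
# accepted because the Oracle-provided name wl_authen contains one.
NAME_RE = re.compile(r"[A-Za-z0-9_]{1,30}")


def check_new_type(name, description, existing_types, host_identifiers):
    """Return rule violations for a proposed custom resource type."""
    problems = []
    if not NAME_RE.fullmatch(name):
        problems.append("name must be 1-30 alpha or numeric characters")
    # Assumption: names are compared case-insensitively (the stricter reading).
    taken = {t.lower() for t in ORACLE_TYPES | set(existing_types)}
    if name.lower() in taken:
        problems.append("name is not unique")
    if name.lower() in {h.lower() for h in host_identifiers}:
        problems.append("name matches a host identifier")
    if len(description) > 200:
        problems.append("description exceeds 200 characters")
    return problems


def check_type_change(type_name, action, resources_by_type):
    """Check a 'delete' or 'edit_operations' request (hypothetical labels)."""
    if action not in ("delete", "edit_operations"):
        raise ValueError(f"unknown action: {action}")
    if action == "delete" and type_name in ORACLE_TYPES:
        return ["Oracle-provided resource types cannot be removed"]
    if resources_by_type.get(type_name):
        if action == "delete":
            return ["resources of this type exist; type cannot be removed"]
        return ["resources of this type exist; operation list cannot change"]
    return []


# Constructed sample data, not taken from a real deployment.
HOSTS = {"intranet", "hr_portal"}
CUSTOM_TYPES = {"EJB"}
RESOURCES = {"EJB": ["ejb_payroll"], "HTTP": ["/index.html"]}

if __name__ == "__main__":
    print(check_new_type("intranet", "Batch jobs", CUSTOM_TYPES, HOSTS))
    print(check_new_type("BatchJob", "Batch jobs", CUSTOM_TYPES, HOSTS))
    print(check_type_change("EJB", "edit_operations", RESOURCES))
```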