25.2 Introduction to Application Domain and Policy Creation

Application domains are the top-level constructs of the Access Manager 11g policy model. Each Application Domain provides a logical container for resources or sets of resources, and the associated policies that dictate who can access specific protected resources.

Certain shared components are used within each Application Domain. An Application Domain can represent a single application on a particular host, or Administrators can define separate Application Domains for closely related resources that reside on the same Web server. For example, an Administrator can create a single Application Domain for a financial application and an accounts receivable application, or have a different Application Domain for each. Configurable policies allow or deny access to the resources.

Note:

To enhance security, Access Manager, by default, will deny access when a resource is not protected by a policy that explicitly allows access.

Each Access Manager Application Domain contains information regarding:

  • Resource Definitions

    Each resource definition in an Application Domain requires a Resource Type, Host Identifier (for HTTP resources), and a URL to the specific resource. You can have as many resource definitions as you need in an Application Domain.

  • Authentication Policies and Responses for Specific Resources

    Each authentication policy includes a unique name, one authentication scheme, success and failure URLs, one or more resources to which this policy applies, and Administrator-defined responses to be applied after successful authentication.

    Note:

    Depending on the policy responses specified for authentication or authorization success and failure, the end user might be redirected to a specific URL, or user information might be passed to other applications through a header variable or a cookie value.

  • Authorization Policies, Conditions, Rules, and Responses for Specific Resources

    Each authorization policy includes a unique name, success and failure URLs, and one or more resources to which this policy applies. In addition, Administrators can define specific conditions that must be fulfilled for a successful authorization and define responses to be applied after successful authorization.

  • Token Issuance Policies, Conditions, and Rules for Specific Resources

    A Token Issuance Policy defines the rules under which the Security Token Service can issue a token for a resource (Relying Party Partner) based on the client's identity, with the client either being a Requester Partner or an end user.

  • Policy Ordering

    Policy ordering is a new feature in which the administrator manually designates the order in which policies within an application domain will be matched to incoming requests for access to protected resources. Previous versions of Access Manager used the best match algorithm for this purpose.
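The following is an added illustrative model, not Oracle's policy engine, of how the constructs above fit together: resource definitions (Resource Type, Host Identifier, URL), authorization policies evaluated in the administrator-designated order, and the default-deny behaviour when no policy explicitly allows access. Host names, URL patterns and policy names are constructed; the glob matching via fnmatch is an assumption and not Access Manager's URL pattern syntax.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

@dataclass
class Resource:
    resource_type: str    # e.g. "HTTP"
    host_identifier: str  # constructed host identifier
    url_pattern: str      # glob pattern for the URL (assumption, not OAM syntax)

@dataclass
class AuthorizationPolicy:
    name: str
    resources: list
    allow: bool           # True = explicit allow, False = explicit deny

@dataclass
class ApplicationDomain:
    name: str
    policies: list = field(default_factory=list)  # administrator-defined order

    def evaluate(self, resource_type, host, url):
        """Return (decision, policy_name). The first policy in the configured
        order whose resource definition matches the request decides; if no
        policy matches, access is denied (default deny)."""
        for policy in self.policies:
            for r in policy.resources:
                if (r.resource_type == resource_type
                        and r.host_identifier == host
                        and fnmatchcase(url, r.url_pattern)):
                    return ("ALLOW" if policy.allow else "DENY", policy.name)
        return ("DENY", None)  # nothing explicitly allowed the resource

def build_domain(reversed_order=False):
    """Constructed domain: a deny policy for the admin area and an allow
    policy for the wider accounts-receivable application. Swapping the
    order changes the outcome for /accounts/admin/* requests."""
    host = "finance.example.com"
    block_admin = AuthorizationPolicy(
        "block-admin", [Resource("HTTP", host, "/accounts/admin/*")], allow=False)
    receivable = AuthorizationPolicy(
        "accounts-receivable", [Resource("HTTP", host, "/accounts/*")], allow=True)
    order = [receivable, block_admin] if reversed_order else [block_admin, receivable]
    return ApplicationDomain("finance", order)

if __name__ == "__main__":
    d = build_domain()
    print(d.evaluate("HTTP", "finance.example.com", "/accounts/admin/reports"))
    print(d.evaluate("HTTP", "finance.example.com", "/payroll/run"))
```

Running the reversed order shows why ordering matters: the broad allow policy matches first and the admin area is no longer denied.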

When a new application is placed behind an existing agent, the Administrator must decide whether the application should be protected by a separate (new) Application Domain and policies or by an existing Application Domain and policies. The following sections provide information to inform that choice.

25.2.1 About Generating Application Domains and Policies Automatically

When you register a policy-enforcement Agent with Access Manager, you can choose to have the domain and policies generated automatically or decline the automatic generation.

An automatically generated Application Domain is named for the Agent and seeded with default resources and basic policies (authentication and authorization). No Token Issuance Policy is defined, though an empty container is provided.

During Agent registration, it is presumed that the Agent resides on the same Web Server as the application it protects. However, the Agent can be on a proxy Web server and the application can be on a different host. Default resources are protected by basic policies until an Administrator adds more resources or modifies or adds policies.

Note:

IAMSuiteAgent is a pre-registered Java Agent filter that provides an Application Domain (IAMSuite) to protect the Oracle Fusion Middleware console and other consoles. For more information, see "Bundled 10g IAMSuiteAgent Artifacts".

25.2.2 About Managing Application Domains and Policies Remotely

Access Manager provides two modes to manage Application Domains and their policies without registering or modifying the companion agent.

Remote policy and Application Domain management supports only create and update functions. Remote management does not support removing Application Domains or policies. For more information, see "Understanding Remote Policy and Application Domain Management".

25.2.3 Creating or Managing an Application Domain and Policies

The following overview outlines the procedures that must be performed to manually create or manage an Application Domain and its policies.

To create or manage an Application Domain:

  1. Get acquainted with the following details:
  2. Perform all prerequisite tasks for this chapter, as described in:
  3. Start a fresh Application Domain (or view an existing one), as described in:
  4. Add resource definitions to your Application Domain as described in:
  5. Define your Authentication Policy, as described in:
  6. Define your Authorization Policy, as described in:
  7. Define your Token Issuance Policy, as described in:
  8. Configure SSO settings and policy evaluation caches, as described in:
  9. Validate your policies and configuration, as described in: