58.5 Protecting JBoss-Specific Resources

Protecting JBoss-specific resources is a JBoss-specific task and is required for all JBoss integration use cases: protecting applications, Web Services, or EJBs.

The following sections describe how to create a JBoss Agent registration (which includes defining protected resources) and configure authorization policies for use with the JBoss Agent.

58.5.1 Registering the JBoss Agent with Automatic Policy Creation

You can use the Oracle Access Management Console to register the JBoss Agent with Automatic Policy Creation. Remote registration can also be used.

Remote registration is described elsewhere in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.

For communication between Access Manager and the JBoss Agent, you can use Open, Simple, or Cert Security Mode. Configuring the JBoss Agent to use Simple or Cert mode signals the Java ASDK to operate in the same mode. During registration, a new file system directory is created for the agent on the Oracle Access Management Console host (AdminServer). After registration, you copy artifacts to the Agent directory path:

  • ObAccessClient.xml

  • password.xml (Simple or Cert mode only)

  • oamclient-keystore.jks - see "Setting Up The Keystore" in Oracle Fusion Middleware Developer's Guide for Oracle Access Management.

In the following procedure you will create a fresh registration for a 10g OAM Agent. Replace variables with values for your environment. This example uses Cert mode. Your deployment will be different.

  1. Go to the Oracle Access Management Console (host 1) and log in using Administrator credentials. For example:
    https://host1:port/oamconsole
    User: adminuserID
    Password: ********

  2. Click Application Security at the top of the window.
  3. In the Launch Pad tab, click SSO Agent Registration in the Quick Start Wizards section.
  4. Select WebGate as the agent type and click Next.
  5. Enter the following (and required details) to register this OAM Agent. For example:
    • Name: JBoss

    • Version: 10g

    • Security: Cert (See Oracle Fusion Middleware Developer's Guide for Oracle Access Management)

    • User-defined Parameter:

        logoutRedirectUrl=http://OAM_Server.domain.com:14100/oam/server/logout

  6. Protected Resource List: Click the Add (+) button in this table and enter the resources you want protected by the default Authentication and Authorization policies:
    /Authen/Basic
    /Authen/SSOToken
    
  7. Auto Create Policies: Check to create fresh policies and an Application Domain.
  8. Click Apply to submit the registration.
  9. Check the Confirmation window for the location of generated artifacts and then close the window.
  10. In the navigation tree, confirm the Agent name is listed.
  11. Copy ObAccessClient.xml from the AdminServer to the JBoss Agent installation directory path:

    From: $WLS_HOME/middleware/user_projects/domains/base_domain/output/AGENTNAME

    To: D:\agentconfig

  12. Proceed with "Creating a Custom Policy for JBoss Resource Protection".
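After the artifacts listed above have been copied in Step 11, a quick check that the agent directory holds everything the configured security mode needs (and that the secret-bearing files are not readable by other OS users) saves a failed first start. The following is an added example, not Oracle's own tooling; it assumes the 10g ObAccessClient.xml carries the mode as a NameValPair element with ParamName="security", and the directory it checks is constructed in a temp folder.

```python
"""Check a copied JBoss Agent config directory against its security mode."""
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Artifacts the registration text says to copy, per security mode.
REQUIRED = {
    "open": ["ObAccessClient.xml"],
    "simple": ["ObAccessClient.xml", "password.xml", "oamclient-keystore.jks"],
    "cert": ["ObAccessClient.xml", "password.xml", "oamclient-keystore.jks"],
}
# Files holding key material or passwords; other OS users should not read them.
SENSITIVE = {"password.xml", "oamclient-keystore.jks"}


def read_security_mode(agent_dir):
    """Return the 'security' value from ObAccessClient.xml, lower-cased.
    Assumption: the 10g file lists <NameValPair ParamName=.. Value=..>
    elements; any XML namespace prefix on the tag is ignored."""
    tree = ET.parse(os.path.join(agent_dir, "ObAccessClient.xml"))
    for el in tree.getroot().iter():
        if el.tag.split("}")[-1] == "NameValPair" and el.get("ParamName") == "security":
            return el.get("Value", "").lower()
    raise ValueError("no 'security' parameter found in ObAccessClient.xml")


def check_agent_dir(agent_dir):
    """Return (mode, missing_required_files, world_readable_sensitive_files)."""
    mode = read_security_mode(agent_dir)
    if mode not in REQUIRED:
        raise ValueError("unknown security mode: %r" % mode)
    missing = [f for f in REQUIRED[mode] if not os.path.isfile(os.path.join(agent_dir, f))]
    exposed = [f for f in sorted(SENSITIVE)
               if os.path.isfile(os.path.join(agent_dir, f))
               and os.stat(os.path.join(agent_dir, f)).st_mode & stat.S_IROTH]
    return mode, missing, exposed


def demo():
    """Constructed Cert-mode directory: password.xml was not copied and the
    keystore is world-readable, so both findings are reported."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "ObAccessClient.xml"), "w") as f:
        f.write('<CompoundList xmlns="http://www.oblix.com"><SimpleList>'
                '<NameValPair ParamName="id" Value="JBoss"/>'
                '<NameValPair ParamName="security" Value="cert"/>'
                '</SimpleList></CompoundList>')
    ks = os.path.join(d, "oamclient-keystore.jks")
    open(ks, "wb").close()
    os.chmod(ks, 0o644)  # deliberately too permissive
    return check_agent_dir(d)


if __name__ == "__main__":
    print(demo())  # ('cert', ['password.xml'], ['oamclient-keystore.jks'])
```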

58.5.2 Creating a Custom Policy for JBoss Resource Protection

You can create a custom Authorization policy to protect JBoss Agent-specific resources and add responses that return the user groups as header variables.

For example, name the response OAM_GROUPS (with value $user.groups).

Note:

For this custom authorization policy, the success and failure redirect URLs are not needed because the single purpose of this policy is to provide responses for an authorized user. If redirect URLs are provided, no redirection occurs with the processing logic of the JBoss Agent or Login Module.

  1. In the Oracle Access Management Console, click Application Security at the top of the window.

  2. In the Launch Pad tab, click Application Domains in the Access Manager section.

  3. Search for the JBoss domain and open it for editing.

  4. Authorization Policies:

    1. Click the Authorization Policies node and click the Create (+) button.

    2. In the Name field of the Summary tab, enter a unique name. For example:

      Custom Authorization Policy

  5. Add Resources: JBoss Agent-specific resources were defined during agent registration.

    1. Click the Resources tab on the Authorization Policy page.

    2. Click the Add (+) button.

    3. Click the Search button.

    4. Choose a URL from the list, then click Add Selected:

      /Authen/Basic
      
    5. Repeat Steps 1 through 4 to add:

      /Authen/SSOToken
      
    6. Click Apply.

  6. Add Responses: Click the Responses tab, click the Add (+) button and:

    • In the Name field, enter a unique name for this response: OAM_GROUPS.

    • From the Type list, choose a response type (Header).

    • In the Value field, enter a value for this response. For example: $user.groups

  7. Click Apply to save changes and close the Confirmation window.

  8. Proceed to the proper topic for your deployment.