RSA Access Manager Authorization

Overview

RSA Access Manager (formerly known as RSA ClearTrust) provides Identity Management and access control services for Web applications. It centrally manages access to Web applications, ensuring that only authorized users are allowed access to resources.

The API Gateway's Access Manager filter enables integration with RSA Access Manager. This filter can query Access Manager for authorization information for a particular user on a given resource. In other words, the API Gateway asks Access Manager to make the authorization decision. If the user has been given authorization rights to the Web service, the request is allowed through to the service. Otherwise, the request is rejected.

Prerequisites

Integration with RSA Access Manager requires the RSA ClearTrust SDK, version 6.0. You must add the required third-party binaries to your API Gateway and Policy Studio installations.

API Gateway

To add third-party binaries to the API Gateway, you must perform the following steps:

  1. Add the binary files as follows:

    • Add .jar files to the install-dir/apigateway/ext/lib directory.

    • Add .dll files to the install-dir\apigateway\Win32\lib directory.

    • Add .so files to the install-dir/apigateway/platform/lib directory.

  2. Restart the API Gateway.

Policy Studio

To add third-party binaries to Policy Studio, you must perform the following steps:

  1. Select Windows > Preferences > Runtime Dependencies in the Policy Studio main menu.

  2. Click Add to select a JAR file to add to the list of dependencies.

  3. Click Apply when finished. A copy of the JAR file is added to the plugins directory in your Policy Studio installation.

  4. Click OK.

  5. Restart Policy Studio.

General Details

Configure the following general setting:

Name:

Enter an appropriate name for the filter.

Connection Details

This section enables you to specify a group of Access Manager servers to connect to when authenticating clients. Selecting a group of servers, rather than a single server, provides failover if one or more servers are unavailable.

Connection Group Type

The API Gateway can connect to a group of Access Manager Authorization Servers or Dispatcher Servers. When multiple Access Manager Authorization Servers are deployed for load-balancing purposes, the API Gateway should first connect to a Dispatcher Server, which returns a list of active Authorization Servers. An attempt is then made to connect to one of these Authorization Servers using round-robin DNS. If the first Dispatcher Server in the Connection Group is not available, the API Gateway attempts to connect to the Dispatcher Server with the next highest priority in the group, and so on.

If a Dispatcher Server has not been deployed, the API Gateway can connect directly to an Authorization Server. If the Authorization Server with the highest priority in the Connection Group is not available, the API Gateway attempts to connect to the Authorization Server with the next highest priority, and so on. Select the type of the Connection Group (Authorization Server or Dispatcher Server). All servers in the group must be of the same type.

Connection Group:

Click the button on the right, and select the Connection Group to use for authenticating clients. To add a Connection Group, right-click the RSA ClearTrust Connection Sets tree node, and select Add a Connection Set. Alternatively, you can configure a Connection Set under the External Connections node in the Policy Studio tree. For more details, see the topic on Configuring Connection Groups.

Authorization Details

This section describes the resource for which the user is requesting access.

  • Server:

    Enter the name of the server that is hosting the requested resource. The name entered must correspond to a pre-configured Server Name in Access Manager.

  • Resource:

    Enter the name of the requested resource. This resource must be pre-configured in Access Manager.

Alternatively, you can enter a selector representing a message attribute in the Resource field. The API Gateway expands this selector at runtime to the value of the corresponding message attribute. API Gateway message attribute selectors take the following format:

${message.attribute}

The following example of a typical SOAP message received by the API Gateway shows how this works:

POST /services/timeservice HTTP/1.0
Host: localhost:8095
Content-Length: 374
SOAPAction: TimeService
Accept-Language: en-US
Content-Type: text/XML; utf-8

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ns1:getTime xmlns:ns1="urn:timeservice">
    </ns1:getTime>
  </soap:Body>
</soap:Envelope>

The following table shows an example of selector expansion:

Selector               Expanded To
${http.request.uri}    /services/timeservice

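As an added example (not code from the API Gateway product or from this page), the following Python models the selector expansion described above: it parses the sample request into a small attribute map (only http.request.uri is an attribute name given on the page; the other keys are assumptions), expands a Resource template, and treats a missing attribute or a resource that is not pre-configured in Access Manager as a deny, so the check fails closed.

```python
import re
from typing import Dict, Optional, Set

# Matches ${message.attribute} selectors in the format the page describes.
SELECTOR = re.compile(r"\$\{([A-Za-z0-9_.]+)\}")

# Constructed copy of the sample request shown on this page (body shortened).
RAW_REQUEST = (
    "POST /services/timeservice HTTP/1.0\r\n"
    "Host: localhost:8095\r\n"
    "Content-Length: 374\r\n"
    "SOAPAction: TimeService\r\n"
    "Accept-Language: en-US\r\n"
    "Content-Type: text/XML; utf-8\r\n"
    "\r\n"
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soap:Body><ns1:getTime xmlns:ns1="urn:timeservice"/></soap:Body>'
    "</soap:Envelope>"
)


def message_attributes(raw: str) -> Dict[str, str]:
    """Derive a minimal attribute map from a raw HTTP request.
    http.request.uri is named on the page; the other keys are assumptions."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    verb, uri, _version = request_line.split(" ", 2)
    attrs = {"http.request.uri": uri, "http.request.verb": verb, "content.body": body}
    for line in header_lines:
        name, _, value = line.partition(":")
        attrs["http.header." + name.strip().lower()] = value.strip()  # hypothetical key
    return attrs


def expand_selector(template: str, attrs: Dict[str, str]) -> str:
    """Replace every ${name} in template with the attribute value; unknown names raise."""
    def repl(match: "re.Match[str]") -> str:
        name = match.group(1)
        if name not in attrs:
            raise KeyError(f"message attribute not set: {name}")
        return attrs[name]
    return SELECTOR.sub(repl, template)


def resolve_resource(template: str, raw: str, known: Set[str]) -> Optional[str]:
    """Expand the Resource field and return it only if it is a resource that
    Access Manager knows (simulated here by `known`); otherwise return None (deny)."""
    try:
        resource = expand_selector(template, message_attributes(raw))
    except KeyError:
        return None
    return resource if resource in known else None
```

Because the expanded value comes from the client's request line, the set of resources pre-configured in Access Manager is what bounds which authorization decisions can be requested.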
For more details on selectors, see Selecting configuration values at runtime.