Configure Web-Tier Security and Role Authorization in Oracle Identity Cloud Service

Before deploying your updated application to your production environment, you need to configure web-tier security and role authorization in Oracle Identity Cloud Service.

Configure Web-Tier Security

With Oracle Java Cloud Service - SaaS Extension, web-tier security for an application was typically implemented with a deployment descriptor within web.xml. With Oracle Identity Cloud Service, web-tier and OAuth security are implemented with Oracle Identity Cloud Service Confidential Application configuration, specifically associated with the Fusion SaaS extension app in the Oracle Identity Cloud Service Administrative Console.

The steps to update protected application resources highlighted below are covered in detail in the Oracle WebLogic Server for OCI documentation.
  1. From the Oracle Identity Cloud Service console, in the navigation menu, click Applications.
  2. Search for the Enterprise application associated with your WebLogic Server Cloud instance. The name of the application is <stack>_enterprise_idcs_app_<timestamp>.
  3. On the SSO Configuration tab, expand the Resources section.
  4. Click Add and add a resource using the context path for an application that you want to protect. Note that values support regular expressions.
    Use a descriptive Resource Name such as Sample OAuth Fusion Client App, and use a Resource URL applicable to your application (for example, /oauth-appclient/.*). Check the Regex box to indicate that the value is a regular expression, and optionally give the resource a description.
  5. Expand the Authentication Policy section and create the policies for your desired protected resources. For example, you may want to allow CORS, require secure cookies, or disable audience validation.
    Policies are evaluated in the order in which they appear in this list, and the first policy whose resource matches a request is the one applied.
  6. For Authentication Method, select Form or Access Token.
  7. Click Save to save your changes.
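The ordering rule in step 5 is easy to get wrong when several resources overlap, so here is a small Python simulation (added here, not part of the Oracle documentation) of first-match evaluation over an ordered list of resource patterns, plus a check that reports entries a broad earlier pattern makes unreachable. It assumes a regex Resource URL is matched against the whole request path; the exact matching rules of Oracle Identity Cloud Service are not stated on this page, and the sample policies are constructed.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Resource:
    name: str           # e.g. "Sample OAuth Fusion Client App"
    url: str            # Resource URL, e.g. "/oauth-appclient/.*"
    regex: bool = True  # state of the "Regex" checkbox

@dataclass(frozen=True)
class Policy:
    resource: Resource
    auth_method: str    # "Form" or "Access Token"

def matches(resource, path):
    # Assumption: a regex Resource URL must match the whole request path;
    # a non-regex one is compared literally.
    if resource.regex:
        return re.fullmatch(resource.url, path) is not None
    return resource.url == path

def first_match(policies, path):
    # First-match evaluation over the ordered policy list, as the page describes.
    for policy in policies:
        if matches(policy.resource, path):
            return policy
    return None  # no policy covers this path

def unreachable(policies, sample_paths):
    # Policies that never win on any sample path: a narrower entry listed after a
    # broad pattern that already covers it shows up here.
    winners = {first_match(policies, p) for p in sample_paths}
    return [p for p in policies if p not in winners]

# Constructed sample configuration (not from the page). The broad pattern comes
# first, so the narrower login-page entry can never be selected.
POLICIES = [
    Policy(Resource("Sample OAuth Fusion Client App", r"/oauth-appclient/.*"), "Access Token"),
    Policy(Resource("Client app login page", r"/oauth-appclient/login\.jsp"), "Form"),
]
SAMPLE_PATHS = ["/oauth-appclient/api/orders", "/oauth-appclient/login.jsp", "/other/"]

if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        hit = first_match(POLICIES, path)
        print(path, "->", f"{hit.resource.name} ({hit.auth_method})" if hit else "no policy")
    for policy in unreachable(POLICIES, SAMPLE_PATHS):
        print("never selected (shadowed by an earlier entry):", policy.resource.name)
```

Swapping the two entries makes the login page resolve to the Form policy while everything else under /oauth-appclient/ still requires an access token.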

Configure Role Authorization in Oracle Identity Cloud Service

If your extension application uses Oracle Platform Security Services (OPSS), you need to integrate OPSS user and group APIs with Oracle Identity Cloud Service.

A domain that uses Oracle Identity Cloud Service is associated with a confidential application, which grants Oracle WebLogic Server one or more Oracle Identity Cloud Service client roles. By default, this confidential application has a single role, Authenticator Client, which enables Java applications to use the OPSS authentication APIs. If your Java applications use the OPSS APIs to look up user and group information, then you must add more roles to the confidential application.

The full procedure is provided in the Oracle WebLogic Server for OCI product documentation.