Update the Web Tier Policy
/__auth-mgmt-app/webtierpolicy
On Oracle Cloud Infrastructure Classic, this endpoint is applicable only to accounts that include Oracle Identity Cloud Service and Oracle Cloud Infrastructure Load Balancing Classic, and to Oracle Java Cloud Service instances that are created with Oracle Identity Cloud Service enabled, after release 18.4.2.
Updates the current web tier policy for CloudGate by replacing it with a new policy.
Note the following:
- You must use the GET /__auth-mgmt-app/webtierpolicy endpoint to retrieve the current policy before you update any resources in the policy. Copy the current policy into the update request payload, then edit only the objects within the resourceFilters array. You can modify, add, and remove resource filters.
- You must have the WebLogic Server Admin global role to get and update the policy.
- (On Oracle Cloud Infrastructure Classic) Because this endpoint API is deployed on the WebLogic Administration Server, the ora_p2admin_ahttps access rule for the WebLogic Server Administration Console must be enabled before you can use the endpoint. See Update an Access Rule.
Request
Supported media types:
- application/json
- application/scim+json
Header parameters:
- Authorization: string
  Base64 encoded user name and password separated by a colon, or an OAuth access token obtained from Oracle Identity Cloud Service. See Authenticate.
- X-ID-TENANT-NAME: string
  Identity domain ID for the Oracle Java Cloud Service account.
How to update: Use the GET /__auth-mgmt-app/webtierpolicy endpoint to copy the entire current policy into the request payload, then edit only the objects within the resourceFilters array.
Body (object):
- cloudgatePolicy: object
  Groups CloudGate webtier policy details.
  - allowCors: boolean
    Flag that specifies whether Cross-Origin Resource Sharing across domains is allowed.
  - disableAuthorize: boolean
    Authorize flag. Whether to disable validation of the access token audience during authentication.
  - requireSecureCookies: boolean
    Flag that specifies whether to use HTTPS for all browser requests.
  - version: string
    CloudGate version.
  - webtierPolicy: array of object
    Groups web tier policy details.
    - policyName: string
      Name of the policy. (When updating) The name must contain lowercase characters, such as [a-z, 0-9_-+].
    - resourceFilters: array of object
      Groups resource filters.
      - authorize: boolean
        (When updating) Must be set to false.
      - comment (optional): string
        Optional free-form text to describe the filter.
      - filter: string
        The path of the URL for the resource that you want to protect. (When updating) The path must begin with the / character. For example: /store/departments/.*
      - method: string
        Authentication method for the resource filter. (When updating) Valid values are: Oauth, Oauth+logout, Public (default).
      - type: string
        Resource filter type. (When updating) Specify regex to indicate that the resource URL is defined as a regular expression match (not an exact text match).
Response
Supported media types:
- application/json
- application/scim+json
200 Response
The response depends on when the Oracle Java Cloud Service instance is created.
For a service instance that is created after release 18.4.4, CloudGate web tier policy details are returned in the response, just like the response that is returned upon a GET request.
For a service instance that is created before release 18.4.4, the response body contains details of the Oracle Identity Cloud Service App. All attributes are based on the standard specification SCIM (System for Cross-Domain Identity Management). See the Examples section for an example of this Oracle Identity Cloud Service App response.
Body (object):
- cloudgatePolicy: object
  Groups CloudGate webtier policy details.
  - allowCors: boolean
    Flag that specifies whether Cross-Origin Resource Sharing across domains is allowed.
  - disableAuthorize: boolean
    Authorize flag. Whether to disable validation of the access token audience during authentication.
  - requireSecureCookies: boolean
    Flag that specifies whether to use HTTPS for all browser requests.
  - version: string
    CloudGate version.
  - webtierPolicy: array of object
    Groups web tier policy details.
    - policyName: string
      Name of the policy. (When updating) The name must contain lowercase characters, such as [a-z, 0-9_-+].
    - resourceFilters: array of object
      Groups resource filters.
      - authorize: boolean
        (When updating) Must be set to false.
      - comment (optional): string
        Optional free-form text to describe the filter.
      - filter: string
        The path of the URL for the resource that you want to protect. (When updating) The path must begin with the / character. For example: /store/departments/.*
      - method: string
        Authentication method for the resource filter. (When updating) Valid values are: Oauth, Oauth+logout, Public (default).
      - type: string
        Resource filter type. (When updating) Specify regex to indicate that the resource URL is defined as a regular expression match (not an exact text match).
Examples
The following example shows how to update the CloudGate web tier policy by submitting a PUT request on the REST resource using cURL.
cURL Command
curl -i -X PUT -u username:password -d @webtierpolicy.json -H "Content-Type:application/json" -H "X-ID-TENANT-NAME:ExampleIdentityDomain" https://host:port/__auth-mgmt-app/webtierpolicy
Example of Request Body
The following is an example of the request body in JSON format.
Note: Remember to use the GET /__auth-mgmt-app/webtierpolicy endpoint to copy the entire current policy into the request payload, then edit only the objects within the resourceFilters array.
{
  "cloudgatePolicy":{
    "disableAuthorize":false,
    "allowCors":false,
    "requireSecureCookies":true,
    "webtierPolicy":[
      {
        "policyName":"jcs_cg_policy",
        "resourceFilters":[
          {
            "type":"regex",
            "filter":"/store/departments/.*",
            "method":"oauth"
          },
          {
            "type":"regex",
            "filter":"/store/cart/.*",
            "method":"oauth"
          },
          {
            "type":"regex",
            "filter":"/marketplace/.*",
            "method":"oauth"
          },
          {
            "type":"regex",
            "filter":"/application1/.*",
            "method":"oauth"
          },
          {
            "type":"regex",
            "filter":"/__protected/.*",
            "method":"oauth"
          },
          {
            "type":"regex",
            "filter":"/.*/__protected/.*",
            "method":"oauth"
          },
          {
            "type":"regex",
            "filter":"/.*/__test2path/.*",
            "method":"oauth"
          },
          {
            "type":"regex",
            "filter":"/__testpath4/.*",
            "method":"oauth"
          },
          {
            "type":"regex",
            "filter":"/.*/__test5path/.*",
            "method":"oauth"
          },
          {
            "type":"regex",
            "filter":"/bea_wls_management_internal2.*",
            "method":"unsupported"
          },
          {
            "type":"regex",
            "filter":"/bea_wls_diagnostics.*",
            "method":"unsupported"
          },
          {
            "type":"regex",
            "filter":"/uddi.*",
            "method":"unsupported"
          },
          {
            "type":"regex",
            "filter":"/uddiexplorer.*",
            "method":"unsupported"
          },
          {
            "type":"regex",
            "filter":"/wsm-pm.*",
            "method":"unsupported"
          },
          {
            "type":"regex",
            "filter":"/console.*",
            "method":"unsupported"
          },
          {
            "type":"regex",
            "filter":"/console-help.*",
            "method":"unsupported"
          },
          {
            "type":"regex",
            "filter":"/wlstestclient.*",
            "method":"unsupported"
          },
          {
            "type":"regex",
            "filter":"/wls_utc.*",
            "method":"unsupported"
          },
          {
            "type":"regex",
            "filter":"/mejb.*",
            "method":"unsupported"
          },
          {
            "type":"regex",
            "filter":"/bea_wls_deployment_internal.*",
            "method":"unsupported"
          },
          {
            "type":"regex",
            "filter":"/bea_wls_internal.*",
            "method":"unsupported"
          },
          {
            "type":"regex",
            "filter":"/bea_wls9_async_response.*",
            "method":"unsupported"
          },
          {
            "type":"regex",
            "filter":"/bea_wls_async_response.*",
            "method":"unsupported"
          },
          {
            "type":"regex",
            "filter":"/wls-wsat.*",
            "method":"unsupported"
          },
          {
            "type":"regex",
            "filter":"/wls-cat.*",
            "method":"unsupported"
          },
          {
            "type":"regex",
            "filter":"/wsil-wls.*",
            "method":"unsupported"
          },
          {
            "type":"regex",
            "filter":".*",
            "method":"public"
          }
        ]
      }
    ],
    "version":"2.3"
  }
}
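The "copy the GET output, change only resourceFilters, then PUT" rule is easy to break by hand. The following Python is an added example, not code from the Oracle documentation: it takes a policy shaped like the GET response, validates a new filter against the constraints listed for update (leading /, authorize false, documented method values, lowercase policyName), inserts it into resourceFilters, and checks that nothing outside that array changed before the payload is submitted. The sample policy is constructed, and treating a final ".*" filter as a catch-all that must stay last is an assumption of the example.

```python
import copy
import re
# Constructed sample, not a real instance's policy: an abbreviated copy of what
# GET /__auth-mgmt-app/webtierpolicy returns, with a trailing ".*" public filter.
CURRENT_POLICY = {"cloudgatePolicy": {
    "disableAuthorize": False, "allowCors": False, "requireSecureCookies": True,
    "webtierPolicy": [{"policyName": "jcs_cg_policy", "resourceFilters": [
        {"type": "regex", "filter": "/store/cart/.*", "method": "oauth"},
        {"type": "regex", "filter": "/console.*", "method": "unsupported"},
        {"type": "regex", "filter": ".*", "method": "public"},
    ]}],
    "version": "2.3",
}}

# Documented constraints for filters supplied on update. The page's example
# writes method values in lowercase, so the comparison is case-insensitive.
VALID_METHODS = {"oauth", "oauth+logout", "public"}
POLICY_NAME_RE = re.compile(r"^[a-z0-9_+-]+$")

def validate_filter(rf):
    """Raise ValueError if a new resource filter breaks the documented rules."""
    if not str(rf.get("filter", "")).startswith("/"):
        raise ValueError("filter must begin with '/': %r" % rf.get("filter"))
    if rf.get("authorize", False) is not False:
        raise ValueError("authorize must be false when updating")
    if str(rf.get("method", "Public")).lower() not in VALID_METHODS:
        raise ValueError("method must be Oauth, Oauth+logout or Public")

def add_resource_filter(policy, path, method="Oauth"):
    """Copy the GET payload and add one regex filter to each web tier policy,
    ahead of a final '.*' entry (assumed to be a catch-all that stays last)."""
    rf = {"type": "regex", "filter": path, "method": method, "authorize": False}
    validate_filter(rf)
    new = copy.deepcopy(policy)
    for wtp in new["cloudgatePolicy"]["webtierPolicy"]:
        if not POLICY_NAME_RE.match(wtp["policyName"]):
            raise ValueError("policyName must match [a-z0-9_+-]")
        filters = wtp["resourceFilters"]
        at = len(filters) - 1 if filters and filters[-1].get("filter") == ".*" else len(filters)
        filters.insert(at, rf)
    return new

def only_resource_filters_changed(old, new):
    """Check the page's rule: nothing but the resourceFilters arrays may differ."""
    def strip(p):
        p = copy.deepcopy(p)
        for wtp in p["cloudgatePolicy"]["webtierPolicy"]:
            wtp.pop("resourceFilters", None)
        return p
    return strip(old) == strip(new)
```

The returned dictionary is what goes into webtierpolicy.json for the cURL command above; the original GET output is left untouched so it can be kept for rollback.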
Example of Response Body
On Oracle Cloud Infrastructure: The response for a PUT request is the same as the response for a GET web tier policy, as shown in Retrieve the Web Tier Policy.
On Oracle Cloud Infrastructure Classic: The response output depends on when the Oracle Java Cloud Service instance is created.
If the instance is created after release 18.4.4, the response for a PUT request is the same as the response for a GET web tier policy, as shown in Retrieve the Web Tier Policy.
If the instance is created before release 18.4.4, the response is similar to the following example shown in JSON format.
{
  "accessTokenExpiry":3600,
  "clientType":"trusted",
  "isAliasApp":false,
  "audience":"https://audience-url.com:443",
  "meta":{
    "created":"2018-07-26T01:15:21.837Z",
    "lastModified":"2018-07-26T03:19:56.247Z",
    "resourceType":"App",
    "location":"https://location-url.com/admin/v1/Apps/string-numbers-letters"
  },
  "active":true,
  "isLoginTarget":false,
  "idcsCreatedBy":{
    "display":"idcssm",
    "type":"App",
    "value":"string-numbers-letters",
    "$ref":"https://location-url.com/admin/v1/Apps/string-numbers-letters"
  },
  "displayName":"JaaS_exampleinstance",
  "showInMyApps":false,
  "isMobileTarget":false,
  "allowOffline":false,
  "serviceTypeVersion":"18.3.6-1807222336",
  "isUnmanagedApp":true,
  "idcsLastModifiedBy":{
    "display":"JaaS_exampleinstance",
    "type":"App",
    "value":"string-numbers-letters",
    "$ref":"https://location-url.com/admin/v1/Apps/string-numbers-letters"
  },
  "isOPCService":true,
  "refreshTokenExpiry":604800,
  "name":"client-id_APPID",
  "serviceTypeURN":"JaaS",
  "description":"[JaaS] exampleinstance",
  "isOAuthClient":true,
  "isManagedApp":false,
  "isSamlServiceProvider":false,
  "infrastructure":false,
  "allUrlSchemesAllowed":true,
  "trustScope":"Default",
  "id":"string-numbers-letters",
  "isWebTierPolicy":true,
  "allowAccessControl":false,
  "isOAuthResource":true,
  "migrated":false,
  "isKerberosRealm":false,
  "protectableSecondaryAudiences":[
    {
      "value":"urn:opc:lbaas:logicalguid=string-numbers-letters"
    }
  ],
  "scopes":[
    {
      "value":"internal",
      "description":"Internal scope",
      "fqs":"https://fqs-url.com:443internal",
      "requiresConsent":false
    },
    {
      "value":"external",
      "description":"External scope",
      "fqs":"https://fqs-url.com:443external",
      "requiresConsent":true
    }
  ],
  "idcsPreventedOperations":[
    "delete"
  ],
  "basedOnTemplate":{
    "lastModified":"2018-05-31T22:35:18Z",
    "value":"OPCAppTemplateId",
    "$ref":"https://some-url.com/admin/v1/AppTemplates/OPCAppTemplateId"
  },
  "urn:ietf:params:scim:schemas:oracle:idcs:extension:opcService:App":{
    "serviceInstanceIdentifier":"string-numbers-letters"
  },
  "allowedGrants":[
    "urn:ietf:params:oauth:grant-type:jwt-bearer",
    "password",
    "client_credentials"
  ],
  "allowedOperations":[
    "introspect",
    "onBehalfOfUser"
  ],
  "aliasApps":[
    {
      "value":"string-numbers-letters",
      "description":"string-numbers-letters_WSM_APPID",
      "display":"string-numbers-letters_Oracle Web Services app ID",
      "$ref":"https://some-url.com/admin/v1/Apps/string-numbers-letters"
    },
    {
      "value":"string-numbers-letters",
      "description":"Binding to authenticate against Oracle Storage Service protected by IDCS",
      "display":"string-numbers-letters_IDCS_STORAGE_CLIENT_CUSTOMER",
      "$ref":"https://some-url.com/admin/v1/Apps/string-numbers-letters"
    }
  ],
  "schemas":[
    "urn:ietf:params:scim:schemas:oracle:idcs:App",
    "urn:ietf:params:scim:schemas:oracle:idcs:extension:opcService:App"
  ],
  "clientSecret":"string-numbers-letters",
  "secondaryAudiences":[
    "urn:opc:lbaas:logicalguid=string-numbers-letters"
  ],
  "certificates":[
    {
      "certAlias":"alias-name_string-numbers-letters",
      "x509Base64Certificate":"very-long-string-numbers-letters-slashes",
      "sha1Thumbprint":"string-numbers-letters",
      "x5t":"string-numbers-letters"
    }
  ],
  "grantedAppRoles":[
    {
      "value":"string-numbers-letters",
      "$ref":"https://some-url.com/admin/v1/AppRoles/string-numbers-letters",
      "appId":"IDCSAppId",
      "display":"User Viewer",
      "type":"direct",
      "appName":"IDCSApp",
      "adminRole":true
    }
  ]
}