Comments on Oracle Fusion Middleware Security: JSF and OES part 3

Chris Johnson (Oracle), 2011-10-21T14:37:04.420-07:00

The above post was talking about OES 10g.

You are right - OES 11g is currently not supported in a domain with JRF.

Mukesh Khattar, 2011-10-12T13:25:47.903-07:00

I am helping a client who wants to use OES to protect standalone ADF applications running on WebLogic for fine-grained access control. Based on my research, here is what I found:

1. ADF, WebCenter and SOA use the JRF template.
2. OES Policy Client is currently not supported to be installed in a WebLogic container extended with JRF.

Based on the above, that would mean that OES SSM (Embedded PDP) cannot be used for ADF applications. Am I missing something here?

My second question is: can ADF really use OES policies? As I understand it, fine-grained security with ADF applications (e.g. enabling or disabling a command button) is driven by the ADF Security Framework (which consumes OPSS), which basically uses enterprise/application roles to protect ADF components. How can we use OES policies to protect ADF components using a declarative approach?

Please advise.

Anonymous, 2010-04-29T19:25:47.637-07:00

This comment has been removed by a blog administrator.

Chris Johnson (Oracle), 2010-04-29T08:13:08.774-07:00

Sridar: Can you post to OTN or open a support case? Those would be better forums to help you get this resolved.

Anonymous, 2010-04-28T00:41:45.230-07:00

Hi Chris,
I have created a sample web service, deployed it in WebLogic Server and tested it.

Now the requirement is to secure the web service using OES. I have configured the web service in OES and created a policy in OES. Now when I access the web service from SOAP UI, I am getting the following exception. Please advise.

weblogic.wsee.util.AccessException: Access Denied to operation getInstrumentList
    at weblogic.wsee.security.AuthorizationHandler.handleRequest(AuthorizationHandler.java:62)
    at weblogic.wsee.handler.HandlerIterator.handleRequest(HandlerIterator.java:141)
    at weblogic.wsee.ws.dispatch.server.ServerDispatcher.dispatch(ServerDispatcher.java:114)
    at weblogic.wsee.ws.WsSkel.invoke(WsSkel.java:80)
    at weblogic.wsee.server.servlet.SoapProcessor.handlePost(SoapProcessor.java:66)
    at weblogic.wsee.server.servlet.SoapProcessor.process(SoapProcessor.java:44)
    at weblogic.wsee.server.servlet.BaseWSServlet$AuthorizedInvoke.run(BaseWSServlet.java:285)
    at weblogic.wsee.server.servlet.BaseWSServlet.service(BaseWSServlet.java:169)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
    at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
    at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
    at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292)
    at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:175)
    at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3498)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
    at weblogic.security.service.SecurityManager.runAs(Unknown Source)
    at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2180)
    at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2086)
    at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1406)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)

Maiko Rocha, 2010-03-04T16:20:57.721-08:00

Chris,

Great post! Looking forward to the next entry!

[]s! :-)
Maiko

Chris Johnson (Oracle), 2009-10-28T18:42:51.478-07:00

sags: Hmm.

I'm writing a longer article on how to write manageable OES policies, but it sounds like you MAY have a use case that COULD POSSIBLY have some instances where calling the BLM from your app MIGHT be sensible.

Note how many qualifiers I have in that sentence? Your use case feels like "when all you have is a hammer" uses and I'd hate to see you waste your time with the wrong approach.

For now I'd suggest two things:
1) Get in touch with OCS or one of our integrator partners that has experience with OES. They're well equipped to help you figure out the best way to attack your requirements in your environment.

2) Consider using the BLM and add users as you need them. What I mean is let your policy manager person enter the username or pick off a list of users you generate from OIM or OID. After they pick some permissions for that user and go to save their changes back, you check OES to see if the user exists in OES's user database - if they don't, add them then. Finally, go ahead and create/update your policies as needed.

Please contact me offline at christopher dot johnson at oracle dot com. I'd like to help you find a better way.

sags, 2009-10-23T08:13:27.949-07:00

Thanks Chris,
I am totally new to OES and did find the examples after I wrote the comment.

Let me explain something about the use case I am trying to achieve.

We have an existing admin interface through which we have to manage everything which is dynamic. The underlying products involve OIM, OID, OAM, OAAM, OWSM and OES, all of them integrated with each other. Let me explain how.
1. User is created from the front end -> web service calls to OIM to create user, set access permissions, set roles etc.
2. OIM provisions the information in OID.
3. OID is the user store for OAM and OES.
4. User accesses an application protected by OAM.
5. OAAM is integrated with OAM for authentication.
6. User profile information is passed along with the risk analysis information to the underlying application.
7. The underlying application calls OES for authorization of its resources with the information from OAM, i.e. userid, role, risk score etc.
8. If the application needs to make any web service calls, OWSM comes into the picture, which is again integrated with OAM for authentication.

Everything here is managed from a single front end, except the OES stuff. Policies are a static thing here and will hardly change, but who has access to what changes often. To automate that change I need to expose OES management APIs / web service calls to the front end.

Chris Johnson (Oracle), 2009-10-23T06:40:43.277-07:00

Sagar: Examples of both local and remote calls to the management APIs are included in the Admin server's installation directory. In ales32-admin/examples you should see three directories of interest: policymgtapi, policymgtwsapi, and policymgtwsapi4dotnet. The first two are Java examples of local and remote Web Services based interfaces. The last one is a .NET example calling the Web Services interface.

I am curious about what you're planning to do with the interface since most deployments of OES have no need to use the management interface. Could you post a comment letting us know?

sags, 2009-10-21T07:54:17.332-07:00

Hi Chris,
We are planning to use OES in one of our deployments and want to use the OES management APIs, but I couldn't find any examples either to use web service calls or Java APIs.
Can you post an example to use the management API or web service with steps to configure the client?

Thanks,
Sagar