Comments on Oracle Fusion Middleware Security: Oracle Access Manager 11g Academy: The Policy Model (Part 1)
Comment feed by Chris Johnson (Oracle); 9 comments, listed newest first.

Brian Eidelman (2012-04-17):

Matt,

Good question. You do need to ensure that the request has really come through OHS/Apache with the webgate on it. There are a number of ways to accomplish this.

I discuss the issue in some detail in this post: http://fusionsecurity.blogspot.com/2010/04/security-clarification-oam-identity.html

Matt (2012-04-02):

Good post.

Quick question... I am having a little trouble understanding the architecture with OHS/Apache and the protected resource. For example, say I have a JEE 5 app running on serverA with URI http://www.app1.us:7001/myapp. I install OHS on serverA, configure it to listen on http://www.app1.us:80/myapp and add the OAM files to OHS. Now, I tell my users to access the application through the OHS URI http://www.app1.us:80/myapp. But a few users don't get the memo and continue to directly access the application through http://www.app1.us:7001/myapp. How is this resolved? Should the application be re-designed to parse for OAMAuthnCookie? Should a firewall rule be put in place to block the original URI, and then the protected resource entry within OAM becomes http://www.app1.us:80/myapp? Any help would be greatly appreciated.

Brian Eidelman (2011-05-27):

Kiran,

OAM 11g has the concept of constraints (which I haven't covered yet in my policy model series), which can be based on individual users or LDAP groups.

So, if you want to limit access based on group memberships, that is easy to do in 11g. What you cannot (yet) do in 11g is base membership directly on user attribute values, since you cannot directly do LDAP filter based authorization.

If you have a requirement to do authorization based on attribute values, then you should look at creating dynamic groups, either with OVD or your directory of choice.

Good luck,

Brian

Kiran Thakkar (2011-05-23):

Hi Brian,

Thanks for the detailed post on the OAM 11g policy model. It was really helpful.

I had a question. I was reading the documentation and figured out that OAM 11g does not support LDAP filter based authorization policy. I deployed OAM 11g and validated the same.

Now, if I want to limit access to a resource to a group of users, do I have to add those users manually to the policy? Also, if a new user is created, I will have to make sure that I add that user to the authorization policy. Is there a better way to create a policy in 11g?

Thanks,
Kiran Thakkar

Rehan Farooq (2011-02-14):

Looking for how to protect the resource (web application) that is deployed on the same WebLogic server containing OAM 11g, but without the OHS reverse proxy.

Brian Eidelman (2011-02-10):

Nagesh,

I've been getting a lot of requests for help with using an external login form with OAM 11g.

So, I just put up a post on the subject:

http://fusionsecurity.blogspot.com/2011/02/external-custom-login-forms-with-oracle.html

I hope it helps!

--Brian

nagesh reddy (2011-02-10):

Nice post, looking for how an external custom login form can be used.

Lucas Jellema (2011-02-05):

You have provided me with a way to finally tentatively find my way into the world of OAM. Thanks for that - and please keep up this good work of yours.

Kind regards,

Lucas

Thomas Isaksen (2011-02-03):

Great post! Looking forward to the next one :)