Showing posts with label entitlementsserver. Show all posts

Friday, March 19, 2010

Speeding up your OES-enabled app

When you secure a WebLogic app with OES, or use OES to secure a Java-based application using the Java Security Module, the overhead and performance impact is minimal (it's usually measured in microseconds). In fact, most customers report that OES is faster than the code it replaced.

When you use OES' Web Services Security Module, your application makes SOAP or RMI calls over the network to a central server or cluster of servers. This is inherently slower than in-process calls, not because the Web Service SM is slow, but because SOAP, XML, and SSL all add computational overhead, and network communication adds latency. Consider that a simple ICMP ping is measured in milliseconds and it's clear that this might be a fairly large impact on your application.

When an application calls OES there is a single, common Java API you can use regardless of which SM you are using. At its simplest the API takes three parameters - action, resource and context data - and returns a boolean along with context data. Programmers new to OES will often go no further than making calls to this API and if you are using the Java Security Module, which runs in the same process space as your application logic, you need go no further.

But if you're making SOAP or RMI calls, you'd be doing yourself a disservice by not looking further.

OES offers two additional API calls that allow you to make bulk authorization calls. One (isBulkAcessAllowed / isBulkAccessAllowed) allows you to send a batch of action/resource and context calls and get a list of true/false responses. The other (isChildResourceAccessAllowed / isChildResourceAccessAllowed) allows you to ask OES for a list of resources it knows about that the user is authorized to access.

These interfaces are also available in the WSDL and the .NET example shows how you can make these calls from C#.
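
The round-trip saving described above, as an added example that is not from the original post or from OES: `PdpClient`, `Query`, `isAllowed`, `isBulkAllowed` and `allowedChildren` are hypothetical stand-ins (not the OES API) for a remote decision point where each call costs one network round trip, and the policy data is constructed.

```java
import java.util.*;

/** Added illustration; PdpClient is a hypothetical stand-in, NOT the OES API. */
public class BulkAuthzDemo {
    /** One action/resource pair to be decided. */
    record Query(String action, String resource) {}

    /** Hypothetical remote decision point: each non-private call models one round trip. */
    static class PdpClient {
        // Constructed sample policy: resource -> actions granted to the current user.
        private final Map<String, Set<String>> policy = Map.of(
            "/reports/q1", Set.of("view"),
            "/reports/q2", Set.of("view", "edit"),
            "/admin/users", Set.<String>of());
        int roundTrips = 0;

        boolean isAllowed(Query q) {                   // one decision, one round trip
            roundTrips++;
            return decide(q);
        }
        List<Boolean> isBulkAllowed(List<Query> qs) {  // many decisions, one round trip
            roundTrips++;
            List<Boolean> out = new ArrayList<>();
            for (Query q : qs) out.add(decide(q));
            return out;
        }
        List<String> allowedChildren(String action, String parent) { // one round trip
            roundTrips++;
            List<String> out = new ArrayList<>();
            for (String r : new TreeSet<>(policy.keySet()))
                if (r.startsWith(parent + "/") && decide(new Query(action, r))) out.add(r);
            return out;
        }
        private boolean decide(Query q) {              // unknown resources are denied
            return policy.getOrDefault(q.resource(), Set.of()).contains(q.action());
        }
    }

    public static void main(String[] args) {
        List<Query> page = List.of(new Query("view", "/reports/q1"),
            new Query("edit", "/reports/q1"), new Query("edit", "/reports/q2"),
            new Query("view", "/admin/users"), new Query("view", "/unknown"));
        PdpClient single = new PdpClient();
        List<Boolean> oneByOne = new ArrayList<>();
        for (Query q : page) oneByOne.add(single.isAllowed(q));
        PdpClient bulk = new PdpClient();
        List<Boolean> batched = bulk.isBulkAllowed(page);
        System.out.println("same decisions: " + oneByOne.equals(batched) + " " + batched);
        System.out.println("round trips: single=" + single.roundTrips + " bulk=" + bulk.roundTrips);
        System.out.println("viewable under /reports: " + bulk.allowedChildren("view", "/reports"));
    }
}
```

The decisions are identical either way; only the number of network round trips changes, which is the cost that matters when the decision point sits behind SOAP or RMI.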

Friday, January 22, 2010

OES discovery mode

How do you enable Discovery Mode in Oracle Entitlements Server?

From the documentation:

The ASI Authorization and ASI Role Mapping providers support a Discovery mode that helps make this task easier. Typically, these providers answer questions about security, but when in Discovery mode, the providers record information about those questions to build your policy (for example, what privileges and resources must be granted to view a particular web page).

To use Discovery mode, you must modify the command line that starts your Security Service Module by adding the following system properties:

com.bea.security.providers.authorization.asi.AuthorizationProviderImpl.discoverymode=true
com.bea.security.providers.authorization.asi.RoleProviderImpl.discoverymode=true

More information about discovery mode is in the ALES 3.0 documentation.

Wednesday, November 25, 2009

Installing OES with WebLogic 11gR1

The below is not officially supported by Oracle yet, but I've been happily running OES under WebLogic 11gR1 and thought it might be useful information for others.

WebLogic Server 10.3 is the most recent version certified for use with OES 10.1.4.3. If you want to run OES with WebLogic 11gR1 (also known as WebLogic 10.3.1), you will need to take a few extra steps.

1) install WebLogic 11gR1
2) run the DBConfig tool to create the database for OES
3) install OES 10.1.4.3 Admin Server
   During the installation, do not install the OES schema.
4) install the latest OES cumulative patch - currently CP2
   To do this, unzip the patch, edit ApplyAdminPatch.bat or .sh, and then run that script.
5) run install_schema.bat or .sh depending on platform. This script not only creates all of the tables and indexes, but it also loads the default set of policies and boots the server.


If you accidentally install the schema in step 3, it's easy enough to recover:
1) stop SCM and Admin server
2) unzip the latest CP
3) edit the ApplyAdminPatch.sh/.bat
4) apply the patch
5) run install_ales_schema.sh/.bat



Update on Dec 2, 2009: CP3 is now available.