
Oracle Entitlement Server (OES) Lightweight RMI Client

November 21, 2011


Thanks to posts from Subbu, it is easy to create and configure an RMI client to OES by replacing the jps-config of a normal Java SM on the same host. What I want to show here is how to send entitlement requests remotely from an RMI client to a non-controlled RMI SM server. This is almost identical to a XACML/Web Service client, except that it uses RMI, which is faster, more convenient and less error prone.

As I said, I will try to keep my RMI SM in non-controlled mode. I found it less problematic this way. With controlled security modules you may end up with GUI issues that prevent proper distribution.

Security Module (SM)


So here is my PRP file for this NC (non-controlled) RMI SM:
# Policy distribution mode. Possible values:
# -------- Policy Distributor connectivity information - required for controlled-push distribution mode
# Only needed for controlled-push policy distribution mode [OES-Server][OES-Port]
# -- Policy Store Service Configuration parameters - required only for controlled-pull or non-controlled modes
# Policy store type
# Policy Store URL for DB policy store
# Policy Store URL for LDAP policy store
# For both LDAP and DB Policy Store
# Communication between SM and Policy Distributor is over SSL by default
# ---------- ONLY for RMI SM ------------------------------
# port number to accept authorization requests
# --- Only for Java SM, WS SM, and RMI SM in controlled-push mode ---
# port to listen for policy distribution. Picked automatically by SM config tool if not specified


Put this in the [OES-Client-Home]/oessm/SMConfigTool folder and run [OES-Client-Home]/oessm/bin/ to add the SM to OES, like this:

./ -prpFileName ../SMConfigTool/smconfig.Telstra_RMI_NC_SM.prp

Now enter your database Policy Store username and password (note that policy stores are managed in APM). If all goes well, you will find your SM folder under [OES-Client-Home]/oes_sm_instances.


Before starting the RMI server, it is better to modify the start-up script to add more logging. Put a simple JUL config file in the config folder and add it to the Java arguments in the start-up script. You should create a logs folder too.

handlers= java.util.logging.FileHandler
.level= FINER
java.util.logging.FileHandler.pattern = ./logs/log
java.util.logging.FileHandler.limit = 50000000
java.util.logging.FileHandler.count = 1
java.util.logging.FileHandler.formatter = java.util.logging.SimpleFormatter

And this is the corresponding line in the start-up script:

${JAVA_HOME}/bin/java -Djava.util.logging.config.file=./config/${OES_INSTANCE_HOME}/config/java.policy${OES_INSTANCE_HOME}/config/jps-config.xml


Now create the logs folder and run it.

mkdir logs
nohup ./ &
tail -f nohup.out logs/log


SM Setup

Add a new SM to OES:

Application Binding

Bind this new SM to your application:

Attribute-Based Authorization Policy

And finally an authorization policy based on resource, role and a dynamic attribute (key):

All done in OES. There is no need to distribute policy changes to the modules: it is all done periodically and automatically (see the waitDistributionTime variable).



Here is the client source code. Put it in oes/rmi/client/

package oes.rmi.client;

import javax.naming.ServiceUnavailableException;
import javax.security.auth.Subject;
import java.rmi.NotBoundException;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.security.Principal;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Set;

import weblogic.security.principal.WLSGroupImpl;
import weblogic.security.principal.WLSUserImpl;
// The OES RMI SM types used below (RMIAuthorizationService, RMIAuthenticatedSubject,
// RMIAuthenticationResponse, RMIContext, RMIRuntimeAction, RMIRuntimeResource,
// RMIRuntimeResourceAction, IdentityAssertionException, SocketConfiguration) come from
// the OES client jars referenced in the pom.xml; import them from those jars.

/**
 * User: Amin Abbaspour
 * A simple client for Oracle Entitlement Server (OES) RMI SM
 */
public class RmiAuthorizationServiceImpl {

    private final RMIAuthorizationService authorizationService;

    public RmiAuthorizationServiceImpl(String host, int port)
            throws RemoteException, NotBoundException, ServiceUnavailableException, InterruptedException {
        final Registry registry;
        try {
            // Look up the authorization service in the RMI registry of the (non-controlled) RMI SM
            registry = LocateRegistry.getRegistry(host, port);
            authorizationService = (RMIAuthorizationService) registry.lookup("ALES_Authorization_Service");
        } catch (RemoteException e) {
            throw new ExceptionInInitializerError(e);
        } catch (NotBoundException e) {
            throw new ExceptionInInitializerError(e);
        }
        SocketConfiguration socketConfiguration = new SocketConfiguration(); // not used by this client
    }

    /** Builds a not-yet-authenticated subject carrying a WLS user principal and one group principal per group. */
    public RMIAuthenticatedSubject getUnauthenticatedSubject(String username, String... groups) {
        final Set<Principal> principals = new HashSet<Principal>(groups.length + 1);
        principals.add(new WLSUserImpl(username));
        for (final String group : groups) {
            principals.add(new WLSGroupImpl(group));
        }
        final Subject subject = new Subject(false, principals, new HashSet<String>(), new HashSet<Object>());
        RMIAuthenticatedSubject authenticatedSubject = new RMIAuthenticatedSubject();
        authenticatedSubject.setSubject(subject); // assumed setter name; adjust to the OES API if it differs
        return authenticatedSubject;
    }

    /** Establishes a session with the SM; the subject it returns is the one to use for queries. */
    public RMIAuthenticatedSubject authenticate(RMIAuthenticatedSubject authenticatedSubject)
            throws ServiceUnavailableException, RemoteException {
        RMIContext rmiContext = new RMIContext(new HashMap<String, Object>());
        RMIAuthenticationResponse response = authorizationService.establishSession(authenticatedSubject, rmiContext);
        return response.getSubject();
    }

    public String getActionsOnResource(RMIAuthenticatedSubject authenticatedSubject,
                                       String applicationName, String resourceType, String resource,
                                       String actionName, String namingAuthority, HashMap<String, Object> attributes)
            throws ServiceUnavailableException, IdentityAssertionException, RemoteException {
        RMIRuntimeAction runtimeAction = new RMIRuntimeAction(actionName, namingAuthority);
        RMIRuntimeResource runtimeResource = new RMIRuntimeResource(applicationName, resourceType, resource);
        RMIRuntimeResourceAction runtimeResourceAction = new RMIRuntimeResourceAction(runtimeResource, runtimeAction);
        // Dynamic attributes (e.g. "key") reach the policy through the RMIContext
        return authorizationService.queryActionsOnResource(authenticatedSubject, runtimeResourceAction,
                new RMIContext(attributes)).toString();
    }

    public static void main(String[] args)
            throws RemoteException, NotBoundException, ServiceUnavailableException, InterruptedException {
        final String serverAddress = "host-name-where-rmi-sm-server-is-running";
        final int port = 2099; // non-controlled one
        RmiAuthorizationServiceImpl authorizationService = new RmiAuthorizationServiceImpl(serverAddress, port);
        final HashMap<String, Object> attributes = new HashMap<String, Object>(1);
        attributes.put("key", 101);
        try {
            RMIAuthenticatedSubject unauthenticatedSubject = authorizationService.getUnauthenticatedSubject("username", "group");
            RMIAuthenticatedSubject authenticatedSubject = authorizationService.authenticate(unauthenticatedSubject);
            final String actions = authorizationService.getActionsOnResource(authenticatedSubject,
                    "AppName", "ResourceType", "Resource", "Action", "", attributes);
            System.out.println("actions = " + actions);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

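As an added example (not part of the original post), here is a fail-closed wrapper around the RmiAuthorizationServiceImpl class above, so that a call to the SM that fails, times out or returns an unexpected reply denies access instead of being swallowed as in the catch block of main. FailClosedPep, its isGranted check (which assumes the reply string starts with "Granted=true", as in the sample output of this post) and the 5-second sun.rmi.transport.tcp.responseTimeout are my assumptions, not OES API.

```java
package oes.rmi.client;

import java.util.HashMap;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;

/** Fail-closed policy enforcement wrapper around RmiAuthorizationServiceImpl (hypothetical class). */
public final class FailClosedPep {

    private static final Logger LOG = Logger.getLogger(FailClosedPep.class.getName());

    static {
        // JDK RMI implementation property: bound the wait for a remote reply (ms) so that an
        // unreachable SM cannot hang the caller forever. Must be set before the first RMI call.
        if (System.getProperty("sun.rmi.transport.tcp.responseTimeout") == null) {
            System.setProperty("sun.rmi.transport.tcp.responseTimeout", "5000");
        }
    }

    private final RmiAuthorizationServiceImpl oes;   // the client class from this post
    private final RMIAuthenticatedSubject subject;    // result of authenticate(...)

    public FailClosedPep(RmiAuthorizationServiceImpl oes, RMIAuthenticatedSubject subject) {
        this.oes = oes;
        this.subject = subject;
    }

    /** Returns true only on an explicit grant; any error, timeout or unexpected reply denies. */
    public boolean isPermitted(String app, String resourceType, String resource,
                               String action, Map<String, Object> dynamicAttributes) {
        try {
            String reply = oes.getActionsOnResource(subject, app, resourceType, resource, action, "",
                    new HashMap<String, Object>(dynamicAttributes));
            boolean granted = isGranted(reply);
            LOG.log(granted ? Level.INFO : Level.WARNING,
                    "oes decision app={0} type={1} resource={2} action={3} attrs={4} granted={5}",
                    new Object[] { app, resourceType, resource, action, dynamicAttributes, granted });
            return granted;
        } catch (Exception e) {
            // RemoteException, ServiceUnavailableException, IdentityAssertionException: deny and record why
            LOG.log(Level.SEVERE, "oes unavailable, denying " + action + " on " + resource, e);
            return false;
        }
    }

    /** Assumes the reply string starts with "Granted=true", as in the sample output of this post. */
    static boolean isGranted(String reply) {
        return reply != null && reply.startsWith("Granted=true");
    }
}
```

In main, replace the direct call with new FailClosedPep(authorizationService, authenticatedSubject).isPermitted("AppName", "ResourceType", "Resource", "Action", attributes) and branch on the boolean.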

I use Maven to keep things simple. The client has a very minimal dependency set: only 3 files. Here is the pom.xml file:
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns=""
<!-- wls client for principals and general rmi types -->
<!-- see: -->
<!-- RMI types and stubs -->



If the connection to the RMI server is OK, run the application and enjoy. Once serverAddress, port, application name and the other settings in the code are correct, it will print something like:

actions = Granted=true. Responses={}


One Comment
  1. Hi Amin,

    nice blog post. BTW, the controlled mode distribution mode issue has been addressed in OES 11gR1 BP01 (Bundle Patch 1).

