Oracle Entitlement Server (OES) Lightweight RMI Client

November 21, 2011

Introduction

Thanks to posts from Subbu, it is easy to create and configure an RMI client for OES by replacing the jps-config of a normal Java SM on the same host. What I want to show here is how to invoke entitlement requests remotely from an RMI client that sends requests to a non-controlled RMI SM server. This is almost identical to a XACML/Web Service client, except that it uses RMI, which is faster, more convenient and less error-prone.

As I said, I will try to keep my RMI SM in non-controlled mode. I found it less problematic this way. With controlled security modules you may end up with GUI issues that prevent proper distribution.

Security Module (SM)

PRP

So here is my PRP file for this NC (non-controlled) RMI SM:

Setup

You may put this in the [OES-Client-Home]/oessm/SMConfigTool folder and run [OES-Client-Home]/oessm/bin/config.sh to add the SM to OES, like this:

./config.sh -prpFileName ../SMConfigTool/smconfig.Telstra_RMI_NC_SM.prp

Now enter your database Policy Store username and password. Note that policy stores are in APM. If all goes well, you’ll have your SM folder under [OES-Client-Home]/oes_sm_instances.

Logging

Before we start the RMI server, it’s better to modify the start-up script to enable more logging. Put a simple JUL config file in the config folder and pass it as a Java argument in startRMIServer.sh. You’d better create a logs folder too.

handlers= java.util.logging.FileHandler
.level= FINER
java.util.logging.FileHandler.pattern = ./logs/log
java.util.logging.FileHandler.limit = 50000000
java.util.logging.FileHandler.count = 1
java.util.logging.FileHandler.formatter = java.util.logging.SimpleFormatter

And this is the line in startRMIServer.sh:

${JAVA_HOME}/bin/java -Djava.util.logging.config.file=./config/logging.properties -Djava.security.policy=file:${OES_INSTANCE_HOME}/config/java.policy -Doracle.security.jps.config=${OES_INSTANCE_HOME}/config/jps-config.xml com.bea.security.ssmrmi.LauncherWrapper

Run

Now create the logs folder and run it.

mkdir logs
nohup ./startRMIServer.sh &
tail -f nohup.out logs/log
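
A preflight check for the Logging and Run steps above, as an added example that is not part of the original post: it confirms the JUL config file exists, that startRMIServer.sh passes it to the JVM, and then creates the logs folder. The function name `check_sm_logging`, the owner-only permission on logs, and the layout (config/, logs/ and startRMIServer.sh in one folder, as the post's relative paths imply) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): preflight for the SM logging setup.
# check_sm_logging is a hypothetical helper; call it with the folder that holds
# startRMIServer.sh, e.g.  check_sm_logging . && nohup ./startRMIServer.sh &

check_sm_logging() {
    sm_dir=${1:-.}
    props="$sm_dir/config/logging.properties"
    start="$sm_dir/startRMIServer.sh"
    rc=0

    # 1. The JUL config file must exist and define where FileHandler writes.
    if [ ! -f "$props" ]; then
        echo "missing: $props" >&2; rc=1
    elif ! grep -q '^java\.util\.logging\.FileHandler\.pattern' "$props"; then
        echo "no FileHandler.pattern in $props" >&2; rc=1
    fi

    # 2. The start script must hand that config file to the JVM.
    if [ ! -f "$start" ]; then
        echo "missing: $start" >&2; rc=1
    elif ! grep -q -- '-Djava\.util\.logging\.config\.file=' "$start"; then
        echo "$start does not set java.util.logging.config.file" >&2; rc=1
    fi

    # 3. Only when both checks pass: create ./logs, readable by the owner only
    #    (assumption: only the account running the SM needs these FINER logs).
    if [ "$rc" -eq 0 ]; then
        mkdir -p "$sm_dir/logs" && chmod 700 "$sm_dir/logs" || rc=1
    fi
    return "$rc"
}
```

The function returns non-zero and prints the reason to stderr when either check fails, so it can gate the nohup start line.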

OES

SM Setup

Add a new SM to OES:

Application Binding

Bind this new SM to your application:

Attribute-Based Authorization Policy

And finally an authorization policy based on resource, role and a dynamic attribute (key):

Everything is done in OES. There is no need to distribute policy changes to the modules; that happens periodically and automatically (see the waitDistributionTime variable).

Client

Code

Here is the client source code. Put it in oes/rmi/client/RmiAuthorizationServiceImpl.java

Maven

I use Maven, which keeps things simple. The project depends on only 3 files. Here is the pom.xml file:

Test

If the connection to the RMI server is OK, then run the application and enjoy. Once serverAddress, port, application name and other settings in the code are correct, the result will be something like:

actions = Granted=true. Responses={oracle.security.oes.authorization.decision_reason=grant_policy_found}

One Comment
  1. Hi Amin,

    nice blog post. BTW, the controlled mode distribution mode issue has been addressed in OES 11gR1 BP01 (Bundle Patch 1).

    Thanks,
    Subbu
