Oracle Entitlement Server (OES) Lightweight RMI Client

November 21, 2011

Introduction

Thanks to posts from Subbu, it is easy to create and configure an RMI client to OES by replacing the jps-config of a normal Java SM on the same host. What I want to show here is how to invoke entitlement requests remotely from an RMI client that sends requests to a non-controlled RMI SM server. This is almost identical to a XACML/Web Service client, except that it uses RMI, which is faster, more convenient and less error prone.

As I said, I will try to keep my RMI SM in non-controlled mode. I found it less problematic this way. Using controlled security modules you may end up with GUI issues that prevent proper distribution.

Security Module (SM)

PRP

So here is my PRP file for this NC (non-controlled) RMI SM:

oracle.security.jps.runtime.pd.client.sm_name=Telstra_RMI_NC_SM
# Policy distribution mode. Possible values:
oracle.security.jps.runtime.pd.client.policyDistributionMode=non-controlled
# -------- Policy Distributor connectivity information - required for controlled-push distribution mode
# Only needed for controlled-push policy distribution mode
oracle.security.jps.runtime.pd.client.RegistrationServerHost=[OES-Server]
oracle.security.jps.runtime.pd.client.RegistrationServerPort=[OES-Port]
# -- Policy Store Service Configuration parameters - required only for controlled-pull or non-controlled modes
# Policy store type
oracle.security.jps.policystore.type=DB
# Policy Store URL for DB policy store
jdbc.url=jdbc:oracle:thin:@[DB-Host]:[DB-Port]/[DB-SID]
# Policy Store URL for LDAP policy store
ldap.url=
# For both LDAP and DB Policy Store
oracle.security.jps.farm.name=cn=oes_domain
oracle.security.jps.ldap.root.name=cn=jpsroot
# Communication between SM and Policy Distributor is over SSL by default
oracle.security.jps.pd.client.sslMode=true
bootstrap.security.principal.key=oes_sm_key
bootstrap.security.principal.map=oes_sm_map
jdbc.driver=oracle.jdbc.driver.OracleDriver
# ---------- ONLY for RMI SM -----------------------------
# port number to accept authorization requests
oracle.security.jps.pdp.rmism.RMIRegistryPortNumber=2099
# --- Only for Java SM, WS SM, and RMI SM in controlled-push mode ---
# port to listen for policy distribution. Picked automatically by SM config tool if not specified
oracle.security.jps.runtime.pd.client.DistributionServicePort=
oracle.security.jps.runtime.pd.client.sm_type=rmi

Setup

Put this file in the [OES-Client-Home]/oessm/SMConfigTool folder and run [OES-Client-Home]/oessm/bin/config.sh to add the SM to OES, like this:

./config.sh -prpFileName ../SMConfigTool/smconfig.Telstra_RMI_NC_SM.prp

Now enter your database Policy Store username and password. Note that policy stores are in APM. If all goes well, you'll have your SM folder under [OES-Client-Home]/oes_sm_instances.

Logging

Before we start the RMI server, it is better to modify the start-up script to add more logging. Put a simple JUL (java.util.logging) config file in the config folder and add it to the Java arguments in startRMIServer.sh. You should create a logs folder too.

handlers= java.util.logging.FileHandler
.level= FINER
java.util.logging.FileHandler.pattern = ./logs/log
java.util.logging.FileHandler.limit = 50000000
java.util.logging.FileHandler.count = 1
java.util.logging.FileHandler.formatter = java.util.logging.SimpleFormatter

And this is the java line in startRMIServer.sh, with the logging property added:

${JAVA_HOME}/bin/java -Djava.util.logging.config.file=./config/logging.properties -Djava.security.policy=file:${OES_INSTANCE_HOME}/config/java.policy -Doracle.security.jps.config=${OES_INSTANCE_HOME}/config/jps-config.xml com.bea.security.ssmrmi.LauncherWrapper

Run

Now create the logs folder and run it:

mkdir logs
nohup ./startRMIServer.sh &
tail -f nohup.out logs/log

OES

SM Setup

Add a new SM to OES:

Application Binding

Bind this new SM to your application:

Attributed Based Authorization Policy

And finally an authorization policy based on resource, role and a dynamic attribute (key):

All done in OES. There is no need to distribute policy changes to the modules: in non-controlled mode it is all done periodically and automatically (see the waitDistributionTime variable).

Client

Code

Here is the client source code. Put it in oes/rmi/client/RmiAuthorizationServiceImpl.java:

package oes.rmi.client;

import com.bea.security.ssmrmi.services.RMIAuthorizationService;
import com.bea.security.ssmrmi.socket.SocketConfiguration;
import com.bea.security.ssmrmi.socket.SocketFactory;
import com.bea.security.ssmrmi.types.*;
import weblogic.security.principal.WLSGroupImpl;
import weblogic.security.principal.WLSUserImpl;
import weblogic.security.spi.IdentityAssertionException;

import javax.naming.ServiceUnavailableException;
import javax.security.auth.Subject;
import java.rmi.NotBoundException;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.security.Principal;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Set;

/**
 * User: Amin Abbaspour
 * A simple client for Oracle Entitlement Server (OES) RMI SM
 */
public class RmiAuthorizationServiceImpl {

    private final RMIAuthorizationService authorizationService;

    /** Looks up the authorization service in the RMI registry of the (non-controlled) RMI SM. */
    public RmiAuthorizationServiceImpl(String host, int port)
            throws RemoteException, NotBoundException, ServiceUnavailableException, InterruptedException {
        final Registry registry;
        try {
            registry = LocateRegistry.getRegistry(host, port);
            authorizationService = (RMIAuthorizationService) registry.lookup("ALES_Authorization_Service");
        } catch (RemoteException e) {
            throw new ExceptionInInitializerError(e);
        } catch (NotBoundException e) {
            throw new ExceptionInInitializerError(e);
        }
        // The RMI SM socket factory must know which server host the stubs talk to.
        SocketConfiguration socketConfiguration = new SocketConfiguration();
        socketConfiguration.setServerHost(host);
        SocketFactory.setConfiguration(socketConfiguration);
    }

    /** Builds an (as yet unauthenticated) subject from a user name and zero or more group names. */
    public RMIAuthenticatedSubject getUnauthenticatedSubject(String username, String... groups) {
        final Set<Principal> principals = new HashSet<Principal>(groups.length + 1);
        principals.add(new WLSUserImpl(username));
        for (final String group : groups) {
            principals.add(new WLSGroupImpl(group));
        }
        final Subject subject = new Subject(false, principals, new HashSet<String>(), new HashSet<Object>());
        RMIAuthenticatedSubject authenticatedSubject = new RMIAuthenticatedSubject();
        authenticatedSubject.addSubject(subject);
        return authenticatedSubject;
    }

    /** Establishes a session with the SM and returns the subject the SM hands back. */
    public RMIAuthenticatedSubject authenticate(RMIAuthenticatedSubject authenticatedSubject)
            throws ServiceUnavailableException, RemoteException {
        RMIContext rmiContext = new RMIContext(new HashMap<String, Object>());
        RMIAuthenticationResponse response = authorizationService.establishSession(authenticatedSubject, rmiContext);
        return response.getSubject();
    }

    /** Asks the SM whether the subject may perform the action on the resource; attributes feed dynamic policy conditions. */
    public String getActionsOnResource(RMIAuthenticatedSubject authenticatedSubject,
                                       String applicationName, String resourceType, String resource,
                                       String actionName, String namingAuthority, HashMap<String, Object> attributes)
            throws ServiceUnavailableException, IdentityAssertionException, RemoteException {
        RMIRuntimeAction runtimeAction = new RMIRuntimeAction(actionName, namingAuthority);
        RMIRuntimeResource runtimeResource = new RMIRuntimeResource(applicationName, resourceType, resource);
        RMIRuntimeResourceAction runtimeResourceAction = new RMIRuntimeResourceAction(runtimeResource, runtimeAction);
        return authorizationService.queryActionsOnResource(authenticatedSubject, runtimeResourceAction,
                new RMIContext(attributes)).toString();
    }

    public static void main(String[] args)
            throws RemoteException, NotBoundException, ServiceUnavailableException, InterruptedException {
        final String serverAddress = "host-name-where-rmi-sm-server-is-running";
        final int port = 2099; // non-controlled one
        RmiAuthorizationServiceImpl authorizationService = new RmiAuthorizationServiceImpl(serverAddress, port);
        // Dynamic attribute referenced by the authorization policy condition.
        final HashMap<String, Object> attributes = new HashMap<String, Object>(1);
        attributes.put("key", 101);
        try {
            RMIAuthenticatedSubject unauthenticatedSubject =
                    authorizationService.getUnauthenticatedSubject("username", "group");
            RMIAuthenticatedSubject authenticatedSubject = authorizationService.authenticate(unauthenticatedSubject);
            final String actions = authorizationService.getActionsOnResource(authenticatedSubject,
                    "AppName", "ResourceType", "Resource", "Action", "", attributes);
            System.out.println("actions = " + actions);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

Maven

I use Maven to keep things simple. The client has a very minimal dependency on only 3 jar files. Here is the pom.xml file:

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>oes-demo</groupId>
    <artifactId>authorization-client-rmi</artifactId>
    <version>1.0-SNAPSHOT</version>
    <properties>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <version.oes>11.1.1</version.oes>
        <version.wls>10.3</version.wls>
    </properties>
    <build>
        <defaultGoal>compile</defaultGoal>
    </build>
    <dependencies>
        <!-- wls client for principals and general rmi types -->
        <dependency>
            <!-- see: http://download.oracle.com/docs/cd/E12840_01/wls/docs103/client/jarbuilder.html -->
            <groupId>weblogic</groupId>
            <artifactId>wlfullclient</artifactId>
            <version>${version.wls}</version>
        </dependency>
        <!-- RMI types and stubs -->
        <dependency>
            <groupId>oracle.oes.sm.rmism</groupId>
            <artifactId>rmi-types</artifactId>
            <version>${version.oes}</version>
            <scope>system</scope>
            <systemPath>D:/project/OES/oes_client/oessm/rmism/rmi-types.jar</systemPath>
        </dependency>
        <dependency>
            <groupId>oracle.oes.sm.rmism</groupId>
            <artifactId>rmi-stubs</artifactId>
            <version>${version.oes}</version>
            <scope>system</scope>
            <systemPath>D:/project/OES/oes_client/oessm/rmism/rmi-stubs.jar</systemPath>
        </dependency>
    </dependencies>
</project>


Test

If the connection to the RMI server is OK, run the application. Once serverAddress, port, application name and the other settings in the code are correct, the run will print something like:

actions = Granted=true. Responses={oracle.security.oes.authorization.decision_reason=grant_policy_found}
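The line above is the SM decision as rendered by toString(). As an added example (not code from the post), here is a small fail-closed helper that turns that rendered string into a decision: only an explicit Granted=true authorizes the action, and a null, empty or malformed response is treated as a deny, so a transport error or an unexpected response can never grant access. Parsing the rendered string is an assumption of this example; its format is taken only from the output line shown above, and the sample inputs are constructed.

```java
package oes.rmi.client;

import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Fail-closed interpretation of the rendered OES RMI SM decision string. */
public final class Decision {
    private static final Pattern GRANTED = Pattern.compile("\\bGranted=(true|false)\\b");
    private static final Pattern RESPONSES = Pattern.compile("Responses=\\{([^}]*)\\}");

    public final boolean granted;
    public final Map<String, String> responses;

    private Decision(boolean granted, Map<String, String> responses) {
        this.granted = granted;
        this.responses = Collections.unmodifiableMap(responses);
    }

    /** Parses the toString() output of queryActionsOnResource. Anything other than an
     *  explicit Granted=true is a deny, so null, empty or malformed input never authorizes. */
    public static Decision parse(String rendered) {
        Map<String, String> responses = new LinkedHashMap<String, String>();
        if (rendered == null) {
            return new Decision(false, responses);
        }
        Matcher g = GRANTED.matcher(rendered);
        boolean granted = g.find() && "true".equals(g.group(1));
        Matcher r = RESPONSES.matcher(rendered);
        if (r.find()) {
            for (String pair : r.group(1).split(",")) {
                int eq = pair.indexOf('=');
                if (eq > 0) {
                    responses.put(pair.substring(0, eq).trim(), pair.substring(eq + 1).trim());
                }
            }
        }
        return new Decision(granted, responses);
    }

    /** The decision_reason the SM attached, or a fixed marker when it is absent. */
    public String reason() {
        String reason = responses.get("oracle.security.oes.authorization.decision_reason");
        return reason == null ? "no_decision_reason" : reason;
    }

    public static void main(String[] args) {
        // Constructed sample inputs; the first one is the output line shown in the post.
        String[] samples = {
            "Granted=true. Responses={oracle.security.oes.authorization.decision_reason=grant_policy_found}",
            "Granted=false. Responses={oracle.security.oes.authorization.decision_reason=constructed_deny_reason}",
            "",   // empty response: deny
            null  // SM call failed: deny
        };
        for (String s : samples) {
            Decision d = Decision.parse(s);
            System.out.println("granted=" + d.granted + " reason=" + d.reason());
        }
    }
}
```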


One Comment
  1. Hi Amin,

    nice blog post. BTW, the controlled mode distribution mode issue has been addressed in OES 11gR1 BP01 (Bundle Patch 1).

    Thanks,
    Subbu
