2976N/A DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER. 2976N/A Copyright (c) 2008 Sun Microsystems Inc. All Rights Reserved 2976N/A The contents of this file are subject to the terms 2976N/A of the Common Development and Distribution License 2976N/A (the License). You may not use this file except in 2976N/A compliance with the License. 2976N/A You can obtain a copy of the License at 2976N/A See the License for the specific language governing 2976N/A permission and limitations under the License. 2976N/A When distributing Covered Code, include this CDDL 2976N/A Header Notice in each file and include the License file 2976N/A If applicable, add the following below the CDDL Header, 2976N/A with the fields enclosed by brackets [] replaced by 2976N/A your own identifying information: 2976N/A "Portions Copyrighted [year] [name of copyright owner]" 2976N/A Portions Copyrighted 2013 ForgeRock AS. 3824N/A------------------------------------
2976N/AJ2EE Policy Agent Sample Application
2976N/A------------------------------------
2976N/AThis document describes how to use the agent sample application in conjunction
2976N/Awith the Weblogic 10 Application Server and the J2EE Agent. Please note that
2976N/Athe agent needs to be installed first before deploying this sample application.
6238N/A * Configure the OpenAM server
2976N/A * Configure the agent properties
2976N/A * Deploying the Sample Application
2976N/A * Running the Sample Application
3824N/A ** Compiling and Assembling the Application
3842N/AThe sample application is a collection of servlets, JSPs and EJB's that
3842N/Ademonstrate the salient features of the J2EE policy Agent. These features
3824N/Ainclude SSO, web-tier declarative security, programmatic security, URL policy
2976N/Adescriptor has already been edited to include the Agent Filter. The
6251N/AThe sample application is supported for Policy Agent 3.0.
6251N/AThe application is already built and ready to be deployed. It is available at
4287N/ANote, the instructions here assume that you have installed the agent
3824N/Asuccessfully and have followed the steps outlined in the OpenAM
2976N/A----------------------------------------------
2976N/AThis agent sample application requires that the OpenAM server is configured
2976N/Awith the subjects and policies required by the sample application.
2976N/AOn OpenAM admin console, do the following configuration.
2976N/A1. Create the following users:
2976N/A Create new groups for employee, manager, everyone, and customer. Then assign
2976N/A the users to the groups as follows:
5636N/A o andy, bob, chris, dave, ellen, frank
5636N/A o andy, bob, chris, dave, ellen, frank, gina
2976N/A3. Create the following URL Policies:
2976N/A In the following URLs, replace the <
hostname> and <
port> with the
5636N/A actual fully qualified host name and port on which the sample
5636N/A application will be running.
5636N/A o Subject: all authenticated users.
2976N/AConfigure the agent properties
2976N/A--------------------------------------------
5636N/A If the agent configuration is centralized, then do the following steps.
2976N/A 1). login to OpenAM console as amadmin user
2976N/A instance link (assume the agent instance is already created, otherwise
4915N/A refer to the agent doc to create the agent instance).
2976N/A 3). in tab "Application", section "Access Denied URI Processing", property
5636N/A "Resource Access Denied URI", enter agentsample in the Map Key field,
2976N/A 4). in tab "Application", section "Login Processing", property "Login Form URI",
5224N/A 5). in tab "Application", section "Not Enforced URI Processing", property
2976N/A "Not Enforced URIs", add the following entries:
4261N/A 6). in tab "Application", section "Privilege Attributes Processing", property
2976N/A "Privileged Attribute Mapping",
2976N/A a) add the UUID of group employee in the Map Key field of the UI
2976N/A add am_employee_role in the Corresponding Map Value field of the UI
2976N/A b) add the UUID of group manager in the Map Key field of the UI
6238N/A add am_manager_role in the Corresponding Map Value field of the UI
2976N/A Note you can find the UUID (Universal User ID) of the groups employee
2976N/A and manager from the OpenAM console group page.
2976N/A For example, if the UUID of employee is id=employee,ou=group,dc=opensso,dc=java,dc=net
2976N/A and the UUID of manager is id=manager,ou=group,dc=opensso,dc=java,dc=net
5636N/A then you need to add the following entries in the "Privileged Attribute Mapping".
5636N/A a) add id=employee,ou=group,dc=opensso,dc=java,dc=net in the Map Key
3449N/A add am_employee_role in the Corresponding Map Value field of the UI
3449N/A b) add id=manager,ou=group,dc=opensso,dc=java,dc=net in the Map Key
2976N/A add am_manager_role in the Corresponding Map Value field of the UI
5636N/A If the agent configuration is local, then edit the local agent configuration
2976N/A <
agent_install_root>/Agent_<
instance_number>/config with following changes:
2976N/A * Privileged Attribute Mapping:
2976N/A Note the above settings assume the UUIDs of group employee and manager are
2976N/A "id=employee,ou=group,dc=opensso,dc=java,dc=net" and
3449N/A "id=manager,ou=group,dc=opensso,dc=java,dc=net" respectively. Change to
5218N/A the appropriate UUIDs accordingly.
3449N/A Optionally, you can try out the fetch mode features that allow the agent to
3449N/A fetch some values and make them available to your application. For example,
2976N/A you can fetch user profile values(like email or full name) from the user data
4261N/A store of your OpenAM setup and make them available to your application code
5636N/A (through cookies, headers, or request attributes) for application
4261N/A customization. See the Policy Agent 3.0 for details about the fetching
5636N/A attributes for details on using this feature. If you change the agent's
2976N/A sample application will show all the attributes being fetched. You can choose
2976N/A to try this later after you have already installed and deployed the agent and
5636N/A sample application in order to learn about this feature.
4261N/ADeploying the Sample Application
2976N/A--------------------------------
4261N/ANote, before deploying the sample application, please be sure that you have
4261N/Adeployed the Agent Application, which should have been done after installing
2976N/Athe agent. This is explained in the OpenAM Policy Agent 3.0 Guide for
2976N/Aoutlined the post-installation tasks.
2976N/ATo deploy the application, do the following:
2976N/AGo to BEA WebLogic server console and deploy the sample application.
Running the Sample Application
----------------------------
You can run the application through the following URL:
http://<
hostname>:<
port>/agentsample
Traverse the various links to understand each agent feature.
----------------------------
If you encounter problems when running the application, review the log files to
learn what exactly went wrong. J2EE Agent logs can be found at
<
agent_install_root>/Agent_<
instance_number>/
logs/
debug directory.
Also, see the OpenAM Policy Agent 3.0 Guide for BEA WebLogic
----------------------------
Compiling and Assembling the Application (Optional)
---------------------------------------------------
The application is already built and ready to be deployed, so you could skip
this section. If you want to change something or get familiar with the build
details, then this section is useful.
This section contains instructions to build and assemble the sample application
using a Command Line Interface (CLI).
To rebuild the entire application from scratch, follow these steps:
1. This requires that you have downloaded and installed Apache Ant, at least
Ant version 1.6.5. Also be sure to have
ant/
bin in your path.
1. Set your JAVA_HOME to include JDK1.5 or above. Also, include the
2. Replace 'APPSERV_LIB_DIR' in
build.xml with the directory where
For Example: Replace APPSERV_LIB_DIR with
where you installed WebLogic BEA 10
3. Compile and assemble the application.
For example: execute the command ant
under <
agent_install_root>/sampleapp/ to execute the default target build
and rebuild the EAR file.
The build target creates a built and dist directory with the EAR file.
Note that you can also run 'ant rebuild' to clean the application project
area and run a new build.