------------------------------------------------------------------------------
README file for Open Web Single Sign-On Exercise
------------------------------------------------------------------------------
 DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.

Copyright (c) 2005 Sun Microsystems Inc. All Rights Reserved

The contents of this file are subject to the terms
of the Common Development and Distribution License
(the License). You may not use this file except in
compliance with the License.

You can obtain a copy of the License at
https://opensso.dev.java.net/public/CDDLv1.0.html or
opensso/legal/CDDLv1.0.txt
See the License for the specific language governing
permission and limitations under the License.

When distributing Covered Code, include this CDDL
Header Notice in each file and include the License file
at opensso/legal/CDDLv1.0.txt.
If applicable, add the following below the CDDL Header,
with the fields enclosed by brackets [] replaced by
your own identifying information:
"Portions Copyrighted [year] [name of copyright owner]"

$Id: README,v 1.13 2008/08/19 19:08:17 veiming Exp $

------------------------------------------------------------------------------

%% Contents:
 %% 1. Deploying and Configuring the opensso server
 %% 2. Building the agent
 %% 3. Installing and configuring the agent
 %% 4. Creating the user
 %% 5. Creating the policies
 %% 6. Exercising the access control
 %% 7. Alternatives

%% 1. Deploying and Configuring the opensso server
Please refer to opensso/products/amserver/war/README

%% 2. Building the agent
Please refer to opensso/products/webagents/docs/<platform>/apache/README.txt.

%% 3. Installing and configuring the agent
Installation details are provided at
opensso/products/webagents/docs/<platform>/apache/INSTALL.txt. For this demo,
follow the steps below in place of the bullet
"1.2.2 Please perform the below tag swapping" in INSTALL.txt.

PRIMARY_NAMING_URL = <protocol>://<hostname>:<port>/demo/namingservice
PRIMARY_LOGIN_URL = <protocol>://<hostname>:<port>/demo/UI/Login
 where <protocol>, <hostname> and <port> are the demo server's protocol,
 hostname and port respectively.

com.sun.am.policy.am.username = UrlAccessAgent
com.sun.am.policy.am.password = XFC3z18nqMEgWbnshtNfwQ==
 where XFC3z18nqMEgWbnshtNfwQ== is the encrypted form of the password
 (adminadmin). It can be generated by
 opensso/products/dsame/webagents/am/source/crypt_util adminadmin

com.sun.am.policy.agents.config.agenturi.prefix = <agent-protocol>://<agent-hostname>:<agent-port>/amagent
com.sun.am.policy.agents.config.fqdn.default = <agent-hostname>
 where <agent-protocol>, <agent-hostname> and <agent-port> are the agent's
 protocol, hostname and port respectively.

Remember to restart the apache web server after configuring the agent.
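As an added check, not part of the OpenSSO sources, the following Python script
parses a tag-swapped properties block like the one above and flags the mistakes
that most often break the demo: a required key left out, naming and login URLs
that point at different servers or not at the /demo deployment, a plain-text
password where the crypt_util output belongs, and an fqdn.default that does not
match the host in agenturi.prefix. The sample block, host names and ports are
constructed for this example; the base64-shaped test on the password is only a
heuristic and cannot prove the value was produced by crypt_util.

```python
"""Sanity-check the web agent properties from section 3 (added example)."""
import re
from urllib.parse import urlsplit

# Constructed sample of the tag-swapped properties; the host names and ports
# are placeholders for this example only.
SAMPLE_PROPERTIES = """
PRIMARY_NAMING_URL = http://sso.example.test:8080/demo/namingservice
PRIMARY_LOGIN_URL = http://sso.example.test:8080/demo/UI/Login
com.sun.am.policy.am.username = UrlAccessAgent
com.sun.am.policy.am.password = XFC3z18nqMEgWbnshtNfwQ==
com.sun.am.policy.agents.config.agenturi.prefix = http://www.example.test:80/amagent
com.sun.am.policy.agents.config.fqdn.default = www.example.test
"""

REQUIRED_KEYS = (
    "PRIMARY_NAMING_URL",
    "PRIMARY_LOGIN_URL",
    "com.sun.am.policy.am.username",
    "com.sun.am.policy.am.password",
    "com.sun.am.policy.agents.config.agenturi.prefix",
    "com.sun.am.policy.agents.config.fqdn.default",
)


def parse_properties(text):
    """Parse 'key = value' lines; blank lines and '#' comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_agent_properties(props):
    """Return a list of findings; an empty list means every check passed."""
    findings = [f"missing or empty: {k}" for k in REQUIRED_KEYS if not props.get(k)]
    if findings:
        return findings

    naming = urlsplit(props["PRIMARY_NAMING_URL"])
    login = urlsplit(props["PRIMARY_LOGIN_URL"])
    # Both URLs must name the same opensso server, deployed under /demo.
    if (naming.scheme, naming.netloc) != (login.scheme, login.netloc):
        findings.append("naming and login URLs point at different servers")
    if not naming.path.endswith("/demo/namingservice"):
        findings.append("PRIMARY_NAMING_URL does not end in /demo/namingservice")
    if not login.path.endswith("/demo/UI/Login"):
        findings.append("PRIMARY_LOGIN_URL does not end in /demo/UI/Login")

    # The agent must be given the encrypted password, never the plain text.
    # A base64-shaped value is a heuristic, not proof that it is encrypted.
    pw = props["com.sun.am.policy.am.password"]
    if pw == "adminadmin" or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", pw):
        findings.append("password does not look like crypt_util output")

    # fqdn.default must match the host named in the agent URI prefix.
    prefix = urlsplit(props["com.sun.am.policy.agents.config.agenturi.prefix"])
    if prefix.hostname != props["com.sun.am.policy.agents.config.fqdn.default"]:
        findings.append("fqdn.default differs from the agenturi.prefix host")
    if prefix.path != "/amagent":
        findings.append("agenturi.prefix path is not /amagent")
    return findings


if __name__ == "__main__":
    for finding in check_agent_properties(parse_properties(SAMPLE_PROPERTIES)) or ["ok"]:
        print(finding)
```

Run it against your own properties file by reading the file into `parse_properties` instead of `SAMPLE_PROPERTIES`; a non-empty findings list is worth fixing before the apache restart, since a wrong naming URL or password shows up only as an agent that refuses every request.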

%% 4. Creating the user
A new user can be created in the user management datastore. Here, you create
a user and later grant him privileges to access all web resources. Follow
these steps to create a user.

 %% In the web console, click on the opensso realm hyperlink to open the
 realm's profile;
 %% Select the Subjects tab to view the realm's subjects main page;
 %% Click on the New button to access the user creation page;
 %% Enter a user ID (example duke), a password (example opensso) and the
 other required fields;
 %% Click on the OK button to create the user;
 %% Click on the Access Control breadcrumb to go back to the main page.

%% 5. Creating the policies
Here, you create a policy so that the newly created user, "duke",
can access all web resources served by the apache server. Follow these
steps to create the policy.

 %% In the web console, click on the opensso realm hyperlink to open the
 realm's profile;
 %% Select the Policies tab to view the realm's policies main page;
 %% Click on the New Policy button to access the policy creation page;
 %% Enter a name for the policy (example DemoPolicy);
 %% Click on the New ... button under the Rules action table to access
 the rule creation page. (Choose "URL Policy Agent (with resource name)"
 in the "Select Service Type for the Rule" page and click on the Next
 button)
 %% Enter DemoRule as the rule name;
 %% Enter <agent-protocol>://<agent-hostname>:<agent-port>/* as the
 resource name, where <agent-protocol>, <agent-hostname> and
 <agent-port> are the agent's protocol, hostname and port
 respectively;
 %% Check the GET and POST checkboxes and set their values to allow;
 %% Click on the Finish button to create the rule;
 %% Click on the New ... button under the Subjects action table to access
 the subject creation page. (Choose "OpenSSO Identity Subject"
 in the "Select Subject Type" page and click on the Next button)
 %% Enter DemoSubject as the subject name;
 %% Select User in the Filter dropdown list and click on the Search button;
 %% Select the user ID that was created in section 4 (example duke) under
 the Available list box and click on the "Add >" button to select the user;
 %% Click on the Finish button to create the subject;
 %% Click on the OK button to create the policy.

%% 6. Exercising the access control
This demo is set up so that the user can access all web resources under
<agent-protocol>://<agent-hostname>:<agent-port>.

 %% Log out of the web console;
 %% Open a web browser (with Javascript and cookies enabled) and visit
 <agent-protocol>://<agent-hostname>:<agent-port>, where
 <agent-protocol>, <agent-hostname> and <agent-port> are the
 protocol, hostname and port number of the agent's web server
 respectively.
 %% Because you have not yet authenticated, the web agent redirects you to
 the Login page, <protocol>://<hostname>:<port>/demo/UI/Login.
 (<protocol>, <hostname> and <port> are the protocol, hostname and port
 number of the opensso server respectively.)
 %% Log in as the newly created user, "duke", with password "opensso";
 %% You will be brought to the URL that you first attempted to visit, i.e.
 <agent-protocol>://<agent-hostname>:<agent-port>.

You can modify the policy to alter his access rights. For instance, change
the rule's resource name to
<agent-protocol>://<agent-hostname>:<agent-port>/html/*, so that he can
only access the web resources under
<agent-protocol>://<agent-hostname>:<agent-port>/html/*

Or you can visit the web console and delete the policy, after which the user
will not have access to any resource under
<agent-protocol>://<agent-hostname>:<agent-port>

 %% To log out, visit <protocol>://<hostname>:<port>/demo/UI/Logout;
 %% Log in to the system by visiting <protocol>://<hostname>:<port>/demo;
 %% Enter "amadmin" and "adminadmin" as username and password respectively;
 %% In the web console, click on the opensso realm hyperlink to open the
 realm's profile;
 %% Select the Policies tab to view the realm's policies main page;
 %% Check the checkbox next to the policy to delete;
 %% Click on the Delete button to delete it.

Now the user will not have access to any resource under
<agent-protocol>://<agent-hostname>:<agent-port>

 %% Log out of the web console;
 %% Clear the browser's cache and cookies.
 %% Open a web browser (with Javascript and cookies enabled) and visit
 <agent-protocol>://<agent-hostname>:<agent-port>, where
 <agent-protocol>, <agent-hostname> and <agent-port> are the
 protocol, hostname and port number of the agent's web server
 respectively.
 %% Because you have not yet authenticated, the web agent redirects you to
 the Login page, <protocol>://<hostname>:<port>/demo/UI/Login.
 (<protocol>, <hostname> and <port> are the protocol, hostname and port
 number of the opensso server respectively.)
 %% Log in as the newly created user, "duke", with password "opensso";
 %% You will get an access denied message.

%% 7. Alternatives
You can deploy a sample WAR to try out access control policy evaluation.
 %% cd opensso/products/amserver;
 %% ant demo;
 %% A WAR file, openssodemo.war, will be created under the
 opensso/products/amserver/built/demo/dist directory;
 %% To deploy and configure the opensso demo, refer to
 opensso/products/amserver/war/README;
 %% Log in as the amadmin user;
 %% Point your browser to
 <protocol>://<hostname>:<port>/opensso/EvaluatePolicy.jsp or
 <protocol>://<hostname>:<port>/openssodemo/EvaluatePolicy.jsp,
 depending on where the web application is deployed;
 %% Enter http://www.demo.com in the textbox and click on the Evaluate button;
 %% You will get a "false" policy decision for this resource.
 %% Point your browser to
 <protocol>://<hostname>:<port>/opensso or
 <protocol>://<hostname>:<port>/openssodemo, depending on where the web
 application is deployed, and create a policy:
 %% In the web console, click on the opensso realm hyperlink to open the
 realm's profile;
 %% Select the Policies tab to view the realm's policies main
 page;
 %% Click on the New Policy button to access the policy creation page;
 %% Enter a name for the policy (example DemoPolicy);
 %% Click on the New ... button under the Rules action table to access
 the rule creation page. (Choose "URL Policy Agent (with resource
 name)" in the "Select Service Type for the Rule" page and click
 on the Next button)
 %% Enter DemoRule as the rule name;
 %% Enter http://www.demo.com as the resource name;
 %% Check the GET and POST checkboxes and set their values to allow;
 %% Click on the Finish button to create the rule;
 %% Click on the New ... button under the Subjects action table to
 access the subject creation page. (Choose "Authenticated Users" in
 the "Select Subject Type" page and click on the Next button)
 %% Enter DemoSubject as the subject name;
 %% Click on the Finish button to create the subject;
 %% Click on the OK button to create the policy.
 %% Point your browser to
 <protocol>://<hostname>:<port>/opensso/EvaluatePolicy.jsp or
 <protocol>://<hostname>:<port>/openssodemo/EvaluatePolicy.jsp,
 depending on where the web application is deployed;
 %% Enter http://www.demo.com in the textbox and click on the Evaluate button;
 %% You will get a "true" policy decision for this resource.

You can try different resource names and subject types to test the policy
evaluation results.
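To make the decisions described in sections 5 to 7 concrete, here is an added
Python model of the policy evaluation. It is example code written for this
README, not OpenSSO's policy engine, and it simplifies on purpose: "*" in a
resource name matches any run of characters, "/" included; a resource with no
matching policy is denied; a "deny" action value overrides an "allow"; an
"Authenticated Users" subject covers any logged-in user and nobody else. The
agent origin http://www.example.test:80 stands in for
<agent-protocol>://<agent-hostname>:<agent-port> and the user "alice" is
constructed for the example. The walkthrough reproduces the README's sequence:
DemoPolicy granting duke everything under the agent, the same rule narrowed to
/html/*, the policy deleted, and the section 7 evaluation of
http://www.demo.com before and after an Authenticated Users policy exists.

```python
"""Toy model of the URL policy evaluation in sections 5 to 7 (added example)."""
import fnmatch
from dataclasses import dataclass, field

AUTHENTICATED_USERS = "Authenticated Users"   # subject type from section 7


@dataclass
class Policy:
    name: str
    resource: str        # rule resource name, e.g. http://host:80/*
    actions: dict        # e.g. {"GET": "allow", "POST": "allow"}
    subjects: set = field(default_factory=set)   # user ids or AUTHENTICATED_USERS


def resource_matches(pattern, url):
    """Assumption for this example: '*' matches any run of characters,
    '/' included, and everything else must match exactly.  Real OpenSSO
    resource-name matching has more cases than this."""
    return fnmatch.fnmatchcase(url, pattern)


def applies_to(policy, user):
    """A policy applies to its listed users, or to any logged-in user
    (user is not None) when its subject is Authenticated Users."""
    if AUTHENTICATED_USERS in policy.subjects:
        return user is not None
    return user in policy.subjects


def evaluate(policies, user, url, action="GET"):
    """Return True only if a matching policy allows the action.  A 'deny'
    wins over any 'allow', and an empty policy set denies everything, which
    is what section 6 shows after DemoPolicy is deleted."""
    decision = False
    for policy in policies:
        if not (applies_to(policy, user) and resource_matches(policy.resource, url)):
            continue
        verdict = policy.actions.get(action)
        if verdict == "deny":
            return False
        if verdict == "allow":
            decision = True
    return decision


# Constructed stand-in for <agent-protocol>://<agent-hostname>:<agent-port>.
AGENT = "http://www.example.test:80"


def demo_policy(resource=AGENT + "/*"):
    """DemoPolicy from section 5: DemoRule allowing GET and POST for duke."""
    return Policy("DemoPolicy", resource, {"GET": "allow", "POST": "allow"}, {"duke"})


def walkthrough():
    """Reproduce the decisions described in sections 6 and 7, keyed by label."""
    results = {}
    everything = [demo_policy()]
    results["duke, /"] = evaluate(everything, "duke", AGENT + "/")
    results["duke, /index.html"] = evaluate(everything, "duke", AGENT + "/index.html")
    results["alice, /index.html"] = evaluate(everything, "alice", AGENT + "/index.html")
    # Section 6: narrow the rule's resource name to /html/* ...
    html_only = [demo_policy(AGENT + "/html/*")]
    results["html only, /html/a.html"] = evaluate(html_only, "duke", AGENT + "/html/a.html")
    results["html only, /index.html"] = evaluate(html_only, "duke", AGENT + "/index.html")
    # ... then delete the policy altogether.
    results["deleted, /index.html"] = evaluate([], "duke", AGENT + "/index.html")
    # Section 7: http://www.demo.com with no policy, then with Authenticated Users.
    results["demo.com, no policy"] = evaluate([], "amadmin", "http://www.demo.com")
    auth = Policy("DemoPolicy", "http://www.demo.com",
                  {"GET": "allow", "POST": "allow"}, {AUTHENTICATED_USERS})
    results["demo.com, authenticated"] = evaluate([auth], "amadmin", "http://www.demo.com")
    results["demo.com, anonymous"] = evaluate([auth], None, "http://www.demo.com")
    return results


if __name__ == "__main__":
    for label, allowed in walkthrough().items():
        print(f"{label:28} -> {'allow' if allowed else 'deny'}")
```

The two decisions worth noticing are the ones the README's click-through cannot show side by side: narrowing the resource name to /html/* silently removes duke's access to everything outside that prefix, and a method the rule never mentions (for example DELETE) is denied even where GET and POST are allowed, because the default is deny rather than allow.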