README revision 0a99555401a033704f1f171baab6db11fb5528f2
------------------------------------------------------------------------------
README file for Open Web Single Sign-On Exercise
------------------------------------------------------------------------------
DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
Copyright (c) 2005 Sun Microsystems Inc. All Rights Reserved
The contents of this file are subject to the terms
of the Common Development and Distribution License
(the License). You may not use this file except in
compliance with the License.
You can obtain a copy of the License at
See the License for the specific language governing
permission and limitations under the License.
When distributing Covered Code, include this CDDL
Header Notice in each file and include the License file
If applicable, add the following below the CDDL Header,
with the fields enclosed by brackets [] replaced by
your own identifying information:
"Portions Copyrighted [year] [name of copyright owner]"
$Id: README,v 1.13 2008/08/19 19:08:17 veiming Exp $
------------------------------------------------------------------------------
%% Contents:
%% 1. Deploying and Configuring the opensso server
%% 2. Building the agent
%% 3. Installing and configuring agent
%% 4. Creating the user
%% 5. Creating the policies
%% 6. Exercising the access control
%% 7. Alternatives
%% 1. Deploying and Configuring the opensso server
Please refer to opensso/products/amserver/war/README
%% 2. Building the agent
Please refer to opensso/products/webagents/docs/<platform>/apache/README.txt.
%% 3. Installing and configuring agent
Installation details are provided at
opensso/products/webagents/docs/<platform>/apache/INSTALL.txt. For this demo,
please follow the following steps in place of the bullet
"1.2.2 Please perform the below tag swapping" in INSTALL.txt.
PRIMARY_NAMING_URL = <protocol>://<hostname>:<port>/demo/namingservice
PRIMARY_LOGIN_URL = <protocol>://<hostname>:<port>/demo/UI/Login
where <protocol>, <hostname> and <port> are the demo server's protocol,
hostname and port respectively.
com.sun.am.policy.am.username = UrlAccessAgent
com.sun.am.policy.am.password = XFC3z18nqMEgWbnshtNfwQ==
where XFC3z18nqMEgWbnshtNfwQ== is the encrypted password (adminadmin)
This can be generated by
com.sun.am.policy.agents.config.agenturi.prefix = <agent-protocol>://<agent-hostname>:<agent-port>/amagent
com.sun.am.policy.agents.config.fqdn.default = <agent-hostname>
where <agent-protocol>, <agent-hostname> and <agent-port> are the agent's
protocol, hostname and port respectively.
Remember to restart the apache web server after configuring the agent.
%% 4. Creating the user
New user can be created in the user management datastore. Here, you create a
user and later grant him privileges to access all web resources. Please
follow the following steps to create an user.
%% In the web console, click on the opensso realm hyperlink; and you
see the profile of a realm;
%% Select the Subjects tab to view the realm's subject main page;
%% Click on the New button to access the user creation page;
%% Enter an user ID (example duke); password (example opensso); and
other required fields;
%% Click on OK button to create the user;
%% Click on Access Control breadcrumb to go back to the main page.
%% 5. Creating the policies
Here, you create a policy so that the newly created user, "duke"
can access to all web resources that are served out by the apache
server. Please follow the following steps to create this policy.
%% In the web console, click on the opensso realm hyperlink; and you
see the profile of a realm;
%% Select the Policies tab; and you see the realm's policies main page;
%% Click on the New Policy button to access the policy creation page;
%% Enter a name for the policy (example DemoPolicy);
%% Click on the New ... button under the Rules action table to access
the rule creation page. (Choose "URL Policy Agent (with resource name)"
in the "Select Service Type for the Rule" page; and click on the Next
button)
%% Enter DemoRule as rule name;
%% Enter <agent-protocol>://<agent-hostname>:<agent-port>/* as the
resource name. where <agent-protocol>, <agent-hostname> and
<agent-port> are the agent's protocol, hostname and port
respectively;
%% Check the GET and POST checkboxes and have their values as allow;
%% Click on Finish button to create the rule;
%% Click on the New ... button under the Subjects action table to access
the subject creation page; (Choose "OpenSSO Identity Subject"
in the "Select Subject Type" page; and click on the Next button)
%% Enter DemoSubject as subject name;
%% Select User in the Filter dropdown list and click on Search button;
%% Select the user Id that was created in step 7. (example duke) under the
Available list box and click on "Add >" button to select the user;
%% Click on Finish button to create the subject;
%% Click on OK button to create the policy.
%% 6. Exercising the access control
This demo is setup so that the user can access all web resource under
<agent-protocol>://<agent-hostname>:<agent-port>.
%% Log out of the web console;
%% Open a web browser (with Javascript and cookie enabled), visit
<agent-protocol>://<agent-hostname>:<agent-port> where
<agent-protocol>, <agent-hostname> and <agent-port> are the
protocol, hostname and port number of the agent's web server
respectively.
%% You will be redirected to <protocol>://<hostname>:<port>/demo/UI/Login,
the Login page by the web agent as you have not yet authenticated.
(<protocol>, <hostname> and <port> are the protocol, hostname and port
number of the opensso server respectively.)
%% Log in as the newly created user, "duke" with password "opensso";
%% You will be brought to the URL that you first attempt to visit, i.e.
<agent-protocol>://<agent-hostname>:<agent-port>.
You can modified the policy to alter his access rights. For instance,
<agent-protocol>://<agent-hostname>:<agent-port>/html/*, so that he can
only access all web resource under
<agent-protocol>://<agent-hostname>:<agent-port>/html/*
Or you can visit the web console to delete the policy and then the user will
not have access to any resources
<agent-protocol>://<agent-hostname>:<agent-port>
%% To logout, visit <protocol>://<hostname>:<port>/demo/UI/Logout;
%% Log in to the system by visiting <protocol>://<hostname>:<port>/demo;
%% Enter "amadmin" and "adminadmin" as username and password respectively;
%% In the web console, click on the opensso realm hyperlink; and you
see the profile of a realm;
%% Select the Policies tab; and you see the realm's policies main page;
%% Check the checkbox next to the policy to delete;
%% Click on the Delete button to delete it.
Now, the user will not have access to any resource in
<agent-protocol>://<agent-hostname>:<agent-port>
%% Log out of the web console;
%% Clear the browser's cache and cookie.
%% Open a web browser (with Javascript and cookie enabled), visit
<agent-protocol>://<agent-hostname>:<agent-port> where
<agent-protocol>, <agent-hostname> and <agent-port> are the
protocol, hostname and port number of the agent's web server
respectively.
%% You will be redirected to <protocol>://<hostname>:<port>/demo/UI/Login,
the Login page by the web agent as you have not yet authenticated.
(<protocol>, <hostname> and <port> are the protocol, hostname and port
number of the opensso server respectively.)
%% Log in as the newly created user, "duke" with password "opensso";
%% You will get a denied access message.
%% 7. Alternatives
You can deploy a sample WAR to try out access control policy evaluation.
%% cd opensso/products/amserver;
%% ant demo;
%% a WAR file, openssodemo.war will be created under
opensso/products/amserver/built/demo/dist directory;
%% Deploying and Configuring the opensso demo, Please refer to
%% Login as amadmin user;
%% Point your browser to
<protocol>://<hostname>:<port>/opensso/EvaluatePolicy.jsp or
<protocol>://<hostname>:<port>/openssodemo/EvaluatePolicy.jsp,
depending on where the web application is deployed;
%% Enter http://www.demo.com in the textbox and click on evaluate button;
%% We will get a "false" policy decision for this resource.
%% Point your browser to
<protocol>://<hostname>:<port>/opensso or
<protocol>://<hostname>:<port>/openssodemo, depending on where the web
application is deployed; and create a policy.
%% In the web console, click on the opensso realm hyperlink; and you
see the profile of a realm;
%% Select the Policies tab; and you see the realm's policies main
page;
%% Click on the New Policy button to access the policy creation page;
%% Enter a name for the policy (example DemoPolicy);
%% Click on the New ... button under the Rules action table to access
the rule creation page. (Choose "URL Policy Agent (with resource
name)" in the "Select Service Type for the Rule" page; and click
on the Next button)
%% Enter DemoRule as rule name;
%% Enter http://www.demo.com as the resource name;
%% Check the GET and POST checkboxes and have their values as allow;
%% Click on Finish button to create the rule;
%% Click on the New ... button under the Subjects action table to
access the subject creation page; (Choose "Authenticated Users" in
the "Select Subject Type" page; and click on the Next button)
%% Enter DemoSubject as subject name;
%% Click on Finish button to create the subject;
%% Click on OK button to create the policy.
%% Point your browser to
<protocol>://<hostname>:<port>/opensso/EvaluatePolicy.jsp or
<protocol>://<hostname>:<port>/openssodemo/EvaluatePolicy.jsp,
depending on where the web application is deployed;
%% Enter http://www.demo.com in the textbox and click on evaluate button;
%% We will get a "true" policy decision for this resource.
You can try different resource names and subject types to test the policy
evaluation results.