Friday Apr 06, 2012

Finding the groups of a user in WLS with OPSS

How to find the group memberships for a user from a web application running in Weblogic server ?  This is useful for building up the profile of the user for security purposes for example.

WLS as a container offers an identity store service which applications can access to query and manage identities known to the container.  This article for example shows how to recover the groups of the current user, but how can we find the same information for an arbitrary user ?

It is the Oracle Platform for Securtiy Services (OPSS) that looks after the identity store in WLS and so it is in the OPSS APIs that we can find the way to recover this information.

This is explained in the following documents.  Starting from the FMW book list, with the Security Overview document we can see how WLS uses OPSS:

Proceeding to the more detailed Application Security document, we find this list of useful references for security in FMW. We can follow on into the User/Role API javadoc. The Application Security document explains how to ensure that the identity store is configured appropriately to allow the OPSS APIs to work.  We must verify that the jps-config.xml file where the application  is deployed has it's identity store configured--look for the following elements in that file:

  • <serviceProvider type="IDENTITY_STORE" name="idstore.ldap.provider" class="">
                 <description>LDAP-based IdentityStore Provider</description>
  • <serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
                 <property name="idstore.config.provider" value=""/>
                 <property name="CONNECTION_POOL_CLASS" value=""/>
  • <serviceInstanceRef ref="idstore.ldap"/>

The document contains a code sample for using the identity store here.

Once we have the identity store reference we can recover the user's group memberships using the RoleManager interface:

            RoleManager roleManager = idStore.getRoleManager();
            SearchResponse grantedRoles = null;
                System.out.println("Retrieving granted WLS roles for user " + userPrincipal.getName());
                grantedRoles = roleManager.getGrantedRoles(userPrincipal, false);
                while( grantedRoles.hasNext()){
                      Identity id =;
                      System.out.println("  disp name=" + id.getDisplayName() +
                                 " Name=" + id.getName() +
                                 " Principal=" + id.getPrincipal() +
                                 "Unique Name=" + id.getUniqueName());
                     // Here, we must use WLSGroupImpl() to build the Principal otherwise
                     // OES does not recognize it.
                      retSubject.getPrincipals().add(new WLSGroupImpl(id.getPrincipal().getName()));
            }catch(Exception ex) {
                System.out.println("Error getting roles for user " + ex.getMessage());
        }catch(Exception ex) {
            System.out.println("OESGateway: Got exception instantiating idstore reference");

This small JDeveloper project has a simple servlet that executes a request for the user weblogic's roles on executing a get on the default URL.  The full code to recover a user's goups is in the getSubjectWithRoles() method in the project.

Wednesday Sep 14, 2011

Oracle Identity Analytics 11gR1 PS1 ( quick installation

The latest version of the Oracle Identity Analytics product, OIA, contains some considerable enhancements in terms of Certification usability and risk management as well as improvements in the integration with OIM.  See the documentation for this version here.

This sample ant project helps prepare a deployment and takes care of most of the standard manual tasks.  See the README.txt and the ant script usage screen for pre-requisites and usage. 

The usage screen is shown here:

     [java] Buildfile: build.xml

Helper script to install OIA11gR1PS1.

You should give the App server at least 1024m (-Xms1024m -Xmx1024m)


* Download the product zip file from the Oracle website and copy to the ./product-zips directory
* Download and prep the required jar file dependencies as described in the Installation Guide and copy to the ./custom directory:
* Download the oracle JDBC driver for your Oracle Database and copy to the ./custom directory:
* Fixup the

Typical sequence of commands:
    ant -projecthelp
    ant show-build-properties
        ant clean
        ant dist
        ant repo-drop-oracle
        ant repo-create-oracle

        ant deploy-rbacxhome       -- copy the built rbacxhome to the deployment location
        ant deploy-rbacx           -- deploy to WLS

Deploy rbacx to WLS:
        ant deploy

Undeploy rbacx from WLS:
        ant undeploy

Main targets:

 checkAntVersion        Ensure that we're running ant 1.7
 clean                  delete the dist and staging directories
 dist                   cleans the build directories and then rebuilds the war file
 repo-create-oracle     Run the repo set up script. Make sure neither rbacx schema nor rbacxservice user exist
 repo-drop-oracle       drop the schema and rbacxservice user
 show-build-properties  show the build properties
Default target: usage

Total time: 0 seconds

Monday Sep 21, 2009

Defrag your disk assets: defragmenting disks on Mac OS X, Snow Leopard

Upgrading to Snow Leopard on my MacBook Pro laptop, I was curious about disk defragmentation and wondered whether to do a complete fresh install and so on. Received wisdom to now was by the time one really needs to defragment the disk with Mac OS X, it is time in any case for a new disk.

Mmmm.  Clearly some people have thought about this and do not exactly agree:

Following the mac attorney's article, I did the following:

  • used the native Mac OS X Disk Utility to repair permissions
  • had the Mac do a disk check and repair itself by booting the Mac into safe mode (by keeping shift pressed after the chime at boot time). 
  • My disk was at about 70% utilization, so I archived a lot of software packages, videos and VMs I had lying on the hard disk, so got that down to 50% utilization.
  • I ran the iDefrag demo software which analyzes the disk (takes about 5 minutes or so).  As the article explains, Mac OS X is good at keeping files contiguous but the free space on the disk was at 98% fragmentation.

Mmm...not sure that matters really, but me be thinkin dat aint right nohow, so I bought the full version of iDefrag for 24EUR. 'Hi, I'm a Mac, you will need to pay a third party for system maintenance tools that PC gives you for free.'.

The defragmentation goes like this:

  • start this process after work: it took about 3-4 hours to run the full defrag!
  • use the CDMaker application included with the commercial copy of iDefrag to create a bootable DVD (a CD is too small) so that iDefrag can do it's work on the offline hard disk.  CDMaker downloads a boot template from the internet and burns the DVD.  (I tried to get it to load from my Snow Leopard installation disk, but it seemed to take a long I cancelled that and went for the internet option).
  • Boot onto the DVD (by holding down the 'C' key after chime at boot time).
  • Choose to run a full defrag.

Prior to the defragmentation the free space was pretty much uniformly distributed accross the disk, afterwards it looks alot better:

Thursday Jan 29, 2009

Blog name could be better

In which Rob reflects on the quality of his blog name.[Read More]



« July 2016