A RESTful interface to Oracle Entitlements Server 11g

OES's job is to provide authorization decisions to clients.  Clients may use a Java API implementing the OpenLiberty OpenAZ PEP API interface as well as an XACML web service interface.

However it may be easier for some clients to query OES over a REST style API.  This applies particularly to old Java or non-Java clients or to clients running in more restricted environments such as smart phones or other embedded devices.  Another example would be a stored procedure running in a database.  The ability to query a server using the REST style--essentially using HTTP URLs--simplifies the client by reducing dependencies and simplifying the interface.

In this posting I demonstrate a gateway to OES that that presents a natural REST style interface accessing the OES client PEP API.

The PEP API

 Firstly, recall the OpenAZ PEP API.  A typical call to the Java client API would look something as follows:

  contextMap.put("level","5);
  contextMap.put("speciality","Energy");
  PepResponse response =
    PepRequestFactoryImpl.getPepRequestFactory().newPepRequest(
      "glen.byrne",                             //subject
      "execute",                                //_action,
      "TradingApp/Options/BlackScholes/UK-Gas", //resource
      contextMap).decide();                     //attributes map
  System.out.println("Response from OES for request: {" + user + ", " +
    action + ", " + resource + "} \nResult: " + response.allowed());
  Map obligations = response.getObligations();

The request asks whether a given subject (with a context Map of attribute value pairs) has the right to carry out an action on a specific resource.  The so called obligations are a list of key/value pairs, returned with an allowed decision, which the client may interpret as refinements to the authorization decision.  For example, they might provide a where clause to allow a database client to provide which rows of a table a user is allowed to see.

αΊ¦ la REST

A natural way to encode such a query as an HTTP request would be to issue an HTP GET for a URL such as the following:

http://<machine>:<port>://<context root/TradingApp/Options/BlackScholes/UK-Gas/execute?user=glen.byrne&level=5&speciality=Energy

So we are mapping the resource to a URL and the user and context map are passed as query parameters.

This small JDeveloper project implements a gateway to OES which provides such an interface to OES.

To deploy the gateway you must deploy it to a Weblogic 10.3.5 domain which has been prepared as a WLS SM with the OES 11g Client.  This is a standard operation to configure a WLS domain to support Web applications calling to OES.  Once deployed you may test the gateway by accessing the URL htp://localhost:7001/oesgateway/sayHello.  This will return the string 'Hello World!'

Once you have configured OES with an Application, Resource Type, Resource and Authorization policy you can then query OES via the gateway by accessing URLs as shown in the example above.  The general pattern is that all context attributes are passed as query parameters and you access a URL of this form: http://localhost:7001/oesgateway/<resource string>/<action>/?user=<user name>.

A web browser can be used to access the URLs from the gateway.  A client program accessing the gateway is included in the project and a very simple Java program directly executing a HTTP get is available here.

The gateway depends on the Jersey 1.2 API and the OES 11g 11.1.1.5 Client API.

Note that in order for the resolution of user groups to work you need to ensure that the jps-config.xml file where the Gateway is deployed has it's identity store configured--look for the following elements in that file:

  • <serviceProvider type="IDENTITY_STORE" name="idstore.ldap.provider" class="oracle.security.jps.internal.idstore.ldap.LdapIdentityStoreProvider">
                 <description>LDAP-based IdentityStore Provider</description>
      </serviceProvider>
  • <serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
                 <property name="idstore.config.provider" value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider"/>
                 <property name="CONNECTION_POOL_CLASS" value="oracle.security.idm.providers.stdldap.JNDIPool"/>
    </serviceInstance>
  • <serviceInstanceRef ref="idstore.ldap"/>





Comments:

Post a Comment:
  • HTML Syntax: NOT allowed
About

user12587121

Search

Categories
Archives
« July 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
  
       
Today