OpenAM Authorization Manual
2015-11-16 09:59
Important URL: https://iamblog.jelleverbraak.be/?cat=3#sthash.LlRzcvgO.dpbs
1. First define users in OpenDJ, which I use as the user data store.
![](https://img-blog.csdn.net/20151116095646072?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
2. Update the hosts file in Windows for local testing.
![](https://img-blog.csdn.net/20151116095646072?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
3. My Tomcat version is 7.0.39 and my OpenAM version is 12.0.0.
![](https://img-blog.csdn.net/20151116095716833?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
4. Define a sub-realm named friends.
![](https://img-blog.csdn.net/20151116100010564?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
5. Define a J2EE policy agent. agentapp is the web application shipped in OpenAM's j2ee_agents package; agentapp.war is deployed into Tomcat 7's webapps directory, where it listens for user requests and, once a request arrives, delegates authentication and authorization to OpenAM. A screenshot of its deployment follows later.
![](https://img-blog.csdn.net/20151116100139393?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
![](https://img-blog.csdn.net/20151116100157706?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
6. The downloaded j2ee_agents package contains agentadmin.bat.
![](https://img-blog.csdn.net/20151116100252458?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
7. Now open a DOS window, go to this directory and execute the agent install command.
![](https://img-blog.csdn.net/20151116100331439?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
8. Fill in all the information to finish the installation. For the Agent URL, we will deploy agentapp.war into this Tomcat 7 webapps directory.
![](https://img-blog.csdn.net/20151116100401982?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
9. Below is the log of a successful installation.
![](https://img-blog.csdn.net/20151116100428694?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
10. According to the official ForgeRock tutorial, there is a subtle difference in installation between Tomcat 6 and 7: for Tomcat 7, do not use Tomcat's global web.xml; instead update the web.xml of each application deployed in this Tomcat, and agentapp.war must be deployed in this Tomcat.
![](https://img-blog.csdn.net/20151116100506340?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
11. Now start this Tomcat so that the .war is extracted. We will add AmAgentFilter for all requests.
![](https://img-blog.csdn.net/20151116100539198?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
12. Update config/OpenSSOAgentBootstrap.properties to identify the sub-realm that holds your policy agent configuration. Otherwise (initially it is "/", which stands for the top realm) Tomcat will fail to start, and the symptom is that the Tomcat console closes immediately. (Please read the "NOTE" at the end of this article.)
![](https://img-blog.csdn.net/20151116100616737?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
13. Now we can define the policy itself, but first we create an application, which is the resource template of the policy; it is mandatory in OpenAM 12.0.0. I named it newtemplate (not a good name, but fine for testing :) ).
![](https://img-blog.csdn.net/20151116100647860?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
14. Go back to the created application, click it to open the policy definition page, click "Add New Policy", and fill in the exact definition for this policy.
![](https://img-blog.csdn.net/20151116102534422?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
With the OpenDJ REST query below we can see that the dn is the same as the one in the OpenDJ control panel, while the universalId is what appears in the policy's Subjects values.
![](https://img-blog.csdn.net/20151116100833719?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
15. The final policy looks as follows:
![](https://img-blog.csdn.net/20151116100908198?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
16. Here we can start testing, but we need to make sure the agent filter mode is ALL, not SSO_ONLY. If the OpenAM session and our test application session are in the same browser, log out from OpenAM first. It is better to restart the Tomcat that hosts our test application (testpolicy.war). When we type the protected resource URL into the browser, we can see it is redirected to OpenAM for authentication.
![](https://img-blog.csdn.net/20151116100944370?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
17. Since in the policy definition this resource can only be visited by leizhaojin, amAdmin cannot access it and gets a 403 error, which is expected.
![](https://img-blog.csdn.net/20151116101017377?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
18. As SSO is enabled, we can go to the OpenAM console to log out amAdmin, then request the protected resource as leizhaojin.
![](https://img-blog.csdn.net/20151116101051754?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
19. If you still encounter a 403 error, go to OpenAM console -> Access Control -> <realm name> -> Agent -> J2EE -> <policy name> -> OpenAM service -> policy client service, and check whether it reads the top realm's policy, as in the screenshot below:
![](https://img-blog.csdn.net/20151116101120728?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
20. Change the two highlighted fields as follows (friends:newtemplate), then revisit the protected resource; the resource content appears as expected.
![](https://img-blog.csdn.net/20151116101218194?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
![](https://img-blog.csdn.net/20151116101228158?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
NOTE:
For the top realm there is a default application named iPlanetAMWebAgentService; this application is the entry point for policy evaluation. If you leave everything at the default, you must use this application and define your policies on it so that OpenAM evaluates them; otherwise you will always get a 403 error.
![](https://img-blog.csdn.net/20151116101346205?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
For example, I defined a policy named policy to apply my URL-POLICY authorization.
![](https://img-blog.csdn.net/20151116101419010?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
Its details are:
![](https://img-blog.csdn.net/20151116101449619?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
If you get the error below and cannot start Tomcat while agentapp.war is deployed in it:
--------------------------------------
**********************************************
amSecurity:11/14/201512:06:25:859 上午 CST:Thread[main,5,main]
ERROR:AdminTokenAction: FATAL ERROR: Cannot obtain Application SSO token.
CheckAMConfig.properties for the following properties
com.sun.identity.agents.app.username
com.iplanet.am.service.password
-------------------------------
This means you created the agent profile in a sub-realm, so you need to change the com.sun.identity.agents.config.organization.name value in the OpenSSOAgentBootstrap.properties file to reference the realm where the agent profile is.
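Steps 11 and 12 and this NOTE come down to two hand-edited files: the application's web.xml (AmAgentFilter on every request) and the agent's OpenSSOAgentBootstrap.properties (organization.name pointing at the sub-realm). The script below is an added example, not code from the post or from ForgeRock; it checks both files before Tomcat is restarted. The realm path /friends, the sample inputs, and the four dispatcher names taken from ForgeRock's documented filter mapping are assumptions.

```python
# Added example, not from the original post: sanity-check the two files the
# post edits by hand for an OpenAM 12 J2EE agent. The realm path /friends and
# the sample inputs at the bottom are constructed assumptions.
import xml.etree.ElementTree as ET

AGENT_FILTER = "com.sun.identity.agents.filter.AmAgentFilter"
ORG_KEY = "com.sun.identity.agents.config.organization.name"
# Dispatchers in ForgeRock's documented mapping; without FORWARD/INCLUDE a
# server-side forward reaches the resource without passing the agent filter.
DISPATCHERS = {"REQUEST", "INCLUDE", "FORWARD", "ERROR"}
def parse_properties(text):  # minimal Java .properties reader
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props
def check_bootstrap(text, agent_realm):
    # Agent default is "/" (top realm); a profile in a sub-realm needs its path.
    realm = parse_properties(text).get(ORG_KEY, "/")
    return [] if realm == agent_realm else [f"{ORG_KEY}={realm}, expected {agent_realm}"]
def _texts(elem, name):  # child texts by local tag name, ignoring the xmlns
    return {c.text.strip() for c in elem if c.tag.rsplit("}", 1)[-1] == name and c.text}

def check_web_xml(text):
    # Flag an AmAgentFilter that is absent, not on /*, or short of dispatchers.
    kids = [(c.tag.rsplit("}", 1)[-1], c) for c in ET.fromstring(text)]
    names = set()
    for tag, f in kids:
        if tag == "filter" and AGENT_FILTER in _texts(f, "filter-class"):
            names |= _texts(f, "filter-name")
    if not names:
        return ["no <filter> declares " + AGENT_FILTER]
    maps = [m for tag, m in kids if tag == "filter-mapping" and names & _texts(m, "filter-name")]
    findings = [] if maps else ["AmAgentFilter has no <filter-mapping>"]
    for m in maps:
        if "/*" not in _texts(m, "url-pattern"):
            findings.append("AmAgentFilter is not mapped to /*")
        missing = DISPATCHERS - _texts(m, "dispatcher")
        if missing:
            findings.append("mapping lacks dispatchers: " + ", ".join(sorted(missing)))
    return findings

BAD_BOOTSTRAP = ORG_KEY + "=/\n"  # constructed: organization.name left at top realm
GOOD_WEB_XML = f"""<web-app xmlns="http://java.sun.com/xml/ns/javaee">
<filter><filter-name>Agent</filter-name><filter-class>{AGENT_FILTER}</filter-class></filter>
<filter-mapping><filter-name>Agent</filter-name><url-pattern>/*</url-pattern>
{''.join(f'<dispatcher>{d}</dispatcher>' for d in sorted(DISPATCHERS))}</filter-mapping></web-app>"""
```

Run check_bootstrap on the real bootstrap file with the realm path of your agent profile and check_web_xml on each protected application's web.xml; an empty list means nothing was flagged.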