Tuesday, May 9, 2017
OIM: Sample code to Publish roles to Organizations
This post shows sample OIM code that publishes a role to specific organizations supplied as inputs. Note that the listing as originally published hard-codes the xelsysadm password and connects over plain t3://; in practice read the password from the environment or an interactive prompt and use a t3s:// URL so the administrator credential is not stored in source control or sent in clear text.
Our example code performs the following operations
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.List;
import java.util.Map;
import oracle.iam.identity.exception.NoSuchRoleException;
import oracle.iam.identity.exception.RoleLookupException;
import oracle.iam.identity.exception.SearchKeyNotUniqueException;
import oracle.iam.identity.orgmgmt.api.OrganizationManager;
import oracle.iam.identity.orgmgmt.vo.Organization;
import oracle.iam.identity.rolemgmt.api.RoleManager;
import oracle.iam.identity.rolemgmt.api.RoleManagerConstants;
import oracle.iam.identity.rolemgmt.vo.Role;
import oracle.iam.platform.OIMClient;
import oracle.iam.platform.authopss.api.PolicyConstants;
import oracle.iam.platform.authopss.vo.EntityPublication;
import oracle.iam.platform.authz.exception.AccessDeniedException;
import oracle.iam.platformservice.api.EntityPublicationService;
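/**
 * Publishes the {@code APP_USER} role to a set of OIM organizations.
 *
 * <p>Against the role named {@link #ROLE_NAME} this program:
 * <ul>
 *   <li>adds a publication to the organization "Google" with sub-orgs excluded,</li>
 *   <li>switches the existing "Microsoft" publication to include sub-orgs,</li>
 *   <li>removes the existing "Yahoo" publication.</li>
 * </ul>
 *
 * <p>Connection details come from system properties and the environment so that no
 * credential is compiled into the class:
 * <ul>
 *   <li>{@code -Doim.url} (default {@code t3://oimenv:14100}); prefer a {@code t3s://} URL so
 *       the administrator password is not sent in clear text,</li>
 *   <li>{@code -Doim.user} (default {@code xelsysadm}),</li>
 *   <li>{@code OIM_PASSWORD} environment variable, or a no-echo console prompt when unset.</li>
 * </ul>
 *
 * <p>Exits with status 1 on any failure; the OIM session is always logged out.
 */
public class UpdateOIMRoleOrgAssociation {

    /** Role whose organization publications are changed. */
    private static final String ROLE_NAME = "APP_USER";

    /** Organization that receives a new, non-hierarchical publication. */
    private static final String ORG_TO_ADD = "Google";
    /** Existing publication that is switched to hierarchical (include sub-orgs). */
    private static final String ORG_TO_UPDATE = "Microsoft";
    /** Existing publication that is removed. */
    private static final String ORG_TO_DELETE = "Yahoo";

    /** Map keys expected by {@code RoleManagerConstants.ORGANIZATIONS_PUBLISHED_TO}. */
    private static final String OP_ADD = "ADD";
    private static final String OP_UPDATE = "UPDATE";
    private static final String OP_DELETE = "DELETE";

    private static final String URL_PROPERTY = "oim.url";
    private static final String USER_PROPERTY = "oim.user";
    private static final String PASSWORD_ENV = "OIM_PASSWORD";
    private static final String DEFAULT_URL = "t3://oimenv:14100";
    private static final String DEFAULT_USER = "xelsysadm";
    private static final String DEFAULT_JAAS_CONFIG = "/oracle/iam/authwl.conf";

    /**
     * Entry point: connects, resolves the role, builds the publication changes and applies
     * them with a single {@code RoleManager.modify} call.
     *
     * @param args unused; configuration is read from system properties and the environment
     */
    public static void main(String[] args) {
        OIMClient oimClient = null;
        int exitCode = 0;
        try {
            oimClient = connect();
            RoleManager roleManager = oimClient.getService(RoleManager.class);
            OrganizationManager orgManager = oimClient.getService(OrganizationManager.class);
            EntityPublicationService entityPubService =
                    oimClient.getService(EntityPublicationService.class);

            // Abort (rather than continue with an empty key) when the role cannot be resolved.
            String roleKey = lookupRoleKey(roleManager, ROLE_NAME);
            System.out.println("=====>Retrieved role Key ::" + roleKey);

            // Only the organization being added needs a key lookup; the ones being updated or
            // deleted are matched by scope name in the existing publication list.
            Organization orgToAdd = orgManager.getDetails(ORG_TO_ADD, null, true);
            if (orgToAdd == null) {
                throw new IllegalStateException("Organization not found: " + ORG_TO_ADD);
            }
            System.out.println(ORG_TO_ADD + " Key ::" + orgToAdd.getEntityId());

            // Existing publications must be fetched before they can be modified or deleted.
            List<EntityPublication> existing = entityPubService
                    .listEntityPublications(PolicyConstants.Resources.ROLE, roleKey, null);

            Map<String, List<EntityPublication>> changes = buildPublicationChanges(
                    roleKey, Long.valueOf(orgToAdd.getEntityId()), existing);

            Role updated = new Role(roleKey);
            updated.setAttribute(RoleManagerConstants.ORGANIZATIONS_PUBLISHED_TO, changes);
            roleManager.modify(updated);
            System.out.println("=====>Publications of role " + ROLE_NAME + " updated");
        } catch (Exception e) {
            e.printStackTrace();
            exitCode = 1;
        } finally {
            // Always release the server-side session, even when the update failed.
            if (oimClient != null) {
                try {
                    oimClient.logout();
                } catch (Exception ignored) {
                    // Best effort: an abandoned session only times out later.
                }
            }
        }
        // Exit after the finally block; System.exit inside the catch would skip the logout.
        if (exitCode != 0) {
            System.exit(exitCode);
        }
    }

    /**
     * Builds an {@code OIMClient} from system properties and logs in with a password read from
     * the environment or the console. The password buffer is zeroed after the login attempt.
     *
     * @throws javax.security.auth.login.LoginException if OIM rejects the credentials
     * @throws IllegalStateException if no password source is available
     */
    private static OIMClient connect() throws javax.security.auth.login.LoginException {
        String url = System.getProperty(URL_PROPERTY, DEFAULT_URL);
        String user = System.getProperty(USER_PROPERTY, DEFAULT_USER);

        Hashtable<Object, Object> env = new Hashtable<Object, Object>();
        env.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL, OIMClient.WLS_CONTEXT_FACTORY);
        env.put(OIMClient.JAVA_NAMING_PROVIDER_URL, url);
        // Respect a JAAS config supplied on the command line; fall back to the OIM default.
        if (System.getProperty("java.security.auth.login.config") == null) {
            System.setProperty("java.security.auth.login.config", DEFAULT_JAAS_CONFIG);
        }
        System.setProperty("OIMConnect.AppServerType", "wls");
        System.setProperty("APPSERVER_TYPE", "wls");

        OIMClient oimClient = new OIMClient(env);
        char[] password = readPassword(user, url);
        try {
            oimClient.login(user, password);
        } finally {
            java.util.Arrays.fill(password, '\0');
        }
        return oimClient;
    }

    /**
     * Returns the OIM password from the {@code OIM_PASSWORD} environment variable, falling back
     * to a no-echo console prompt. The password is deliberately never a compile-time constant:
     * the class ends up in source control and build artifacts.
     *
     * @param user login name, shown in the prompt only
     * @param url  provider URL, shown in the prompt only
     * @throws IllegalStateException if neither the variable nor an interactive console is available
     */
    private static char[] readPassword(String user, String url) {
        String fromEnv = System.getenv(PASSWORD_ENV);
        if (fromEnv != null && !fromEnv.isEmpty()) {
            return fromEnv.toCharArray();
        }
        if (System.console() == null) {
            throw new IllegalStateException("Set " + PASSWORD_ENV
                    + " or run interactively so the password can be prompted for");
        }
        char[] typed = System.console().readPassword("Password for %s at %s: ", user, url);
        if (typed == null || typed.length == 0) {
            throw new IllegalStateException("No password entered");
        }
        return typed;
    }

    /**
     * Resolves the role key of {@code roleName} by searching on the "Role Name" attribute.
     *
     * @throws NoSuchRoleException         if no role has that name
     * @throws SearchKeyNotUniqueException if more than one role matches
     * @throws RoleLookupException         on a lookup failure in OIM
     * @throws AccessDeniedException       if the logged-in user may not read the role
     * @throws IllegalStateException       if the role carries no "Role Key" attribute
     */
    private static String lookupRoleKey(RoleManager roleManager, String roleName)
            throws NoSuchRoleException, SearchKeyNotUniqueException, RoleLookupException,
            AccessDeniedException {
        Role role = roleManager.getDetails("Role Name", roleName, null);
        Object key = role.getAttribute("Role Key");
        if (key == null) {
            throw new IllegalStateException("Role " + roleName + " has no 'Role Key' attribute");
        }
        return key.toString();
    }

    /**
     * Assembles the ADD/UPDATE/DELETE lists that the ORGANIZATIONS_PUBLISHED_TO attribute expects.
     *
     * @param roleKey       key of the role being published
     * @param scopeKeyToAdd key of the organization that gets the new publication
     * @param existing      the role's current publications, as returned by OIM
     * @return a map with the three operation lists (possibly empty, never null)
     */
    private static Map<String, List<EntityPublication>> buildPublicationChanges(
            String roleKey, Long scopeKeyToAdd, List<EntityPublication> existing) {
        List<EntityPublication> toAdd = new ArrayList<EntityPublication>();
        List<EntityPublication> toUpdate = new ArrayList<EntityPublication>();
        List<EntityPublication> toDelete = new ArrayList<EntityPublication>();

        // New publication with hierarchical scope false, i.e. sub-organizations are NOT included.
        toAdd.add(new EntityPublication(roleKey, PolicyConstants.Resources.ROLE,
                scopeKeyToAdd, false));

        if (existing != null) {
            for (EntityPublication pub : existing) {
                String scope = pub.getScopeName(); // may be null; compared null-safely below
                if (ORG_TO_UPDATE.equalsIgnoreCase(scope)) {
                    pub.setHierarchicalScope(true); // include sub-organizations
                    toUpdate.add(pub);
                } else if (ORG_TO_DELETE.equalsIgnoreCase(scope)) {
                    toDelete.add(pub); // flags are irrelevant on a deletion
                }
            }
        }
        if (toUpdate.isEmpty()) {
            System.out.println("No existing publication for " + ORG_TO_UPDATE + "; nothing to update");
        }
        if (toDelete.isEmpty()) {
            System.out.println("No existing publication for " + ORG_TO_DELETE + "; nothing to delete");
        }

        Map<String, List<EntityPublication>> changes =
                new HashMap<String, List<EntityPublication>>();
        changes.put(OP_ADD, toAdd);
        changes.put(OP_UPDATE, toUpdate);
        changes.put(OP_DELETE, toDelete);
        return changes;
    }
}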
After updating through code, APP_USER role will be updated as shown below:
Our example code performs the following operations
- Publish APP_USER to new Organization "Google" and set "include sub-orgs" flag to False.
- Publish APP_USER to existing Organization "Microsoft" and set "include sub-orgs" flag to True.
- Remove APP_USER from existing Organization "Yahoo"
- OIM 11.1.2.3BP07
- OEL/RHEL 6
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.List;
import java.util.Map;
import oracle.iam.identity.exception.NoSuchRoleException;
import oracle.iam.identity.exception.RoleLookupException;
import oracle.iam.identity.exception.SearchKeyNotUniqueException;
import oracle.iam.identity.orgmgmt.api.OrganizationManager;
import oracle.iam.identity.orgmgmt.vo.Organization;
import oracle.iam.identity.rolemgmt.api.RoleManager;
import oracle.iam.identity.rolemgmt.api.RoleManagerConstants;
import oracle.iam.identity.rolemgmt.vo.Role;
import oracle.iam.platform.OIMClient;
import oracle.iam.platform.authopss.api.PolicyConstants;
import oracle.iam.platform.authopss.vo.EntityPublication;
import oracle.iam.platform.authz.exception.AccessDeniedException;
import oracle.iam.platformservice.api.EntityPublicationService;
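/**
 * Publishes the {@code APP_USER} role to a set of OIM organizations.
 *
 * <p>Against the role named {@link #ROLE_NAME} this program:
 * <ul>
 *   <li>adds a publication to the organization "Google" with sub-orgs excluded,</li>
 *   <li>switches the existing "Microsoft" publication to include sub-orgs,</li>
 *   <li>removes the existing "Yahoo" publication.</li>
 * </ul>
 *
 * <p>Connection details come from system properties and the environment so that no
 * credential is compiled into the class:
 * <ul>
 *   <li>{@code -Doim.url} (default {@code t3://oimenv:14100}); prefer a {@code t3s://} URL so
 *       the administrator password is not sent in clear text,</li>
 *   <li>{@code -Doim.user} (default {@code xelsysadm}),</li>
 *   <li>{@code OIM_PASSWORD} environment variable, or a no-echo console prompt when unset.</li>
 * </ul>
 *
 * <p>Exits with status 1 on any failure; the OIM session is always logged out.
 */
public class UpdateOIMRoleOrgAssociation {

    /** Role whose organization publications are changed. */
    private static final String ROLE_NAME = "APP_USER";

    /** Organization that receives a new, non-hierarchical publication. */
    private static final String ORG_TO_ADD = "Google";
    /** Existing publication that is switched to hierarchical (include sub-orgs). */
    private static final String ORG_TO_UPDATE = "Microsoft";
    /** Existing publication that is removed. */
    private static final String ORG_TO_DELETE = "Yahoo";

    /** Map keys expected by {@code RoleManagerConstants.ORGANIZATIONS_PUBLISHED_TO}. */
    private static final String OP_ADD = "ADD";
    private static final String OP_UPDATE = "UPDATE";
    private static final String OP_DELETE = "DELETE";

    private static final String URL_PROPERTY = "oim.url";
    private static final String USER_PROPERTY = "oim.user";
    private static final String PASSWORD_ENV = "OIM_PASSWORD";
    private static final String DEFAULT_URL = "t3://oimenv:14100";
    private static final String DEFAULT_USER = "xelsysadm";
    private static final String DEFAULT_JAAS_CONFIG = "/oracle/iam/authwl.conf";

    /**
     * Entry point: connects, resolves the role, builds the publication changes and applies
     * them with a single {@code RoleManager.modify} call.
     *
     * @param args unused; configuration is read from system properties and the environment
     */
    public static void main(String[] args) {
        OIMClient oimClient = null;
        int exitCode = 0;
        try {
            oimClient = connect();
            RoleManager roleManager = oimClient.getService(RoleManager.class);
            OrganizationManager orgManager = oimClient.getService(OrganizationManager.class);
            EntityPublicationService entityPubService =
                    oimClient.getService(EntityPublicationService.class);

            // Abort (rather than continue with an empty key) when the role cannot be resolved.
            String roleKey = lookupRoleKey(roleManager, ROLE_NAME);
            System.out.println("=====>Retrieved role Key ::" + roleKey);

            // Only the organization being added needs a key lookup; the ones being updated or
            // deleted are matched by scope name in the existing publication list.
            Organization orgToAdd = orgManager.getDetails(ORG_TO_ADD, null, true);
            if (orgToAdd == null) {
                throw new IllegalStateException("Organization not found: " + ORG_TO_ADD);
            }
            System.out.println(ORG_TO_ADD + " Key ::" + orgToAdd.getEntityId());

            // Existing publications must be fetched before they can be modified or deleted.
            List<EntityPublication> existing = entityPubService
                    .listEntityPublications(PolicyConstants.Resources.ROLE, roleKey, null);

            Map<String, List<EntityPublication>> changes = buildPublicationChanges(
                    roleKey, Long.valueOf(orgToAdd.getEntityId()), existing);

            Role updated = new Role(roleKey);
            updated.setAttribute(RoleManagerConstants.ORGANIZATIONS_PUBLISHED_TO, changes);
            roleManager.modify(updated);
            System.out.println("=====>Publications of role " + ROLE_NAME + " updated");
        } catch (Exception e) {
            e.printStackTrace();
            exitCode = 1;
        } finally {
            // Always release the server-side session, even when the update failed.
            if (oimClient != null) {
                try {
                    oimClient.logout();
                } catch (Exception ignored) {
                    // Best effort: an abandoned session only times out later.
                }
            }
        }
        // Exit after the finally block; System.exit inside the catch would skip the logout.
        if (exitCode != 0) {
            System.exit(exitCode);
        }
    }

    /**
     * Builds an {@code OIMClient} from system properties and logs in with a password read from
     * the environment or the console. The password buffer is zeroed after the login attempt.
     *
     * @throws javax.security.auth.login.LoginException if OIM rejects the credentials
     * @throws IllegalStateException if no password source is available
     */
    private static OIMClient connect() throws javax.security.auth.login.LoginException {
        String url = System.getProperty(URL_PROPERTY, DEFAULT_URL);
        String user = System.getProperty(USER_PROPERTY, DEFAULT_USER);

        Hashtable<Object, Object> env = new Hashtable<Object, Object>();
        env.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL, OIMClient.WLS_CONTEXT_FACTORY);
        env.put(OIMClient.JAVA_NAMING_PROVIDER_URL, url);
        // Respect a JAAS config supplied on the command line; fall back to the OIM default.
        if (System.getProperty("java.security.auth.login.config") == null) {
            System.setProperty("java.security.auth.login.config", DEFAULT_JAAS_CONFIG);
        }
        System.setProperty("OIMConnect.AppServerType", "wls");
        System.setProperty("APPSERVER_TYPE", "wls");

        OIMClient oimClient = new OIMClient(env);
        char[] password = readPassword(user, url);
        try {
            oimClient.login(user, password);
        } finally {
            java.util.Arrays.fill(password, '\0');
        }
        return oimClient;
    }

    /**
     * Returns the OIM password from the {@code OIM_PASSWORD} environment variable, falling back
     * to a no-echo console prompt. The password is deliberately never a compile-time constant:
     * the class ends up in source control and build artifacts.
     *
     * @param user login name, shown in the prompt only
     * @param url  provider URL, shown in the prompt only
     * @throws IllegalStateException if neither the variable nor an interactive console is available
     */
    private static char[] readPassword(String user, String url) {
        String fromEnv = System.getenv(PASSWORD_ENV);
        if (fromEnv != null && !fromEnv.isEmpty()) {
            return fromEnv.toCharArray();
        }
        if (System.console() == null) {
            throw new IllegalStateException("Set " + PASSWORD_ENV
                    + " or run interactively so the password can be prompted for");
        }
        char[] typed = System.console().readPassword("Password for %s at %s: ", user, url);
        if (typed == null || typed.length == 0) {
            throw new IllegalStateException("No password entered");
        }
        return typed;
    }

    /**
     * Resolves the role key of {@code roleName} by searching on the "Role Name" attribute.
     *
     * @throws NoSuchRoleException         if no role has that name
     * @throws SearchKeyNotUniqueException if more than one role matches
     * @throws RoleLookupException         on a lookup failure in OIM
     * @throws AccessDeniedException       if the logged-in user may not read the role
     * @throws IllegalStateException       if the role carries no "Role Key" attribute
     */
    private static String lookupRoleKey(RoleManager roleManager, String roleName)
            throws NoSuchRoleException, SearchKeyNotUniqueException, RoleLookupException,
            AccessDeniedException {
        Role role = roleManager.getDetails("Role Name", roleName, null);
        Object key = role.getAttribute("Role Key");
        if (key == null) {
            throw new IllegalStateException("Role " + roleName + " has no 'Role Key' attribute");
        }
        return key.toString();
    }

    /**
     * Assembles the ADD/UPDATE/DELETE lists that the ORGANIZATIONS_PUBLISHED_TO attribute expects.
     *
     * @param roleKey       key of the role being published
     * @param scopeKeyToAdd key of the organization that gets the new publication
     * @param existing      the role's current publications, as returned by OIM
     * @return a map with the three operation lists (possibly empty, never null)
     */
    private static Map<String, List<EntityPublication>> buildPublicationChanges(
            String roleKey, Long scopeKeyToAdd, List<EntityPublication> existing) {
        List<EntityPublication> toAdd = new ArrayList<EntityPublication>();
        List<EntityPublication> toUpdate = new ArrayList<EntityPublication>();
        List<EntityPublication> toDelete = new ArrayList<EntityPublication>();

        // New publication with hierarchical scope false, i.e. sub-organizations are NOT included.
        toAdd.add(new EntityPublication(roleKey, PolicyConstants.Resources.ROLE,
                scopeKeyToAdd, false));

        if (existing != null) {
            for (EntityPublication pub : existing) {
                String scope = pub.getScopeName(); // may be null; compared null-safely below
                if (ORG_TO_UPDATE.equalsIgnoreCase(scope)) {
                    pub.setHierarchicalScope(true); // include sub-organizations
                    toUpdate.add(pub);
                } else if (ORG_TO_DELETE.equalsIgnoreCase(scope)) {
                    toDelete.add(pub); // flags are irrelevant on a deletion
                }
            }
        }
        if (toUpdate.isEmpty()) {
            System.out.println("No existing publication for " + ORG_TO_UPDATE + "; nothing to update");
        }
        if (toDelete.isEmpty()) {
            System.out.println("No existing publication for " + ORG_TO_DELETE + "; nothing to delete");
        }

        Map<String, List<EntityPublication>> changes =
                new HashMap<String, List<EntityPublication>>();
        changes.put(OP_ADD, toAdd);
        changes.put(OP_UPDATE, toUpdate);
        changes.put(OP_DELETE, toDelete);
        return changes;
    }
}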
After updating through code, APP_USER role will be updated as shown below:
Monday, April 17, 2017
OAM: Enable White Listing mode
This post covers the commands used to enable URL white-listing in OAM and turn it on for OAM-protected applications. White-listing restricts post-logout (and similar) redirections to URLs that are registered with OAM, so an attacker cannot abuse a redirect parameter such as end_url to send users to an arbitrary external site.
Environment:
Enabling and configuring white-listing mode is simple and requires only the following activities.
1. Enable OAM White listing Mode:Environment:
- OAM 11.1.2.3BP07
- RHEL6/OEL6
Enabling and configuring white-listing mode is simple and requires only the following activities.
- Enable OAM White listing Mode
- Adding/Removing URLs to/from the list of White listed URLs
- Login to the server that contains installation of OAM component
- Browse to the following directory
- <Oracle_IDM_Home>/common/bin
- Execute the following commands
- ./wlst.sh
- connect('weblogic','<password>','t3://oamhost:7001') — or omit the password argument so WLST prompts for it, rather than leaving the admin password in shell history and WLST logs
- domainRuntime()
- oamSetWhiteListMode(oamWhiteListMode="true")
- This returns the success message as shown below.
2. Adding/Removing URLs to/from the list of White listed URLs :
- Execute the command below to add a URL to the list. Keep the list minimal: every entry widens the set of destinations OAM will redirect users to, so register only the exact URLs that users legitimately need to reach.
- oamWhiteListURLConfig(Name="google",Value="http://www.google.com",Operation="Update")
- Execute the below command to remove a URL from the list
- oamWhiteListURLConfig(Name="google",Value="http://www.google.com",Operation="Remove")
Validation:
- We can validate the behaviour during the logout process of any protected application with OAM Logout URL. For example, Add a URL like "http://www.google.com/" to white list and invoke the following Logout URL which has end_url parameter with the google.com URL
- http://<OHSHost>:7777/oamsso/logout.html?end_url=http://www.google.com/
- After successful logout, above URL will redirect you back to "http://www.google.com/" as it is trusted URL.
- You can validate by removing the same URL from the White Listed URLs list and invoke logout again. Then OAM will just log you out but will not redirect the user to "http://www.google.com/"