Securing Applications With Identity Services, Part 2: Authorization

Print-friendly Version

We assume you have done the following:

• Downloaded IdSvcsClient from Part 1.
• Installed the stable Build 2 of OpenSSO.

The authorization service includes two interfaces. One is built with Simple Object Access Protocol (SOAP)—that is, it is a Web-service interface. The other interface is built with Representational State Transfer (REST). The authorization service authorizes users according to three parameters: resource, action, and subject. You can also extend the authorization mechanism for other approaches. That topic is beyond the scope of this article, however.

See also:
Part 3: User Attributes

The configuration process involves creating an authorization policy, setting up two JavaServer Pages (JSP) pages, and making authorization calls with either SOAP or REST.

Creating an Authorization Policy
First, create an authorization policy in the Access Manager Administration Console for evaluation by OpenSSO, which can then determine if the user is authorized to perform the requested operation on the target resource. For details on how to create policies in OpenSSO, see "Creating Policies" in Part 1, Access Control, in the Access Manager 7.1 Administration Guide (PDF).

Here are a few tips on the configurations in the Edit Policy screen:

• General — Under Name, type any name, for example, test-idsvcs.
  
  
• Rules
  
  
  • Service Type: Select URL Policy Agent (with resource name).
    
    
  • Name: Type a name according to the user requirements, for example, test-rule.
    
    
  • Resource Name: Type a name according to the user needs, for example, http://localhost:8080/protected, as in the example that accompanies this article.
    
    
  • Actions: Select your choices according to the user needs, for example, select Allow for both GET and POST.
  
  
• Subjects — Under Name, type a name according to the user requirements, for example, amadmin or the login of a test user.
  
  
• Conditions — The settings are optional, that is, you need not specify any settings for the example to work.
  
  
• Response Providers — Same as Conditions.

Setting Up the JSP Pages
To set up the two JSP pages in the NetBeans IDE for authorization:

1. Add the following code to the authenticate.jsp file to invoke the authorization service with either the SOAP (denoted as WS in the code) or REST interface:
   
   

   <form name="authorization" action="authorization.jsp" method="POST"> <input type="hidden" name="token" value=<%= token %> /> Resource (URL) <input type="text" name="resource" value="http://localhost:8080/protected" size="30" /> <br>Action <select name="action"> <option>GET</option> <option>POST</option> </select><br><br> Authorize using Web Service (SOAP/WSDL) <input type="submit" value="WS" name="auth" /><br><br> Authorize using REST <input type="submit" value="REST" name="auth" /><br> <input type="hidden" name="url" value=<%= ourl %> /> </form>

    
   By way of explanation—
   
   
   • The parameter token is the user's token that becomes available after successful authentication.
     
     
   • The value for resource can be any URL or the name of a J2EE resource. This is the resource at which the user is authorized to perform tasks.
     
     
   • action is the task the user is authorized to perform on that particular resource.
   
   Here is the full content of authenticate.jsp.
   
   
2. Create another JSP file, authorize.jsp, by right-clicking Web Pages in the IdSvcsClient project and then choosing New > JSP from the context menu.
   
   
3. In the dialog box that is displayed, type authorize as the JSP name.
   
   
4. Add the following code as the content for authorize.jsp to retrieve the form parameters and to obtain the values for resource, action, and token—the three parameters required for invoking the authorization interface:
   
   

   <% String type = request.getParameter("auth"); String url = request.getParameter("url"); String token = request.getParameter("token"); String uri = request.getParameter("resource"); String action = request.getParameter("action"); %>

    
   Here is the full content of authorize.jsp.

Making Authorization Calls With SOAP (Web-Service Interface)
Next, still in the NetBeans IDE, make the authorization calls with SOAP from authorize.jsp:

1. Double-click authorize.jsp in the left pane to load the content into the Editor pane on the right.
   
   
2. Right-click in the Editor pane for the context menu and choose Web Service Client Resources > Call Web Service Operation. See Figure 1.
   
   

   Figure 1: Web-Service Operation Call (Click image for larger view.)

    
   The Select Operation to Invoke dialog box is displayed.
   
   
3. Select authorize under IdentityServicesImplPort. See Figure 2.
   
   

   Figure 2: Authorize Operation (Click image for larger view.)

    
   The Netbeans IDE then adds the stub code to the authorize.jsp file.
   
   Note: This step for invoking Web-service calls is important. Do not skip it and manually add the stub code; otherwise, the calls will not work.
   
   The following code segment shows the rearranged stub code to be executed when you specify WS for authorization (see the next section). This code also passes the input parameters.
   
   

   try { if (type.equals("WS")) { com.idsvcsclient.IdentityServicesImplService service = new com.idsvcsclient.IdentityServicesImplService(); com.idsvcsclient.IdentityServicesImpl port = service.getIdentityServicesImplPort(); com.idsvcsclient.Token subject = new com.idsvcsclient.Token(); subject.setId(token); boolean result = port.authorize(uri, action, subject); if (result) { out.println("Authorization Decision: <b>ALLOWED</b>"); } else { out.println("Authorization Decision: <b>DENIED</b>"); } } } catch (Exception e) { try { e.printStackTrace(new java.io.PrintWriter(out)); } catch (Exception ex) { // Ignore } }

    
   

Subsequently, the Netbeans IDE submits the Web-service call with the values for resource, action, and token, and then displays the result of the authorization (Boolean true or false) on the browser. In case of exceptions, the IDE displays the stack trace.

Making Authorization Calls With REST
Alternatively, make the calls with REST, whose authorization service is triggered by the URI authorize. REST expects three query parameters: resource, action, and token. Here is the code segment in question:

try {
    if (type.equals("WS")) {
	... // Code from above.
    } else if (type.equals("REST")) {
	if (url == null || url.length() == 0) {
	    out.println("<h2>Invalid URL: </h2>" + url);
	} else {
	    uri = java.net.URLEncoder.encode(uri, "UTF-8");
	    token = java.net.URLEncoder.encode(token, "UTF-8");
	    url += "/authorize?uri=" + uri +
		"&action=" + action + "&subjectid=" + token;
	    java.net.URL iurl = new java.net.URL(url);
	    java.net.URLConnection connection = iurl.openConnection();
	    java.io.BufferedReader reader = new java.io.BufferedReader(
	  	new java.io.InputStreamReader(
	  	(java.io.InputStream) connection.getContent()));
	    out.println("<h2>Successful using REST</h2>");
	    String line;
	    while ((line = reader.readLine()) != null) {
		out.println(line + "<br>");
	    }
	}
    }
} catch (Exception e) {
    try {
	e.printStackTrace(new java.io.PrintWriter(out));
    } catch (Exception ex) {
	// Ignore
    }
}

The preceding code opens an HTTP URL connection and performs a POST operation with the values of resource, action, and token before displaying the response on the browser.

You are now ready to compile, deploy, and run IdSvcsClient as a test for the authorization service.

To deploy and run IdSvcsClient in the Netbeans IDE, right-click the IdSvcsClient project and choose Undeploy and Deploy from the context menu. The IDE then compiles the necessary classes, builds the WAR file, and deploys it to Sun Java System Application Server. Afterward, you can access the client application at http://localhost:8080/IdSvcsClient.

If authentication is successful, the browser displays the authorization service form, as shown in Figure 3.

Figure 3: Authorization Service Form

If the user has been preapproved to undertake the task concerned, then when that person clicks the WS or REST button next to "Authorize using Web Server (SOAP/WSDL)," the browser displays the authorization result. See Figure 4.

Figure 4: Authorization Results (Click image for larger view.)

To troubleshoot, analyze the exceptions and debug messages. Since OpenSSO is deployed as a Web application in a Web or J2EE container, OpenSSO logs exceptions in either of the following venues:

• Container log files — Note these two possible scenarios:
  
  
  • If an exception occurs when the container is loading the application, OpenSSO.war or fam.war, OpenSSO logs the exception in the container log files. For example, if you have deployed OpenSSO in the GlassFish application server, look for possible exceptions in the GlassFish log files.
    
    
  • If the OpenSSO server does not catch the exception in its code, OpenSSO propagates all the way to the container and logs the exception in the container log files.
  
  
• OpenSSO debug files — To control the level of OpenSSO messages in the debug files, set the appropriate debug level as a value to the parameter com.iplanet.services.debug.level in the AMConfig.properties file at container_install_dir/webapps/opensso/WEB-INF/classes. You have four levels of choices: off, error, warning, and message.
  
  The debug files are at opensso_config_dir/opensso_deploy_uri/debug. Identity service-specific messages reside in the debug file amIdentityServices. Hereare a few typical exceptions:
  
  
  • SSO exception during the creation of SSOToken
    
    
  • Policy exception during policy evaluation to determine if the user is authorized to perform the specified operation on the target resource
    
    
  • URI syntax exception in case the resource URI is malformed
  
  
If you see any of the above exceptions, read through the amIdentityServices debug file and determine the cause.

In case of authorization failures, debug the policies that are configured in the OpenSSO server. Test whether the policy in question allows the user to perform the specified operation on the target resource.

Parts 3 and 4 of this series will show you how to profile and audit with identity services. Stay tuned!

• Sun Java System Access Manager
  • Main page
  • Developer home
  • Software Forum
  
  
• OpenSSO Project
  
  
• Sun developer services
  • Support
  • Training and certification