OpenAM Authorization Manual

This article describes in detail how to use OpenDJ as the user data store, configure the Windows hosts file for local testing, integrate Tomcat 7.0.39 with OpenAM 12.0.0, and define a sub-realm named 'friends'. A J2EE Policy Agent is deployed as a request listener to perform user authentication and authorization. The installation covers the install command, configuration file changes, starting Tomcat, and adding the agent filter to all requests. An application is then created and a policy defined on it; an OpenDJ REST query confirms that the DN matches the policy's subject ID, and policy-based access control is achieved.



Important URL: https://iamblog.jelleverbraak.be/?cat=3#sthash.LlRzcvgO.dpbs

1.      First define users in OpenDJ; I use it as the user data store.

2.      Update the hosts file in Windows for local testing.

3.      The Tomcat version is 7.0.39 and my OpenAM version is 12.0.0.

4.      Define a sub-realm named friends.

5.      Define a J2EE Policy Agent. agentapp is a web application shipped in the OpenAM j2ee_agents distribution; agentapp.war is deployed into Tomcat 7's webapps directory and acts as a listener for user requests: once a request arrives from a user, it delegates authentication and authorization to OpenAM. A screenshot of its deployment follows later.

6.      There is an agentadmin.bat in my downloaded j2ee_agents directory.

7.      Now open a DOS window, go to this directory and execute the agent install command.

8.      Fill in all the information to finish the installation. For the Agent URL, we will put agentapp.war into this Tomcat 7 webapps directory.

9.      Below is the log of a successful installation.

10.  According to the ForgeRock official tutorial, there is a subtle difference in installation between Tomcat 6 and 7: for Tomcat 7, do not use Tomcat's global web.xml; instead update the web.xml of each application deployed in this Tomcat, and agentapp.war must be deployed into this Tomcat.

11.  Now start this Tomcat so that the .war is extracted. We will add AmAgentFilter for all requests.

12.  Update config/OpenSSOAgentBootstrap.properties to identify the sub-realm that holds your policy agent configuration. Otherwise (initially it is "/", standing for the top realm) Tomcat will fail to start up; the symptom is that the Tomcat console window closes itself immediately. (Please read the "NOTE" at the end of this article.)

13.  Now we can define the policy itself, but first we create an application, which is the resource template for the policy; this is mandatory in OpenAM 12.0.0. I named it newtemplate (not a good name, but okay for testing :) )

14.  Go back to the created application and click it to open the Policy definition page, click "Add New Policy", and fill in the exact definition for this policy.


With the OpenDJ REST query below we can see that the dn is the same as the one in the OpenDJ control panel, while the universalId is what appears in the policy's Subjects values.

15.  The final policy looks as follows:

16.  Here we can start testing, but we need to make sure the agent filter mode is ALL and not SSO_ONLY. If the OpenAM session and our test application's session are in the same browser, log out from OpenAM first. It is better to restart the Tomcat that hosts our test application (testpolicy.war). When we type the protected resource URL into the browser, we can see it is redirected to OpenAM for authentication.

17.  Since the policy definition allows only leizhaojin to visit this resource, amAdmin cannot access it: a 403 error, as expected.

18.  As SSO is enabled, we can go to the OpenAM console to log out amAdmin, then try leizhaojin to request the protected resource.

19.  If you still encounter a 403 error, go to OpenAM console -> Access Control -> <realm name> -> Agents -> J2EE -> <policy name> -> OpenAM Services -> Policy Client Service, and check whether it reads the top realm's policy, as in the screenshot below:

20.  Change the 2 highlighted fields as follows (friends:newtemplate), then revisit the protected resource; the resource content appears as expected.

NOTE:

For the top realm there is a default application named iPlanetAMWebAgentService. This application is the policy evaluation entry point: if you leave everything at its defaults, you must use this application and define your policies on it; only then will your policy be evaluated by OpenAM, otherwise you will always get a 403 error.

For example, I defined a policy named policy to apply my URL-POLICY authorization. Its details are:

If you get the error below and cannot start Tomcat when agentapp.war is deployed in it:

--------------------------------------

**********************************************

amSecurity:11/14/2015 12:06:25:859 上午 CST:Thread[main,5,main]

ERROR:AdminTokenAction: FATAL ERROR: Cannot obtain Application SSO token.

Check AMConfig.properties for the following properties

         com.sun.identity.agents.app.username

         com.iplanet.am.service.password

-------------------------------

It means you created the agent profile in a sub-realm; you then need to change the com.sun.identity.agents.config.organization.name value in the OpenSSOAgentBootstrap.properties file to reference the realm where the agent profile is.
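The two configuration mistakes this walkthrough runs into (the bootstrap file still naming the top realm "/" while the agent profile lives in the friends sub-realm, and the AmAgentFilter not being applied to every request of the protected application) are easy to catch before starting Tomcat. The script below is an added example, not code from the original post or from ForgeRock: it parses an OpenSSOAgentBootstrap.properties file and a web.xml and reports both problems. It assumes the agent filter class is com.sun.identity.agents.filter.AmAgentFilter (the name documented for the OpenAM J2EE agent), that the realm path for the friends sub-realm is /friends, and it uses constructed sample files rather than a real deployment.

```python
"""Pre-flight checks for an OpenAM J2EE policy-agent deployment (added example)."""
import xml.etree.ElementTree as ET

# Agent filter class name as documented for the OpenAM J2EE agent (assumption).
AM_AGENT_FILTER_CLASS = "com.sun.identity.agents.filter.AmAgentFilter"
# Bootstrap property naming the realm that holds the agent profile (from the post).
ORG_KEY = "com.sun.identity.agents.config.organization.name"


def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value, # and ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def check_bootstrap(text, expected_realm):
    """Return problems found in OpenSSOAgentBootstrap.properties (empty list = OK)."""
    realm = parse_properties(text).get(ORG_KEY)
    if realm is None:
        return [f"{ORG_KEY} is not set"]
    if realm != expected_realm:
        return [f"{ORG_KEY} is '{realm}' but the agent profile lives in '{expected_realm}'"]
    return []


def _local(tag):
    """Strip an XML namespace prefix: '{http://...}filter' -> 'filter'."""
    return tag.rsplit("}", 1)[-1]


def _child_texts(el, name):
    """Text of every direct child of el whose local name is name."""
    return [(c.text or "").strip() for c in el if _local(c.tag) == name]


def _first(el, name):
    texts = _child_texts(el, name)
    return texts[0] if texts else None


def check_web_xml(text):
    """Return problems with the AmAgentFilter declaration in a web.xml (empty list = OK)."""
    root = ET.fromstring(text)
    filters = [el for el in root if _local(el.tag) == "filter"]
    mappings = [el for el in root if _local(el.tag) == "filter-mapping"]
    agent_names = {_first(f, "filter-name") for f in filters
                   if _first(f, "filter-class") == AM_AGENT_FILTER_CLASS}
    if not agent_names:
        return [f"no <filter> with class {AM_AGENT_FILTER_CLASS}"]
    problems = []
    patterns = [p for m in mappings if _first(m, "filter-name") in agent_names
                for p in _child_texts(m, "url-pattern")]
    if "/*" not in patterns:
        problems.append(f"AmAgentFilter is not mapped to /* (mapped to {patterns or 'nothing'})")
    # The agent must run before the application's own filters, so its mapping goes first.
    if mappings and _first(mappings[0], "filter-name") not in agent_names:
        problems.append("AmAgentFilter is not the first <filter-mapping>")
    return problems


# Constructed samples (not from a real deployment).
BAD_BOOTSTRAP = f"# agent profile was created under /friends, but this still names the top realm\n{ORG_KEY}=/\n"
GOOD_BOOTSTRAP = f"{ORG_KEY}=/friends\n"

WEB_XML_TEMPLATE = """\
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <filter>
    <filter-name>Agent</filter-name>
    <filter-class>com.sun.identity.agents.filter.AmAgentFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>Agent</filter-name>
    <url-pattern>{pattern}</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
  </filter-mapping>
  <servlet>
    <servlet-name>hello</servlet-name>
    <servlet-class>example.Hello</servlet-class>
  </servlet>
</web-app>
"""
GOOD_WEB_XML = WEB_XML_TEMPLATE.format(pattern="/*")
BAD_WEB_XML = WEB_XML_TEMPLATE.format(pattern="/admin/*")  # everything outside /admin is unprotected

if __name__ == "__main__":
    for label, problems in [
        ("bootstrap (bad)", check_bootstrap(BAD_BOOTSTRAP, "/friends")),
        ("bootstrap (good)", check_bootstrap(GOOD_BOOTSTRAP, "/friends")),
        ("web.xml (bad)", check_web_xml(BAD_WEB_XML)),
        ("web.xml (good)", check_web_xml(GOOD_WEB_XML)),
    ]:
        print(label, "->", "OK" if not problems else "; ".join(problems))
```

Run it as-is to see the constructed bad files rejected and the good ones pass; to check a real deployment, feed it the contents of config/OpenSSOAgentBootstrap.properties and the protected application's WEB-INF/web.xml and the realm path you created the agent profile in.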
