7.4 Using Access Manager Policies to Enforce Authorization

The following procedure explains how to set up Access Manager policies that permit Managers to access the manager pages in the sample payroll application, deny Employees access to the manager pages, and permit both Employees and Managers to access their own information pages. No J2EE server configuration is required for these policies to be enforced correctly.

7.4.1 Creating an Employee Role and a Manager Role

If you have a particular application that requires more than one role, and it is the only application using these roles, you can create one role policy that assigns users to the required roles. The following steps explain how to create one role policy that assigns users to the Manager role and the Employee role.

  1. In the Administration Console, click Devices > Policies.

  2. Click New, specify a name for the role policy, select Identity Server: Roles as the type, then click OK.

  3. For the first rule, click New, create a condition that matches your managers but not your employees, activate the Manager role, then click OK.

    The following rule uses the LDAP OU condition to determine whether the user is a manager. It assumes that all managers are in the ou=managers,ou=payroll,o=novell container.

  4. To create the second rule of the policy, click New.

  5. In Condition Group 1, click New, create a condition that matches your employees but not your managers, activate the Employee role, then click OK.

    The following rule uses the LDAP OU condition to determine whether the user is an employee. It assumes that all employees are in the ou=employees,ou=payroll,o=novell container.

  6. To save your Role policy, click OK > Apply Changes.

  7. Activate the Role policy for your Identity Server cluster configuration. Click Identity Servers > Edit > Roles.

  8. Select the name of your Role policy, click Enable, then click OK.

  9. Click Identity Servers > Update to update the Identity Server.

  10. Continue with Section 7.4.2, Creating Authorization Policies.

7.4.2 Creating Authorization Policies

The payroll application is a .ear file that contains both an EJB module and a Web (.war) module. Each module type requires its own type of Authorization policies, and to fully protect the application, you must create the following policies:

Creating EJB Authorization Policies

You need to create two policies: one that permits Managers to access EJB resources and one that permits Employees to access EJB resources.

  1. In the Administration Console, click Devices > Policies.

  2. To create an Authorization policy for the employees, click New, specify a name for the policy, select J2EE Agent: EJB Authorization as the type, then click OK.

  3. For the first rule, click New, set up a condition that permits access if the user has been assigned the Employee role, then click OK. Your rule should look similar to the following:

  4. To create the second rule in the policy, click New.

  5. To create a generic deny rule, assign a deny action, then click OK. Your rule should look similar to the following:

  6. To save your employee policy, click OK > Apply Changes.

  7. To create a policy for the managers, click New, specify a name for the policy, select J2EE Agent: EJB Authorization as the type, then click OK.

  8. For the first rule, click New, set up a condition that permits access if the user has been assigned the Manager role, then click OK. Your rule should look similar to the following:

  9. To create the second rule in the policy, click New.

  10. To create a generic deny rule, assign a deny action, then click OK. Your rule should look similar to the following:

  11. To save your manager policy, click OK > Apply Changes.

  12. Continue with Creating Web Authorization Policies.

Creating Web Authorization Policies

You need to create two policies: one that permits Managers to access Web resources and one that permits Employees to access Web resources.

  1. In the Administration Console, click Devices > Policies.

  2. To create an Authorization policy for the employees, click New, specify a name for the policy, select J2EE Agent: Web Authorization as the type, then click OK.

  3. For the first rule, click New, set up a condition that permits access if the user has been assigned the Employee role, then click OK. Your rule should look similar to the following:

  4. To create the second rule in the policy, click New.

  5. To create a generic deny rule, assign a deny action, then click OK. Your rule should look similar to the following:

    When you create a policy with one or more permit rules and you end it with a deny rule with a priority of 10, the logic of the policy is clear. Users who match a permit rule are allowed access; everyone else is denied access.

  6. To save your employee policy, click OK > Apply Changes.

  7. To create a policy for the managers, click New, specify a name for the policy, select J2EE Agent: Web Authorization as the type, then click OK.

  8. For the first rule, click New, set up a condition that permits access if the user has been assigned the Manager role, then click OK. Your rule should look similar to the following:

  9. To create the second rule in the policy, click New.

  10. To create a generic deny rule, assign a deny action, then click OK. Your rule should look similar to the following:

  11. To save your manager policy, click OK > Apply Changes.

  12. Continue with Section 7.4.3, Assigning Policies to Protected Resources.

7.4.3 Assigning Policies to Protected Resources

After creating the Authorization policies, you need to create protected resources for the payroll application, then assign the policies to the protected resources.

Assigning the Authorization Policies to Protected Web Resources

To allow the J2EE Agent to enforce authorization for the payroll Web module, you need to create three protected resources for the payroll application.

  1. Click Devices > J2EE Agents > Edit.

  2. In the Access Control Configuration section, deselect Enforce application server policy, select Enforce additional authorization policy, then click Manage authorization policies.

  3. Click New, specify the name of the payroll .war file (PayrollWeb.war), select Web Module as the Type, then click OK.

  4. Click New to create the required protected resources.

  5. Select all three protected resources.

    The manager protected resource has /manager/* as its URL path and enables the PayrollWebManager Authorization policy. This policy allows only managers to access the manager pages. Everyone else is denied access.

    The myinfo protected resource has /myInformation.jsp and /payserv as its URL paths. Both the PayrollWebEmployee and PayrollWebManager Authorization policies are enabled for this resource. This allows both employees and managers to view their own information pages.

    The public protected resource uses /* for its URL path and is not assigned an Authorization policy. This allows everyone who can log in to the Identity Server to have access to the public pages of the application.

  6. To save your changes, click Configuration Panel, then click OK.

  7. On the J2EE Agents page, click Update.

Assigning the Authorization Policies to Protected EJB Resources

To allow the J2EE Agent to enforce authorization for the payroll EJB module, you need to create policies for four EJBs.

  1. Click Devices > J2EE Agents > Edit.

  2. In the Access Control Configuration section, deselect Enforce application server policy, select Enforce additional authorization policy, then click Manage authorization policies.

  3. Click New, specify the name of the payroll .jar file (PayrollEJB.jar), select EJB Module as the Type, then click OK.

  4. Click New to create the required EJB modules for this application.

  5. Select all four EJB modules.

    The [All] EJB is not assigned an Authorization policy. This allows everyone who can log in to the Identity Server to have access to the public EJBs of the application.

    The EmployeeEJB enables the PayrollEJBManager Authorization policy. This policy allows only managers to change sensitive employee information, such as an employee’s salary.

    The EmployeeSessionEJB enables both the PayrollEJBEmployee and PayrollEJBManager Authorization policies for this resource. This allows both employees and managers to view their own employee information.

    The ManagerSessionEJB enables the PayrollEJBManager Authorization policy. This policy allows only managers to manage employee information. Everyone else is denied access.

  6. To save your changes, click Configuration Panel, then click OK.

  7. On the J2EE Agents page, click Update.

7.4.4 Testing the Configuration

  1. Deploy the sample payroll application on your J2EE server.

    The location of the sample application is platform-specific:

    • On a Linux, Solaris, or AIX J2EE server, the application is copied to the /opt/novell/nids_agents/example directory.

    • On a Windows J2EE server, the application is copied to the <Install_Directory>\sampleapp directory.

  2. On your J2EE server, prepare the application to use the agent for login and logout (see Section 4.1, Preparing the Application for the Agent).

    These steps have already been performed for the sample application. See the web.xml file in the application’s WEB-INF directory.

  3. Enable the RunAs role feature on your J2EE server.

  4. To test this configuration, send the following request from a browser:

    http://<Application_Server_DNS_Name>:<port>/payroll

    Replace <Application_Server_DNS_Name> with the DNS name or the IP address of your application server. Replace <port> with the port number you have configured the J2EE Agent to use.

  5. Log in as a user who matches the condition to receive the Employee role. Access the My Page and the Manager Page.

  6. Log out and log in as a user who matches the condition to receive the Manager role. Access the My Page and the Manager Page.
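
The role rules, Web Authorization policies and protected Web resources configured above can be modelled to predict what steps 5 and 6 should show. This is an added example, not Access Manager code and not part of the original guide. The longest-pattern match, the rule that any enabled policy may permit, the module-relative paths and the sample path /manager/list.jsp are assumptions of the model.

```python
from fnmatch import fnmatchcase

# Role policy (7.4.1): LDAP OU container -> activated role.
ROLE_RULES = [
    ("ou=managers,ou=payroll,o=novell", "Manager"),
    ("ou=employees,ou=payroll,o=novell", "Employee"),
]
# Authorization policies (7.4.2): ordered (required_role, action) rules.
# List order stands in for rule priority; None marks the generic deny rule.
POLICIES = {
    "PayrollWebEmployee": [("Employee", "permit"), (None, "deny")],
    "PayrollWebManager": [("Manager", "permit"), (None, "deny")],
}
# Protected resources (7.4.3): (name, URL paths, enabled policies).
RESOURCES = [
    ("manager", ["/manager/*"], ["PayrollWebManager"]),
    ("myinfo", ["/myInformation.jsp", "/payserv"],
     ["PayrollWebEmployee", "PayrollWebManager"]),
    ("public", ["/*"], []),
]

def roles_for(dn):
    """Activate each role whose OU container holds the user's DN (simplified DN match)."""
    dn = dn.lower()
    return {role for ou, role in ROLE_RULES if dn.endswith("," + ou)}

def evaluate(policy, roles):
    """First matching rule decides; the trailing deny catches everyone else."""
    for required, action in POLICIES[policy]:
        if required is None or required in roles:
            return action
    return "deny"

def match_resource(path):
    """Assumption: the longest matching URL pattern selects the resource."""
    hits = [(len(pat), name, pols) for name, pats, pols in RESOURCES
            for pat in pats if fnmatchcase(path, pat)]
    return max(hits)[1:] if hits else (None, [])

def decide(dn, path):
    """Decision for an authenticated user; path is relative to the Web module."""
    name, policies = match_resource(path)
    if name is None:
        return "deny"
    if not policies:          # public resource: no Authorization policy assigned
        return "permit"
    roles = roles_for(dn)
    # Assumption: access is granted when any enabled policy permits.
    return "permit" if any(evaluate(p, roles) == "permit" for p in policies) else "deny"
```

With a constructed user such as cn=alice,ou=employees,ou=payroll,o=novell, decide() returns "deny" for /manager/list.jsp and "permit" for /myInformation.jsp. A user in neither container gets "deny" on both and "permit" only on public paths, which shows the generic deny rule catching everyone without a role.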