0 Replies Latest reply: May 6, 2013 3:49 AM by 1005881

    ADF throws PolicyStoreAccessPermission - OPSS api addPrincipalToAppRole

    1005881
      I am facing a PolicyStoreAccessPermission exception when trying to call the OPSS API ApplicationPolicy.addPrincipalToAppRole() for a PoC, using both JDeveloper 11.1.1.7 and 11.1.1.6. I know this issue has been resolved in some other threads and solutions suggested, but none of them seem to be working for me.

      My code is very simple -

      import java.security.Principal;
      import oracle.security.jps.JpsContext;
      import oracle.security.jps.JpsContextFactory;
      import oracle.security.jps.JpsException;
      import oracle.security.jps.service.idstore.IdentityStoreService;
      import oracle.security.jps.service.policystore.ApplicationPolicy;
      import oracle.security.jps.service.policystore.PolicyStore;

      // applicationName is the policy-store stripe of the deployed application
      void grantAppRole(String applicationName, Principal principal, String someRole) throws JpsException {
          JpsContextFactory ctxf = JpsContextFactory.getContextFactory();
          JpsContext ctx = ctxf.getContext();
          IdentityStoreService storeService = ctx.getServiceInstance(IdentityStoreService.class);
          PolicyStore ps = ctx.getServiceInstance(PolicyStore.class);
          ApplicationPolicy policy = ps.getApplicationPolicy(applicationName);
          // find the principal etc..
          policy.addPrincipalToAppRole(principal, someRole);
      }

      It works fine until I call the addPrincipalToAppRole method. I added grants to "weblogic" and "codesource" in system-jazn-data.xml:

      <jazn-data>
        <jazn-realm default="jazn.com">
          <realm>
            <name>jazn.com</name>
          </realm>
        </jazn-realm>
        <policy-store>
          <applications>
            <application locale="en_US">
              <jazn-policy>
                <TRIED GRANTS HERE>
              </jazn-policy>
            </application>
          </applications>
        </policy-store>
        <jazn-policy>
          <TRIED GRANTS HERE>
        </jazn-policy>
      </jazn-data>

      Added code source grants:

      <grant>
        <grantee>
          <codesource>
            <url>file:${domain.home}/../o.j2ee/drs/TablePaginationApp/-</url>
          </codesource>
        </grantee>
        <permissions>
          <permission>
            <class>oracle.security.jps.service.policystore.PolicyStoreAccessPermission</class>
            <name>context=APPLICATION,name=*</name>
            <actions>getApplicationPolicy,createApplicationPolicy,deleteApplicationPolicy,grant,revoke,createAppRole,addPrincipalToAppRole,removeAppRole,removePrincipalFromAppRole,alterAppRole</actions>
          </permission>
          <permission>
            <class>oracle.security.jps.service.policystore.PolicyStoreAccessPermission</class>
            <name>context=SYSTEM,name=*</name>
            <actions>*</actions>
          </permission>
          <permission>
            <class>java.security.SecurityPermission</class>
            <name>setPolicy</name>
          </permission>
          <permission>
            <class>oracle.security.jps.service.credstore.CredentialAccessPermission</class>
            <name>context=SYSTEM,mapName=*,keyName=*</name>
            <actions>read,write</actions>
          </permission>
          <permission>
            <class>oracle.security.jps.JpsPermission</class>
            <name>AppSecurityContext.setApplicationID.*</name>
          </permission>
          <permission>
            <class>oracle.security.jps.service.trust.TrustServiceAccessPermission</class>
            <name>appId=*</name>
            <actions>issue</actions>
          </permission>
        </permissions>
      </grant>
      <grant>
        <grantee>
          <codesource>
            <url>file:${domain.home}/servers/${weblogic.Name}/tmp/_WL_user/TablePaginationApp_application1/-</url>
          </codesource>
        </grantee>
        <permissions>
          <permission>
            <class>oracle.security.jps.service.policystore.PolicyStoreAccessPermission</class>
            <name>context=APPLICATION,name=*</name>
            <actions>getApplicationPolicy,createApplicationPolicy,deleteApplicationPolicy,grant,revoke,createAppRole,addPrincipalToAppRole,removeAppRole,removePrincipalFromAppRole,alterAppRole</actions>
          </permission>
          <permission>
            <class>oracle.security.jps.service.policystore.PolicyStoreAccessPermission</class>
            <name>context=SYSTEM,name=*</name>
            <actions>getApplicationPolicy,createApplicationPolicy,deleteApplicationPolicy,grant,revoke,createAppRole,addPrincipalToAppRole,removeAppRole,removePrincipalFromAppRole,alterAppRole</actions>
          </permission>
          <permission>
            <class>java.security.SecurityPermission</class>
            <name>setPolicy</name>
          </permission>
          <permission>
            <class>oracle.security.jps.service.credstore.CredentialAccessPermission</class>
            <name>context=SYSTEM,mapName=*,keyName=*</name>
            <actions>read,write</actions>
          </permission>
          <permission>
            <class>oracle.security.jps.JpsPermission</class>
            <name>AppSecurityContext.setApplicationID.*</name>
          </permission>
          <permission>
            <class>oracle.security.jps.service.trust.TrustServiceAccessPermission</class>
            <name>appId=*</name>
            <actions>issue</actions>
          </permission>
        </permissions>
      </grant>

      Added WebLogic grants:

      <grant>
        <grantee>
          <principals>
            <principal>
              <class>oracle.security.jps.internal.core.principals.JpsAuthenticatedRoleImpl</class>
              <name>weblogic</name>
            </principal>
          </principals>
        </grantee>
        <permissions>
          <permission>
            <class>oracle.security.jps.service.policystore.PolicyStoreAccessPermission</class>
            <name>context=APPLICATION,name=*</name>
            <actions>getApplicationPolicy,createApplicationPolicy,deleteApplicationPolicy,grant,revoke,createAppRole,addPrincipalToAppRole,removeAppRole,removePrincipalFromAppRole,alterAppRole</actions>
          </permission>
        </permissions>
      </grant>

      But nothing worked for me; I always get this exception:

      java.security.AccessControlException: access denied (oracle.security.jps.service.policystore.PolicyStoreAccessPermission Context:APPLICATION Context Name:TablePaginationApp_application1 Actions:getApplicationPolicy)
      at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
      at java.security.AccessController.checkPermission(AccessController.java:546)
      at oracle.security.jps.util.JpsAuth$AuthorizationMechanism$3.checkPermission(JpsAuth.java:463)
      at oracle.security.jps.util.JpsAuth.checkPermission(JpsAuth.java:523)
      at oracle.security.jps.util.JpsAuth.checkPermission(JpsAuth.java:549)
      at oracle.security.jps.internal.policystore.PolicyUtil.checkPolicyStorePermission(PolicyUtil.java:1292)

      Am I missing anything? Please suggest.

      Thanks!
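The stack trace above ends in java.security.AccessController.checkPermission, which is the standard Java 2 stack walk: every frame's code source must hold the permission unless some frame called AccessController.doPrivileged. The helper below is an added diagnostic example, not code from the original post: it runs the same OPSS calls inside doPrivileged so the walk stops at the calling class's code source, and, if the check still fails, logs the class, name and actions of the exact Permission that was denied (taken from AccessControlException.getPermission()) in the shape of a jazn-data <permission> element, so it can be compared field by field with the grants in system-jazn-data.xml. The class and method names (AppRoleGrantHelper, grantAppRoleWithDiagnostics, describeDenial) are assumptions for illustration; the OPSS and java.security calls are the real APIs.

```java
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permission;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.logging.Logger;
import oracle.security.jps.JpsContext;
import oracle.security.jps.JpsContextFactory;
import oracle.security.jps.JpsException;
import oracle.security.jps.service.policystore.ApplicationPolicy;
import oracle.security.jps.service.policystore.PolicyStore;

/**
 * Added diagnostic helper (hypothetical class, not part of the original post).
 * Wraps the OPSS policy-store calls in doPrivileged and, on an access-control
 * failure, reports the denied permission in jazn-data <permission> form.
 */
public final class AppRoleGrantHelper {

    private static final Logger LOG = Logger.getLogger(AppRoleGrantHelper.class.getName());

    private AppRoleGrantHelper() {}

    /** Adds principal to roleName in the policy stripe applicationName. */
    public static void grantAppRoleWithDiagnostics(final String applicationName,
                                                   final Principal principal,
                                                   final String roleName) throws JpsException {
        try {
            // doPrivileged: only this class's code source (and OPSS itself)
            // must hold PolicyStoreAccessPermission, not every caller above it.
            AccessController.doPrivileged(new PrivilegedExceptionAction<Void>() {
                public Void run() throws JpsException {
                    JpsContext ctx = JpsContextFactory.getContextFactory().getContext();
                    PolicyStore ps = ctx.getServiceInstance(PolicyStore.class);
                    ApplicationPolicy policy = ps.getApplicationPolicy(applicationName);
                    policy.addPrincipalToAppRole(principal, roleName);
                    return null;
                }
            });
        } catch (PrivilegedActionException pae) {
            // doPrivileged wraps checked exceptions; unwrap the OPSS one.
            throw (JpsException) pae.getException();
        } catch (AccessControlException ace) {
            // AccessControlException is unchecked, so it propagates unwrapped.
            LOG.severe(describeDenial(ace));
            throw ace;
        }
    }

    /** Formats the denied permission as the <permission> element a grant would need. */
    static String describeDenial(AccessControlException ace) {
        Permission p = ace.getPermission();
        if (p == null) {
            return "access denied, but no Permission attached: " + ace.getMessage();
        }
        StringBuilder sb = new StringBuilder("access denied; a grant must cover exactly:\n");
        sb.append("  <permission>\n");
        sb.append("    <class>").append(p.getClass().getName()).append("</class>\n");
        sb.append("    <name>").append(p.getName()).append("</name>\n");
        String actions = p.getActions();
        if (actions != null && actions.length() > 0) {
            sb.append("    <actions>").append(actions).append("</actions>\n");
        }
        sb.append("  </permission>");
        return sb.toString();
    }
}
```

Two things to check against the logged output: the <name> printed is whatever PolicyStoreAccessPermission.getName() returns for the denied check, so it shows the context and context name actually being tested (the trace above shows context APPLICATION and context name TablePaginationApp_application1), and the code source that needs the grant is the one containing this class as deployed, which must match the <url> in the <codesource> grant including the trailing /- wildcard.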