5 Replies. Latest reply: Dec 22, 2013 11:39 PM by user580543

Help with OAG authorization

user580543 Newbie

Hi,

I'm looking to authorize users in the policy after a user (a.b@oracle.com) is authenticated using a WS-Security Username Token, based on the condition below.


${authentication.subject.id}=a.b@oracle.com


Could you please help with how the above condition can be placed in the "attribute requirements" of the authorization "attribute" filter?


Thanks in advance,

Vani

  • 1. Re: Help with OAG authorization
    user580543 Newbie

    Hi ,

    To add more details: in the sample policy that I developed I have an IP filter, authentication (WS-Security Username Token) and authorization.


    For authorization, as I was unable to configure the authorization message attribute, I'm using Compare Attribute with the following pattern in an "OR" condition for multiple users.


    ${authentication.subject.id}=a.b@oracle.com


    Thanks,

    Vani

  • 2. Re: Help with OAG authorization
    StefanOEG Explorer

    Hi,


    Authorizing the way you are doing it is not a way I would recommend, as it's not very dynamic. You don't say whether you are using a repository like an Active Directory domain, but in general you would always check whether the authenticated user is a member of a specific group rather than keeping a list of users in a Compare filter. You want to avoid having very specific logic in the gateway configuration as much as possible; otherwise you will have to redeploy every time you want to add or remove users, etc.


    If you are using Active Directory, you can use the "Retrieve from Directory Server" filter after a successful authentication to retrieve that user's attributes, normally memberOf, which gives you all the groups the user is a member of; you would then do the authorization check on that data.


    If you are using the built-in user repository, there is a "Check Group Membership" filter that can be used instead.


    Cheers,

    Stefan

  • 3. Re: Help with OAG authorization
    user580543 Newbie

    Hi Stefan,

    Thanks for your inputs, which worked like magic.

    We are using LDAP for authentication, and our web service does not depend on attributes like group, etc.

    So as per your suggestion, we maintain a group of users meant for a specific set of web services to authorize.


    So when we add/remove users from the group via API Gateway Manager, we don't need any deployment, right?


    Thanks,

    Vani

  • 4. Re: Help with OAG authorization
    StefanOEG Explorer

    Exactly, by using a group you will separate it nicely. The gateway by default caches LDAP requests for 30 seconds, so be aware of this if you are testing, or change it to not cache at all.


    Cheers,

    Stefan
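The pattern Stefan recommends in replies 2 and 4 (authorize on a group fetched from the directory rather than on a user list baked into the policy, and mind the 30-second LDAP cache) is illustrated below. This is an added example, not OAG configuration and not code from anyone in the thread: the in-memory `DIRECTORY` dict, the `DirectoryCache` class and the group DN `cn=ws-orders,ou=groups,dc=example,dc=com` are all assumptions standing in for a real directory server and the gateway's filters. The point it makes beyond the thread is the revocation window: after a user is removed from the group, a cached `memberOf` answer keeps authorizing that user until the TTL expires.

```python
"""Group-based authorization with a short-lived directory cache (added example)."""
import copy
import time
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for the directory server (assumption, not a real LDAP):
# subject id -> attributes, as "Retrieve from Directory Server" would return them.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "a.b@oracle.com": {"memberOf": ["CN=ws-orders,OU=groups,DC=example,DC=com"]},
    "c.d@oracle.com": {"memberOf": ["CN=ws-billing,OU=groups,DC=example,DC=com"]},
}

# Approach 1, what the original post did: a user list inside the policy.
# Adding or removing a user means editing and redeploying the policy.
ALLOWED_USERS = {"a.b@oracle.com", "c.d@oracle.com"}


def authorize_by_user_list(subject_id: str) -> bool:
    return subject_id in ALLOWED_USERS


def normalize_dn(dn: str) -> str:
    """Compare DNs case-insensitively, ignoring whitespace around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


class DirectoryCache:
    """Caches memberOf lookups for ttl seconds (30 s is the gateway default
    quoted in the thread; ttl=0 disables caching). clock is injectable so the
    revocation window can be demonstrated without sleeping."""

    def __init__(self, lookup: Callable[[str], List[str]], ttl: float = 30.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._lookup = lookup
        self._ttl = ttl
        self._clock = clock
        self._entries: Dict[str, Tuple[float, List[str]]] = {}

    def member_of(self, subject_id: str) -> List[str]:
        now = self._clock()
        hit = self._entries.get(subject_id)
        if hit is not None and now - hit[0] < self._ttl:
            return hit[1]                      # served from cache, possibly stale
        groups = self._lookup(subject_id)      # the actual directory round trip
        self._entries[subject_id] = (now, groups)
        return groups


def make_lookup(directory: Dict[str, Dict[str, List[str]]]) -> Callable[[str], List[str]]:
    """Builds a memberOf lookup over a given directory snapshot."""
    def lookup(subject_id: str) -> List[str]:
        entry = directory.get(subject_id)
        return list(entry["memberOf"]) if entry else []
    return lookup


# Approach 2, Stefan's recommendation: require membership in one group.
# Users move in and out of the group in the directory; the policy never changes.
def authorize_by_group(cache: DirectoryCache, subject_id: str, required_group_dn: str) -> bool:
    wanted = normalize_dn(required_group_dn)
    return any(normalize_dn(g) == wanted for g in cache.member_of(subject_id))


def revocation_demo(ttl: float = 30.0) -> Tuple[bool, bool, bool]:
    """Returns (before_removal, right_after_removal, after_ttl_expires) for a.b.
    With the default 30 s cache the middle value is still True: the gateway keeps
    authorizing a user who was just removed from the group until the cache expires."""
    directory = copy.deepcopy(DIRECTORY)
    fake_now = [0.0]
    cache = DirectoryCache(make_lookup(directory), ttl=ttl, clock=lambda: fake_now[0])
    group = "cn=ws-orders,ou=groups,dc=example,dc=com"
    before = authorize_by_group(cache, "a.b@oracle.com", group)
    directory["a.b@oracle.com"]["memberOf"] = []          # admin removes the user
    stale = authorize_by_group(cache, "a.b@oracle.com", group)
    fake_now[0] += ttl                                    # cache entry ages out
    after = authorize_by_group(cache, "a.b@oracle.com", group)
    return before, stale, after


if __name__ == "__main__":
    print("user list :", authorize_by_user_list("a.b@oracle.com"))
    print("30s cache :", revocation_demo())        # (True, True, False)
    print("no cache  :", revocation_demo(ttl=0.0)) # (True, False, False)
```

The DN comparison is normalized because directory servers return `memberOf` values with whatever case and spacing the entry was created with, and a byte-exact string compare would silently fail closed. The `ttl=0` run shows the trade-off Stefan alludes to: disabling the cache makes revocation immediate at the cost of one directory round trip per request.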

  • 5. Re: Help with OAG authorization
    user580543 Newbie

    Hi Stefan,

    I could not find a way to add users from API Gateway Manager.

    Could you please let me know how to add a user, since Policy Studio exists on a remote machine and adding users in Policy Studio would need a deployment.


    Thanks,

    Vani
