hir

Reputation: 1

Web service authentication issue - using OpenAM J2EE agent 3

I am new to OpenAM. I am trying to use OpenAM (954) to secure my web service using J2EE agent 3.0. I have deployed my web service (using CXF) on GlassFish 3.1.x.

I have created the necessary configuration given at the URL http://docs.oracle.com/cd/E19575-01/820-4803/ghuqg/index.html

I want to authenticate using a user id and password. I am passing this information (userid/password) using a SOAP header. But when I try to access my web service in the browser, it gives an access forbidden message.

Are there any additional configurations required? Please let me know, I am not able to find any other information on this anywhere.

The following is the request we are sending. I am not sure whether the UsernameToken wsu:Id is correct. How do we get this value from OpenAM dynamically each time we send the request?

    <!-- WS-Security header carrying the UsernameToken -->
    <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:UsernameToken wsu:Id="UsernameToken-27777511" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsse:Username>amadmin</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">Amit4001</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>

    <!-- Operation element sent in the SOAP body -->
    <demo:greetPerson>
      <!--Optional:-->
      <arg0>Ashish</arg0>
    </demo:greetPerson>

Please help me solve this issue.

Upvotes: 0

Views: 1014

Answers (2)

n2studio

Reputation: 306

For your agent policy, in the Global tab: General section > Agent Filter Mode, remove ALL and add SSO_ONLY (leave Map Key blank and Map Value as SSO_ONLY). Note that this configuration isn't hot-swappable, so OpenAM has to be restarted to apply.

Here is a procedure for installing the agent on the server you want to protect: http://openam.forgerock.org/openam-documentation/openam-doc-source/doc/jee-install-guide/index/chap-glassfish.html

Here is a good procedure for configuring the agent policy centrally on the OpenAM server: http://openam.forgerock.org/openam-documentation/openam-doc-source/doc/admin-guide/index/chap-agents.html#create-agent-profiles

You might want to also control which URIs (webapps) to protect instead of the entire website. To do that, in the agent policy:

  • Application tab: Not Enforced URI Processing section > add the URI to protect, for example: /application1/*
  • Application tab: Not Enforced URI Processing section > check the "Invert Not Enforced URIs" checkbox so that it will actually enforce the "Not Enforced URI" values

Upvotes: 0

mjrussell

Reputation: 615

> I want to authenticate using a user id and password. I am passing this information (userid/password) using a SOAP header. But when I try to access my web service in the browser, it gives an access forbidden message.

I'm currently struggling to learn OpenAM as well and I think your specific problem is that you have not yet set up a policy (not a policy agent) after users have successfully authenticated.

If you haven't, try the following steps: navigate to Access Control -> YourRealm -> Policies -> New Policy

Name: yourpolicyname

Rules (click new):

  • Name: URLPolicy
    Resource Name: http://your-webservice-url/*
    Check allow GET and POST
  • Name: GetUrlPolicy
    Resource Name: http://your-webservice-url/*?*
    Check allow GET and POST

Subjects (click new):

  • Type: OpenAM Identity Subject
  • Name: UserAccess
  • Add the users you want to be able to authenticate

You have to add in the *?* if you have any GET parameters in your web page.


Hope that helps, I know the documentation around is terrible.

Upvotes: 1
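
A simplified model of the wildcard point in the answer above, added here as an example (it is not code from the answer or from OpenAM). It assumes that `*` in a resource name does not match `?`, and it uses a constructed host name in place of your-webservice-url; the function names are hypothetical.

```python
import re

# The two rules from the answer; the host name is a constructed placeholder.
RULES = {
    "URLPolicy": "http://ws.example.com/*",
    "GetUrlPolicy": "http://ws.example.com/*?*",
}


def pattern_to_regex(pattern):
    """Compile a resource pattern. Assumption: '*' matches any run of
    characters except '?', so a query string needs its own rule."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + "[^?]*".join(parts) + "$")


def matching_rules(url, rules=RULES):
    """Return the names of the rules whose resource pattern covers url."""
    return sorted(name for name, pat in rules.items()
                  if pattern_to_regex(pat).match(url))


def is_covered(url, rules=RULES):
    """True when at least one rule covers url; with none, nothing allows it."""
    return bool(matching_rules(url, rules))


if __name__ == "__main__":
    samples = [  # constructed sample requests
        "http://ws.example.com/services/greet",
        "http://ws.example.com/services/greet?wsdl",
        "http://ws.example.com/services/greet?name=Ashish&lang=en",
        "http://other.example.com/services/greet",
    ]
    only_first = {"URLPolicy": RULES["URLPolicy"]}
    for url in samples:
        print(f"{url}\n  both rules: {matching_rules(url)}"
              f"\n  URLPolicy only: {matching_rules(url, only_first)}")
```

With only URLPolicy defined, the `?wsdl` request is covered by no rule, which is the case the second rule exists for.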
