The JAAS/OPSS Authorization Model

    // (Continuation of the servlet example: the class header and the enclosing
    // try block that the catch below belongs to precede this fragment.)
            Subject.doAsPrivileged(s, new PrivilegedAction() {
                public Object run() {
                    try {
                        // The check runs with the Subject's principals in the access control context
                        AccessController.checkPermission(rtPerm);
                        out.println("<br>");
                        out.println("CheckPermission passed for permission: " + rtPerm
                                + " seeded in application policy");
                        out.println("<br>");
                    } catch (IOException e) {
                        e.printStackTrace();
                        printException("IOException", e, out);
                    } catch (AccessControlException ace) {
                        ace.printStackTrace();
                        printException("Accesscontrol Exception", ace, out);
                    }
                    return null;
                }
            }, null);
        } catch (Throwable e) {
            e.printStackTrace();
            printException("application policy check failed", e, out);
        }
        out.println("</BODY>");
        out.println("</HTML>");
    }

    // Writes the exception's stack trace, followed by the trace of every
    // nested cause, to the servlet response.
    void printException(String msg, Throwable e, ServletOutputStream out) {
        Throwable t;
        try {
            StringWriter sw = new StringWriter();
            PrintWriter pw = new PrintWriter(sw, true);
            e.printStackTrace(pw);
            out.println("<p>" + msg + "</p>");
            out.println("<code>");
            out.println(sw.getBuffer().toString());
            t = e;
            // Print the root cause
            while ((t = t.getCause()) != null) {
                sw = new StringWriter();
                pw = new PrintWriter(sw, true);
                t.printStackTrace(pw);
                out.println("<hr>");
                out.println("<p> Caused By ... </p>");
                out.println(sw.getBuffer().toString());
            }
            out.println("</code></p>");
        } catch (IOException ioe) {
            ioe.printStackTrace();
        }
    }
}

20.3.3.2 Using the Methods doAs and doAsPrivileged

Oracle Fusion Middleware supports the methods doAs and doAsPrivileged in the standard class javax.security.auth.Subject. Oracle recommends, however, using the versions of these methods in the class oracle.security.jps.util.JpsSubject, because they perform better and provide auditing.

Oracle Fusion Middleware Application Security Guide

20.3.3.3 Using the Method checkBulkAuthorization

The method checkBulkAuthorization determines whether a Subject has access to one or more resource actions. Specifically, the method returns the set of resource actions the passed Subject is authorized to access in the passed resources. When invoking this method in a Java SE application, make sure that:

1. The system property java.security.policy has been set to the location of the OPSS/Oracle WebLogic Server policy file.

2. Your application first calls the method setPolicy to explicitly set the policy provider, as illustrated in the following line:

    java.security.Policy.setPolicy(new oracle.security.jps.internal.policystore.JavaProvider());

3. Your application calls checkBulkAuthorization after the call to setPolicy.

In any application, checkBulkAuthorization assumes that the caller can provide:

■ A Subject with User and Enterprise Role Principals.

■ A list of resources, including the stripe each resource belongs to. Grants using resource permissions must include the required resource type.

checkBulkAuthorization also assumes that the application has visibility into the policy store stripes configured in the domain where the application is running. checkBulkAuthorization does not require the resources to be present in the policy store.

20.3.3.4 Using the Method getGrantedResources

The method getGrantedResources provides a runtime authorization query that fetches all resources granted to a given Subject, returning the resource actions that have been granted to that Subject. Only permissions associated with resource types (directly, or indirectly through permission sets) are returned by this method, and it is available only when the policy store is LDAP-based.

20.3.4 The Class ResourcePermission

A permission class provides the means to control the actions that a grantee is allowed to perform on a resource. Even though a custom permission class gives the application designer complete control over the actions, the target matching, and the implies logic, to work as expected at runtime a custom permission class must be specified in the system classpath of the server, so that it is available and can be loaded when required. Modifying the system classpath is difficult, however, and in some environments such a modification might not even be possible.

Note: If checkPermission is called inside a doAs block and the permission check fails, you must set the system property java.security.debug=access,failure to display the failed protection domain.
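The following added example (not code from the guide or from OPSS) shows, in a stand-alone JDK program, the mechanism the servlet fragment above relies on: checkPermission evaluated inside doAsPrivileged, where the policy provider installed with Policy.setPolicy decides the outcome from the Subject's principals. It assumes a JDK (8 to 17) in which Policy.setPolicy still functions; RolePolicy stands in for the OPSS JavaProvider named in step 2, and RolePrincipal, SubjectScopedCheck and the "app.config" permission are hypothetical names constructed for the example.

```java
import java.security.*;
import java.util.*;
import javax.security.auth.Subject;

public class SubjectScopedCheck {
    // Constructed principal type standing in for an enterprise role (hypothetical).
    static final class RolePrincipal implements Principal {
        private final String name;
        RolePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof RolePrincipal && ((RolePrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }
    // In-memory stand-in for the provider the guide installs with Policy.setPolicy:
    // the permission is granted only to domains whose Subject carries the "admin" role.
    static final class RolePolicy extends Policy {
        private final Permission granted = new PropertyPermission("app.config", "read");
        @Override public boolean implies(ProtectionDomain pd, Permission p) {
            boolean admin = Arrays.asList(pd.getPrincipals()).contains(new RolePrincipal("admin"));
            return admin && granted.implies(p);
        }
    }
    static Subject subjectWithRole(String role) {
        Subject s = new Subject();
        s.getPrincipals().add(new RolePrincipal(role));
        return s;
    }
    // Same shape as the servlet: checkPermission inside doAsPrivileged with a null
    // context, so only the Subject's principals (not the caller's stack) decide.
    static boolean canRead(Subject s, final Permission perm) {
        return Subject.doAsPrivileged(s, (PrivilegedAction<Boolean>) () -> {
            try {
                AccessController.checkPermission(perm);
                return true;
            } catch (AccessControlException ace) {
                return false; // -Djava.security.debug=access,failure prints the failing domain
            }
        }, null);
    }
    public static void main(String[] args) {
        Policy.setPolicy(new RolePolicy());
        Permission p = new PropertyPermission("app.config", "read");
        System.out.println("admin: " + canRead(subjectWithRole("admin"), p)); // true
        System.out.println("guest: " + canRead(subjectWithRole("guest"), p)); // false
    }
}
```

Running the program with -Djava.security.debug=access,failure shows, for the guest Subject, the protection domain (with its principals) that caused the check to fail, which is the diagnostic the note above describes.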