Using OPSS Outside Oracle JDeveloper/Oracle ADF

20-6 Oracle Fusion Middleware Application Security Guide

    // ... continuation of the role-category search begun on the preceding page
    RoleCategoryManager rcm = ap.getEntityManager(RoleCategoryManager.class);
    RoleCategorySearchQuery rcsq = new RoleCategorySearchQuery();
    rcsq.setANDMatch();
    rcsq.addQuery(RoleCategorySearchQuery.SEARCH_PROPERTY.NAME, false,
                  ComparatorType.EQUALITY, "roleCategoryCartoon",
                  BaseSearchQuery.MATCHER.EXACT);
    List<RoleCategoryEntry> allRoleCategories = rcm.getRoleCategories(rcsq);
      }
    }

The following code snippet illustrates a complex query involving resource catalog elements:

    // ApplicationPolicy ap as in the preceding example

    // Search resource types by exact name
    ResourceTypeManager rtm = ap.getEntityManager(ResourceTypeManager.class);
    ResourceTypeSearchQuery query = new ResourceTypeSearchQuery();
    query.setANDMatch();
    query.addQuery(ResourceTypeSearchQuery.SEARCH_PROPERTY.NAME, false,
                   ComparatorType.EQUALITY, "resourceType",
                   BaseSearchQuery.MATCHER.EXACT);
    List<ResourceTypeEntry> entries = rtm.getResourceTypes(query);

    // Search resources of type "RT2" named "R2"
    ResourceManager rm = ap.getEntityManager(ResourceManager.class);
    ResourceSearchQuery resourceQuery = new ResourceSearchQuery();
    resourceQuery.setANDMatch();
    resourceQuery.addQuery(ResourceSearchQuery.SEARCH_PROPERTY.NAME, false,
                           ComparatorType.EQUALITY, "R2",
                           BaseSearchQuery.MATCHER.EXACT);
    ArrayList<BaseSearchQuery> resourceQueries = resourceQuery.getQueries();
    List<ResourceEntry> resources = rm.getResources("RT2", resourceQuery);

    // Search permission sets by exact name
    PermissionSetManager psm = ap.getEntityManager(PermissionSetManager.class);
    PermissionSetSearchQuery pssq = new PermissionSetSearchQuery();
    pssq.setANDMatch();
    pssq.addQuery(PermissionSetSearchQuery.SEARCH_PROPERTY.NAME, false,
                  ComparatorType.EQUALITY, "PS1",
                  BaseSearchQuery.MATCHER.EXACT);
    List<PermissionSetEntry> psets = psm.getPermissionSets(pssq);

    // Search role categories by exact name
    RoleCategoryManager rcm = ap.getEntityManager(RoleCategoryManager.class);
    RoleCategorySearchQuery rcsq = new RoleCategorySearchQuery();
    rcsq.setANDMatch();
    rcsq.addQuery(RoleCategorySearchQuery.SEARCH_PROPERTY.NAME, false,
                  ComparatorType.EQUALITY, "roleCategoryCartoon",
                  BaseSearchQuery.MATCHER.EXACT);
    ArrayList<BaseSearchQuery> queries = rcsq.getQueries();
    List<RoleCategoryEntry> rcs = rcm.getRoleCategories(rcsq);

The following code sample illustrates how to create a grant:

    // Grant the permission set named permissionSetName to the application role
    // named appRoleName; the null second argument means no codebase restriction
    GrantManager gm = ap.getEntityManager(GrantManager.class);
    Set<PrincipalEntry> pe = new HashSet<PrincipalEntry>();
    List<AppRoleEntry> are = ap.searchAppRoles(appRoleName);
    pe.addAll(are);
    gm.grant(pe, null, permissionSetName);
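The grant above is issued against whatever searchAppRoles returns and against a permission-set name that is never checked for existence. The following Java method, an added example that is not part of the Oracle guide, combines the guide's search and grant calls so that a grant is only written when the role name and the permission-set name each resolve to exactly one policy-store entry; a missing or ambiguous match fails closed instead of widening the grant. It assumes an ApplicationPolicy instance obtained as in the guide's earlier examples, and the OPSS package paths in the imports are assumed from the OPSS API rather than taken from this page.

```java
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import oracle.security.jps.service.policystore.ApplicationPolicy;
import oracle.security.jps.service.policystore.PolicyStoreException;
import oracle.security.jps.service.policystore.entitymanager.GrantManager;
import oracle.security.jps.service.policystore.entitymanager.PermissionSetManager;
import oracle.security.jps.service.policystore.info.AppRoleEntry;
import oracle.security.jps.service.policystore.info.PermissionSetEntry;
import oracle.security.jps.service.policystore.info.PrincipalEntry;
import oracle.security.jps.service.policystore.search.BaseSearchQuery;
import oracle.security.jps.service.policystore.search.ComparatorType;
import oracle.security.jps.service.policystore.search.PermissionSetSearchQuery;

/**
 * Added example (not Oracle's code): grant a permission set to an application
 * role only after both names resolve to exactly one entry in the policy store.
 */
public class SafeGrant {

    /**
     * Grants the permission set psName to the application role roleName.
     * Throws IllegalStateException when either name is missing or ambiguous,
     * so the grant never lands on an unintended principal or permission set.
     */
    public static void grantPermissionSetToRole(ApplicationPolicy ap,
                                                String roleName,
                                                String psName)
            throws PolicyStoreException {
        // Resolve the application role (searchAppRoles as shown in the guide).
        List<AppRoleEntry> roles = ap.searchAppRoles(roleName);
        if (roles.size() != 1) {
            throw new IllegalStateException("Expected exactly one app role named '"
                    + roleName + "', found " + roles.size());
        }

        // Resolve the permission set with an exact, case-sensitive name match so
        // a partial or case-variant name cannot select a different set.
        PermissionSetManager psm = ap.getEntityManager(PermissionSetManager.class);
        PermissionSetSearchQuery pssq = new PermissionSetSearchQuery();
        pssq.setANDMatch();
        pssq.addQuery(PermissionSetSearchQuery.SEARCH_PROPERTY.NAME, false,
                      ComparatorType.EQUALITY, psName,
                      BaseSearchQuery.MATCHER.EXACT);
        List<PermissionSetEntry> psets = psm.getPermissionSets(pssq);
        if (psets.size() != 1) {
            throw new IllegalStateException("Expected exactly one permission set named '"
                    + psName + "', found " + psets.size());
        }

        // Build the principal set from the single matched role and issue the
        // grant; null codebase means the grant is purely subject-based.
        Set<PrincipalEntry> principals = new HashSet<PrincipalEntry>(roles);
        GrantManager gm = ap.getEntityManager(GrantManager.class);
        gm.grant(principals, null, psets.get(0).getName());
    }

    // Illustrative call, assuming 'ap' is the application policy for "MyApp":
    //   SafeGrant.grantPermissionSetToRole(ap, "AppRole", "PS1");
}
```

Failing on zero or multiple matches is deliberate: searchAppRoles may match more than one role, and a typo in the permission-set name would otherwise surface only later as a confusing authorization result rather than at the point where the policy was changed.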

20.3.3 Checking Policies

This section illustrates several ways to check policies programmatically, in the following sections:

■ Using the Method checkPermission
■ Using the Methods doAs and doAsPrivileged
■ Using the Method checkBulkAuthorization
■ Using the Method getGrantedResources

20.3.3.1 Using the Method checkPermission

Oracle Fusion Middleware supports the use of the method checkPermission in the following standard classes:

■ java.lang.SecurityManager
■ java.security.AccessController

In addition, Oracle Fusion Middleware also supports the use of the method checkPermission in the class oracle.security.jps.util.JpsAuth. Oracle recommends the use of checkPermission in the class JpsAuth instead of the previous two because it provides better debugging support, better performance, and audit support.

The static method AccessController.checkPermission uses the default access control context (the context inherited when the thread was created). To check permissions on some other context, call the instance method checkPermission on a particular AccessControlContext instance.

The method checkPermission behaves according to the value of the JAAS mode (see JAAS mode in Section 21.1, Configuring the Servlet Filter and the EJB Interceptor), as listed in Table 20–2.

Important Note 1: Authorization failures are not visible, by default, in the console. To have authorization failures sent to the console you must set the system variable jps.auth.debug as follows:

    -Djps.auth.debug=true

In particular, to have JpsAuth.checkPermission failures sent to the console, you must set the variable as above.

Important Note 2: The OPSS policy provider must be explicitly set in Java SE applications, as illustrated in the following snippet:

    java.security.Policy.setPolicy(new oracle.security.jps.internal.policystore.JavaProvider());

Not setting the policy provider explicitly in a Java SE application may cause runtime methods such as JpsAuth.checkPermission to return incorrect values.

Table 20–2 Behavior of checkPermission According to JAAS Mode

JAAS Mode Setting   checkPermission
off or undefined    Enforces code-based security based on the security policy in effect, and there is no provision for subject-based security.
doAs                Enforces a combination of code-based and subject-based security using the access control context created through the doAs block.
doAsPrivileged      Enforces subject-based security using a null access control context.
subjectOnly         Takes into consideration grants involving principals only and it disregards those involving codebase when evaluating a permission.

Note: If checkPermission is called inside a doAs block and the check permission call fails, to display the failed protection domain you must set the system property java.security.debug=access,failure.

The following example illustrates a servlet checking a permission. It is assumed that the EAR file packing the servlet includes the configuration files jazn-data.xml and web.xml.

jazn-data.xml

The application file-based policy store is as follows:

    <?xml version="1.0" ?>
    <jazn-data>
      <policy-store>
        <applications>
          <application>
            <name>MyApp</name>
            <app-roles>
              <app-role>
                <name>AppRole</name>
                <display-name>AppRole display name</display-name>
                <description>AppRole description</description>
                <guid>F5494E409CFB11DEBFEBC11296284F58</guid>
                <class>oracle.security.jps.service.policystore.ApplicationRole</class>
              </app-role>
            </app-roles>
            <role-categories>
              <role-category>
                <name>MyAppRoleCategory</name>
                <display-name>MyAppRoleCategory display name</display-name>
                <description>MyAppRoleCategory description</description>
              </role-category>
            </role-categories>
            <resource-types>
              <resource-type>
                <name>MyResourceType</name>
                <display-name>MyResourceType display name</display-name>
                <description>MyResourceType description</description>
                <provider-name>MyResourceType provider</provider-name>
                <matcher-class>oracle.security.jps.ResourcePermission</matcher-class>
                <actions-delimiter>,</actions-delimiter>
                <actions>write,read</actions>
              </resource-type>
            </resource-types>
            <resources>
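The guide's own servlet code is not reproduced on this page, so the following servlet is an added example and not Oracle's code. It checks a ResourcePermission against the resource type MyResourceType declared in the jazn-data.xml above, using the JpsAuth.checkPermission variant the guide recommends, and converts the AccessControlException raised on denial into an HTTP 403 rather than letting it propagate as a server error. The resource name "report42", the servlet class name and the split of read versus write actions are assumptions for illustration; the example also assumes the JpsFilter from web.xml has run with a JAAS mode (doAs, doAsPrivileged or subjectOnly) under which the request's subject is considered.

```java
import java.io.IOException;
import java.security.AccessControlException;
import java.security.Permission;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import oracle.security.jps.ResourcePermission;
import oracle.security.jps.util.JpsAuth;

/**
 * Added example (not Oracle's code): a servlet that enforces the "read" and
 * "write" actions of MyResourceType before serving a resource.
 */
public class ReportServlet extends HttpServlet {

    // Must match <name> of the <resource-type> in jazn-data.xml, whose
    // <matcher-class> is oracle.security.jps.ResourcePermission.
    private static final String RESOURCE_TYPE = "MyResourceType";

    // Assumed resource name for illustration; a real application would derive
    // it from the request after validating it.
    private static final String REPORT = "report42";

    /**
     * Returns true only when the current subject holds 'action' on the named
     * resource. JpsAuth.checkPermission throws AccessControlException on
     * denial; with -Djps.auth.debug=true the reason is written to the console.
     */
    static boolean isAllowed(String resourceName, String action) {
        Permission p = new ResourcePermission(RESOURCE_TYPE, resourceName, action);
        try {
            JpsAuth.checkPermission(p);
            return true;
        } catch (AccessControlException denied) {
            return false;
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Reading requires the "read" action declared in <actions>write,read</actions>.
        if (!isAllowed(REPORT, "read")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("read granted on " + REPORT);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Writing is checked separately: holding "read" does not imply "write".
        if (!isAllowed(REPORT, "write")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("write granted on " + REPORT);
    }
}
```

Catching AccessControlException at the servlet boundary keeps the denial a normal authorization outcome (403) and leaves the diagnostic output where the guide says it belongs, on the console under jps.auth.debug, instead of in an error page returned to the caller.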