
Oracle Fusion Middleware Application Security Guide: The OPSS Policy Model

Table 20–2 (Cont.) Behavior of checkPermission According to JAAS Mode

JAAS Mode Setting    checkPermission
subjectOnly          Takes into consideration grants involving principals only and it disregards those involving codebase when evaluating a permission.

Note: If checkPermission is called inside a doAs block and the check permission call fails, to display the failed protection domain you must set the system property java.security.debug=access,failure.

The following example illustrates a servlet checking a permission. It is assumed that the EAR file packing the servlet includes the configuration files jazn-data.xml and web.xml.

jazn-data.xml

The application file-based policy store is as follows:

    <?xml version="1.0" ?>
    <jazn-data>
      <policy-store>
        <applications>
          <application>
            <name>MyApp</name>
            <app-roles>
              <app-role>
                <name>AppRole</name>
                <display-name>AppRole display name</display-name>
                <description>AppRole description</description>
                <guid>F5494E409CFB11DEBFEBC11296284F58</guid>
                <class>oracle.security.jps.service.policystore.ApplicationRole</class>
              </app-role>
            </app-roles>
            <role-categories>
              <role-category>
                <name>MyAppRoleCategory</name>
                <display-name>MyAppRoleCategory display name</display-name>
                <description>MyAppRoleCategory description</description>
              </role-category>
            </role-categories>
            <resource-types>
              <resource-type>
                <name>MyResourceType</name>
                <display-name>MyResourceType display name</display-name>
                <description>MyResourceType description</description>
                <provider-name>MyResourceType provider</provider-name>
                <matcher-class>oracle.security.jps.ResourcePermission</matcher-class>
                <actions-delimiter>,</actions-delimiter>
                <actions>write,read</actions>
              </resource-type>
            </resource-types>
            <resources>
              <resource>
                <name>MyResource</name>
                <display-name>MyResource display name</display-name>
                <description>MyResource description</description>
                <type-name-ref>MyResourceType</type-name-ref>
              </resource>
            </resources>
            <permission-sets>
              <permission-set>
                <name>MyEntitlement</name>
                <display-name>MyEntitlement display name</display-name>
                <description>MyEntitlement description</description>
                <member-resources>
                  <member-resource>
                    <type-name-ref>MyResourceType</type-name-ref>
                    <resource-name>MyResource</resource-name>
                    <actions>write</actions>
                  </member-resource>
                </member-resources>
              </permission-set>
            </permission-sets>
            <jazn-policy>
              <grant>
                <grantee>
                  <principals>
                    <principal>
                      <class>oracle.security.jps.service.policystore.ApplicationRole</class>
                      <name>AppRole</name>
                      <guid>F5494E409CFB11DEBFEBC11296284F58</guid>
                    </principal>
                  </principals>
                </grantee>
                <!-- entitlement-based permissions -->
                <permission-set-refs>
                  <permission-set-ref>
                    <name>MyEntitlement</name>
                  </permission-set-ref>
                </permission-set-refs>
              </grant>
            </jazn-policy>
          </application>
        </applications>
      </policy-store>
      <jazn-policy></jazn-policy>
    </jazn-data>

web.xml

The filter JpsFilter is configured as follows:

    <web-app>
      <display-name>PolicyTest: PolicyServlet</display-name>
      <filter>
        <filter-name>JpsFilter</filter-name>
        <filter-class>oracle.security.jps.ee.http.JpsFilter</filter-class>
        <init-param>
          <param-name>application.name</param-name>
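
The following Python script is an added example, not code from the Oracle guide. It audits a jazn-data.xml file-based policy store like the one above by resolving each grant through its permission-set references to concrete (application, principal, resource type, resource, action) tuples, and it reports references to undefined permission sets and actions the resource type does not declare. The function name effective_grants and the sample policy (a trimmed copy of MyApp with an extra reference named Missing) are constructed for illustration; only entitlement-based grants are resolved.

```python
import xml.etree.ElementTree as ET

# Constructed sample: trimmed copy of the MyApp policy, plus one deliberately
# dangling permission-set-ref ("Missing") to exercise the failure case.
SAMPLE = """<jazn-data><policy-store><applications><application>
<name>MyApp</name>
<resource-types><resource-type><name>MyResourceType</name>
  <actions-delimiter>,</actions-delimiter><actions>write,read</actions>
</resource-type></resource-types>
<permission-sets><permission-set><name>MyEntitlement</name>
  <member-resources><member-resource>
    <type-name-ref>MyResourceType</type-name-ref>
    <resource-name>MyResource</resource-name><actions>write</actions>
  </member-resource></member-resources>
</permission-set></permission-sets>
<jazn-policy><grant>
  <grantee><principals><principal><name>AppRole</name></principal></principals></grantee>
  <permission-set-refs>
    <permission-set-ref><name>MyEntitlement</name></permission-set-ref>
    <permission-set-ref><name>Missing</name></permission-set-ref>
  </permission-set-refs></grant></jazn-policy>
</application></applications></policy-store></jazn-data>"""


def effective_grants(xml_text):
    """Resolve grants to (app, principal, type, resource, action) plus problems."""
    grants, problems = [], []
    for app in ET.fromstring(xml_text).iter("application"):
        app_name = app.findtext("name")
        types = {}  # resource type -> (delimiter, declared actions)
        for rt in app.iter("resource-type"):
            delim = rt.findtext("actions-delimiter") or ","
            types[rt.findtext("name")] = (delim, set(rt.findtext("actions", "").split(delim)))
        sets = {ps.findtext("name"): ps for ps in app.iter("permission-set")}
        for grant in app.iter("grant"):
            who = [p.findtext("name") for p in grant.iter("principal")]
            for ref in grant.iter("permission-set-ref"):
                ps = sets.get(ref.findtext("name"))
                if ps is None:
                    problems.append(f"{app_name}: no permission-set {ref.findtext('name')}")
                    continue
                for m in ps.iter("member-resource"):
                    rtype, res = m.findtext("type-name-ref"), m.findtext("resource-name")
                    delim, declared = types.get(rtype, (",", set()))
                    for action in m.findtext("actions", "").split(delim):
                        if action not in declared:
                            problems.append(f"{app_name}: {rtype} does not declare {action}")
                        grants += [(app_name, p, rtype, res, action) for p in who]
    return grants, problems
```

On the sample, AppRole resolves to write on MyResource only: the resource type declares read as well, but the entitlement never grants it.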