Policy-Based Resource Management AM 6.3X
I am having some issues getting Policy-Based Resource Management working.
I have an AM 6.3X setup here in our dev env. <2005 q1>
I have a 2.2 j2ee agent installed on Sun Appserver 8.1
I am trying to get a url policy scheme setup to
1) force an already authenticated user to auth using another auth module before being allowed access to a resource.
2) Allow the same user to navigate back to other protected resources not covered by the policy.
We have three types of users
1) Unauthenticated: these folks need to have access to parts of the application.
2) LDAP-authenticated users: these folks need to have access to all of the unauth spaces and the LDAP-protected spaces; additionally, if they are able to auth to the certificate-protected space they need access to those.
3) Users that access the cert-protected resource directly, thereby bypassing LDAP auth.
I am trying to set this up but I am running into issues.
I have a small application with a few directories in it.
I am using a 2.2 j2ee agent.
/sample/ldappages
/sample/certpages
/sample/index.html
my filter in web.xml is *
I have my not enforced list set to /sample/index.html so it is viewable by the world.
I have my agent configured to use /amserver/gateway for the login URL, and it is set up for mode URL_POLICY.
I have one policy for http://myhost.com:8080/sample/certpages/*
that is for authenticated users with an authlevel of 4
So I can start a browser and go to /sample/index.html and see it without auth.
I can then try to access /sample/certpages/ and get prompted for auth and then see the resource.
When I go to /sample/ldappages, though, I get a forbidden error.
When I start a new browser and try to go to ldappages I get an exception... I am guessing because it has no policy for those pages.
So I am making another policy for those pages, this one with an LE authlevel of 4, which coincides with the cert module and will also match 1, which is the LDAP module.
So now I can access the index unauthed, get prompted for auth on the certpages, and after successful auth I cannot access the ldappages; as a matter of fact I get an exception:
java.lang.NullPointerException com.sun.identity.policy.util.Gateway.getOrgNameFromAdvice(Gateway.java:391)
I think I am missing something basic here. Can you help maybe?
This is all the admin guide has on this:
Policy-Based Resource Management
Some organizations require an advanced authentication scenario where a user
authenticates against a particular module based on the resource that they are
attempting to access. Policy-based resource management is a function of Access
Manager in which the user does not need to pass their default authentication
module in order to access a web resource.
Limitations
Policy-based resource management contains the following limitations:
1. All policies applicable to the resource require the same authentication scheme
or level of authentication. For example, if abc.html is defined in a policy for the
LDAP authentication module, it can not be defined in a policy for the
Certificate-based authentication module.
2. Level and scheme are the only conditions that can be defined for this policy.
3. This feature does not work across different DNS domains.
To Configure Policy-based Resource Management
Once both Access Manager and a policy agent have been installed, policy-based
resource management can be configured. To do this, it is necessary to point Access
Manager to the Gateway servlet.
1. Open AMAgent.properties.
AMAgent.properties can be found (in a Solaris environment) in
/etc/opt//SUNWam/agents/config/.
2. Comment out the following line:
#com.sun.am.policy.am.loginURL = http://identity_server_host.domain_name:port/amserver/UI/Login
3. Add the following line to the file:
com.sun.am.policy.am.loginURL = http://identity_server_host.domain_name:port/amserver/gateway
4. Restart the agent.
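The AMAgent.properties change in the procedure above, done as an added Python example (not the guide's or the agent's own code) on a constructed file excerpt: it comments out the UI/Login value, adds the gateway value, and checks that exactly one uncommented loginURL remains before the agent is restarted. The only property name it uses is the com.sun.am.policy.am.loginURL key the guide quotes; treating `!` as a second comment prefix follows Java properties syntax and is an assumption about the agent file.

```python
"""Apply steps 2-4 of the guide's AMAgent.properties change and verify the result.
Constructed example; the only property name used is the one the guide quotes."""
import re
from typing import List

LOGIN_URL_KEY = "com.sun.am.policy.am.loginURL"
GATEWAY_URL = "http://identity_server_host.domain_name:port/amserver/gateway"

# Constructed excerpt of an AMAgent.properties file, not a real one; other
# properties are omitted rather than guessed.
SAMPLE_AMAGENT = """# ... other agent properties ...
com.sun.am.policy.am.loginURL = http://identity_server_host.domain_name:port/amserver/UI/Login
# ... other agent properties ...
"""

# key = value (or key : value); lines starting with '#' or '!' are comments (assumed
# Java properties syntax).
_ASSIGN = re.compile(r"^\s*([^#!=\s][^=:\s]*)\s*[=:]\s*(.*?)\s*$")


def active_values(text: str, key: str) -> List[str]:
    """Values of every uncommented assignment of `key`."""
    values = []
    for line in text.splitlines():
        m = _ASSIGN.match(line)
        if m and m.group(1) == key:
            values.append(m.group(2))
    return values


def point_login_url_at_gateway(text: str, gateway_url: str = GATEWAY_URL) -> str:
    """Comment out every active loginURL line (step 2) and add the gateway one (step 3).
    Idempotent: running it twice still leaves exactly one active loginURL."""
    out = []
    for line in text.splitlines():
        m = _ASSIGN.match(line)
        if m and m.group(1) == LOGIN_URL_KEY:
            if m.group(2) == gateway_url:
                continue                 # dropped here, re-added below, so one copy survives
            out.append("#" + line)       # keep the old value visible but inactive
        else:
            out.append(line)
    out.append(f"{LOGIN_URL_KEY} = {gateway_url}")
    return "\n".join(out) + "\n"


def uses_gateway(text: str) -> bool:
    """Check before restarting the agent (step 4): exactly one active loginURL,
    and it is the Gateway servlet rather than /amserver/UI/Login."""
    values = active_values(text, LOGIN_URL_KEY)
    return len(values) == 1 and values[0].rstrip("/").endswith("/amserver/gateway")


if __name__ == "__main__":
    print("before:", uses_gateway(SAMPLE_AMAGENT))
    updated = point_login_url_at_gateway(SAMPLE_AMAGENT)
    print(updated)
    print("after:", uses_gateway(updated))
```

The check matters because a second, still-active loginURL line (a leftover from an earlier edit, or the old line with only its first character changed) would leave the agent sending users to /amserver/UI/Login and the whole policy-based flow silently not engaged.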
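The policy matching the post describes, as an added example that is not part of the original post or of Access Manager itself. It models the post's cases (the not-enforced index page, the cert pages with an authlevel-4 condition, the LDAP pages with an LE authlevel-4 condition) under assumed, simplified decision rules: the not-enforced list is checked first, a request without a session is sent to login, a URL that no policy covers is denied, and an unsatisfied level condition yields step-up advice naming the required level. The `*` wildcard matching any run of characters is an assumption; the auth levels 1 (LDAP) and 4 (cert) and the host myhost.com:8080 are taken from the post. The conflict check at the end is the guide's Limitation 1 applied to its abc.html example. The model covers policy matching only and says nothing about the Gateway NullPointerException in the post.

```python
"""Toy model of the post's URL_POLICY setup (constructed example, not AM code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Auth levels as given in the post: the LDAP module is level 1, the cert module level 4.
LDAP_LEVEL = 1
CERT_LEVEL = 4


@dataclass(frozen=True)
class Policy:
    name: str
    resource: str    # AM resource name; '*' matches any run of characters (assumed)
    condition: str   # "AuthLevel" (session level >= level) or "LEAuthLevel" (session level <= level)
    level: int


def resource_matches(pattern: str, target: str) -> bool:
    """Match an AM-style resource pattern, treating each '*' as '.*'."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, target) is not None


def condition_satisfied(policy: Policy, session_level: int) -> bool:
    if policy.condition == "AuthLevel":
        return session_level >= policy.level
    if policy.condition == "LEAuthLevel":
        return session_level <= policy.level
    raise ValueError(f"unknown condition {policy.condition!r}")


def evaluate(url: str, session_level: Optional[int],
             not_enforced: List[str], policies: List[Policy]) -> str:
    """Assumed decision order: not-enforced list, then session check, then policies;
    a URL no policy covers is denied (default deny)."""
    path = re.sub(r"^[a-z]+://[^/]+", "", url)
    if any(resource_matches(p, path) for p in not_enforced):
        return "allow"
    if session_level is None:
        return "login"                      # agent redirects to the login URL
    matching = [p for p in policies if resource_matches(p.resource, url)]
    if not matching:
        return "deny"                       # the post's "forbidden" on /sample/ldappages
    if any(condition_satisfied(p, session_level) for p in matching):
        return "allow"
    p = matching[0]
    op = ">=" if p.condition == "AuthLevel" else "<="
    return f"step-up:{p.condition}{op}{p.level}"   # advice: authenticate at another level


def conflicting_resources(urls: List[str], policies: List[Policy]) -> Dict[str, List[str]]:
    """Limitation 1 check: a URL covered by policies with different auth conditions."""
    found = {}
    for url in urls:
        hits = [p for p in policies if resource_matches(p.resource, url)]
        if len({(p.condition, p.level) for p in hits}) > 1:
            found[url] = sorted(p.name for p in hits)
    return found


BASE = "http://myhost.com:8080"
NOT_ENFORCED = ["/sample/index.html"]
CERT_POLICY = Policy("certpages", BASE + "/sample/certpages/*", "AuthLevel", CERT_LEVEL)
LDAP_POLICY = Policy("ldappages", BASE + "/sample/ldappages/*", "LEAuthLevel", CERT_LEVEL)
POLICIES = [CERT_POLICY, LDAP_POLICY]

if __name__ == "__main__":
    for url, level, pols in [
        (BASE + "/sample/index.html", None, POLICIES),
        (BASE + "/sample/certpages/a.html", None, POLICIES),
        (BASE + "/sample/certpages/a.html", CERT_LEVEL, POLICIES),
        (BASE + "/sample/ldappages/a.html", CERT_LEVEL, [CERT_POLICY]),   # only the first policy
        (BASE + "/sample/ldappages/a.html", CERT_LEVEL, POLICIES),
        (BASE + "/sample/certpages/a.html", LDAP_LEVEL, POLICIES),
    ]:
        print(f"{url} level={level}: {evaluate(url, level, NOT_ENFORCED, pols)}")
    # The guide's abc.html example: two policies on one resource with different levels.
    abc = BASE + "/sample/abc.html"
    print(conflicting_resources([abc], POLICIES + [
        Policy("abc-ldap", abc, "AuthLevel", LDAP_LEVEL),
        Policy("abc-cert", abc, "AuthLevel", CERT_LEVEL)]))
```

With only the certpages policy defined, a cert-authenticated session asking for /sample/ldappages/ has no covering policy and is denied, which is the forbidden error the post describes; with the LE policy added, both a level-1 and a level-4 session satisfy it, and a level-1 session asking for the cert pages gets step-up advice for level 4 rather than a denial.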