Tuesday, September 17, 2013

OWSM policies: username is not preserved upon import of OSB project in Eclipse

I am not sure this restriction is documented. I have searched in Oracle Support and I could only find this:
Import Policies in OWSM 11g Using a User without Admin Rights (Doc ID 1208863.1)
"Is it possible to import policies in OWSM 11g using a User who does not have Administrative rights?"
"One potential option is to map the logical role "policy.Updater" defined in the WSM-PM EJB application to a group that the User belongs to.
By default, the logical role "policy.Updater" is mapped to the "Administrators" group."
but this refers to the user you use to log into sbconsole, not to the user you attach to a policy. See also http://docs.oracle.com/cd/E25178_01/web.1111/b32511/managing.htm#CEGHCGEB
We discovered that Eclipse doesn't import the access-control-policies tag, which is created when you edit the oracle/wss11_username_token_with_message_protection_service_policy in the Access Control tab:
  <ser:coreEntry isProxy="true" isEnabled="true" isTracingEnabled="true">
    <ser:security>
      <con5:inboundWss processWssHeader="false"/>
      <con5:access-control-policies>
        <con5:transport-level-policy xsi:type="con6:ProviderPolicyContainerType" xmlns:con6="http://www.bea.com/wli/sb/security/accesscontrol/config">
          <con6:policy provider-id="XACMLAuthorizer">
            <con6:policy-expression>Usr(pippo)|Usr(pluto)</con6:policy-expression>
          </con6:policy>
        </con5:transport-level-policy>
      </con5:access-control-policies>
    </ser:security>

The only workaround is to open the .proxy file with a text editor and PASTE manually the access-control-policies tag. It's a bit sad.
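Because the user list disappears silently, it helps to compare the .proxy files before and after the import. The following is an added example, not part of the original post or of any Oracle tooling: it matches elements by local name only, and the `ser` and `con5` namespace URIs, the proxy file name and the sample documents are constructed placeholders.

```python
import xml.etree.ElementTree as ET

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts in front of a tag name."""
    return tag.rsplit("}", 1)[-1]

def policy_expressions(proxy_xml):
    """Return sorted (provider-id, expression) pairs found under access-control-policies."""
    found = []
    for acp in ET.fromstring(proxy_xml).iter():
        if local(acp.tag) != "access-control-policies":
            continue
        for pol in acp.iter():
            if local(pol.tag) != "policy":
                continue
            for expr in pol.iter():
                if local(expr.tag) == "policy-expression":
                    found.append((pol.get("provider-id", ""), (expr.text or "").strip()))
    return sorted(found)

def lost_policies(exported, imported):
    """Map proxy name -> policies present in the export but missing after the import."""
    report = {}
    for name, xml_text in exported.items():
        before = policy_expressions(xml_text)
        after = policy_expressions(imported[name]) if name in imported else []
        missing = [p for p in before if p not in after]
        if missing:
            report[name] = missing
    return report

# Constructed sample data: namespace URIs for ser/con5 are placeholders.
HEAD = ('<ser:coreEntry xmlns:ser="urn:example:ser" xmlns:con5="urn:example:con5" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" isProxy="true">'
        '<ser:security><con5:inboundWss processWssHeader="false"/>')
ACP = ('<con5:access-control-policies>'
       '<con5:transport-level-policy xsi:type="con6:ProviderPolicyContainerType" '
       'xmlns:con6="http://www.bea.com/wli/sb/security/accesscontrol/config">'
       '<con6:policy provider-id="XACMLAuthorizer">'
       '<con6:policy-expression>Usr(pippo)|Usr(pluto)</con6:policy-expression>'
       '</con6:policy></con5:transport-level-policy></con5:access-control-policies>')
TAIL = '</ser:security></ser:coreEntry>'
EXPORTED = {"MyProxy.proxy": HEAD + ACP + TAIL}   # as exported from the server
IMPORTED = {"MyProxy.proxy": HEAD + TAIL}         # same proxy after the Eclipse import

if __name__ == "__main__":
    for name, missing in lost_policies(EXPORTED, IMPORTED).items():
        print(f"{name}: access control policy lost on import: {missing}")
```

In practice the two dictionaries would be filled by reading the .proxy files from the exported project and from the Eclipse workspace.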
