
Debugging Policies

This document describes how to configure an SSM instance's logs to record debugging-level events related to authentication, role mapping, and authorization.

Overview

When policy outcomes differ from what you expect, enable policy debugging so that the SSM's logs capture every event related to a policy decision. The logged information includes policy-related details such as failed authentications, missing group memberships, and incorrect role assignments.

Caution: SSM performance can be severely degraded while debug flags are enabled. In production environments, turn on debug flags only when necessary, and turn them off again once troubleshooting is complete.

Enabling Policy Debugging

Policy debugging is enabled by changing settings in the SSM instance's log4j.properties file. To do this:

  1. In the SSM instance's config directory, open log4j.properties in an editor.
  2. To turn on authentication debugging, uncomment the following line:

         log4j.logger.com.bea.security.providers.authentication = DEBUG

  3. To turn on role mapping and authorization debugging, uncomment the following lines:

         log4j.logger.com.bea.security.providers.rolemapper = DEBUG
         log4j.logger.com.bea.security.providers.authorization = DEBUG
         log4j.logger.com.wles.util.DebugStore=DEBUG

  4. Restart the SSM so that the new logging levels take effect.
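The edit described in the procedure above can be scripted, and, more importantly given the Caution above, audited afterwards so that no instance is left running with the debug loggers on. The following Python is an added example, not part of the original documentation or of the product: it rewrites the four logger lines named in the procedure inside a log4j.properties text and reports which policy-debug loggers are currently active. The logger names are the ones from the procedure; SAMPLE_LOG4J is a constructed stand-in for an instance's config/log4j.properties, and the parsing assumes the ordinary log4j "key = LEVEL[, appenders]" line layout. Restarting the SSM after writing the file is still required.

```python
"""Toggle and audit the SSM policy-debug loggers in log4j.properties.

Added example, not part of the original documentation. The logger names come
from the procedure above; SAMPLE_LOG4J is a constructed stand-in for an
instance's config/log4j.properties. Restart the SSM after writing the file."""
import re
from pathlib import Path

AUTHN_LOGGERS = ("log4j.logger.com.bea.security.providers.authentication",)
ATZ_LOGGERS = (
    "log4j.logger.com.bea.security.providers.rolemapper",
    "log4j.logger.com.bea.security.providers.authorization",
    "log4j.logger.com.wles.util.DebugStore",
)
POLICY_DEBUG_LOGGERS = AUTHN_LOGGERS + ATZ_LOGGERS

# One "key = LEVEL[, appenders]" logger line, optionally commented out with '#'.
_LINE_RE = re.compile(
    r"^(?P<comment>\s*#\s*)?\s*(?P<key>log4j\.logger\.[\w.]+)\s*=\s*(?P<level>\w+)(?P<rest>.*)$"
)


def set_policy_debug(text, enable):
    """Return the properties text with the policy-debug loggers uncommented and
    set to DEBUG (enable=True) or commented out (enable=False). Every other line,
    including the root logger and appender settings, is preserved unchanged."""
    out, seen = [], set()
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m or m.group("key") not in POLICY_DEBUG_LOGGERS:
            out.append(line)
            continue
        seen.add(m.group("key"))
        if enable:
            out.append(f"{m.group('key')} = DEBUG{m.group('rest')}")
        elif m.group("comment"):
            out.append(line)                 # already commented out
        else:
            out.append("# " + line.strip())
    if enable:
        for key in POLICY_DEBUG_LOGGERS:     # add loggers the file does not mention at all
            if key not in seen:
                out.append(f"{key} = DEBUG")
    return "\n".join(out) + "\n"


def active_debug_loggers(text):
    """Policy-debug loggers that are uncommented and at DEBUG. In production this
    list should be empty once troubleshooting is over (see the Caution above)."""
    active = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if (m and not m.group("comment") and m.group("key") in POLICY_DEBUG_LOGGERS
                and m.group("level").upper() == "DEBUG"):
            active.append(m.group("key"))
    return active


def update_file(path, enable):
    """Rewrite an instance's log4j.properties in place and return what is active."""
    p = Path(path)
    p.write_text(set_policy_debug(p.read_text(), enable))
    return active_debug_loggers(p.read_text())


# Constructed sample: the loggers are present but commented out, as the
# procedure's "uncomment the following line" implies.
SAMPLE_LOG4J = """\
log4j.rootLogger=INFO, A1
log4j.appender.A1=org.apache.log4j.ConsoleAppender
# log4j.logger.com.bea.security.providers.authentication = DEBUG
# log4j.logger.com.bea.security.providers.rolemapper = DEBUG
# log4j.logger.com.bea.security.providers.authorization = DEBUG
#log4j.logger.com.wles.util.DebugStore=DEBUG
"""

if __name__ == "__main__":
    enabled = set_policy_debug(SAMPLE_LOG4J, True)
    print(enabled)
    print("active:", active_debug_loggers(enabled))
    print("active after disabling:", active_debug_loggers(set_policy_debug(enabled, False)))
```

Point update_file() at an instance's config/log4j.properties with enable=True before troubleshooting and enable=False afterwards; active_debug_loggers() run over every instance's file is a cheap production check that the Caution above has been honoured.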

Event Logs

This section describes common policy-related events that are captured once policy debugging is enabled.

Authentication

For authentication events, check for the events shown in Table 10-1:

Table 10-1 Authentication Events

Usernames
    Usernames should match those supplied to the SSM. Usernames are logged as follows:
        DBMSAtnLoginModuleImpl - Login username: <username>

Identity Directory
    Check that the identity directory name is correct. Directory names are logged as follows:
        DefaultDBMSPluginImpl - Formatted User: //user/<directory>/<username>/

Authentications
    The following message indicates a successful authentication:
        DBMSAtnLoginModuleImpl - Authenticated User <username>

Groups
    The following message lists a user's group memberships:
        odbms.DBMSAtnLoginModuleImpl - Groups Found: <list-of-groups>

Role Mapping

For role mapping events, check for the events shown in Table 10-2:

Table 10-2 Role Mapping Events

Roles
    The following entry marks the entry point for role evaluation. <username> is the user name supplied to the application and <resource> is the name of the queried resource:
        BoolEvaluator - Query roles entered for //user/asi/<username>/://app/policy/<resource>

Role Policies
    Make sure all relevant policies are evaluated. The following is a sample logged event:
        BoolEvaluator - evaluateGrantDenyRoles:
        evalute grant policy: 3600:grant
        (//role/<role>,//app/policy/<resource>,
        //user/<username>/)

Constraint Evaluations
    The following is a sample message indicating a constraint evaluation:
        BoolEvaluator - constraint evaluation result is: true

Roles Granted
    The following is a sample message indicating a role assignment:
        BoolEvaluator - Role //role/<role> was granted

Authorization

For authorization events, check for the events shown in Table 10-3:

Table 10-3 Authorization Events

Authorization
    The following entry identifies the authorization policy being evaluated:
        BoolEvaluator - evaluateRuleArray():
        Evaluate policy: 3401:grant
        (//priv/buy,//app/policy/javaapi_app/store/book,
        //role/borrower)

Constraint Evaluations
    The following is a sample message indicating a constraint evaluation:
        BoolEvaluator-constraint evaluation result: true

Authorization Decisions
    The following is a sample message indicating the result of the authorization policy evaluation:
        BoolEvaluator - authEvalWorker:
        evalute with roles return GRANT
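The checks that Tables 10-1 to 10-3 ask the reader to make by eye can be applied mechanically to a captured log. The following Python is an added example, not part of the original documentation or of the product: it re-joins the BoolEvaluator messages that span several lines, extracts the username, identity directory, groups, queried resource, evaluated policy ids, granted roles and final decision for one request, and flags the usual causes of an unexpected outcome (no "Authenticated User" entry, no groups, no role granted, a constraint evaluating false, a DENY). The message bodies follow the tables above; the log4j prefix on each line, the layout of the list after "Groups Found:", and both sample logs are constructed assumptions.

```python
"""Summarize an SSM policy-debug log into one PolicyTrace per request. Added example, not from the
original page: formats mirror Tables 10-1 to 10-3; the log4j prefix and sample lines are constructed."""
import re
from dataclasses import dataclass, field

@dataclass
class PolicyTrace:
    username: str = None
    directory: str = None
    authenticated: bool = False
    groups: list = field(default_factory=list)
    resource: str = None
    role_policies: list = field(default_factory=list)  # ids such as "3600:grant"
    roles_granted: list = field(default_factory=list)
    atz_policies: list = field(default_factory=list)   # ids such as "3401:grant"
    constraints_false: int = 0
    decision: str = None                               # GRANT or DENY
    problems: list = field(default_factory=list)

# Formats from the tables; search() skips the log4j prefix and category prefixes such as "odbms.".
PAT = {
    "login": re.compile(r"DBMSAtnLoginModuleImpl - Login username: (\S+)"),
    "formatted": re.compile(r"DefaultDBMSPluginImpl - Formatted User: //user/([^/]+)/[^/]+/"),
    "authenticated": re.compile(r"DBMSAtnLoginModuleImpl - Authenticated User (\S+)"),
    "groups": re.compile(r"DBMSAtnLoginModuleImpl - Groups Found: (.*)$"),
    "query_roles": re.compile(r"Query roles entered for //user/[^/]+/[^/]+/:(//app/policy/\S+)"),
    "role_policy": re.compile(r"evaluateGrantDenyRoles: evalute grant policy: (\d+:\w+)"),
    "constraint": re.compile(r"constraint evaluation result(?: is)?: (true|false)"),
    "role_granted": re.compile(r"Role (//role/\S+) was granted"),
    "atz_policy": re.compile(r"evaluateRuleArray\(\): Evaluate policy: (\d+:\w+)"),
    "decision": re.compile(r"authEvalWorker: evalute with roles return (GRANT|DENY)"),
}
_RECORD_START = re.compile(r"^\S.*\b(?:DBMSAtnLoginModuleImpl|DefaultDBMSPluginImpl|BoolEvaluator)\b")

def join_records(lines):
    """Re-join messages written across several lines (evaluateGrantDenyRoles, evaluateRuleArray)."""
    records = []
    for line in lines:
        if _RECORD_START.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return [re.sub(r"\s+", " ", r) for r in records if r]

def parse_policy_trace(text):
    t = PolicyTrace()
    for rec in join_records(text.splitlines()):
        if m := PAT["login"].search(rec):
            t.username = m.group(1)
        elif m := PAT["formatted"].search(rec):
            t.directory = m.group(1)
        elif PAT["authenticated"].search(rec):
            t.authenticated = True
        elif m := PAT["groups"].search(rec):
            t.groups = [g.strip() for g in m.group(1).split(",") if g.strip()]
        elif m := PAT["query_roles"].search(rec):
            t.resource = m.group(1)
        elif m := PAT["role_policy"].search(rec):
            t.role_policies.append(m.group(1))
        elif m := PAT["constraint"].search(rec):
            t.constraints_false += int(m.group(1) == "false")
        elif m := PAT["role_granted"].search(rec):
            t.roles_granted.append(m.group(1))
        elif m := PAT["atz_policy"].search(rec):
            t.atz_policies.append(m.group(1))
        elif m := PAT["decision"].search(rec):
            t.decision = m.group(1)
    # The checks the tables ask the reader to make, applied automatically.
    if t.username and not t.authenticated:
        t.problems.append(f"no 'Authenticated User' entry for {t.username}")
    if t.authenticated and not t.groups:
        t.problems.append("no group memberships found")
    if t.resource and not t.roles_granted:
        t.problems.append(f"no role granted for {t.resource}")
    if t.constraints_false:
        t.problems.append(f"{t.constraints_false} constraint(s) evaluated false")
    if t.decision == "DENY":
        t.problems.append("authorization returned DENY")
    return t

# Constructed sample: one request that is granted end to end.
SAMPLE_GRANT = """\
2009-03-02 10:15:01,101 DEBUG DBMSAtnLoginModuleImpl - Login username: jsmith
2009-03-02 10:15:01,102 DEBUG DefaultDBMSPluginImpl - Formatted User: //user/asi/jsmith/
2009-03-02 10:15:01,140 DEBUG DBMSAtnLoginModuleImpl - Authenticated User jsmith
2009-03-02 10:15:01,141 DEBUG odbms.DBMSAtnLoginModuleImpl - Groups Found: //sgrp/asi/allusers/, //sgrp/asi/borrowers/
2009-03-02 10:15:01,200 DEBUG BoolEvaluator - Query roles entered for //user/asi/jsmith/://app/policy/javaapi_app/store/book
2009-03-02 10:15:01,201 DEBUG BoolEvaluator - evaluateGrantDenyRoles:
    evalute grant policy: 3600:grant
    (//role/borrower,//app/policy/javaapi_app/store/book,
    //user/asi/jsmith/)
2009-03-02 10:15:01,202 DEBUG BoolEvaluator - constraint evaluation result is: true
2009-03-02 10:15:01,203 DEBUG BoolEvaluator - Role //role/borrower was granted
2009-03-02 10:15:01,210 DEBUG BoolEvaluator - evaluateRuleArray(): Evaluate policy: 3401:grant (//priv/buy,//app/policy/javaapi_app/store/book,//role/borrower)
2009-03-02 10:15:01,212 DEBUG BoolEvaluator - authEvalWorker: evalute with roles return GRANT
"""
# Constructed failure mode: the role constraint is false, so no role is granted and the result is DENY.
SAMPLE_DENY = ("\n".join(l for l in SAMPLE_GRANT.splitlines() if "was granted" not in l)
               .replace("result is: true", "result is: false").replace("return GRANT", "return DENY"))
```

Call parse_policy_trace() on the text of one request's entries from a log captured with the debug loggers on; for a long log, split it per request first, since each call summarizes a single evaluation. The problems list is empty for a clean grant, and for the DENY sample it names the missing role, the failed constraint and the final decision, which is the order in which Tables 10-1 to 10-3 tell you to look.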

Sample Log Messages

With policy debugging enabled, the SSM also logs a summary of each policy evaluation in the following form (placeholders are shown in angle brackets):

========== Policy Evaluation Info ==========
RequestResource is: //app/policy/<resource>
UserInfo:
      Name: //user/<identity-directory>/<user-name>
      Groups: //sgrp/<identity-directory>/<group-name>

Resource Present: true
Roles Granted: //role/<granted-roles>

Role Mapping Policies:
1. Result: true; Policy Type: grant
    Role: //role/<requested-role>
    Resource: //app/policy/<resource>
    Subject: //user/<identity-directory>/<user-name>
    Constraints: (some-variable = "some-value")
    Evaluated Attributes and Functions:
        some-variable(identity) = some-value

ATZ Policies:
1. Result: true; Policy Type: grant
    Privilege: //priv/<requested-privilege>
    Resource: //app/policy/<resource>
    Subject: //role/<granted-role>
    Constraints: NONE

========== Policy Evaluation Info ==========

Debug API for Java-SSM

The following two API calls are available in the Java-SSM only. To enable policy debugging for them, open BEA_HOME/ales30-ssm/java-ssm/<instancename>/jssm/config/WLESarme.properties in an editor and set the following:

SsmPolicyTrace=true

Note: Enabling this setting weakens security, because OES policy evaluations become visible to Java programs using the SSM. For example, a malicious Java program could make the _Debug() calls to learn which policies protect a resource and how they are evaluated. Set SsmPolicyTrace back to false when troubleshooting is complete.

To capture debugging data:

  1. Create a DebugInfo object:

         DebugInfo debugInfo = new DebugInfo();

  2. Call getRoles_Debug() to obtain the role assignments:

         getRoles_Debug(AuthenticIdentity ident, RuntimeResource resource, RuntimeAction action, AppContext context, DebugInfo debugInfo)

  3. Call isAccessAllowed_Debug() to obtain information about the policies used to reach the decision:

         isAccessAllowed_Debug(AuthenticIdentity ident, RuntimeResource resource, RuntimeAction action, AppContext context, DebugInfo debugInfo)

  4. Print the DebugInfo object to the console:

         System.out.println(debugInfo.toString());

For further information, see the sample provided in the BEA_HOME/ales32-ssm/java-ssm/examples/JavaAPIExample directory.

