Debugging Policies

This document desscribes how to set an SSM instance’s logs to record debugging-level events having to do with authentication, role mapping, and authorization.

Overview

When policy outcomes are other than expected, it may be useful to enable policy debugging so that the SSM’s logs will capture all events related to policy decisions. The logged information may policy-related details, such as failed authentications, missing group memberships, incorrect role assignments, and others.

Enabling Policy Debugging

Policy debugging is enabled by changing settings in the SSM instance’s log4j.properties files. To do this:

In the SSM instance’s config directory, open log4j.properties in an editor.
To turn on authentication debugging, uncomment the following line:

log4j.logger.com.bea.security.providers.authentication = DEBUG

To turn on role mapping and authorization debugging, uncomment the following lines:

log4j.logger.com.bea.security.providers.rolemapper = DEBUG log4j.logger.com.bea.security.providers.authorization = DEBUG log4j.logger.com.wles.util.DebugStore=DEBUG

Restart the SSM.

Event Logs

This section describes common policy-related events that may be captured when in debugging mode.

Authentication

Table 10-1 Authentication Events
Event	Description
Usernames	Usernames should match those supplied to the SSM. Usernames are logged as follows: `DBMSAtnLoginModuleImpl - Login username: <username>`
Identity Directory	Check that the identity directory name is correct. Directory names are logged as follows: `DefaultDBMSPluginImpl - Formatted User: //user/<directory>/<username>/`
Authentications	The following message indicates a successful authentication: `DBMSAtnLoginModuleImpl - Authenticated User <username>`
Groups	The following message indicates a user’s group memberships: `odbms.DBMSAtnLoginModuleImpl - Groups Found: <list-of-groups>`

Role Mapping

Table 10-2 Role Mapping Events
Event	Description
Roles	The following entry denotes the entry point for evaluating the roles. <`username`> is the user name supplied to the application and <`resource`> is the name of the queried resource. `BoolEvaluator - Query roles entered for //user/asi/<username>/://app/policy/<`resource`>`
Role Policies	Make sure all relevant policies are evaluated. The following is a sample logged event: `BoolEvaluator - evaluateGrantDenyRoles: evalute grant policy: 3600:grant (//role/<role>,//app/policy/<resource>, //user/<`username`>/)`
Constraint Evaluations	The following is a sample message indicating a constraint evaluation: `BoolEvaluator - constraint evaluation result is: true`
Roles Granted	The following is a sample message indicating a role assignment: `BoolEvaluator - Role //role/<role> was granted`

Authorization

Table 10-3 Authorization Events
Event	Description
Authorization	The following entry indicates the authorization policy evaluated: `BoolEvaluator - evaluateRuleArray(): Evaluate policy: 3401:grant (//priv/buy,//app/policy/javaapi_app/store/book, //role/borrower)`
Constraint Evaluations	The following is a sample message indicating a constraint evaluation: `BoolEvaluator-constraint evaluation result: true`
Roles Granted	The following is a sample message indicating a authorization policy evaluation: `BoolEvaluator - authEvalWorker: evalute with roles return GRANT`

Sample Log Messages

                        ========== Policy Evaluation Info ==========
            RequestResource is: //app/policy/<resource>
            UserInfo:
                  Name: //user/<identity-directory>/<user-name>
                  Groups: //sgrp/<identity-directory>/<group-name>

            Resource Present: true
            Roles Granted: //role/<granted-roles>

            Role Mapping Policies:
            1. Result: true; Policy Type: grant
                Role: //role/<requested-role>
                Resource: //app/policy/<resource>
                Subject: //user/<identity-directory>/<user-name>
                Constraints: (some-variable = "some-value")
                Evaluated Attributes and Functions:
                                some-variable(identity) = some-value

            ATZ Policies:
            1. Result: true; Policy Type: grant
                Privilege: //priv/<requested-privilege>
                Resource: //app/policy/<resource>
                Subject: //role/<granted-role>
                Constraints: NONE

                        ========== Policy Evaluation Info ==========

Debug API for Java-SSM

The following 2 API calls are specific to Java-SSM only. To enable policy debugging, open BEA_HOME/ales30-ssm/java-ssm/<instancename>/jssm/config/WLESarme.properties in an editor and set the following:

Create a DebugInfo object as follows:

DebugInfo debugInfo = new DebugInfo();

Call getRoles_Debug() to obtain role assignments, as follows:

getRoles_Debug(AuthenticIdentity ident, RuntimeResource resource, RuntimeAction action, AppContext context, DebugInfo debugInfo)

Call isAccessAllowed_Debug() to obtain information about the policies used to reach a decision, as follows:

isAccessAllowed_Debug(AuthenticIdentity ident, RuntimeResource resource, RuntimeAction action, AppContext context, DebugInfo debugInfo)

Print the DebugInfo object to console:

System.out.println(debugInfo.toString());

For further information, see the sample provided in the BEA_Home/ales32-ssm/java-ssm/examples/JavaAPIExample directory.

Knowledgebase