How Tos


Resource Discovery

The most challenging aspect of writing policy for an application is discovering all the application resources that must be secured. This process is greatly simplified by running the SSM in 'discovery' mode and then performing one or more user sessions that reflect actual use of the application. Based on the activities performed during the user session, ALES writes an initial policy set to files that can then be imported into ALES.

Note: Do not use discovery mode in a production environment. Use it only during development to create the initial security policy.

 


Enabling Discovery Mode

Resource discovery is enabled by setting the ASI Authorization and ASI Role Mapping providers to run in discovery mode. In this mode, these providers always return 'true' when evaluating user requests and generate the initial policy files based on those requests.

To enable discovery mode, modify the command line that starts the SSM by adding the following system properties:

com.bea.security.providers.authorization.asi.AuthorizationProviderImpl.discoverymode=true
com.bea.security.providers.authorization.asi.RoleProviderImpl.discoverymode=true

The system properties are set using the -D switch in the appropriate file. As an example, to enable resource discovery for the WLS SSM, add the following lines to the SSM’s set-wls-env.bat file:

set WLES_JAVA_OPTIONS=%WLES_JAVA_OPTIONS% -Dcom.bea.security.providers.authorization.asi.AuthorizationProviderImpl.discoverymode=true

set WLES_JAVA_OPTIONS=%WLES_JAVA_OPTIONS% -Dcom.bea.security.providers.authorization.asi.RoleProviderImpl.discoverymode=true

For each SSM, Table 9-1 indicates the name and location of the file that must be modified.

Table 9-1 Setting System Properties for Discovery Mode

| SSM Type | File Name | Default Location |
|---|---|---|
| Java | set-env.bat (.sh) | BEA_HOME\ales30-ssm\java-ssm\instance\<instancename>\bin |
| Web Services | wlesws.wrapper.conf | BEA_HOME\ales30-ssm\webservice-ssm\instance\<instancename>\config |
| WebLogic Server 8.1 | set-wls-env.bat (.sh) | BEA_HOME\ales30-ssm\wls8-ssm\instance\<instancename>\bin |
| WebLogic Server 9.x/10.x | set-wls-env.bat (.sh) | BEA_HOME\ales30-ssm\wls-ssm\instance\<instancename>\bin |
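
Because the providers return 'true' for every request while discovery mode is on, a leftover flag in a startup file disables authorization for that SSM. The following Python check is an added example, not part of the ALES documentation or product: it scans the startup files named in Table 9-1 for either property set to true. The function names and the sample file content are constructed for illustration.

```python
import re
from pathlib import Path

# File names from Table 9-1; the two property names are the ones shown above.
STARTUP_FILES = {"set-env.bat", "set-env.sh", "set-wls-env.bat",
                 "set-wls-env.sh", "wlesws.wrapper.conf"}
# Matched case-insensitively so that spelling variants are flagged as well.
FLAG = re.compile(
    r"com\.bea\.security\.providers\.authorization\.asi\."
    r"(AuthorizationProviderImpl|RoleProviderImpl)\.discoverymode\s*=\s*true\b",
    re.IGNORECASE)
# Comment prefixes for shell/.conf files (#) and batch files (::, REM, @REM).
COMMENT = re.compile(r"^\s*(#|::|@?rem\b)", re.IGNORECASE)


def find_discovery_flags(text):
    """Return (line_number, provider) for each active discoverymode=true setting."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        if COMMENT.match(line):
            continue  # a commented-out setting never reaches the JVM
        for match in FLAG.finditer(line):
            hits.append((number, match.group(1)))
    return hits


def scan_ssm_root(root):
    """Walk an SSM install directory and report startup files that enable discovery mode."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name.lower() in STARTUP_FILES:
            hits = find_discovery_flags(path.read_text(errors="replace"))
            if hits:
                findings[str(path)] = hits
    return findings


# Constructed sample of a set-wls-env.bat, not taken from a real installation.
SAMPLE = """\
@echo off
REM set WLES_JAVA_OPTIONS=%WLES_JAVA_OPTIONS% -Dcom.bea.security.providers.authorization.asi.AuthorizationProviderImpl.discoverymode=true
set WLES_JAVA_OPTIONS=%WLES_JAVA_OPTIONS% -Dcom.bea.security.providers.authorization.asi.RoleProviderImpl.discoverymode=true
"""

if __name__ == "__main__":
    for line_number, provider in find_discovery_flags(SAMPLE):
        print(f"line {line_number}: {provider} runs in discovery mode")
```

The check covers only the files listed in Table 9-1; a property passed to the JVM some other way is outside its view.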

 


Running in Discovery Mode

After enabling discovery mode as described in the previous section, start the secured application. Then perform a user session by logging in to the application, exercising requests for resources, and invoking application functions.

It is important to note that the generated files are meant to serve as a starting point for defining a policy set to fully secure the application. In particular, note the following:

When generating the files, user requests are transformed into a policy import format. Under this format, a request consists of four elements: Subject, Resource, Action, Attributes. Each element has different restrictions on the allowable character set. The providers automatically normalize any invalid characters to produce a valid entry. See Character Restrictions in Policy Data for further details.

 


Importing the Policy

The files generated by discovery mode will be located in the SSM's domain directory. To import them into ALES, use the Policy Import tool.

Once imported, the policy can be managed using the Entitlements Management Tool.

