Friday, September 21, 2012
OAM R2 REST APIs for Policy Management
Oracle Access Manager 11g R2 provides several new REST APIs. This continues a trend to expose key functionality via Web Services.
The OAM Mobile and Social service provides APIs for Authentication, Authorization and User Profile services. I will cover those APIs in a future article (have a look here for examples) - but today I want to focus on the policy management APIs.
The Policy Administration API enables to you to interact with OAM to create a variety of Policy objects such as Application Domains, Resources, AuthN Schemes, and AuthN/AuthZ policies. The policy model is shown below:
For example, if you want to retrieve all of the resources in an Application Domain you can perform a GET against the /resource URI:
curl -u USER:PASSWORD http://<SERVER>:<PORT>/oam/services/rest/18.104.22.168.0/ssa/policyadmin/resource?appdomain="IAM Suite"
Note: The port above is where the OAM Admin Server is deployed (often 7001). It is NOT the managed server (oam_server1 - 14100 by default).
These APIs are useful for anyone who wants to automate policy creation. To provide an example: Let's assume we want to automate the process of bringing new applications online. Each application will have a resource URL to protect (example: /financeapp/**) and an LDAP group which should be used to enforce access to the application (example: FinanceManagers).
To demonstrate this functionality I have created a small Netbeans project that you can download here.
The demo uses the Jersey client to invoke OAM's policy management API.
The XML schema is used to generate JAXB bindings for the various policy objects. This schema can be found in your deployment directory for OAM (perform a find ..../domains/IAM -name \*.xsd -print) to locate it. A copy of the schema is included in the project file - but this may change with subsequent releases.
The demo does not cover every use case - but it should give you the general idea. Feedback is welcome!