I recently configured SAML Identity Switching by setting subject.precedence=false in the OWSM policy protecting a Web Service. This post covers the errors encountered after configuring Context Switching (Subject.Precedence) in the OWSM policy.
For Identity Switching to work you must grant the permission class oracle.wsm.security.WSIdentityPermission as described here.
If you don't grant the permission you will see an error like:
___
access denied (oracle.wsm.security.WSIdentityPermission resource=<myApp> assert)
oracle.wsm.security.SecurityException: access denied (oracle.wsm.security.WSIdentityPermission resource=<myApp> assert)
___
_____
<08-Jan-2014 19:52:20 o'clock GMT> <Error> <oracle.wsm.resources.policyaccess> <WSM-06303> <The method "registerListener" was not called with required permission "oracle.wsm.policyaccess" >
<08-Jan-2014 20:53:06 o'clock GMT> <Warning> <oracle.wsm.resources.enforcement> <WSM-07507> <Failure in Oracle WSM Agent, category=security, function=agent.function.client, stage=request due to RuntimeException. java.security.AccessControlException: access denied (oracle.security.jps.service.credstore.CredentialAccessPermission context=SYSTEM,mapName=oracle.wsm.security,keyName=keystore-csf-key read) at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374) javax.xml.ws.WebServiceException: oracle.fabric.common.PolicyEnforcementException: access denied (oracle.security.jps.service.credstore.CredentialAccessPermission context=SYSTEM,mapName=oracle.wsm.security,keyName=keystore-csf-key read) at oracle.j2ee.ws.client.jaxws.DispatchImpl.invoke(DispatchImpl.java:867)
Caused By: oracle.fabric.common.PolicyEnforcementException: access denied (oracle.security.jps.service.credstore.CredentialAccessPermission context=SYSTEM,mapName=oracle.wsm.security,keyName=keystore-csf-key read) at oracle.integration.platform.common.InterceptorChainImpl.createPolicyEnforcementException(InterceptorChainImpl.java:200) at oracle.integration.platform.common.InterceptorChainImpl.processRequest(InterceptorChainImpl.java:136)
________
If you get an error like the above, it means some of the required permissions are missing in .
Note: the Policy Store in Oracle Fusion Middleware can be in one of three locations, defined in jps-config.xml (under $DOMAIN_HOME/config/fmwconfig):
a) File based, in the XML file $DOMAIN_HOME/config/fmwconfig/system-jazn-data.xml
b) Database, under the OPSS schema. Note: the only supported database for the Policy Store is Oracle Database.
c) LDAP server. Note: the only supported LDAP server for the Policy Store is Oracle Internet Directory (OID).
In my case, setting the permission for oracle.wsm.security.WSIdentityPermission removed the existing permissions for the codebase wsm-agent-core.jar; adding the permissions below under the codebase wsm-agent-core.jar fixed the issue.
_____
<grant>
  <grantee>
    <codesource>
      <url>file:${common.components.home}/modules/oracle.wsm.agent.common_11.1.1/wsm-agent-core.jar</url>
    </codesource>
  </grantee>
  <permissions>
    <permission>
      <class>oracle.security.jps.service.credstore.CredentialAccessPermission</class>
      <name>context=SYSTEM, mapName=oracle.wsm.security, keyName=*</name>
      <actions>*</actions>
    </permission>
    <permission>
      <class>java.util.PropertyPermission</class>
      <name>*</name>
      <actions>read</actions>
    </permission>
    <permission>
      <class>java.util.PropertyPermission</class>
      <name>osdt.useMTOM</name>
      <actions>read,write</actions>
    </permission>
    <permission>
      <class>oracle.security.jps.JpsPermission</class>
      <name>IdentityAssertion</name>
    </permission>
    <permission>
      <class>java.lang.RuntimePermission</class>
      <name>accessDeclaredMembers</name>
    </permission>
    <permission>
      <class>java.lang.reflect.ReflectPermission</class>
      <name>suppressAccessChecks</name>
    </permission>
    <permission>
      <class>java.io.FilePermission</class>
      <name>-</name>
      <actions>read</actions>
    </permission>
    <permission>
      <class>java.lang.RuntimePermission</class>
      <name>getProtectionDomain</name>
    </permission>
    <permission>
      <class>java.lang.RuntimePermission</class>
      <name>oracle.wsm.policyaccess</name>
    </permission>
    <permission>
      <class>oracle.security.jps.service.attribute.AttributeAccessPermission</class>
      <name>*</name>
      <actions>get,set</actions>
    </permission>
  </permissions>
</grant>
______
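The quickest way to confirm which grant entry is missing is to compare the "access denied (class name actions)" messages from the log against the permissions granted to the agent jar's codesource in the policy store. The script below is an added example and is not part of this post or of Oracle's tooling: it parses a constructed, file-based system-jazn-data.xml fragment (the real file is larger), extracts the permission demanded by each AccessControlException message, and reports the ones that no permission granted to wsm-agent-core.jar covers. The wildcard matching is a simplified stand-in for java.security.Permission.implies(), and the log lines are constructed from the messages quoted above.

```python
import fnmatch
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of system-jazn-data.xml (not a real file):
# the wsm-agent-core.jar grant lacks the credential-store permission.
JAZN_BEFORE = """<jazn-data>
 <policy-store><jazn-policy>
  <grant>
   <grantee><codesource>
    <url>file:${common.components.home}/modules/oracle.wsm.agent.common_11.1.1/wsm-agent-core.jar</url>
   </codesource></grantee>
   <permissions>
    <permission>
     <class>java.util.PropertyPermission</class><name>*</name><actions>read</actions>
    </permission>
    <permission>
     <class>oracle.security.jps.JpsPermission</class><name>IdentityAssertion</name>
    </permission>
   </permissions>
  </grant>
 </jazn-policy></policy-store>
</jazn-data>"""

# The same store after the CredentialAccessPermission entry is added to that grant.
JAZN_AFTER = JAZN_BEFORE.replace(
    "</permissions>",
    "<permission><class>oracle.security.jps.service.credstore.CredentialAccessPermission</class>"
    "<name>context=SYSTEM, mapName=oracle.wsm.security, keyName=*</name><actions>*</actions>"
    "</permission></permissions>")

# Constructed log lines modelled on the WSM-07507 message quoted in the post.
LOG_LINES = [
    "<08-Jan-2014 20:53:06 o'clock GMT> <Warning> <oracle.wsm.resources.enforcement> <WSM-07507> "
    "<Failure in Oracle WSM Agent ... java.security.AccessControlException: access denied "
    "(oracle.security.jps.service.credstore.CredentialAccessPermission "
    "context=SYSTEM,mapName=oracle.wsm.security,keyName=keystore-csf-key read)>",
]

# Matches both the unquoted form seen in the post and the quoted form
# newer JDKs print: access denied ("java.io.FilePermission" "/x" "read")
DENIED_RE = re.compile(
    r'access denied \("?([\w.$]+)"? "?([^"\s)]+)"?(?: "?([^"\s)]+)"?)?\)')


def parse_grants(jazn_xml):
    """Return {codesource url: [(class, name, actions), ...]} for every <grant>."""
    grants = {}
    for grant in ET.fromstring(jazn_xml).iter("grant"):
        url = (grant.findtext("grantee/codesource/url") or "").strip()
        perms = []
        for p in grant.findall("permissions/permission"):
            perms.append((
                (p.findtext("class") or "").replace(" ", ""),
                (p.findtext("name") or "").strip(),
                (p.findtext("actions") or "").strip(),
            ))
        grants.setdefault(url, []).extend(perms)
    return grants


def _norm(name):
    # "context=SYSTEM, mapName=x, keyName=*" and the comma-packed form are the same name
    return name.replace(" ", "")


def covers(granted, needed):
    """True if the granted triple implies the needed one (simplified implies())."""
    g_cls, g_name, g_actions = granted
    n_cls, n_name, n_actions = needed
    if g_cls != n_cls:
        return False
    if not fnmatch.fnmatchcase(_norm(n_name), _norm(g_name)):
        return False
    if not n_actions:  # permission without actions, e.g. RuntimePermission
        return True
    g_set = {a.strip() for a in g_actions.split(",")}
    n_set = {a.strip() for a in n_actions.split(",")}
    return "*" in g_set or n_set <= g_set


def grant_for_jar(grants, jar_name):
    """Permissions of the grant whose codesource URL ends with the given jar file."""
    for url, perms in grants.items():
        if url.rstrip("/").endswith("/" + jar_name):
            return perms
    return []


def missing_permissions(jazn_xml, jar_name, log_lines):
    """Permissions demanded by 'access denied' messages that the jar's grant does not cover."""
    perms = grant_for_jar(parse_grants(jazn_xml), jar_name)
    missing = []
    for line in log_lines:
        for m in DENIED_RE.finditer(line):
            needed = (m.group(1), m.group(2), m.group(3) or "")
            if needed not in missing and not any(covers(g, needed) for g in perms):
                missing.append(needed)
    return missing


if __name__ == "__main__":
    for label, store in (("before", JAZN_BEFORE), ("after", JAZN_AFTER)):
        print(label, missing_permissions(store, "wsm-agent-core.jar", LOG_LINES))
```

Run it against the real system-jazn-data.xml (or an export of a database or OID policy store) and the server log to get the exact class, name and actions that still need to be granted, before editing the store by hand.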