OPENSSO PRE/POST PROCESSING ATTRIBUTE FETCHING VIA POLICY AGENT

Similar Messages

• Pre/post processing

  Hello group!
  Configuration:
  Oracle 8.1.7
  XDK 9.0.0.0.0(beta)
  We use XSQL Servlet scripts (great framework!). We tried to provide single entry point into our webapp. We want to replace XSQLServlet class, and gain control of our servlet environment (transactions, thread synchronization, logs...).
  Problem is, if we replace XSQLServlet class with our own class (which extends HttpServlet), we can't use XSQLPageProcesor directly because it is declared private for XSQLServlet package.
  So, we try to use XSQLRequest class and construct an instance with XSQLServletPageRequest as parameter and then call XSQLRequest.process().
  It works ,but ...
  When we attach object with setRequestObject (), requestProcessed is never called.
  Why? We mist something?
  If we use XSQLRequest (URL url), must we handle sessions, request parameters, cookies ...?
  Where is the best place to put pre/post processing of request?
  Thanks in advance
  Tomi
  null

  We found just XSQLPageRequest.setRequestObject(), that we already try to use (first post in thread).
  We associate *.xsql with our HttpServlet because we want to transparently add controller object(s), and we want to turn this feature off in servlet engine config whenever we want. If we forward it (getServletContext().getRequestDispatcher().forward()), with same name and extension ...
  Some code:
  public void doGet(HttpServletRequest request, HttpServletResponse response)
  throws ServletException, IOException
  XSQLServletPageRequest req = new XSQLServletPageRequest(request, response, myContext);
  //TransactionController implements the XSQLRequestObjectListener
  req.setRequestObject("transaction",new TransactionController(req));
  XSQLRequest xsqlrequest = new XSQLRequest(request.getRequestURI(), req);
  try
  xsqlrequest.process(response.getOutputStream() ,new PrintWriter(System.err));
  catch(Exception ex)
  ex.printStackTrace();
  return;
  }When we call XSQLRequest.process, servlet response just fine (except we lost default encoding windows-1250?).
  TransactionController is properly attached, but requestProcessed is never called.
  We found why. Maybe?
  XSQLRequest.process call createNestedRequest from XSQLServletPageRequest, and then setIncludingRequest.
  This seems like little overhead :)
  We just want to keep our XSQL Scripts clean from including controllers via custom actions in every page.
  Can we do that?
  Anybody tried something similar?
  Thanks for your time
  Tomi
  null

• Pre-Post Processing Examples

  I'd like to learn more about how to use the Pre-Post Processing feature in the Apex Listener.
  Does anyone have any examples or documentation on how to do this?
  Thanks,
  C

  So i've answered my own question in part:
  Here is what I did:
  1. created a procedure named web_log_prc that inserts some session data into a table (web_log) in the Apex Application's parsing schema.
  2. granted execute privileges on that procedure to apex_public_user.
  3. In the post-processing text field in the apex listener admin page i entered the name of the procedure: <username>.web_log_prc
  Now when I click around in the app, rows get generated in the web_log table.
  My intend was to capture Oracle session data and tie it back to a particular Apex user. As expected, the username logged is apex_public_user.
  Is there a way to capture the session identifier that the connection pooling mechanisms use to send the data fetched from the database back to the correct Apex user?

• Lumia 920 pre & post processing of pics after Ambe...

  Hey folks, im starting this thread in order to grab more attention from Nokia. As they are already aware of the yellowish tint in photos since the amber update, I wanna just add something extra. I have attached 2 sample images of pictures below. Both photos were shot at ISO3200 to really show what this phone is capable of. Each picture will come with a before processing happens and after. Not only can you tell theres a yellowish tint in the post processing pics, but you can also see severe noise reduction. Sure, ISO3200 is a bit on a smartphone, but take a close look at the pics before the processing happens and tell me that isn't a amazing picture at ISO3200. White balance is spot on, and sharpness is excellent. Im sorry, but the aggressive noise reduction Nokia applies is not needed on this phone. Nokia I think most people buy these lumia 920 and 1020 phones based on cameras. I think most people can agree that while we may not ask you to remove your noise reduction settings, but rather add an option for us users who would like to skip out on the post processing that happens. You can clearly see in the before and after pics below how amazing an ISO3200 shot from this phone is.....let us have it please!!!
  Attachments:
  After Processing.jpg ‏3241 KB
  wp_ss_20130912_0005.png ‏1705 KB

  THE OTHER COMPARISON HERE:
  Attachments:
  After Processing (2).jpg ‏3166 KB
  wp_ss_20130912_0006.png ‏1597 KB

• Logout Processing Properties in the Policy Agent 2.2

  Hi,
  Did anyone ever used these properties? I have a case in which I need to use them but there are no examples and the documentation is a bit laconic. What is this handler? Any ideas? My app has just a simple /Logout.do url that when requested should logout the user in Access Manager too. I tried setting the property like
  com.sun.identity.agents.config.logout.uri[myApp] = /Logout.do
  But it did't work.
  Thank you.
  This is the only doco I found, in the AMAgent.properties:
  # LOGOUT PROCESSING PROPERTIES
  # - logout.application.handler: An application specific (MAP) property
  # that identifies a handler to be used for logout processing.
  # - logout.uri: An application specific (MAP) property that identifies
  # a request URI which indicates a logout event.
  # - logout.request.param: An application specific (MAP) property that
  # identifies a parameter which when present in the HTTP request
  # indicates a logout event.
  # - logout.introspect.enabled: A flag that when set allows the Agent
  # to search HTTP request body to locate logout parameter.
  # - logout.entry.uri: An application specific (MAP) property that identifies
  # a URI to be used as an entry point after successful logout and
  # subsequent successful authentication if applicable.
  # Hot-Swap Enabled: Yes
  com.sun.identity.agents.config.logout.application.handler[] =
  com.sun.identity.agents.config.logout.uri[] =
  com.sun.identity.agents.config.logout.request.param[] =
  com.sun.identity.agents.config.logout.introspect.enabled = false
  com.sun.identity.agents.config.logout.entry.uri[] =

  Hi,
  in my scenerion i have set up the SSO between SIM SPE and SAM sucessfully.
  I have put the default url of SIM-SPE edit profile page on suceesful login of Access manager. however i am facing the issue in logout of SIM-SPE application. i tried with access manager log out url but on log out and log-in with different user it gives me the profile of previous user however policy agent is fetching the current user (checking from the header). So it seems that some session is not able to destroyed on application (SIM-SPE) side. i came to know from forum even that some logout properties can use for logout.
  Can anybody please tell me how to use the following properties in AMAgent.properties file of policy agent on App server.
  # LOGOUT PROCESSING PROPERTIES
  #   - logout.application.handler: An application specific (MAP) property
  #     that identifies a handler to be used for logout processing.
  #   - logout.uri: An application specific (MAP) property that identifies
  #     a request URI which indicates a logout event.
  #   - logout.request.param: An application specific (MAP) property that
  #     identifies a parameter which when present in the HTTP request
  #     indicates a logout event.
  #   - logout.introspect.enabled: A flag that when set allows the Agent
  #     to search HTTP request body to locate logout parameter.
  #   - logout.entry.uri: An application specific (MAP) property that identifies
  #     a URI to be used as an entry point after successful logout and
  #     subsequent successful authentication if applicable.
  # Hot-Swap Enabled: Yes
  com.sun.identity.agents.config.logout.application.handler[] =
  com.sun.identity.agents.config.logout.uri[] =
  com.sun.identity.agents.config.logout.request.param[] =
  com.sun.identity.agents.config.logout.introspect.enabled = false
  com.sun.identity.agents.config.logout.entry.uri[] =i tried with http://<host name><port>/idm/spe/user/LogoutSubmit.do as setting the value for logout.uri property but no works.
  i would really appreciate your response.

• Post process bank statements in FEBA

  Hi expert,
  I received a customer payment via a bank transfer and I have loaded the bank statement via transaction FF_5.
  The G/L has been posted.
  When I wanted to post process the subledger, via transaction FEBA, the open items did not appear immediately.
  I had to select "More" and enter the account number.
  Then I was able to select all the open items related to my payment.
  Do you know what influences the fact that only 4 open items were shown?
  How can I show the whole list of a specific customer?
  Thank you.
  Kind regards,
  Linda

  Hello Eugene,
  Thank you for your reply.
  No,  we are not on new GL.
  Kind regards,
  Linda

• CDSSO, SAML & Policy Agents

  Hi all,
  My client would like to use Policy Agents to provide access control to internal systems. They would also like to use SAML 2.0 to interact with 3rd parties.
  The use case I have in mind is as follows;
  1. User authenticates to a Portal (not secured via Policy Agent)
  2. User accesses protected resource on Portal (Policy Agent intercepts and validates login status)
  3. User clicks a link to access 3rd party site. 3rd party site sends a SAML request back to us. We respond with SAML response. User obtains access to 3rd Party.
  There are a number of issues I see with this Use Case;
  1. The Portal will authenticate the user credentials against Access Manager via a back-end WebService. It will receive an SSOToken. This does not log the user on to the Policy Agent on the site.
  2. The Policy Agent does not have an authenticated session. The SSOToken the portal just obtained cannot be used to authenticate to the Policy Agent. The Policy Agent requires a Liberty Post profile. Is there an alternative to the Liberty profile to automatically obtain a session on the Policy Agent? How can I generate a valid Liberty profile that the Policy Agent will accept?
  3. The incoming SAML request must re-use the identity established when the user authenticated to the portal - I can't challenge the user again for credentials - this must be seamless. I think I need to use the SDK to turn the SSOToken in to a SAML reply. Are there any alternatives?
  Thanks for helping
  Jez

  I don't believe that the agent know anything about SAML.

• Policy agent and normal portal logon on one portal

  We run a shared portal infrastructure and want to use multiple logon methods for accessing ESS MSS portal applications.
  Is it possible to logon via Policy Agent and with normal sap poral logon to the same application?

  We have 3 bespoke types of SSO logon methods, JAAS, SAML and PKI.
  This means users can logon via our bespoke SSO solutions or via the normal SAP standard delivered logon method with UID and password.
  Currently we are investigating if we can also implement the Sun policy agent as logon method for the Poral and WAS. It should run in parallel with our current solutions without harming them.

• Pre-processing versus Post-processing Event Handlers

  After looking through the documentation, and a lot of forum posts, I'm still a little unclear as to where custom user modification updates most typically go... if I want to create a customer handler to say transform some data on a user after input on the main OIM form... should that go in the pre or post processing event handler? Or a more basic questions, which transactions or type of events would go in pre-processing, and which would go into post-processing?

  As far as I understand, there is no hard and fast rule as to what goes into pre and what goes into post. If you are doing a trusted recon then there is no pre will 11g and you have only post but if you are doing it from the OIM profile page then you can have either one and would depend upon your use case and requirement.
  Generally post should cover most of your scenarios from the UI unless you have access policies based on event handler derived attributes. If that's the case then you will have to fine tune the ordering of the event handler so that access policy is the last to be triggered.
  -Bikash

• OIM 11g: Has anyone managed to pre-populate Display Name by post process

  Hi all,
  I have an event handler to set Display Name. It works via pre-process but not post (which we need for recon).
  Does anyone have this working for trusted reconciliation?
  Thanks,
  Wayne,

  We are doing a little more basic in our modify post process handler... something like:
  public BulkEventResult execute(long processId, long eventId, BulkOrchestration bulkOrchestration) {
    HashMap<String, Serializable>[] bulkParameters = bulkOrchestration.getBulkParameters();
    String[] entities = bulkOrchestration.getTarget().getAllEntityId();
    params = new HashMap<String, Object>();
    HashMap<String, Serializable> parameters;
    for (int i = 0; i < bulkParameters.length; i++) {
         entityId=entities;
  parameters = bulkParameters[i];
  // Insert whatever your custom display name logic is below
  String fName = getParameterValue(parameters, "First Name");
  String lName = getParameterValue(parameters, "Last Name");
  String mInitials = getParameterValue(parameters, "Middle Name");
  String dName = lName + " ," + mInitials + " " + fName;
  params.put("Display Name", dName);
  try {
  entityManager.modifyEntity(bulkOrchestration.getTarget().getType(),entityId, params);
  } catch (InvalidDataTypeException e) {
  // All/any of your catches go here
  return new BulkEventResult();

• OIM11 event handlers: How to avoid firing the same code in both pre+post

  Hi everyone,
  I have a question around event handlers. My experiments so far have gleaned the following:
  Manual updates of user form in admin interface -> Fires: pre-insert + Post-insert
  Reconciliation trusted creates -> Fires: Post-insert
  Reconciliation trusted updates -> Fires: pre-insert + Post-insert
  Now I have various handlers that trigger to update fields coming in from trusted recon. Formatting telephone numbers, setting custom user attributes.. etc. I am using the same code in both the post and pre handlers as wherever the update comes from it needs to be processed in the same way. Problem is if a handler fires twice I can't be sure exactly how the system is going to behave (updating the same field again etc), never mind it is unneeded processing.
  We have to keep the pre handlers because otherwise changes completed via the admin interface won't be seen until you refresh.
  Can anyone please advice how to go about ensuring a handler is only fired once? i.e. if pre fires don't fire post. Have I missed something key here?
  Edit: I know I've worded this badly. They will always fire as that's how OIM behaves, what I want is some way to work out in the underlying code if a field has already been modified in pre process... or something like it.
  Thanks,
  Wayne.
  Edited by: wblacklock on 27-Feb-2012 05:38

  I am sorry but I am not agree with your design.
  However there is no chance to avoid this according to my knowledge. As both class has separate thread under different process, so there is no way to implement thread lock on entity operation.
  Alternate way  to acheive your requirement:
  You can have hidden UDFs. Update hidden UDFs in prepost handler with some data (hardcoded).
  "You can have the value this hidden filed like :- "NAME_UPDATE|EMAIL_UPDATED|MANGER_UPDATE"
  Now in Post - Process handler check the value of hidden UDF.
  Get the value of hidden UDF, tokenize with String Tokenizer. Check which filed is not updated in Pre handler.
  *If it is already updated - do not update.* else Update.
  Thanks,
  Kuldeep

• Building OpenSSO Policy Agent 2.2 for Apache 2.x

  Hi,
  I've been trying to build OpenSSO policy agent using sources from opensso_agentbranch22 on WINNT for Apache 2.0 web server. The reason I can't use the pre-build binary is because we are trying to customize the agent to integrate with another SSO app which sends us data. The compilation itself seems to work OK. But the libamapc2.dll (Apache module dll) created seems to be only 24-26k in size vs the 700k size in the binary distributed by Sun.
  Apache fails to start when this agent is installed, saying that the dll is invalid. Am I missing something in my compilation and linking process? I'm using VS 6 for the cl and link, Ant and Cygwin.
  Any input from the Sun OpenSSO gurus is greatly appreciated.

  I can show a snapshot from the Depends tool that clearly shows that amsdk.dll is dynamically linked. It creates all sorts of issues with Apache 2.0 as it doesn't like the dynamic linking. Until I changed the Makefile in the am directory to use the static library, I could not get my libamapc2.dll to match the libamapc2.dll distributed by Sun. Even now there are issues with libnspr4 and msvcrt.dll. Apache crashes as soon as it loads the libamapc2.dll and the issue has been narrowed down to the strlen() method. This method is used for logging messages by the agent.
  I wish Sun maintained a copy of the 3rd party libs they use to build the agent in their CVS instead of asking us to fetch those libraries from another website, in which case libraries may not correspond 1:1.

• Post Process Event Handler ----Unique Constraint Violation--Create User

  Hi Evryone..
  I am creating the user using the create user request template and there is one level of approval for this.
  I have one pre process event handler which populates one field A and one post process event handler which updates some 3 fields in the user form .
  In request template itself we had placed value as "ABC" for field B and this field B will be overridden in the post process event handler with Value as "XYZ" .
  Now when i raise the request the user is getting created in OIM but the value XYZ is not getting replaced in the field B.
  Below are the errors which i got in the logs while executing post process event handler :
  <Mar 28, 2012 10:25:58 AM CDT> <Warning> <oracle.iam.callbacks.common> <IAM-2030146> <[CALLBACKMSG] Are applicable policies present for this async eventhandler ? : false>
  <Mar 28, 2012 10:25:59 AM CDT> <Warning> <org.eclipse.persistence.session.oim> <BEA-000000> <
  Exception [EclipseLink-4002] (Eclipse Persistence Services - 2.1.3.v20110304-r9073): org.eclipse.persistence.exceptions.DatabaseException
  Internal Exception: java.sql.SQLIntegrityConstraintViolationException: ORA-00001: unique constraint (DEV_OIM.UK_UAR_ATTR_NAME_VALUE) violated
  Error Code: 1
  Call: INSERT INTO USR_ATTRIBUTE_RESERVATIONS (UAR_RESERVATION_KEY, UAR_ATTRIBUTE_NAME, CREATED_BY, CREATED_ON, DATA_LEVEL, UAR_REQUEST_ID, UAR_RESERVED_VALUE, UPDATED_BY, UPDATED_ON) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
  bind => [10, User Login, null, null, null, 10, DUMMY14, null, null]
  Query: InsertObjectQuery([email protected]658269)
  Exception at usrIntf.updateUser IAM-3050128 : Cannot reserve user attribute User Login with value DUMMY14 in OIMDB. Corresponding request ID is 10.:User Login:DUMMY14:10
  I checked reservations table and there are no records in that table.
  Has any one faced this issue..if so how it can be resolved..

  Are you trying to update the User ID? As far as I know during create user requests, OIM reserves the user login as it goes through approval and you cannot update that directly I think. I haven't tried it but can you tell me which fields you are prepopulating and which are you updating? Are there any OOTB fields in this or UDF?
  -Bikash

• Post Processing Steps after Support Package Stack Application

  I'm curious if anyone has any guidelines for post processing steps (or pre-processing) when applying Support Package Stacks to their Development Infrastructure (Developmend Workplace and the Central NWDI Server).  We have just upgraded a couple of developers local engines and developer studio to SP stack 19 from SP stack 14 and are experiencing some problems.  We also applied the J2EE stack and appropriate SCA files to the NWDI server.
  After the support packs it looks like our DTR files are gone (when reimporting configuration via Developer Studio the SC's are there but there are no DC's inside of them).  Additionally, it looks like we have to manually reimport the newest versions of SAP_BUILDT, SAP_JTECHS, and SAP-JEE.  Another thing is that old Local Web Dynpro DC's are now complaining about class path problems and different versions of files.  We followed the documentation for applying SP19 exactly as the documentation says for a Java Development Usage type.  Is there a checklist or something that anyone has for steps to perform after the application of the support packs?

  I think I'm missing something.  Now I see the code and DC's inside the DTR.  However, when I try to import into NWDS no DC's come in (the software components exist, but no DC's in them).  Additionally, the CBS web ui reports that my software components do not contain any DC's even though I see them in the DTR.  What things can I look at to determine what I'm missing here?
  Thought I'd add some more info..after applying the support packs, we imported the new SAPBUILD, SAP_JTECH, and SAP_jee SCA'S into our track as we required some functionality from the newer build SCA.  We also reimported our old archives back into the system by manually checking them in assuming this would fix the problem with us not seeing the source in the NWDS or the DTR.  After the import, the CBS no longer sees our custom DC's, but the DTR does (both in active and inactive ws).  When importing the dev configuration into the NWDS our custom DC's no longer appear, but SAP's standard SCA's do.
  Message was edited by:
          Eric Vota

• Problems with pre-mapping process operator in owb 9i

  Hi,
  I was trying to use the pre-mapping process operator in owb 9i. Problem is that the manual does not specify how the inputs need to be connected to this operator.
  Following is what I went through -
  I created a mapping table operator and a mapping dimension operator and connected these two. Then i created a pre-mapping process operator selecting the LTRIM function. Further I connected one of the table attributes to this pre-mapping operator as input and connected the output of this pre-mapping operator to the appropriate dimension operator attribute.
  On performing Validate, following error message was flashed -
  VLD-2451 : Illegal connection to pre-mapping process operator
  I am trying to learn how to use OWB 9i from the manual. So my interpretation of the use of the pre-mapping process operator may be wrong.
  In any case kindly help,
  Thanks,
  Saju

  Pre-mapping process is use to perform some operations preceding to mapping operation itself.
  For example, if your mapping is designed to incrementally append data to table for the definite time interval (witch is a parameter of the map operation) you might want to perform the table data cleanup for that period. That will allow for reload data number of time.
  In this case you have to define the procedure witch perform cleanup and than include the call to that procedure as a pre-mapping process.
  Other examples of pre- and post mapping process is disabling referential integrity before loading and re-enabling them after loading.
  Anyway, OWB documentation has clear definition for pre- and post-mapping processes.