The Java Authorization API lets you implement custom functionality for controlling access to protected resources.
The functionality is provided through custom Java classes that are referenced in Policy Server active expressions. An active expression is a string of variable definitions that appears in the following Policy Server objects:
For example, you might implement a custom Java class that returns true if the user belongs to a particular organizational unit (ou) in an LDAP directory. The ou is passed to the custom Java class in the parameter (param) field of the active expression.
For example, you might define an active response that returns a user’s common name (cn) if the user belongs to the ou passed in the param field of the active expression.
For example, you might define a custom Java class that returns true if a user is a member of a group, such as Directory Administrator, that has permission to view a realm. The group name is passed to the Java class in the param field of the active expression.
Active expressions are constructed in the Policy Server User Interface using the following syntax:
<@ lib=<lib-spec> func=<func-spec> param=<func-params>@>
An active expression based on the Java Authorization API has the following required fields:
You define an active expression when you configure the active policy, rule, or response in the Policy Server User Interface.
When SiteMinder detects an active expression that references a custom Java class, it performs the following tasks:
SiteMinder interprets the result returned by the instance of the custom Java class according to the type of active expression that references the Java class, as follows:
The policy does not fire if the result returned matches any of the following strings (not case-sensitive): FALSE, F, or 0.
Any other result causes the policy to fire.
Otherwise, the behavior is the same as for Active Policies.
(The URL that is passed back might vary according to information passed into the custom Java class. For example, a group name could be passed in the param field of the active expression. The custom Java class could then test for the group name to determine the URL to pass back.)
You specify the cookie name in the SiteMinder Response Attribute Editor.
If the method fails (that is, the method returns -1 or 0), the response attribute is ignored.
The base interface in the Java Authorization API is ActiveExpression. All Java classes that provide custom authorization functionality must implement this interface.
The name of the class that you implement from the base interface must appear in the param field of any associated active expression.
SiteMinder calls the following methods in the base interface ActiveExpression:
Method |
Description |
---|---|
init() |
Performs any initialization procedures that the custom Java class requires. SiteMinder calls this method once per instance of the custom ActiveExpression class. |
invoke() |
Performs the custom authorization functionality in the ActiveExpression object and returns a result. |
release() |
Performs any rundown procedures that the ActiveExpression object requires. SiteMinder calls this method once for each instance of an ActiveExpression class, when SiteMinder is shutting down. |
Note: Classes that implement ActiveExpression should be implemented on a stateless model that does not depend on instance state stored in member variables of the ActiveExpression class.
The following classes in the Authorization API are used in conjunction with the ActiveExpression base interface:
Class |
Description |
---|---|
ActiveExpressionContext |
Contains the following context classes passed to invoke():
|
RequestContext |
Provides information about the user’s access request—for example, the server or resource portion of the request. |
According to SAML specifications, an assertion (SAML 1.x) or response (SAML 2.0) is generated by a producer site and sent to a consumer site for validation. Typically, you will use the default SAML assertion or response that SiteMinder generates at the producer site. If you want to modify the content of the assertion or the reponse, you can do so by implementing the Java assertion generator plug-in. This plug-in is appropriate for both consumers (SAML 1.x) and Service Providers (SAML 2.0).
To modify the SAML assertion or response
The implementation is a plug-in for the SiteMinder Assertion Generator Framework. The Assertion Generator Framework sends a default token to the custom plug-in object. After processing, the custom object passes a modified token to the Assertion Generator Framework.
You configure a custom assertion generator plug-in in any of these ways:
Note: Configuration of the assertion generator plug-in requires a Policy Management API session version of at least v6.0 SP 2.
The following steps outline the interaction between SiteMinder and a custom assertion generator plug-in. The activities begin when an authorized user makes a request, through a SiteMinder Policy Server, for a resource at a site that consumes assertions:
Note: The site consuming assertions can have no more than one assertion generator plug-in defined for it.
A successfully initialized plug-in object remains in cache until SiteMinder shuts down. This avoids having to re-load and re-initialize the object every time the plug-in is required.
When SiteMinder is about to shut down, SiteMinder calls the plug-in’s release() method to allow the plug-in to perform any rundown activities it might require.
When developing and deploying a custom assertion generator plug-in, keep the following points in mind:
Copyright © 2014 CA.
All rights reserved.
|
|