How SiteMinder Interprets Active Expressions
When SiteMinder detects an active expression, it performs the following tasks:
- Loads the shared library specified in the active expression.
- Calls the user-defined function specified in the active expression.
- Passes to the user-defined function the optional parameter string plus contextual information, that is, the API context (Sm_Api_Context_t), request context (Sm_Api_RequestContext_t), and user context (Sm_Api_UserContext_t).
The following diagram illustrates the procedure:
The specified user-defined function in the shared library returns a result to SiteMinder in the lpszOutBuf parameter. SiteMinder interprets this result according to the type of active expression, as follows:
- Active Policy: If the function call fails or the result returned in lpszOutBuf is empty, authorization is denied.
  The policy does not fire if the result returned in lpszOutBuf matches any of the following strings (not case-sensitive): FALSE, F, or 0.
  Any other result value causes the policy to fire.
- Active Rule: If the function call fails or the result returned in lpszOutBuf is empty, the following behavior occurs:
  - With Allow Access rules, the rule does not fire.
  - With Deny Access rules, the rule fires.
  Otherwise, the behavior is the same as for Active Policies.
- Active Response: The result is a string representing the response attribute value. How SiteMinder uses this value is determined by the response attribute specified in the Administrative UI. For example:
  - WebAgent-OnReject-Redirect. Given this attribute, SiteMinder expects the response value to specify a location, such as a URL, to redirect a user who is denied access to a resource.
    For example, you could specify a group name in the optional param variable of the active expression, then test for the group name in the function to determine the URL to pass back.
  - WebAgent-HTTP-Cookie-Variable. Given this attribute, SiteMinder expects that the response value, such as the user's common name, is to be assigned to a cookie variable. You can use the response value any way you like, such as displaying the user's common name to personalize a form.
    You specify the cookie name in the SiteMinder Response Attribute Editor.
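The Active Policy and Active Rule interpretation described above can be written out as a small decision function. This is an added example, not SiteMinder code: the type and function names are hypothetical, and it models only the documented outcomes. It makes visible that a failed or empty result never grants access, and that any string other than FALSE, F, or 0 (for example "no") causes the policy or rule to fire.

```c
#include <ctype.h>
#include <stdio.h>

/* Hypothetical names that model the documented rules; not SiteMinder API types. */
typedef enum { EXPR_POLICY, EXPR_ALLOW_RULE, EXPR_DENY_RULE } expr_type_t;
typedef enum { NOT_FIRED, FIRED, AUTHZ_DENIED } outcome_t;

/* Case-insensitive whole-string match. Assumption: no whitespace trimming,
 * since the page only says the result "matches" FALSE, F, or 0. */
static int ieq(const char *a, const char *b)
{
    while (*a && *b) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
        a++; b++;
    }
    return *a == '\0' && *b == '\0';
}

/* call_ok: nonzero if the user-defined function call succeeded.
 * out_buf: the string the function left in lpszOutBuf (may be NULL or ""). */
outcome_t interpret_result(expr_type_t type, int call_ok, const char *out_buf)
{
    if (!call_ok || out_buf == NULL || out_buf[0] == '\0') {
        switch (type) {
        case EXPR_POLICY:     return AUTHZ_DENIED; /* authorization is denied */
        case EXPR_ALLOW_RULE: return NOT_FIRED;    /* allow rule does not fire */
        case EXPR_DENY_RULE:  return FIRED;        /* deny rule fires */
        default:              return AUTHZ_DENIED; /* unknown type: fail closed */
        }
    }
    if (ieq(out_buf, "FALSE") || ieq(out_buf, "F") || ieq(out_buf, "0"))
        return NOT_FIRED;
    return FIRED; /* any other value, including "no" or "deny" */
}

int main(void)
{
    static const char *names[] = { "not fired", "fired", "authorization denied" };
    /* Constructed sample results, not captured from a real Policy Server. */
    printf("policy, call failed     -> %s\n", names[interpret_result(EXPR_POLICY, 0, "TRUE")]);
    printf("policy, \"false\"         -> %s\n", names[interpret_result(EXPR_POLICY, 1, "false")]);
    printf("policy, \"no\"            -> %s\n", names[interpret_result(EXPR_POLICY, 1, "no")]);
    printf("allow rule, empty       -> %s\n", names[interpret_result(EXPR_ALLOW_RULE, 1, "")]);
    printf("deny rule, empty        -> %s\n", names[interpret_result(EXPR_DENY_RULE, 1, "")]);
    return 0;
}
```

When writing the user-defined function, return one of the three documented strings for a negative decision; a free-form value such as "no" is treated as a positive result.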