The Java Authorization API lets you implement custom functionality for controlling access to protected resources.
The functionality is provided through custom Java classes that are referenced in Policy Server active expressions. An active expression is a string of variable definitions that appears in the following Policy Server objects:
For example, you might implement a custom Java class that returns true if the user belongs to a particular organizational unit (ou) in an LDAP directory. The ou is passed to the custom Java class in the parameter (param) field of the active expression.
For example, you might define an active response that returns a user's common name (cn) if the user belongs to the ou passed in the param field of the active expression.
For example, you might define a custom Java class that returns true if a user is a member of a group, such as Directory Administrator, that has permission to view a realm. The group name is passed to the Java class in the param field of the active expression.
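The organizational-unit check from the first example above, as an added sketch that is not part of the original page and is not the product's SDK code. `OuMembershipCheck` and `isMemberOfOu` are hypothetical names, the sample DNs are constructed, and the user's DN and the param string are assumed to reach the class as plain strings.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

// Hypothetical stand-alone class; it does not implement the Policy Server's own interface.
public class OuMembershipCheck {

    /**
     * Returns true only if userDn contains an RDN of type "ou" whose value
     * equals param (case-insensitive). Denies on empty or malformed input.
     */
    static boolean isMemberOfOu(String userDn, String param) {
        if (userDn == null || param == null || param.trim().isEmpty()) {
            return false; // an empty param must never authorize anyone
        }
        String wanted = param.trim();
        try {
            // Parse the DN instead of substring matching, so an escaped value
            // such as cn=ou\=Finance is not mistaken for membership of ou=Finance.
            for (Rdn rdn : new LdapName(userDn).getRdns()) {
                if ("ou".equalsIgnoreCase(rdn.getType())
                        && wanted.equalsIgnoreCase(String.valueOf(rdn.getValue()))) {
                    return true;
                }
            }
        } catch (InvalidNameException e) {
            return false; // malformed DN: fail closed
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample DNs, not taken from any real directory.
        String[] dns = {
            "cn=Ana Silva,ou=Finance,o=example.com",
            "cn=Bob,ou=finance,o=example.com",
            "cn=ou\\=Finance,ou=Contractors,o=example.com",
            "not a dn"
        };
        for (String dn : dns) {
            System.out.println(isMemberOfOu(dn, "Finance") + "  " + dn);
        }
    }
}
```

A multi-valued RDN (for example `cn=x+ou=y`) is compared only on the attribute `Rdn.getType()` reports, so it may be denied; extend the loop over `rdn.toAttributes()` if the directory uses them.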