Scripting and Programming Guides › Developer's Guide for Java › Authentication and Authorization APIs › Use the Authorization API › Active Expressions › Interpret an Active Expression Result

Interpret an Active Expression Result

SiteMinder interprets the result returned by the instance of the custom Java class according to the type of active expression that references the Java class, as follows:

• Active Policy—If the result returned is an empty string or if an exception is thrown, authorization is denied.

  The policy does not fire if the result returned matches any of the following strings (not case-sensitive): FALSE, F, or 0.

  Any other result causes the policy to fire.

• Active Rule—If the result returned is an empty string or if an exception is thrown, the following behavior occurs:
  • With Allow Access rules, the rule does not fire.
  • With Deny Access rules, the rule fires.

  Otherwise, the behavior is the same as for Active Policies.

• Active Response—The result is a string that corresponds to a response attribute. How SiteMinder interprets the result string is determined by the response attribute specified in the Policy Server User Interface. For example:
  • WebAgent-OnReject-Redirect. Given this response attribute, SiteMinder expects the result string to specify a location, such as a URL, to redirect a user who is denied access to a resource.

    (The URL that is passed back might vary according to information passed into the custom Java class. For example, a group name could be passed in the param field of the active expression. The custom Java class could then test for the group name to determine the URL to pass back.)

  • WebAgent-HTTP-Cookie-Variable. Given this response attribute, SiteMinder expects that the result string, such as the user’s common name, is to be assigned to a cookie variable. You can use the result string any way you like, such as to display the user’s common name to personalize a form.

    You specify the cookie name in the SiteMinder Response Attribute Editor.

  If the method fails (that is, the method returns -1 or 0), the response attribute is ignored.