Sun OpenSSO Enterprise 8.0 Developer's Guide

Policy Service Provider Interfaces and Plug-Ins

OpenSSO Enterprise includes SPIs that work with the Policy Service framework to create and manage policies. You can develop customized plug-ins for creating custom policy subjects, referrals, conditions, and response providers. For information on creating custom policy plug-ins, see Sample Code for Custom Subjects, Conditions, Referrals, and Response Providers. The following table summarizes the Policy Service SPI, and lists the specialized Policy Service plug-ins that come bundled with OpenSSO Enterprise.

Table 2–1 Policy Service Service Provider Interfaces




Defines a set of authenticated users for whom the policy applies. The following Subject plug-ins come bundled with OpenSSO Enterprise: Access Manager Identity Subject, Access Manager Roles, Authenticated Users, LDAP Groups, LDAP Roles, LDAP Users, Organization Web, and Services Clients. 


Delegates management of policy definitions to another access control realm.  


Specifies applicability of policy based on conditions such as IP address, time of day, authentication level. The following Condition plug-ins come bundled with OpenSSO Enterprise: Authentication Level, Authentication Scheme, IP Address, LE Authentication Level, Session, SessionProperty, and Time. 

Resource Name 

Allows a pluggable resource. 

Response Provider 

Gets attributes that are sent along with policy decision to the policy agent, and used by the policy agent to customize the client applications. Custom implementations of this interface are now supported in OpenSSO Enterprise.