Sun Java System Access Manager 7.1 Developer's Guide

PolicyEvaluator Class

com.sun.identity.policy.PolicyEvaluator can be integrated into Java applications to evaluate policy privileges and provide policy decisions. This class provides support for both boolean and non-boolean type policies. Create a PolicyEvaluator by calling the constructor with a service name. Public methods of this class include the following:

isAllowed

Evaluates the policy associated with the given resource and returns a boolean value indicating whether the policy evaluation resulted in an allow or deny.

getPolicyDecision

Evaluates policies and returns a decision that gives a user permission to perform specified actions on a specified resource.

getResourceResult

Obtains the policy and decisions for a hierarchy of resources. Possible values for the scope of this method are self, subtree, and strict-subtree. Use the self value to get the policy decision for the specified resource only. Use the subtree value to include the policy decisions for all resources defined in the policies which are sub-resources of the specified resource.

For example, the PolicyEvaluator class can be used to display the links for a list of resources to which an authenticated user has access. The getResourceResult method is used to get the list of resources. With the resourceName parameter set to http://host.domain:port, the method returns all the resources to which the user has access on that server. These resources are returned as a PolicyDecision based on the user’s defined policies. If the user is allowed to access resources on different servers, this method needs to be called for each server.


Note –

Not all resources that have policy decisions are accessible to the user. Access depends on ActionDecision(s) contained in policy decisions.
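
The link-listing scenario and the note above, as an added example (not code from the original guide): it walks the ResourceResult tree returned for the subtree scope and keeps only resources whose ActionDecision explicitly allows the action. The service name iPlanetAMWebAgentService, the GET action and the allow/deny values are assumptions for a URL policy agent deployment, and the class and method names are hypothetical.

```java
import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.sun.identity.policy.ActionDecision;
import com.sun.identity.policy.PolicyDecision;
import com.sun.identity.policy.PolicyEvaluator;
import com.sun.identity.policy.PolicyException;
import com.sun.identity.policy.ResourceResult;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class AccessibleLinks {
    // Assumed values: URL policy agent service name and the action to test.
    private static final String SERVICE = "iPlanetAMWebAgentService";
    private static final String ACTION = "GET";

    /** Returns the resources under serverRoot on which the token's user may perform ACTION. */
    public static List<String> list(SSOToken token, String serverRoot)
            throws SSOException, PolicyException {
        PolicyEvaluator evaluator = new PolicyEvaluator(SERVICE);
        // Subtree scope: decisions for serverRoot and its sub-resources named in policies.
        ResourceResult root = evaluator.getResourceResult(
                token, serverRoot, ResourceResult.SUBTREE_SCOPE, new HashMap());
        List<String> allowed = new ArrayList<String>();
        collect(root, allowed);
        return allowed;
    }

    // Depth-first walk over the resource hierarchy.
    private static void collect(ResourceResult node, List<String> allowed) {
        PolicyDecision decision = node.getPolicyDecision();
        if (decision != null && permits(decision)) {
            allowed.add(node.getResourceName());
        }
        for (Object child : node.getResourceResults()) {
            collect((ResourceResult) child, allowed);
        }
    }

    // Default deny: a decision being present is not enough; require an explicit
    // "allow" value for ACTION and no "deny" value (assumed boolean action values).
    private static boolean permits(PolicyDecision decision) {
        Map decisions = decision.getActionDecisions();
        ActionDecision ad = (ActionDecision) decisions.get(ACTION);
        if (ad == null || ad.getValues() == null) return false;
        Set values = ad.getValues();
        return values.contains("allow") && !values.contains("deny");
    }
}
```

Call list once per server root, since a single call covers only the resources under the resourceName passed in.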