Chapter 3 Policy Data Types and Functions

Sun™ Java System Access Manager contains public data types and functions you can use to communicate with the Policy Service. Reference summaries include a short description, syntax, parameters and returns. The code is contained in the <am_policy.h> header file (located in the /AccessManager-base/SUNWam/include directory). The sample source am_policy_test.c (located in the /AccessManager-base/SUNWam/samples/csdk directory) demonstrates the basic usage of the policy API. This chapter contains the following sections:

• The Policy API for C

• Policy Data Types

• Policy Functions

The Policy API for C

Access Manager provides policy APIs for use by developers to integrate a resource authorization functionality within their external C applications. The policy API for C determines if a user has been given permission by a recognized authority to access a particular protected resource. The result of the policy evaluation is called an action value and may be boolean or binary.

• A boolean action value might be allow/deny or yes/no.

• A binary action value might be, for example, a mailbox quota. Assuming John Smith can only hold 100 MB of email in his mailbox, the value 100 would be the action value.

  ---

  Tip –

  As policy evaluation results in string values only, the policy evaluation returned is 100 numeric and not 100 MB. It is up to the application developer to define the appropriate metric for the values.

  ---

Resources Strings

The Policy API for C mandates that any resource be represented in a string format. Thus, resources on a web server must be represented as URLs. The Policy Service is then able to compare the resource string to the policy string and determine a relative relationship between the two. This relationship will be defined as one of the following:

• exact match

• no match

• subordinate match

• superior match

• exact pattern match

  ---

  Note –

  Exact pattern match is a special case where resources may be represented collectively as patterns. The information is abstracted from the Policy Service and the comparison operation must take a boolean parameter to trigger a pattern matched comparison. During the caching of policy information, the policy engine does not care about patterns, whereas during policy evaluation, the comparisons are pattern sensitive.

  ---

Resource Traits

The set of characteristics needed to define a resource is called a resource trait. Resource traits are taken as a parameter during service initialization in the am_resource_traits_t. Using the resource traits, the Policy Service constructs a resource graph for policy evaluation in which the relation between all resources in the system spans out like a tree from the root of the given resource. Thus, the service developer must provide the means to extract the root of the given resource. In a URL, the protocol://Access Manager-host.domain:port portion represents the root.

Policy Evaluation

The two typedef structures that are used for information exchange to and from the policy evaluation interfaces are:

• am_map_t provides a key to multiple key/value mapping. If the evaluation requires certain environment parameters like the IP address of the requester, it may be passed using this structure. See am_map_t for more information.

• am_properties_t provides a key to single value mapping. am_properties_t provides the additional functionality of loading a configuration file and getting values of specific data types. See am_properties_t for more information.

Policy Data Types

The types defined in <am_policy.h> are:

• am_policy_result_t

• am_policy_t

• am_resource_traits_t

am_policy_result_t

Carries the evaluation results from the Policy Service.

Details

am_policy_result_t unifies various components of a policy evaluation including information regarding the user attempting to perform an action on the resource, advice messages as recommended during policy evaluation, if any, and attribute response maps providing specific key/values as set in policy definition or user entries.

Syntax

#include "am_policy.h"
typedef struct am_policy_result {
    const char *remote_user;
    const char *remote_user_passwd;
    const char *remote_IP;
    am_map_t advice_map;
    am_map_t attr_profile_map;
    am_map_t attr_session_map;
    am_map_t attr_response_map;
    const char *advice_string;
} am_policy_result_t;

Members

remote_user

Pointer to the user attempting access.

remote_user_passwd

Pointer to the password for the remote user.

remote_IP

Pointer to the IP address of the resource the user is attempting to access.

advice_map

Takes a value based on the am_map_t defined in the <am_map.h> header file that represents any advice messages that might have resulted from the policy evaluation.

---

Note –

For information on advices, see Policy Advices in Sun Java System Access Manager 7.1 Administration Guide.

---

attr_profile_map

Takes a value based on the am_map_t (defined in the <am_map.h> header file) that represents one or more user profile attributes and a corresponding value. This member is enabled when the following two properties in AMAgent.properties are configured:

• com.sun.am.policy.agents.config.profile.attribute.fetch.mode takes a value of HTTP_HEADER or HTTP_COOKIE.

• com.sun.am.policy.agents.config.profile.attribute.map takes a list of LDAP attributes and their mapped values in the format attribute_name|value.

attr_session_map

Takes a value based on the am_map_t (defined in the <am_map.h> header file) that represents one or more session attributes and a corresponding value. This member is enabled when the following two properties in AMAgent.properties are configured:

• com.sun.am.policy.agents.config.session.attribute.fetch.mode takes a value of HTTP_HEADER or HTTP_COOKIE.

• com.sun.am.policy.agents.config.session.attribute.map takes a list of session attributes and their mapped values in the format attribute_name|value.

attr_response_map

Takes a value based on the am_map_t (defined in the <am_map.h> header file) that represents one or more response attributes and a corresponding value. This member is enabled when the following two properties in AMAgent.properties are configured:

• com.sun.am.policy.agents.config.response.attribute.fetch.mode takes a value of HTTP_HEADER or HTTP_COOKIE.

• com.sun.am.policy.agents.config.response.attribute.map takes a list of response names and their mapped values in the format attribute_name|value.

advice_string

Pointer to a string that defines a value for further authentication if dictated by the policy condition.If no condition is specified, the advice string will have an empty value.

Memory Concerns

Memory for am_policy_result_t is allocated by am_policy_evaluate() and freed by am_policy_result_destroy().

am_policy_t

Declares an unsigned integer as a type for a policy object.

Syntax

#include "am_policy.h"
typedef unsigned int am_policy_t;

Members

am_policy_t has no members.

am_resource_traits_t

Contains the functions to return resource traits that will be used to compare with a user's defined policy and evaluate the access request.

Syntax

#include "am_policy.h"
typedef struct am_resource_traits {
    am_resource_match_t (*cmp_func_ptr)(const struct am_resource_traits *rsrc_traits,
                                        const char *policy_res_name,
                                        const char *resource_name,
                                        boolean_t use_patterns);
    boolean_t (*has_patterns)(const char *resource_name);
    boolean_t (*get_resource_root)(const char *resource_name,
                                   char *root_resource_name,
                                   size_t buflength);
    boolean_t ignore_case;
    char separator;
    void (*canonicalize)(const char *resource, char **c_resource);
    void (*str_free)(void *resource_str);
} am_resource_traits_t;

Members

cmp_func_ptr

Pointer to a function that compares policy_res_name and resource_name to return one of the following values of the am_resource_match_t enumeration (defined in the <am_policy.h> header file):

typedef enum am_resource_match {
    AM_SUB_RESOURCE_MATCH,
    AM_EXACT_MATCH,
    AM_SUPER_RESOURCE_MATCH,
    AM_NO_MATCH,
    AM_EXACT_PATTERN_MATCH
} am_resource_match_t;

---

Tip –

cmp_func_ptr can point to am_policy_compare_urls() to evaluate URL resources.

---

rsrc_traits

Pointer to the resource traits structure containing data regarding a policy.

policy_res_name

Pointer to the name of the resource being protected.

resource_name

Pointer to the name of the resource being requested.

use_patterns

Based on the boolean_t defined in the <am_types.h> header file, B_TRUE indicates that the function will use or recognize patterns when comparing resources.

has_patterns

Pointer to a function that determines whether a resource has patterns and returns one of the following values of the boolean_t enumeration defined in the <am_types.h> header file:

B_TRUE

If resource_name has patterns.

B_FALSE

Otherwise.

---

Tip –

has_patterns can point to am_policy_resource_has_patterns() for URL resources.

---

resource_name

Pointer to the name of the resource being requested.

get_resource_root

Pointer to a function that extracts the root of the specified resource and returns one of the following values of the boolean_t enumeration defined in the <am_types.h> header file:

B_TRUE

If the resource root was successfully inserted into the specified root_resource_name buffer.

B_FALSE

Otherwise.

---

Tip –

get_resource_root can point to am_policy_get_url_resource_root() for URL resources.

---

resource_name

Pointer to the name of the resource being requested.

root_resource_name

Buffer to hold the resource root.

buflength

Value based on the size_t defined in the standard <stddef.h> header file that reflects the length of the root_resource_name buffer.

ignore_case

Value that takes one of the following values of the boolean_t enumeration defined in the <am_types.h> header file:

B_TRUE

Ignore case for all functions in this structure.

B_FALSE

Otherwise.

separator

Defines the resource separator. For URLs / should be used.

canonicalize

Pointer to a function that converts the specified resource name into a standard representation for comparative purposes.

resource

Pointer to a resource name. This could be the resource being requested or the resource defined in the policy.

c_resource

Output of the canonical resource name.

---

Note –

Memory for the canonical name must be allocated by the caller. A function to free the allocated memory must be set in str_free.

---

str_free

Pointer to a function to free a c_resource string after the results have been evaluated by am_policy_evaluate(). This field cannot be set to NULL.

---

Note –

free() should be used if canonicalize is set to the am_policy_resource_canonicalize() function.

---

resource_str

Pointer to the string returned in the canonicalize function.

Policy Functions

The functions defined in <am_policy.h> are:

• am_policy_compare_urls()

• am_policy_destroy()

• am_policy_evaluate()

• am_policy_evaluate_ignore_url_notenforced()

• am_policy_get_url_resource_root()

• am_policy_init()

• am_policy_invalidate_session()

• am_policy_is_notification_enabled()

• am_policy_notify()

• am_policy_resource_canonicalize()

• am_policy_resource_has_patterns()

• am_policy_result_destroy()

• am_policy_service_init()

am_policy_compare_urls()

Compares the URLs of two resources, and returns the appropriate result.

Syntax

#include "am_policy.h"
AM_EXPORT am_resource_match_t
am_policy_compare_urls(const am_resource_traits_t *rsrc_traits,
                       const char *policy_resource_name,
                       const char *resource_name,
                       boolean_t use_patterns);

Parameters

This function takes the following parameter:

rsrc_traits

Pointer to a am_resource_traits_t type containing data regarding a policy.

---

Note –

See am_resource_traits_t for more information.

---

policy_resource_name

Pointer to the name of the resource being protected.

resource_name

Pointer to the name of the resource being requested.

use_patterns

Based on the boolean_t defined in the <am_types.h> header file, B_TRUE indicates that the function will consider occurrences of * in policy_resource_name as wild cards. If B_FALSE, occurrences of * are taken as a literal characters.

---

Note –

In cases of SUB_RESOURCE_MATCH and SUPER_RESOURCE_MATCH when usePatterns is B_TRUE, the patterns are sub or super matching patterns, respectively.

---

Returns

This function returns one of the following values of the am_resource_match_t enumeration as defined:

#include "am_policy.h"
typedef enum am_resource_match {
    AM_SUB_RESOURCE_MATCH,
    AM_EXACT_MATCH,
    AM_SUPER_RESOURCE_MATCH,
    AM_NO_MATCH,
    AM_EXACT_PATTERN_MATCH
} am_resource_match_t;

AM_EXACT_MATCH

If both URLs match exactly as in, for example, if the URL for the resource is http://example.sun.com:90/index.html and the URL in the policy is http://example.sun.com:90/index.html.

AM_EXACT_PATTERN_MATCH

This result is returned if the URL to which the policy applies matches the URL to which access is requested as in, for example, if the URL for the resource is http://example.sun.com:90/index.html and the URL in the policy is http://example.sun.com:90/*. Distinction is not made between an EXACT_MATCH or a pattern match.

AM_NO_MATCH

If the URLs do not match.

AM_SUB_RESOURCE_MATCH

If the requested URL is found to be a sub-resource of the URL defined in the policy.

AM_SUPER_RESOURCE_MATCH

If the requested URL is found to be a parent of the URL defined in the policy.

am_policy_destroy()

Destroys an initialized instance of a policy evaluator object.

Details

An instance is initialized for each policy request.

---

Note –

The caller must ensure that the same instance is not destroyed more than once.

---

Syntax

#include "am_policy.h"
AM_EXPORT am_status_t
am_policy_destroy(am_policy_t policy);

Parameters

This function takes the following parameter:

policy

Integer specifying the object being destroyed.

Returns

This function returns one of the following values of the am_status_t enumeration (defined in the <am_types.h> header file):

AM_SUCCESS

If the call was successful.

AM_*

If any error occurs, the type of error indicated by the status value.

am_policy_evaluate()

Evaluates a policy for a given request and returns a non-boolean result.

---

Note –

am_policy_evaluate() has been deprecated. See am_policy_evaluate_ignore_url_notenforced().

---

Details

am_policy_evaluate() was used to evaluate policy for URLs on the not-enforced list and those not on the not-enforced list. Since there is not a need to evaluate URLs on the not-enforced list, am_policy_evaluate() has been deprecated. Although it can still be used, the SDK invokes am_policy_evaluate_ignore_url_notenforced().

Syntax

#include "am_policy.h"
AM_EXPORT am_status_t
am_policy_evaluate(am_policy_t policy_handle,
                   const char *sso_token,
                   const char *resource_name,
                   const char *action_name,
                   const am_map_t env_parameter_map,
                   am_map_t policy_response_map_ptr,
                   am_policy_result_t *policy_result);

Parameters

This function takes the following parameters:

policy_handle

Integer specifying the object being evaluated.

sso_token

Pointer to the session token (SSOTokenID) of the authenticated user.

---

Note –

The Access Manager Session Service creates a session data structure (also known as an SSOToken) that stores information such as login time, authentication scheme, and authentication level. It also generates a session token (also known as an SSOTokenID, a randomly-generated string that identifies an instance of an SSOToken.

---

resource_name

Pointer to the name of the resource being requested.

action_name

Pointer to the action requested.

---

Note –

An action is the operation to be performed on the resource. Web server actions are POST and GET. An allowable action for a human resources service , for example, can change a home telephone number.

---

env_parameter_map

Map object which contains environment variables (IP address, host name, etc.) used for evaluation by the Policy Service.

---

Note –

See am_map_t for more information.

---

policy_response_map_ptr

Pointer to a map object which contains all the profile, session and response attributes fetched.

---

Note –

This must be enabled in AMAgent.properties. See am_policy_result_t for information on how this is done. See am_map_t for more information on map objects.

---

policy_result

Pointer to the am_policy_result_t type to store the result.

---

Note –

See am_policy_result_t for more information.

---

Returns

This function returns one of the following values of the am_status_t enumeration (defined in the <am_types.h> header file):

AM_SUCCESS

If the call was successful.

AM_*

If any error occurs, the type of error indicated by the status value.

Memory Concerns

After using the results the caller must call am_policy_result_destroy() on policy_result to cleanup the allocated memory. Also, am_map_destroy() must be called on policy_response_map_ptr and env_parameter_map after their respective usage.

am_policy_evaluate_ignore_url_notenforced()

Evaluates a policy for a given request and returns a non-boolean result.

Details

am_policy_evaluate_ignore_url_notenforced() will evaluate a policy for the specified URL only if the URL does not appear on the not-enforced list defined in AMAgent.properties.

---

Note –

See Sun Java System Access Manager Policy Agent 2.2 User’s Guide for more information.

---

Syntax

#include "am_policy.h"
AM_EXPORT am_status_t
am_policy_evaluate_ignore_url_notenforced(am_policy_t policy_handle,
                                          const char *sso_token,
                                          const char *resource_name,
                                          const char *action_name,
                                          const am_map_t env_parameter_map,
                                          am_map_t policy_response_map_ptr,
                                          am_policy_result_t *policy_result,
                                          am_bool_t ignorePolicyResult),
                                          char **am_revision_number;

Parameters

This function takes the following parameters:

policy_handle

Integer specifying the object being evaluated.

sso_token

Pointer to the session token (SSOTokenID) of the authenticated user.

---

Note –

The Access Manager Session Service creates a session data structure (also known as an SSOToken) that stores information such as login time, authentication scheme, and authentication level. It also generates a session token (also known as an SSOTokenID, a randomly-generated string that identifies an instance of an SSOToken.

---

resource_name

Pointer to the name of the resource being requested.

action_name

Pointer to the action requested.

---

Note –

An action is the operation to be performed on the resource. Web server actions are POST and GET. An allowable action for a human resources service , for example, can change a home telephone number.

---

env_parameter_map

Map object which contains environment variables (IP address, host name, etc.) used for evaluation by the Policy Service.

---

Note –

See am_map_t for more information.

---

policy_response_map_ptr

Pointer to a map object which contains all the profile, session and response attributes fetched.

---

Note –

This must be enabled in AMAgent.properties. See am_policy_result_t for information on how this is done. See am_map_t for more information on map objects.

---

policy_result

Pointer to the am_policy_result_t type to store the result.

---

Note –

See am_policy_result_t for more information.

---

ignorePolicyResult

Based on the am_bool_t defined in the <am_types.h> header file, AM_TRUE indicates that policy evaluation will not be done for the URL.

am_revision_number

Takes a value equal to the version of the instance of Access Manager with which the SDK is communicating. When communicating with Access Manager 7.0, the value will be 7.0, otherwise 6.3. It can also be set to NULL.

Returns

This function returns one of the following values of the am_status_t enumeration (defined in the <am_types.h> header file):

AM_SUCCESS

If the call was successful.

AM_*

If any error occurs, the type of error indicated by the status value.

Memory Concerns

After using the results the caller must call am_policy_result_destroy() on policy_result to cleanup the allocated memory. Also, am_map_destroy() must be called on policy_response_map_ptr and env_parameter_map after their respective usage.

am_policy_get_url_resource_root()

Extracts the root of a given URL.

Details

am_policy_get_url_resource_root() populates the resource_root pointer with the extracted information. For example, http://www.sun.com/index.html will return http://www.sun.com/ and http://www.sun.com:8080/index.html will return http://www.sun.com:8080/.

Syntax

#include "am_policy.h"
AM_EXPORT boolean_t 
am_policy_get_url_resource_root(const char *resource_name,
                                      char *resource_root,
                                size_t length);

Parameters

This function takes the following parameters:

resource_name

Pointer to the protected resource URL.

resource_root

Pointer to the location where the resource root will be written.

length

Value based on the size_t defined in the standard <stddef.h> header file that reflects the size of the resource_root buffer.

---

Note –

When using resources other than URLs, the developer implementing this function must make accurate judgement about the minimum size of resource_root.

---

Returns

This function returns one of the following values of the boolean_t enumeration (defined in the <am_types.h> header file):

B_TRUE

If the root was successfully extracted.

B_FALSE

If not.

am_policy_init()

Initializes the Access Manager Policy Service.

Syntax

#include "am_policy.h"
AM_EXPORT am_status_t
am_policy_init(am_properties_t policy_config_properties);

Parameters

This function takes the following parameter:

policy_config_properties

Pointer to the properties used to initialize the Policy Service.

---

Note –

See am_properties_t for more information.

---

Returns

This function returns one of the following values of the am_status_t enumeration (defined in the <am_types.h> header file):

AM_SUCCESS

If the call was successful.

AM_*

If any error occurs, the type of error indicated by the status value.

Memory Concerns

The caller must call am_policy_destroy() to free the memory.

am_policy_invalidate_session()

Cancels the specified session.

Syntax

#include "am_policy.h"
AM_EXPORT am_status_t
am_policy_invalidate_session(am_policy_t policy_handle,
                             const char *ssoTokenId);

Parameters

This function takes the following parameters:

policy_handle

Integer specifying the object being evaluated.

ssoTokenId

Pointer to the session token of the authentication user.

---

Note –

The session token is a randomly-generated string that represents an authenticated user.

---

Returns

This function returns one of the following values of the am_status_t enumeration (defined in the <am_types.h> header file):

AM_SUCCESS

If the call was successful.

AM_*

If any error occurs, the type of error indicated by the status value.

am_policy_is_notification_enabled()

Checks whether the notification functionality is enabled.

Syntax

#include "am_policy.h"
AM_EXPORT boolean_t
am_policy_is_notification_enabled(am_policy_t policy_handle);

Parameters

This function takes the following parameter:

policy_handle

Integer specifying the object being evaluated.

Returns

This function returns the standard boolean_t with one of the following values:

0

If notification is disabled.

non-zero

If notification is enabled.

am_policy_notify()

Refreshes the policy cache when a policy notification is received by the client.

Syntax

#include "am_policy.h"
AM_EXPORT am_status_t 
am_policy_notify(am_policy_t policy_handle,
                 const char *notification_data,
                 size_t notification_data_len);

Parameters

This function takes the following parameters:

policy_handle

Integer specifying the object being evaluated.

notification_data

Pointer to the notification message as an XML string.

notification_data_len

Value based on the size_t defined in the standard <stddef.h> header file that reflects the size of the notification_data string.

Returns

This function returns one of the following values of the am_status_t enumeration (defined in the <am_types.h> header file):

AM_SUCCESS

If the call was successful.

AM_*

If any error occurs, the type of error indicated by the status value.

am_policy_resource_canonicalize()

Converts the specified resource name into a standard representation for comparison purposes.

Syntax

#include "am_policy.h"
AM_EXPORT void
am_policy_resource_canonicalize(const char *resource, 
                                      char **c_resource);

Parameters

This function takes the following parameters:

resource

Pointer to the name of the resource to be converted.

c_resource

Pointer to a pointer to the location where the converted string will be placed.

Returns

This function does not return a value.

am_policy_resource_has_patterns()

Checks whether the specified resource name has patterns (such as the wildcard *).

Syntax

#include "am_policy.h"
AM_EXPORT boolean_t 
am_policy_resource_has_patterns(const char *resource_name);

Parameters

This function takes the following parameter:

resource_name

Pointer to the resource being evaluated.

Returns

This function returns one of the following values of the boolean_t enumeration (defined in the <am_types.h> header file):

B-TRUE

If the resource has patterns.

B_FALSE

Otherwise.

am_policy_result_destroy()

Destroys the specified am_policy_result_t structure type.

---

Note –

See am_policy_result_t for more information.

---

Syntax

#include "am_policy.h"
AM_EXPORT void
am_policy_result_destroy(am_policy_result_t *result);

Parameters

This function takes the following parameter:

result

Pointer to the am_policy_result_t structure type being destroyed.

Returns

This function does not return a value.

am_policy_service_init()

Initializes one instance of Access Manager Policy Service for policy evaluation.

Syntax

#include "am_policy.h"
AM_EXPORT am_status_t
am_policy_service_init(const char *service_name,
                       const char *instance_name,
                       am_resource_traits_t rsrc_traits,
                       am_properties_t service_config_properties,
                       am_policy_t *policy_handle_ptr);

Parameters

This function takes the following parameters:

service_name

Pointer to the name for the Policy Service.

instance_name

Pointer to the name of the instance being initialized.

rsrc_traits

Pointer to a am_resource_traits_t structure type.

---

Note –

See am_resource_traits_t for more information.

---

service_config_properties

Pointer to the properties used to initialize the Policy Service instance.

---

Note –

See am_properties_t for more information.

---

policy_handle_ptr

Pointer to the integer specifying the object being evaluated.

Returns

This function returns one of the following values of the am_status_t enumeration (defined in the <am_types.h> header file):

AM_SUCCESS

If the call was successful.

AM_*

If any error occurs, the type of error indicated by the status value.