Policy Evaluation Classes
Policy evaluation classes compute policy decisions which allow or deny access to a protected resource. Policy evaluation classes are contained com.sun.identity.policy package and include the following:
PolicyEvaluator Class
com.sun.identity.policy.PolicyEvaluator can be integrated into Java applications to evaluate policy privileges and provide policy decisions. This class provides support for both boolean and non-boolean type policies. Create a PolicyEvaluator by calling the constructor with a service name. Public methods of this class include the following:
- isAllowed
-
Evaluates the policy associated with the given resource and returns a boolean value indicating whether the policy evaluation resulted in an allow or deny.
- getPolicyDecision
-
Evaluates policies and returns decisions. Returns a decision that gives a user permission to perform specified actions on a specified resource.
- getResourceResult
-
Obtains the policy and decisions for a hierarchy of resources. Possible values for the scope of this method are self, subtree, and strict-subtree. Use the self value to get the policy decision for the specified resource only. Use the subtree value to include the policy decisions for all resources defined in the policies which are sub-resources of the specified resource.
For example, the PolicyEvaluator class can be used to display the links for a list of resources to which an authenticated user has access. The getResourceResult method is used to get the list of resources. The resourceName parameter would be http://host.domain:port which returns all the resources to which the user has access on that server. These resources are returned as a PolicyDecision based on the user’s defined policies. If the user is allowed to access resources on different servers, this method needs to be called for each server.
Note –
Not all resources that have policy decisions are accessible to the user. Access depends on ActionDecision(s) contained in policy decisions.
ProxyPolicyEvaluator Class
com.sun.identity.policy.ProxyPolicyEvaluator allows a privileged user (top-level administrator, organization administrator, policy administrator, or organization policy administrator) to get policy privileges and evaluate policy decisions for any user in their respective scope of administration. com.sun.identity.policy.ProxyPolicyEvaluatorFactory is the singleton class used to get ProxyPolicyEvaluator instances.
Example 3–1 Public Methods For ProxyPolicyEvaluator
/**
* Evaluates a simple privilege of boolean type. The privilege
* indicates if the user identified by the principalName
* can perform specified action on the specified resource.
*
* @param principalName principal name for whom to
* compute the privilege.
* @param resourceName name of the resource
* for which to compute policy result.
* @param actionName name of the action the user is trying to
* perform on the resource
* @param env run time environment parameters
*
* @return the result of the evaluation as a boolean value
*
* @throws PolicyException exception form policy framework
* @throws SSOException if sso token is invalid
*
*/
public boolean isAllowed(String principalName, String resourceName,
String actionName, Map env) throws PolicyException, SSOException;
/**
* Gets policy decision for the user identified by the
* principalName for the given resource
*
* @param principalName principal name for whom to compute the
* policy decision
* @param resourceName name of the resource for which to
* compute policy decision
* @param env run time environment parameters
*
* @return the policy decision for the principal for the given
* resource
* @throws PolicyException exception form policy framework
* @throws SSOException if sso token is invalid
*
*/
public PolicyDecision getPolicyDecision(String principalName,
String resourceName, Map env)
throws PolicyException, SSOException;
/**
* Gets protected resources for a user identified by the
* principalName. Conditions defined in the policies
* are ignored while computing protected resources.
* Only resources that are subresources of the given
* rootResource or equal to the given rootResource would
* be returned.
* If all policies applicable to a resource are
* only referral policies, no ProtectedResource would be
* returned for such a resource.
* @param principalName principal name for whom
* to compute the privilege.
* @param rootResource only resources that are subresources
* of the given rootResource or equal to the given
* rootResource would be returned. If
* <code>PolicyEvaluator.ALL_RESOURCES</code>
* is passed as rootResource, resources under
* all root resources of the service
* type are considered while computing protected
* resources.
*
* @return set of protected resources. The set contains
* ProtectedResource objects.
*
* @throws PolicyException exception form policy framework
* @throws SSOException if sso token is invalid
* @see ProtectedResource
*
*/
public Set getProtectedResourcesIgnoreConditions(String principalName,
String rootResource) throws PolicyException, SSOException
|
Client PolicyEvaluator Class
com.sun.identity.policy.client.PolicyEvaluator evaluates policies and provides policy decisions for remote applications. This does not require direct access to a policy stores such as Directory Server (for example, if there is a firewall). com.sun.identity.policy.client.PolicyEvaluator get policy decision from Access Manager using XML over HTTP(s). It stores a cache of policy decisions for faster responses and maintains the cache in sync with the Policy Service on the instance of Access Manager using the notification and polling mechanism.
PolicyEvent Class
com.sun.identity.policy.PolicyEvent represents a policy event that could potentially change the current access status. For example, a policy event is created and passed to the registered policy listeners whenever there is a change in a policy rule. This class works with the PolicyListener class in the com.sun.identity.policy.interface package.
- © 2010, Oracle Corporation and/or its affiliates