Sun™ Java System Access Manager contains public data types and functions you can use to communicate with the Policy Service. Reference summaries include a short description, syntax, parameters and returns. The code is contained in the <am_policy.h> header file (located in the /AccessManager-base/SUNWam/include directory). The sample source am_policy_test.c (located in the /AccessManager-base/SUNWam/samples/csdk directory) demonstrates the basic usage of the policy API. This chapter contains the following sections:
Access Manager provides policy APIs for use by developers to integrate a resource authorization functionality within their external C applications. The policy API for C determines if a user has been given permission by a recognized authority to access a particular protected resource. The result of the policy evaluation is called an action value and may be boolean or binary.
A binary action value might be, for example, a mailbox quota. Assuming John Smith can only hold 100 MB of email in his mailbox, the value 100 would be the action value.
As policy evaluation results in string values only, the policy evaluation returned is 100 numeric and not 100 MB. It is up to the application developer to define the appropriate metric for the values.
The Policy API for C mandates that any resource be represented in a string format. Thus, resources on a web server must be represented as URLs. The Policy Service is then able to compare the resource string to the policy string and determine a relative relationship between the two. This relationship will be defined as one of the following:
exact match
no match
subordinate match
superior match
exact pattern match
Exact pattern match is a special case where resources may be represented collectively as patterns. The information is abstracted from the Policy Service and the comparison operation must take a boolean parameter to trigger a pattern matched comparison. During the caching of policy information, the policy engine does not care about patterns, whereas during policy evaluation, the comparisons are pattern sensitive.
The set of characteristics needed to define a resource is called a resource trait. Resource traits are taken as a parameter during service initialization in the am_resource_traits_t. Using the resource traits, the Policy Service constructs a resource graph for policy evaluation in which the relation between all resources in the system spans out like a tree from the root of the given resource. Thus, the service developer must provide the means to extract the root of the given resource. In a URL, the protocol://Access Manager-host.domain:port portion represents the root.
The two typedef structures that are used for information exchange to and from the policy evaluation interfaces are:
am_map_t provides a key to multiple key/value mapping. If the evaluation requires certain environment parameters like the IP address of the requester, it may be passed using this structure. See am_map_t for more information.
am_properties_t provides a key to single value mapping. am_properties_t provides the additional functionality of loading a configuration file and getting values of specific data types. See am_properties_t for more information.
The types defined in <am_policy.h> are:
Carries the evaluation results from the Policy Service.
am_policy_result_t unifies various components of a policy evaluation including information regarding the user attempting to perform an action on the resource, advice messages as recommended during policy evaluation, if any, and attribute response maps providing specific key/values as set in policy definition or user entries.
#include "am_policy.h" typedef struct am_policy_result { const char *remote_user; const char *remote_user_passwd; const char *remote_IP; am_map_t advice_map; am_map_t attr_profile_map; am_map_t attr_session_map; am_map_t attr_response_map; const char *advice_string; } am_policy_result_t;
Pointer to the user attempting access.
Pointer to the password for the remote user.
Pointer to the IP address of the resource the user is attempting to access.
Takes a value based on the am_map_t defined in the <am_map.h> header file that represents any advice messages that might have resulted from the policy evaluation.
For information on advices, see Policy Advices in Sun Java System Access Manager 7.1 Administration Guide.
Takes a value based on the am_map_t (defined in the <am_map.h> header file) that represents one or more user profile attributes and a corresponding value. This member is enabled when the following two properties in AMAgent.properties are configured:
com.sun.am.policy.agents.config.profile.attribute.fetch.mode takes a value of HTTP_HEADER or HTTP_COOKIE.
com.sun.am.policy.agents.config.profile.attribute.map takes a list of LDAP attributes and their mapped values in the format attribute_name|value.
Takes a value based on the am_map_t (defined in the <am_map.h> header file) that represents one or more session attributes and a corresponding value. This member is enabled when the following two properties in AMAgent.properties are configured:
com.sun.am.policy.agents.config.session.attribute.fetch.mode takes a value of HTTP_HEADER or HTTP_COOKIE.
com.sun.am.policy.agents.config.session.attribute.map takes a list of session attributes and their mapped values in the format attribute_name|value.
Takes a value based on the am_map_t (defined in the <am_map.h> header file) that represents one or more response attributes and a corresponding value. This member is enabled when the following two properties in AMAgent.properties are configured:
com.sun.am.policy.agents.config.response.attribute.fetch.mode takes a value of HTTP_HEADER or HTTP_COOKIE.
com.sun.am.policy.agents.config.response.attribute.map takes a list of response names and their mapped values in the format attribute_name|value.
Pointer to a string that defines a value for further authentication if dictated by the policy condition.If no condition is specified, the advice string will have an empty value.
Memory for am_policy_result_t is allocated by am_policy_evaluate() and freed by am_policy_result_destroy().
Declares an unsigned integer as a type for a policy object.
#include "am_policy.h" typedef unsigned int am_policy_t;
am_policy_t has no members.
Contains the functions to return resource traits that will be used to compare with a user's defined policy and evaluate the access request.
#include "am_policy.h" typedef struct am_resource_traits { am_resource_match_t (*cmp_func_ptr)(const struct am_resource_traits *rsrc_traits, const char *policy_res_name, const char *resource_name, boolean_t use_patterns); boolean_t (*has_patterns)(const char *resource_name); boolean_t (*get_resource_root)(const char *resource_name, char *root_resource_name, size_t buflength); boolean_t ignore_case; char separator; void (*canonicalize)(const char *resource, char **c_resource); void (*str_free)(void *resource_str); } am_resource_traits_t;
Pointer to a function that compares policy_res_name and resource_name to return one of the following values of the am_resource_match_t enumeration (defined in the <am_policy.h> header file):
typedef enum am_resource_match { AM_SUB_RESOURCE_MATCH, AM_EXACT_MATCH, AM_SUPER_RESOURCE_MATCH, AM_NO_MATCH, AM_EXACT_PATTERN_MATCH } am_resource_match_t;
cmp_func_ptr can point to am_policy_compare_urls() to evaluate URL resources.
Pointer to the resource traits structure containing data regarding a policy.
Pointer to the name of the resource being protected.
Pointer to the name of the resource being requested.
Based on the boolean_t defined in the <am_types.h> header file, B_TRUE indicates that the function will use or recognize patterns when comparing resources.
Pointer to a function that determines whether a resource has patterns and returns one of the following values of the boolean_t enumeration defined in the <am_types.h> header file:
If resource_name has patterns.
Otherwise.
has_patterns can point to am_policy_resource_has_patterns() for URL resources.
Pointer to the name of the resource being requested.
Pointer to a function that extracts the root of the specified resource and returns one of the following values of the boolean_t enumeration defined in the <am_types.h> header file:
If the resource root was successfully inserted into the specified root_resource_name buffer.
Otherwise.
get_resource_root can point to am_policy_get_url_resource_root() for URL resources.
Pointer to the name of the resource being requested.
Buffer to hold the resource root.
Value based on the size_t defined in the standard <stddef.h> header file that reflects the length of the root_resource_name buffer.
Value that takes one of the following values of the boolean_t enumeration defined in the <am_types.h> header file:
Ignore case for all functions in this structure.
Otherwise.
Defines the resource separator. For URLs / should be used.
Pointer to a function that converts the specified resource name into a standard representation for comparative purposes.
Pointer to a resource name. This could be the resource being requested or the resource defined in the policy.
Output of the canonical resource name.
Memory for the canonical name must be allocated by the caller. A function to free the allocated memory must be set in str_free.
Pointer to a function to free a c_resource string after the results have been evaluated by am_policy_evaluate(). This field cannot be set to NULL.
free() should be used if canonicalize is set to the am_policy_resource_canonicalize() function.
Pointer to the string returned in the canonicalize function.
The functions defined in <am_policy.h> are:
Compares the URLs of two resources, and returns the appropriate result.
#include "am_policy.h" AM_EXPORT am_resource_match_t am_policy_compare_urls(const am_resource_traits_t *rsrc_traits, const char *policy_resource_name, const char *resource_name, boolean_t use_patterns);
This function takes the following parameter:
Pointer to a am_resource_traits_t type containing data regarding a policy.
See am_resource_traits_t for more information.
Pointer to the name of the resource being protected.
Pointer to the name of the resource being requested.
Based on the boolean_t defined in the <am_types.h> header file, B_TRUE indicates that the function will consider occurrences of * in policy_resource_name as wild cards. If B_FALSE, occurrences of * are taken as a literal characters.
In cases of SUB_RESOURCE_MATCH and SUPER_RESOURCE_MATCH when usePatterns is B_TRUE, the patterns are sub or super matching patterns, respectively.
This function returns one of the following values of the am_resource_match_t enumeration as defined:
#include "am_policy.h" typedef enum am_resource_match { AM_SUB_RESOURCE_MATCH, AM_EXACT_MATCH, AM_SUPER_RESOURCE_MATCH, AM_NO_MATCH, AM_EXACT_PATTERN_MATCH } am_resource_match_t;
If both URLs match exactly as in, for example, if the URL for the resource is http://example.sun.com:90/index.html and the URL in the policy is http://example.sun.com:90/index.html.
This result is returned if the URL to which the policy applies matches the URL to which access is requested as in, for example, if the URL for the resource is http://example.sun.com:90/index.html and the URL in the policy is http://example.sun.com:90/*. Distinction is not made between an EXACT_MATCH or a pattern match.
If the URLs do not match.
If the requested URL is found to be a sub-resource of the URL defined in the policy.
If the requested URL is found to be a parent of the URL defined in the policy.
Destroys an initialized instance of a policy evaluator object.
An instance is initialized for each policy request.
The caller must ensure that the same instance is not destroyed more than once.
#include "am_policy.h" AM_EXPORT am_status_t am_policy_destroy(am_policy_t policy);
This function takes the following parameter:
Integer specifying the object being destroyed.
This function returns one of the following values of the am_status_t enumeration (defined in the <am_types.h> header file):
If the call was successful.
If any error occurs, the type of error indicated by the status value.
Evaluates a policy for a given request and returns a non-boolean result.
am_policy_evaluate() has been deprecated. See am_policy_evaluate_ignore_url_notenforced().
am_policy_evaluate() was used to evaluate policy for URLs on the not-enforced list and those not on the not-enforced list. Since there is not a need to evaluate URLs on the not-enforced list, am_policy_evaluate() has been deprecated. Although it can still be used, the SDK invokes am_policy_evaluate_ignore_url_notenforced().
#include "am_policy.h" AM_EXPORT am_status_t am_policy_evaluate(am_policy_t policy_handle, const char *sso_token, const char *resource_name, const char *action_name, const am_map_t env_parameter_map, am_map_t policy_response_map_ptr, am_policy_result_t *policy_result);
This function takes the following parameters:
Integer specifying the object being evaluated.
Pointer to the session token (SSOTokenID) of the authenticated user.
The Access Manager Session Service creates a session data structure (also known as an SSOToken) that stores information such as login time, authentication scheme, and authentication level. It also generates a session token (also known as an SSOTokenID, a randomly-generated string that identifies an instance of an SSOToken.
Pointer to the name of the resource being requested.
Pointer to the action requested.
An action is the operation to be performed on the resource. Web server actions are POST and GET. An allowable action for a human resources service , for example, can change a home telephone number.
Map object which contains environment variables (IP address, host name, etc.) used for evaluation by the Policy Service.
See am_map_t for more information.
Pointer to a map object which contains all the profile, session and response attributes fetched.
This must be enabled in AMAgent.properties. See am_policy_result_t for information on how this is done. See am_map_t for more information on map objects.
Pointer to the am_policy_result_t type to store the result.
See am_policy_result_t for more information.
This function returns one of the following values of the am_status_t enumeration (defined in the <am_types.h> header file):
If the call was successful.
If any error occurs, the type of error indicated by the status value.
After using the results the caller must call am_policy_result_destroy() on policy_result to cleanup the allocated memory. Also, am_map_destroy() must be called on policy_response_map_ptr and env_parameter_map after their respective usage.
Evaluates a policy for a given request and returns a non-boolean result.
am_policy_evaluate_ignore_url_notenforced() will evaluate a policy for the specified URL only if the URL does not appear on the not-enforced list defined in AMAgent.properties.
See Sun Java System Access Manager Policy Agent 2.2 User’s Guide for more information.
#include "am_policy.h" AM_EXPORT am_status_t am_policy_evaluate_ignore_url_notenforced(am_policy_t policy_handle, const char *sso_token, const char *resource_name, const char *action_name, const am_map_t env_parameter_map, am_map_t policy_response_map_ptr, am_policy_result_t *policy_result, am_bool_t ignorePolicyResult), char **am_revision_number;
This function takes the following parameters:
Integer specifying the object being evaluated.
Pointer to the session token (SSOTokenID) of the authenticated user.
The Access Manager Session Service creates a session data structure (also known as an SSOToken) that stores information such as login time, authentication scheme, and authentication level. It also generates a session token (also known as an SSOTokenID, a randomly-generated string that identifies an instance of an SSOToken.
Pointer to the name of the resource being requested.
Pointer to the action requested.
An action is the operation to be performed on the resource. Web server actions are POST and GET. An allowable action for a human resources service , for example, can change a home telephone number.
Map object which contains environment variables (IP address, host name, etc.) used for evaluation by the Policy Service.
See am_map_t for more information.
Pointer to a map object which contains all the profile, session and response attributes fetched.
This must be enabled in AMAgent.properties. See am_policy_result_t for information on how this is done. See am_map_t for more information on map objects.
Pointer to the am_policy_result_t type to store the result.
See am_policy_result_t for more information.
Based on the am_bool_t defined in the <am_types.h> header file, AM_TRUE indicates that policy evaluation will not be done for the URL.
Takes a value equal to the version of the instance of Access Manager with which the SDK is communicating. When communicating with Access Manager 7.0, the value will be 7.0, otherwise 6.3. It can also be set to NULL.
This function returns one of the following values of the am_status_t enumeration (defined in the <am_types.h> header file):
If the call was successful.
If any error occurs, the type of error indicated by the status value.
After using the results the caller must call am_policy_result_destroy() on policy_result to cleanup the allocated memory. Also, am_map_destroy() must be called on policy_response_map_ptr and env_parameter_map after their respective usage.
Extracts the root of a given URL.
am_policy_get_url_resource_root() populates the resource_root pointer with the extracted information. For example, http://www.sun.com/index.html will return http://www.sun.com/ and http://www.sun.com:8080/index.html will return http://www.sun.com:8080/.
#include "am_policy.h" AM_EXPORT boolean_t am_policy_get_url_resource_root(const char *resource_name, char *resource_root, size_t length);
This function takes the following parameters:
Pointer to the protected resource URL.
Pointer to the location where the resource root will be written.
Value based on the size_t defined in the standard <stddef.h> header file that reflects the size of the resource_root buffer.
When using resources other than URLs, the developer implementing this function must make accurate judgement about the minimum size of resource_root.
This function returns one of the following values of the boolean_t enumeration (defined in the <am_types.h> header file):
If the root was successfully extracted.
If not.
Initializes the Access Manager Policy Service.
#include "am_policy.h" AM_EXPORT am_status_t am_policy_init(am_properties_t policy_config_properties);
This function takes the following parameter:
Pointer to the properties used to initialize the Policy Service.
See am_properties_t for more information.
This function returns one of the following values of the am_status_t enumeration (defined in the <am_types.h> header file):
If the call was successful.
If any error occurs, the type of error indicated by the status value.
The caller must call am_policy_destroy() to free the memory.
Cancels the specified session.
#include "am_policy.h" AM_EXPORT am_status_t am_policy_invalidate_session(am_policy_t policy_handle, const char *ssoTokenId);
This function takes the following parameters:
Integer specifying the object being evaluated.
Pointer to the session token of the authentication user.
The session token is a randomly-generated string that represents an authenticated user.
This function returns one of the following values of the am_status_t enumeration (defined in the <am_types.h> header file):
If the call was successful.
If any error occurs, the type of error indicated by the status value.
Checks whether the notification functionality is enabled.
#include "am_policy.h" AM_EXPORT boolean_t am_policy_is_notification_enabled(am_policy_t policy_handle);
This function takes the following parameter:
Integer specifying the object being evaluated.
This function returns the standard boolean_t with one of the following values:
If notification is disabled.
If notification is enabled.
Refreshes the policy cache when a policy notification is received by the client.
#include "am_policy.h" AM_EXPORT am_status_t am_policy_notify(am_policy_t policy_handle, const char *notification_data, size_t notification_data_len);
This function takes the following parameters:
Integer specifying the object being evaluated.
Pointer to the notification message as an XML string.
Value based on the size_t defined in the standard <stddef.h> header file that reflects the size of the notification_data string.
This function returns one of the following values of the am_status_t enumeration (defined in the <am_types.h> header file):
If the call was successful.
If any error occurs, the type of error indicated by the status value.
Converts the specified resource name into a standard representation for comparison purposes.
#include "am_policy.h" AM_EXPORT void am_policy_resource_canonicalize(const char *resource, char **c_resource);
This function takes the following parameters:
Pointer to the name of the resource to be converted.
Pointer to a pointer to the location where the converted string will be placed.
This function does not return a value.
Checks whether the specified resource name has patterns (such as the wildcard *).
#include "am_policy.h" AM_EXPORT boolean_t am_policy_resource_has_patterns(const char *resource_name);
This function takes the following parameter:
Pointer to the resource being evaluated.
This function returns one of the following values of the boolean_t enumeration (defined in the <am_types.h> header file):
If the resource has patterns.
Otherwise.
Destroys the specified am_policy_result_t structure type.
See am_policy_result_t for more information.
#include "am_policy.h" AM_EXPORT void am_policy_result_destroy(am_policy_result_t *result);
This function takes the following parameter:
Pointer to the am_policy_result_t structure type being destroyed.
This function does not return a value.
Initializes one instance of Access Manager Policy Service for policy evaluation.
#include "am_policy.h" AM_EXPORT am_status_t am_policy_service_init(const char *service_name, const char *instance_name, am_resource_traits_t rsrc_traits, am_properties_t service_config_properties, am_policy_t *policy_handle_ptr);
This function takes the following parameters:
Pointer to the name for the Policy Service.
Pointer to the name of the instance being initialized.
Pointer to a am_resource_traits_t structure type.
See am_resource_traits_t for more information.
Pointer to the properties used to initialize the Policy Service instance.
See am_properties_t for more information.
Pointer to the integer specifying the object being evaluated.
This function returns one of the following values of the am_status_t enumeration (defined in the <am_types.h> header file):
If the call was successful.
If any error occurs, the type of error indicated by the status value.