Sun Java System Access Manager 7 2005Q4 Administration Guide

Conditions

A condition allows you to define constraints on the policy. For example, if you are defining policy for a paycheck application, you can define a condition on this action limiting access to the application only during specific hours. Or, you may wish to define a condition that only grants this action if the request originates from a given set of IP addresses or from a company intranet.

The condition might additionally be used to configure different policies on different URIs in the same domain. For example, http://org.example.com/hr/*.jsp can only be accessed by org.example.net from 9 a.m. to 5 p.m., while http://org.example.com/finance/*.jsp can be accessed by org.example2.net from 5 a.m. to 11 p.m. This can be achieved by using an IP Condition along with a Time Condition. By specifying the rule resource as http://org.example.com/hr/*.jsp, the policy applies to all the JSPs under http://org.example.com/hr, including those in the subdirectories.


Note –

The terms referral, rule, resource, subject, condition, action and value correspond to the elements Referral, Rule, ResourceName, Subject, Condition, Attribute and Value in the policy.dtd.


The default conditions you can add are:

Authentication Level

The policy applies if the user’s authentication level is greater than or equal to the Authentication level set in the condition.

This attribute indicates the level of trust for authentication.

The authentication level condition can be used to specify levels other than those of the registered authentication modules for that realm. This is useful when a policy applies to users authenticated from another realm.

For LE Authentication, the policy applies if the user’s authentication level is less than or equal to the Authentication level set in the condition. As with the standard condition, levels other than those of the realm’s registered authentication modules can be specified, which is useful when a policy applies to users authenticated from another realm.

Authentication Scheme

Choose the authentication scheme(s) for the condition from the pull-down menu. These authentication schemes are the authentication modules defined in the Core authentication service at the realm.

IP Address

Sets the condition based on a range of IP Addresses. The fields you can define are:

  • IP Address From/To — Specifies the range of the IP address.

  • DNS Name — Specifies the DNS name. This field can be a fully qualified hostname or a string in one of the following formats:

    domainname

    *.domainname

Session

Sets the condition based on user session data. The fields you can modify are:

  • Max Session Time — Specifies the maximum duration, measured from when the session was initiated, for which the policy is applicable.

  • Terminate Session — If selected, the user session will be terminated if the session time exceeds the maximum allowed as defined in the Max Session Time field.

    You can use this condition to protect sensitive resources so that the resources are available only for a limited time after authentication.

Session Property

Decides whether a policy is applicable to the request based on values of properties set in the user's Access Manager session. During policy evaluation, the condition returns true only if the user's session has every property value defined in the condition. For properties defined with multiple values in the condition, it is sufficient if the token has at least one value listed for the property in the condition. For example, you can use this condition to apply policies based on attributes in external repositories. A post-authentication plug-in can set up the session properties based on the external attributes.

Time

Sets the condition based on time constraints. The fields are:

  • Date From/To — Specifies the range of the date.

  • Time — Specifies the range of time within a day.

  • Day — Specifies a range of days.

  • Timezone — Specifies a timezone, either standard or custom. A custom timezone must be a timezone ID recognized by Java (for example, PST). If no value is specified, the default value is the Timezone set in the Access Manager JVM.
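The following is an added example, not part of the Access Manager product or this guide, that models how the hr/finance policies described above combine a resource pattern, an IP Condition (DNS Name field), a Time Condition and a Session Property condition. The `*.org.example.net` DNS patterns, the `department` session property, and the treatment of session property values as lists of strings are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from datetime import time
from fnmatch import fnmatchcase


def dns_matches(pattern: str, hostname: str) -> bool:
    """IP Condition, DNS Name field: an exact hostname or '*.domainname'.
    Assumption: '*.example.net' covers every host below example.net."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return hostname.endswith(pattern[1:])
    return hostname == pattern


def time_in_range(start: time, end: time, now: time) -> bool:
    """Time Condition, Time field: a range within one day (start inclusive, end exclusive)."""
    return start <= now < end


def session_props_match(required: dict, session: dict) -> bool:
    """Session Property condition: every property named in the condition must be
    present in the session, and for multi-valued properties one shared value is enough."""
    return all(prop in session and bool(set(values) & set(session[prop]))
               for prop, values in required.items())


@dataclass
class Policy:
    resource: str                  # rule resource pattern, e.g. http://.../hr/*.jsp
    dns: str                       # IP Condition, DNS Name field
    hours: tuple                   # Time Condition (from, to)
    session_props: dict = field(default_factory=dict)   # Session Property condition


def is_allowed(policies, url: str, client_host: str, now: time, session: dict) -> bool:
    """A policy grants access only when its resource matches and every condition holds."""
    for p in policies:
        # '*' in the resource also spans '/', so JSPs in subdirectories match as the text states.
        if not fnmatchcase(url, p.resource):
            continue
        if (dns_matches(p.dns, client_host)
                and time_in_range(p.hours[0], p.hours[1], now)
                and session_props_match(p.session_props, session)):
            return True
    return False


# Constructed policies mirroring the hr/finance example in the text (hypothetical values).
POLICIES = [
    Policy("http://org.example.com/hr/*.jsp", "*.org.example.net", (time(9), time(17))),
    Policy("http://org.example.com/finance/*.jsp", "*.org.example2.net", (time(5), time(23)),
           session_props={"department": ["finance", "audit"]}),
]
```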