Sun Java System Access Manager 7 2005Q4 Developer's Guide

Log Authorization Plug-In

The Logging Service enables you to plug in a class that will determine whether a LogRecord is logged or discarded. The determination is based on the authorization of the owner of the session token performing the event.

Note – The IAuthorizer interface accepts an SSOToken and the log record being written.

There are several ways to accomplish this. The following procedure is one example.

Procedure: To Implement a Log Authorization Plug-In

  1. Get the applicable role or DN of the user from the SSOToken and check it against a pre-configured (or hardcoded) list of roles or users that are allowed access.

    The administrator must configure a role and assign to it all policy agents and entities (such as applications) that could possibly log into Access Manager.

  2. Instantiate a PolicyEvaluator and call PolicyEvaluator.isAllowed(ssotoken, logname).

Procedure: To Instantiate a PolicyEvaluator

This entails defining a policy XML to model log access and registering it with Access Manager.

  1. Implement the com.sun.identity.log.spi.IAuthorizer interface with the desired functionality.

  2. Add the implementing class in the classpath of Access Manager.

  3. Modify the property iplanet-am-logging-authz-class in the /etc/opt/SUNWam/config/xml/amLogging.xml file with the name of the new class.
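The DN-list variant of step 1 of the first procedure, as an added example that is not from the Access Manager documentation or code base: a hypothetical DnListLogAuthorizer implementing com.sun.identity.log.spi.IAuthorizer, ready to be named in iplanet-am-logging-authz-class once it is on the classpath. The two method signatures are assumed from the interface description and should be checked against the IAuthorizer javadoc of your release; the DNs are constructed sample values. The class fails closed: a credential that is not a valid SSOToken, or any error while reading its principal, denies the write.

```java
import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.iplanet.sso.SSOTokenManager;
import com.sun.identity.log.LogRecord;
import com.sun.identity.log.spi.IAuthorizer;
import java.util.HashSet;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;

/** Permits log writes only from a hard-coded list of principal DNs; everything else is denied. */
public class DnListLogAuthorizer implements IAuthorizer {
    // Constructed sample allow-list (hypothetical DNs); in practice read it from configuration.
    private static final Set<LdapName> ALLOWED = new HashSet<LdapName>();
    static {
        try {
            ALLOWED.add(new LdapName("uid=amAdmin,ou=People,dc=example,dc=com"));
            ALLOWED.add(new LdapName("uid=webagent01,ou=Agents,dc=example,dc=com"));
        } catch (InvalidNameException e) {
            throw new IllegalStateException("bad DN in allow-list", e);
        }
    }
    // Assumed signature: the SSOToken as credential plus the record being written.
    public boolean isAuthorized(Object credential, LogRecord record) {
        return isAuthorized(record.getLoggerName(), "WRITE", credential);
    }

    // Assumed signature: log name, operation, credential. Same decision either way.
    public boolean isAuthorized(String logName, String operation, Object credential) {
        if (!(credential instanceof SSOToken)) {
            return false;                       // unknown credential type: fail closed
        }
        SSOToken token = (SSOToken) credential;
        try {
            if (!SSOTokenManager.getInstance().isValidToken(token)) {
                return false;                   // expired or destroyed session
            }
            return isDnAllowed(token.getPrincipal().getName());
        } catch (SSOException e) {
            return false;                       // any error while checking: deny
        }
    }
    /** Normalised DN comparison, so case or spacing differences cannot slip past the list. */
    static boolean isDnAllowed(String dn) {
        try {
            return ALLOWED.contains(new LdapName(dn));
        } catch (InvalidNameException e) {
            return false;                       // unparsable principal name: deny
        }
    }
}
```

Comparing LdapName objects rather than raw strings matters because the same DN can be rendered with different attribute-type case or spacing, and a plain equals() on the string would then wrongly deny a legitimate writer or, with a sloppier check, admit an unintended one.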