Sun Java System Access Manager 7 2005Q4 Developer's Guide

Programmatically Constructing Policies

Access Manager provides Policy Management APIs that enable you to programmatically create, add, update and remove policies. The sample program PolicyCreator.java demonstrates how to programmatically construct policies and add them to the policy store. The program creates one normal policy named policy1 and one referral policy named refpolicy1 and adds both policies to the policy store. The normal policy has one subject of each subject type and one condition of each condition type that comes with Access Manager at installation.


Example 6–4 Sample Program PolicyCreator.java

/**
 * $Id: PolicyCreator.java,v 1.5 2005/06/24 16:53:50 vs125812 Exp $
 * Copyright © 2005 Sun Microsystems, Inc.  All rights reserved.
 *
 */

import com.sun.identity.policy.PolicyManager;
import com.sun.identity.policy.ReferralTypeManager;
import com.sun.identity.policy.SubjectTypeManager;
import com.sun.identity.policy.ConditionTypeManager;
import com.sun.identity.policy.Policy;
import com.sun.identity.policy.Rule;
import com.sun.identity.policy.interfaces.Referral;
import com.sun.identity.policy.interfaces.Subject;
import com.sun.identity.policy.interfaces.Condition;
import com.sun.identity.policy.PolicyException;

import com.iplanet.sso.SSOToken;
import com.iplanet.sso.SSOException;

import java.util.Set;
import java.util.HashSet;
import java.util.Map;
import java.util.HashMap;

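/**
 * Sample that builds two policies and stores them through the Policy Management API:
 * a normal policy ({@code policy1}) carrying one subject of every subject type and one
 * condition of every condition type, and a referral policy ({@code refpolicy1}) that
 * delegates a resource to the sub-realm {@code realm1}.
 *
 * <p>Realm DN and the credentials used to obtain the session token are read by
 * {@code BaseUtils} from the properties file (pe.realmname, pe.username, pe.password);
 * nothing in this class prints or stores those credentials.
 *
 * <p>All DNs, host names and property values below are sample data and are meant to be
 * replaced for a real deployment.
 */
public class PolicyCreator {

    public static final String DNS_NAME="DnsName";
    // Sample value for the IPCondition; presumably matches every host under the domain
    // (leading "*"), so a real policy would normally use a narrower name.
    public static final String DNS_VALUE="*.red.iplanet.com";
    public static final String START_TIME="StartTime";
    public static final String START_TIME_VALUE="08:00";
    public static final String END_TIME="EndTime";
    public static final String END_TIME_VALUE="21:00";
    public static final String AUTH_LEVEL="AuthLevel";
    // "0" is the lowest level, so as a sample this condition is effectively unrestrictive.
    public static final String AUTH_LEVEL_VALUE="0";
    public static final String AUTH_SCHEME="AuthScheme";
    public static final String AUTH_SCHEME_VALUE="LDAP";


    /** DN of the realm the policies are created in (property pe.realmname). */
    private String orgDN;
    /** Session token obtained from BaseUtils; authenticates every PolicyManager call. */
    private SSOToken ssoToken;
    /** Manager bound to ssoToken and orgDN; shared by both add*Policy methods. */
    private PolicyManager pm;

    /**
     * Loads the sample properties, obtains a session token and binds a
     * PolicyManager to the configured realm.
     *
     * @throws PolicyException if the PolicyManager cannot be created
     * @throws SSOException if the session token is missing or invalid
     */
    private PolicyCreator() throws PolicyException, SSOException {
        BaseUtils.loadProperties();
        orgDN = BaseUtils.getProperty("pe.realmname");
        System.out.println("realmDN = " + orgDN);
        // BaseUtils authenticates with pe.username/pe.password; only the resulting
        // token is kept here, the credentials themselves are never echoed.
        ssoToken = BaseUtils.getToken();
        pm = new PolicyManager(ssoToken, orgDN);
    }

    /**
     * Entry point: creates the referral policy first, then the normal policy.
     *
     * <p>Exits with status 0 on success and 1 if either policy cannot be created,
     * so that the calling make target can detect a failure.
     *
     * @param args ignored
     */
    public static void main(String[] args) {
        try {
            PolicyCreator pc = new PolicyCreator();
            pc.addReferralPolicy();
            pc.addNormalPolicy();
        } catch(Exception e) {
            // Boundary of the sample: report and signal failure through the exit status
            // (the original fell through with status 0 after printing the trace).
            e.printStackTrace();
            System.exit(1);
        }
        // Explicit exit, as in the original, in case the SDK leaves non-daemon threads running.
        System.exit(0);
    }

    /**
     * Builds {@code policy1} with one rule, one subject of each subject type and one
     * condition of each condition type, and adds it to the policy store.
     *
     * <p>Raw collection types are kept as in the original sample.
     *
     * @throws PolicyException if a subject, condition or the policy itself is rejected
     * @throws SSOException if the session token is invalid
     */
    private void addNormalPolicy() throws PolicyException, SSOException {
        System.out.println("Creating normal policy in realm:" + orgDN);
        // Reuse the manager created in the constructor; the original built a second,
        // identical PolicyManager here that shadowed the field.
        SubjectTypeManager stm = pm.getSubjectTypeManager();
        ConditionTypeManager ctm = pm.getConditionTypeManager();

        Policy policy = new Policy("policy1", "policy1 description");

        // Single rule: allow GET on one resource of the web-agent service.
        Map actions = new HashMap(1);
        actions.put("GET", singleton("allow"));
        String resourceName = "http://myhost.com:80/hello.html";
        Rule rule = new Rule("rule1", "iPlanetAMWebAgentService", 
                resourceName, actions);
        policy.addRule(rule);

        // One subject of each type. The user, group and role DNs are relative to the
        // realm DN and must exist beforehand (see the procedure following the listing).
        attachSubject(policy, stm, "Organization", "organization", orgDN);
        attachSubject(policy, stm, "LDAPUsers", "ldapusers",
                "uid=user1,ou=people" + "," + orgDN);
        attachSubject(policy, stm, "LDAPGroups", "ldapgroups",
                "cn=group1,ou=groups" + "," + orgDN);
        attachSubject(policy, stm, "LDAPRoles", "ldaproles",
                "cn=role1" + "," + orgDN);
        attachSubject(policy, stm, "IdentityServerRoles", "is-roles",
                "cn=role1" + "," + orgDN);

        // One condition of each type.
        attachCondition(policy, ctm, "IPCondition", "ip_condition",
                singleProperty(DNS_NAME, DNS_VALUE));

        // The time condition carries two properties.
        Map timeProperties = singleProperty(START_TIME, START_TIME_VALUE);
        timeProperties.put(END_TIME, singleton(END_TIME_VALUE));
        attachCondition(policy, ctm, "SimpleTimeCondition", "time_condition",
                timeProperties);

        attachCondition(policy, ctm, "AuthLevelCondition", "auth_level_condition",
                singleProperty(AUTH_LEVEL, AUTH_LEVEL_VALUE));
        attachCondition(policy, ctm, "AuthSchemeCondition", "auth_scheme_condition",
                singleProperty(AUTH_SCHEME, AUTH_SCHEME_VALUE));

        pm.addPolicy(policy);

        System.out.println("Created  normal policy");
    }

    /**
     * Builds the referral policy {@code refpolicy1}, which hands the resource
     * {@code http://myhost.com:80/realm1} over to the sub-realm {@code realm1},
     * and adds it to the policy store.
     *
     * @throws PolicyException if the referral or the policy is rejected
     * @throws SSOException if the session token is invalid
     */
    private void addReferralPolicy() 
            throws PolicyException, SSOException {
        System.out.println("Creating referral policy for realm1");
        ReferralTypeManager rtm = pm.getReferralTypeManager();
        // The sub-realm is expected to exist already (created through the console).
        String subOrgDN = "o=realm1" +  ",ou=services," + orgDN;
        // The trailing "true" marks this policy as a referral policy.
        Policy policy = new Policy("refpolicy1", "ref to realm1", 
                true);
        // A referral rule names the resource only; it carries no actions.
        Map actions = new HashMap(1);
        Rule rule = new Rule("rule1", "iPlanetAMWebAgentService", 
                "http://myhost.com:80/realm1", actions);
        policy.addRule(rule);
        Referral referral = rtm.getReferral("SubOrgReferral");
        referral.setValues(singleton(subOrgDN));
        policy.addReferral("ref to realm1" , referral);
        pm.addPolicy(policy);
        System.out.println("Created referral policy for realm1");
    }

    /**
     * Looks up a subject of the given type, gives it a single value and adds it to
     * the policy under {@code subjectName}.
     */
    private static void attachSubject(Policy policy, SubjectTypeManager stm,
            String subjectType, String subjectName, String value)
            throws PolicyException, SSOException {
        Subject subject = stm.getSubject(subjectType);
        subject.setValues(singleton(value));
        policy.addSubject(subjectName, subject);
    }

    /**
     * Looks up a condition of the given type, sets its properties and adds it to
     * the policy under {@code conditionName}.
     */
    private static void attachCondition(Policy policy, ConditionTypeManager ctm,
            String conditionType, String conditionName, Map properties)
            throws PolicyException, SSOException {
        Condition condition = ctm.getCondition(conditionType);
        condition.setProperties(properties);
        policy.addCondition(conditionName, condition);
    }

    /** Returns a new mutable set holding only {@code value}. */
    private static Set singleton(String value) {
        Set values = new HashSet(1);
        values.add(value);
        return values;
    }

    /** Returns a new mutable property map with one property holding one value. */
    private static Map singleProperty(String name, String value) {
        Map properties = new HashMap(1);
        properties.put(name, singleton(value));
        return properties;
    }

}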

Procedure: To Run the Sample Program PolicyCreator.java

  1. Compile the sample code.

    See Compiling the Policy Code Samples above.

  2. Set the environment variable LD_LIBRARY_PATH.

    On Solaris add /usr/lib/mps/secv1 to LD_LIBRARY_PATH.

    On Linux add /opt/sun/private/lib to LD_LIBRARY_PATH.

  3. Use the administration console to create the following objects in your root realm:

    • A subrealm named realm1

    • A user named user1

    • A group named group1

    • A role named role1

    See Managing Directory Objects in Sun Java System Access Manager 7 2005Q4 Administration Guide for information about creating directory objects.

  4. Set the following properties in the PolicyEvaluation.properties file:

    pe.realmname

    DN of the root realm.

    pe.username

    UserId to authenticate as.

    pe.password

    Password to use to authenticate.

  5. Run the gmake command.

    gmake createPolicies

    Use the administration console to verify that the policies policy1 and refpolicy1 are added to Access Manager.