Create the policy XML file according to amadmin.dtd. The DTD is located in the following directory:
AccessManager-base/SUNWam/dtd.
The following is a sample policy XML file. It includes all of the default subject and condition values. For the definitions of these values, see Policy Types.
<Policy name="bigpolicy" referralPolicy="false" active="true" >
  <Rule name="rule1">
    <ServiceName name="iPlanetAMWebAgentService" />
    <ResourceName name="http://thehost.thedomain.com:80/*.html" />
    <AttributeValuePair>
      <Attribute name="POST" />
      <Value>allow</Value>
    </AttributeValuePair>
    <AttributeValuePair>
      <Attribute name="GET" />
      <Value>allow</Value>
    </AttributeValuePair>
  </Rule>
  <Subjects name="subjects" description="desccription">
    <Subject name="webservicescleint" type="WebServicesClients" includeType="inclusive">
      <AttributeValuePair>
        <Attribute name="Values"/>
        <Value>CN=sun-unix, OU=SUN Java System Access Manager, O=Sun, C=US</Value>
      </AttributeValuePair>
    </Subject>
    <Subject name="amrole" type="IdentityServerRoles" includeType="inclusive">
      <AttributeValuePair>
        <Attribute name="Values"/>
        <Value>cn=organization admin role,o=realm1,dc=red,dc=iplanet,dc=com</Value>
      </AttributeValuePair>
    </Subject>
    <Subject name="au" type="AuthenticatedUsers" includeType="inclusive">
    </Subject>
    <Subject name="ldaporganization" type="Organization" includeType="inclusive">
      <AttributeValuePair>
        <Attribute name="Values"/>
        <Value>dc=red,dc=iplanet,dc=com</Value>
      </AttributeValuePair>
    </Subject>
    <Subject name="ldapuser" type="LDAPUsers" includeType="inclusive">
      <AttributeValuePair>
        <Attribute name="Values"/>
        <Value>uid=amAdmin,ou=People,dc=red,dc=iplanet,dc=com</Value>
      </AttributeValuePair>
    </Subject>
    <Subject name="ldaprole" type="LDAPRoles" includeType="inclusive">
      <AttributeValuePair>
        <Attribute name="Values"/>
        <Value>cn=Organization Admin Role,o=realm1,dc=red,dc=iplanet,dc=com</Value>
      </AttributeValuePair>
    </Subject>
    <Subject name="ldapgroup" type="LDAPGroups" includeType="inclusive">
      <AttributeValuePair>
        <Attribute name="Values"/>
        <Value>cn=g1,ou=Groups,dc=red,dc=iplanet,dc=com</Value>
      </AttributeValuePair>
    </Subject>
    <Subject name="amidentitysubject" type="AMIdentitySubject" includeType="inclusive">
      <AttributeValuePair>
        <Attribute name="Values"/>
        <Value>id=amAdmin,ou=user,dc=red,dc=iplanet,dc=com</Value>
      </AttributeValuePair>
    </Subject>
  </Subjects>
  <Conditions name="conditions" description="description">
    <Condition name="ldapfilter" type="LDAPFilterCondition">
      <AttributeValuePair>
        <Attribute name="ldapFilter"/>
        <Value>dept=finance</Value>
      </AttributeValuePair>
    </Condition>
    <Condition name="authlevelge-nonrealmqualified" type="AuthLevelCondition">
      <AttributeValuePair>
        <Attribute name="AuthLevel"/>
        <Value>1</Value>
      </AttributeValuePair>
    </Condition>
    <Condition name="authlevelle-realmqaulfied" type="LEAuthLevelCondition">
      <AttributeValuePair>
        <Attribute name="AuthLevel"/>
        <Value>/:2</Value>
      </AttributeValuePair>
    </Condition>
    <Condition name="sessionproperties" type="SessionPropertyCondition">
      <AttributeValuePair>
        <Attribute name="valueCaseInsensitive"/>
        <Value>true</Value>
      </AttributeValuePair>
      <AttributeValuePair>
        <Attribute name="a"/>
        <Value>10</Value>
        <Value>20</Value>
      </AttributeValuePair>
      <AttributeValuePair>
        <Attribute name="b"/>
        <Value>15</Value>
        <Value>25</Value>
      </AttributeValuePair>
    </Condition>
    <Condition name="activesessiontime" type="SessionCondition">
      <AttributeValuePair>
        <Attribute name="TerminateSession"/>
        <Value>session_condition_false_value</Value>
      </AttributeValuePair>
      <AttributeValuePair>
        <Attribute name="MaxSessionTime"/>
        <Value>30</Value>
      </AttributeValuePair>
    </Condition>
    <Condition name="authelevelle-nonrealmqualfied" type="LEAuthLevelCondition">
      <AttributeValuePair>
        <Attribute name="AuthLevel"/>
        <Value>2</Value>
      </AttributeValuePair>
    </Condition>
    <Condition name="ipcondition" type="IPCondition">
      <AttributeValuePair>
        <Attribute name="DnsName"/>
        <Value>*.iplanet.com</Value>
      </AttributeValuePair>
      <AttributeValuePair>
        <Attribute name="EndIp"/>
        <Value>145.15.15.15</Value>
      </AttributeValuePair>
      <AttributeValuePair>
        <Attribute name="StartIp"/>
        <Value>120.10.10.10</Value>
      </AttributeValuePair>
    </Condition>
    <Condition name="authchain-realmqualfied" type="AuthenticateToServiceCondition">
      <AttributeValuePair>
        <Attribute name="AuthenticateToService"/>
        <Value>/:ldapService</Value>
      </AttributeValuePair>
    </Condition>
    <Condition name="auth to realm" type="AuthenticateToRealmCondition">
      <AttributeValuePair>
        <Attribute name="AuthenticateToRealm"/>
        <Value>/</Value>
      </AttributeValuePair>
    </Condition>
    <Condition name="authlevelge-realmqualified" type="AuthLevelCondition">
      <AttributeValuePair>
        <Attribute name="AuthLevel"/>
        <Value>/:2</Value>
      </AttributeValuePair>
    </Condition>
    <Condition name="authchain-nonrealmqualfied" type="AuthenticateToServiceCondition">
      <AttributeValuePair>
        <Attribute name="AuthenticateToService"/>
        <Value>ldapService</Value>
      </AttributeValuePair>
    </Condition>
    <Condition name="timecondition" type="SimpleTimeCondition">
      <AttributeValuePair>
        <Attribute name="EndTime"/>
        <Value>17:00</Value>
      </AttributeValuePair>
      <AttributeValuePair>
        <Attribute name="StartTime"/>
        <Value>08:00</Value>
      </AttributeValuePair>
      <AttributeValuePair>
        <Attribute name="EndDate"/>
        <Value>2006:07:28</Value>
      </AttributeValuePair>
      <AttributeValuePair>
        <Attribute name="EnforcementTimeZone"/>
        <Value>America/Los_Angeles</Value>
      </AttributeValuePair>
      <AttributeValuePair>
        <Attribute name="StartDay"/>
        <Value>mon</Value>
      </AttributeValuePair>
      <AttributeValuePair>
        <Attribute name="StartDate"/>
        <Value>2006:01:02</Value>
      </AttributeValuePair>
      <AttributeValuePair>
        <Attribute name="EndDay"/>
        <Value>fri</Value>
      </AttributeValuePair>
    </Condition>
  </Conditions>
  <ResponseProviders name="responseproviders" description="description">
    <ResponseProvider name="idresponseprovidere" type="IDRepoResponseProvider">
      <AttributeValuePair>
        <Attribute name="DynamicAttribute"/>
      </AttributeValuePair>
      <AttributeValuePair>
        <Attribute name="StaticAttribute"/>
        <Value>m=10</Value>
        <Value>n=30</Value>
      </AttributeValuePair>
    </ResponseProvider>
  </ResponseProviders>
</Policy>
Once the policy XML file has been written, load it with the following command:
AccessManager-base/SUNWam/bin/amadmin --runasdn "uid=amAdmin,ou=People,default_org, root_suffix" --password password --data policy.xml
To add several policies at once, put all of them in a single XML file rather than one policy per XML file. If policies are loaded from several XML files in quick succession, the internal policy index can become corrupted and some policies may be left out of policy evaluation.
When creating policies with amadmin, make sure that: when creating an authentication scheme condition, the authentication module is registered with the realm; when creating Realm, LDAP Groups, LDAP Roles and LDAP Users subjects, the corresponding LDAP objects (realm, group, role and user) exist; when creating an IdentityServerRoles subject, the Access Manager role exists; and when creating a sub-realm or peer-realm referral, the referenced realm exists.
Note that the content of the Value element of a SubrealmReferral or PeerRealmReferral, and of a Realm, IdentityServerRoles, LDAPGroups, LDAPRoles or LDAPUsers subject, must be a full DN.
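The two requirements above (the referenced LDAP objects must exist, and the Value content of the listed subject and referral types must be a full DN) are not reported clearly by amadmin at load time, so a pre-flight check of the XML file is useful. The following script is an added example written for this page; it is not part of the Access Manager documentation or of the amadmin tool. It uses the element and attribute names from the sample policy above; the Referral element layout (a Referral element with a type attribute and Value children, like a Subject) is an assumption about amadmin.dtd, and the embedded policy is constructed for the example. It checks DN syntax only; whether the entry actually exists in the directory still has to be verified against LDAP.

```python
"""Pre-flight DN check for an Access Manager policy XML file before loading it
with amadmin.  Added example for this page, not Sun's code.  Element names
follow the sample policy on the page; the Referral element layout is an
assumption about amadmin.dtd; the sample policy below is constructed."""
import re
import sys
import xml.etree.ElementTree as ET

# Subject types whose Value elements must be full DNs (stated on the page).
DN_SUBJECT_TYPES = {"Organization", "IdentityServerRoles", "LDAPGroups",
                    "LDAPRoles", "LDAPUsers"}
# Referral types whose Value elements must be full DNs (stated on the page).
DN_REFERRAL_TYPES = {"SubrealmReferral", "PeerRealmReferral"}

# Loose DN shape: one or more "attr=value" RDNs separated by commas.
# This is a syntax check only; it cannot tell whether the entry exists.
_RDN = r"[A-Za-z][A-Za-z0-9-]*=[^,]+"
_DN_RE = re.compile(rf"^{_RDN}(,{_RDN})*$")


def is_full_dn(value: str) -> bool:
    """True if value looks like a full DN, e.g. cn=g1,ou=Groups,dc=example,dc=com."""
    return bool(_DN_RE.match(value.strip()))


def _values(elem):
    """Text of every <Value> element below elem, whitespace-trimmed."""
    return [(v.text or "").strip() for v in elem.iter("Value")]


def check_policy_dns(xml_text: str) -> list:
    """Return a list of problem descriptions; an empty list means all checked
    Value elements have DN syntax.  Works whether the root is one <Policy> or a
    container holding several, since Element.iter includes the root itself."""
    root = ET.fromstring(xml_text)
    problems = []
    for policy in root.iter("Policy"):
        pname = policy.get("name", "?")
        checks = [(policy.iter("Subject"), DN_SUBJECT_TYPES, "subject"),
                  (policy.iter("Referral"), DN_REFERRAL_TYPES, "referral")]
        for elems, dn_types, kind in checks:
            for elem in elems:
                if elem.get("type") not in dn_types:
                    continue
                for val in _values(elem):
                    if not is_full_dn(val):
                        problems.append(
                            f"policy {pname}: {kind} {elem.get('name')} "
                            f"({elem.get('type')}) value is not a full DN: {val!r}")
    return problems


# Constructed sample: the LDAPGroups subject is fine, the LDAPUsers subject
# carries a bare uid instead of a DN, and AuthenticatedUsers is not checked.
SAMPLE_POLICY = """<Policy name="checkme" referralPolicy="false" active="true">
  <Rule name="rule1">
    <ServiceName name="iPlanetAMWebAgentService"/>
    <ResourceName name="http://thehost.thedomain.com:80/*.html"/>
    <AttributeValuePair><Attribute name="GET"/><Value>allow</Value></AttributeValuePair>
  </Rule>
  <Subjects name="subjects" description="constructed sample">
    <Subject name="ldapgroup" type="LDAPGroups" includeType="inclusive">
      <AttributeValuePair><Attribute name="Values"/>
        <Value>cn=g1,ou=Groups,dc=red,dc=iplanet,dc=com</Value>
      </AttributeValuePair>
    </Subject>
    <Subject name="ldapuser" type="LDAPUsers" includeType="inclusive">
      <AttributeValuePair><Attribute name="Values"/>
        <Value>amAdmin</Value>
      </AttributeValuePair>
    </Subject>
    <Subject name="au" type="AuthenticatedUsers" includeType="inclusive"/>
  </Subjects>
</Policy>
"""

if __name__ == "__main__":
    # Usage: python check_policy.py policy.xml   (no argument: check the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POLICY
    found = check_policy_dns(text)
    for p in found:
        print(p)
    sys.exit(1 if found else 0)
```

Run it against policy.xml before the amadmin load; a non-zero exit means at least one Value that the page says must be a DN does not have DN syntax. Because the check walks every Policy element it finds, it also works on a single file that bundles several policies, which is the loading style the page recommends.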