Tuesday Nov 10, 2009
Those Darlin' OpenSSO REST Policy Evaluation Interfaces
Piggybacking on the information in The OpenSSO REST Interfaces in Black / White, OpenSSO Express 9 will mark the release of the RESTful interfaces for policy evaluation. All of them support both HTTP GET and POST actions, and some of them return JavaScript Object Notation (JSON) objects. The format of the OpenSSO REST URL is:
http://OpenSSO-host:OpenSSO-port/opensso/ws/1/entitlement/OpenSSO-REST-interface?parameter1=value1&parameter2=value2&parameterN=valueN
NOTE: If the value of the parameters (value1, value2, ..., valueN) contains unsafe characters, they need to be URL encoded when forming the REST URL. For example, an equal sign (=) needs to be replaced with %3D or an ampersand (&) needs to be replaced with %26.
The following sections contain information on invoking the available OpenSSO REST policy evaluation interfaces.
- Evaluating a Decision for One Resource
- Evaluating a More Specific Decision for One Resource
- Evaluating a Decision for Multiple Resources
- Evaluating a Decision for A Root and Sub Tree Resources
Evaluating a Decision for One Resource
The decision RESTful policy evaluation interface returns a plain text string of deny or allow in regards to a request for access. The URL may be populated with the following information.
- realm defines the realm in which the subject is defined. This is an optional parameter and the default value is /.
- subject defines the value of the Universal ID attribute in the requesting user's OpenSSO profile.
- action defines the action to be evaluated.
- resource defines the resource to be evaluated.
- application defines the requested service. This is an optional parameter and the default value is iPlanetAMWebAgentService.
- env defines an optional environment map. This map may contain information such as the date and time or the IP address of the client. Examples might be env=requestIp%3D125.12.133.1 or env=requestTime%3D1248994000000.
http://OpenSSO-host:OpenSSO-port/opensso/ws/1/entitlement/decision?action=GET&resource=http://www.example.com/index.html&application=iPlanetAMWebAgentService&subject=uid%3Ddemo,ou%3Duser,dc%3Dopensso,dc%3Djava,dc%3Dnet&env=requestTime%3D1248994000000
Evaluating a More Specific Decision for One Resource
The entitlement RESTful policy evaluation interface returns a list of JSON Entitlement objects in regards to a request for access to a resource. Although similar to the decision interface, it allows more information to be returned as a JSON privilege object. The URL may be populated with the following information.
- realm defines the realm in which the subject is defined. This is an optional parameter and the default value is /.
- subject defines the value of the Universal ID attribute in the requesting user's OpenSSO profile.
- resource defines the resource to be evaluated.
- application defines the requested service. This is an optional parameter and the default value is iPlanetAMWebAgentService.
- env defines an optional environment map. This map may contain information such as the date and time or the IP address of the client. Examples might be env=requestIp%3D125.12.133.1 or env=requestTime%3D1248994000000.
http://OpenSSO-host:OpenSSO-port/opensso/ws/1/entitlement/entitlement?resource=http://www.example.com&application=iPlanetAMWebAgentService&subject=uid%3Ddemo,ou%3Duser,dc%3Dopensso,dc%3Djava,dc%3Dnet
The following result signifies that the evaluation call itself succeeded (statusCode 200). But demo is not granted access to http://www.example.com: the actionsValues map is empty, and the advice explains why, namely that the client IP address does not fall within the range of 192.122.18.1 and 192.122.18.254.
{
  "statusCode":200,
  "statusMessage":"OK",
  "body":{
    "results":[
      {
        "actionsValues":{},
        "attributes":{},
        "advices":{
          "com.sun.identity.entitlement.IPCondition":"[\"requestIp=192.122.18.1-192.122.18.254\"]"
        },
        "resourceName":"http://www.example.com"
      }
    ]
  }
}
Evaluating a Decision for Multiple Resources
The decisions RESTful policy evaluation interface returns a list in the form of a JSON Entitlements object in regards to a request for access to a set of resources. The URL may be populated with the following information.
- realm defines the realm in which the subject is defined. This is an optional parameter and the default value is /.
- subject defines the value of the Universal ID attribute in the requesting user's OpenSSO profile.
- resources defines the set of resources to be evaluated. More than one resources parameter may be added to the URL.
- application defines the application (or application type). This is an optional parameter and the default value is iPlanetAMWebAgentService.
- env defines an optional environment map. This map may contain information such as the date and time or the IP address of the client. Examples might be env=requestIp%3D125.12.133.1 or env=requestTime%3D1248994000000.
http://OpenSSO-host:OpenSSO-port/opensso/ws/1/entitlement/decisions?resources=http%3A//www.example.com/index.html&resources=http%3A//www.example2.com/index.html&application=iPlanetAMWebAgentService&subject=uid%3Ddemo,ou%3Duser,dc%3Dopensso,dc%3Djava,dc%3Dnet
The following result signifies that the evaluation call succeeded (statusCode 200). Additionally, demo (the OpenSSO demo user) has POST and GET permission for http://www.example.com and GET permission for http://www.example2.com.
{
  "statusCode":200,
  "statusMessage":"OK",
  "body":{
    "results":[
      {
        "actionsValues":{
          "POST":true,
          "GET":true
        },
        "attributes":{},
        "advices":{},
        "resourceName":"http://www.example.com"
      },
      {
        "actionsValues":{
          "GET":true
        },
        "attributes":{},
        "advices":{},
        "resourceName":"http://www.example2.com"
      }
    ]
  }
}
Evaluating a Decision for A Root and Sub Tree Resources
The entitlements RESTful policy evaluation interface returns a list in the form of a JSON Entitlements object in regards to a request for access to a root resource and its (multiple) sub resources. For example, given the root resource of http://www.example.com, results for all sub resources (including http://www.example.com/hr/*, http://www.example.com/eng/* and http://www.example.com/sales/*) will be returned. The URL may be populated with the following information.
- realm defines the realm in which the subject is defined. This is an optional parameter and the default value is /.
- subject defines the value of the Universal ID attribute in the requesting user's OpenSSO profile.
- resource defines the root of the set of resources to be evaluated.
- application defines the requested service. This is an optional parameter and the default value is iPlanetAMWebAgentService.
- env defines an optional environment map. This map may contain information such as the date and time or the IP address of the client. Examples might be env=requestIp%3D125.12.133.1 or env=requestTime%3D1248994000000.
http://OpenSSO-host:OpenSSO-port/opensso/ws/1/entitlement/entitlements?resource=http%3A//www.example.com&application=iPlanetAMWebAgentService&subject=uid%3Ddemo,ou%3Duser,dc%3Dopensso,dc%3Djava,dc%3Dnet&env=requestTime%3D1248994000000
The following result signifies that the evaluation call succeeded (statusCode 200). But demo (the OpenSSO demo user) has POST and GET permission only for http://www.example.com/hr/* and http://www.example.com/engr/*; the root resource carries no actions, and http://www.example.com/sales/* is withheld because of the IP condition returned in its advices.
{
  "statusCode":200,
  "statusMessage":"OK",
  "body":{
    "results":[
      {
        "actionsValues":{},
        "attributes":{},
        "advices":{},
        "resourceName":"http://www.example.com"
      },
      {
        "actionsValues":{
          "POST":true,
          "GET":true
        },
        "attributes":{},
        "advices":{},
        "resourceName":"http://www.example.com/hr/*"
      },
      {
        "actionsValues":{
          "POST":true,
          "GET":true
        },
        "attributes":{},
        "advices":{},
        "resourceName":"http://www.example.com/engr/*"
      },
      {
        "actionsValues":{},
        "attributes":{},
        "advices":{
          "com.sun.identity.entitlement.IPCondition":"[\"requestIp=192.122.18.1-192.122.18.254\"]"
        },
        "resourceName":"http://www.example.com/sales/*"
      }
    ]
  }
}
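As an added example (not code from this post or from OpenSSO itself), here is a small Python client-side helper that builds the four evaluation URLs with the percent-encoding the note above calls for and reads the JSON results deny-by-default, treating an empty actionsValues as "not granted" and surfacing the advices so the caller can log the unmet condition. The OpenSSO-host / OpenSSO-port placeholders are the post's own; the sample response is constructed to mirror the entitlements example.

```python
import json
from urllib.parse import urlencode

# Hypothetical endpoint; OpenSSO-host / OpenSSO-port are the post's placeholders.
BASE = "http://OpenSSO-host:OpenSSO-port/opensso/ws/1/entitlement/"

def build_url(interface, params):
    """Build a policy-evaluation URL for decision / entitlement / decisions /
    entitlements. urlencode() percent-encodes '=' and '&' (and ',' and '/')
    inside values, which is what the subject DN and the env map need; a list
    value yields a repeated parameter (resources=...&resources=...)."""
    return BASE + interface + "?" + urlencode(params, doseq=True)

def parse_results(raw):
    """Turn an entitlement(s)/decisions JSON response into
    {resourceName: (allowed_actions, advices)}. An empty actionsValues means
    the subject is not granted the resource; advices carry the unmet
    condition (e.g. IPCondition) for logging."""
    doc = json.loads(raw)
    if doc.get("statusCode") != 200:      # evaluation error, not a deny
        raise ValueError("evaluation failed: %s" % doc.get("statusMessage"))
    out = {}
    for r in doc["body"]["results"]:
        allowed = sorted(a for a, v in r["actionsValues"].items() if v is True)
        out[r["resourceName"]] = (allowed, r.get("advices", {}))
    return out

def is_allowed(results, resource, action):
    """Deny-by-default lookup: unknown resource or missing action -> False."""
    return action in results.get(resource, ([], {}))[0]

# Constructed response modelled on the post's entitlements example.
SAMPLE_RESPONSE = """{"statusCode":200,"statusMessage":"OK","body":{"results":[
 {"actionsValues":{"POST":true,"GET":true},"attributes":{},"advices":{},
  "resourceName":"http://www.example.com/hr/*"},
 {"actionsValues":{},"attributes":{},
  "advices":{"com.sun.identity.entitlement.IPCondition":
             "[\\"requestIp=192.122.18.1-192.122.18.254\\"]"},
  "resourceName":"http://www.example.com/sales/*"}]}}"""

if __name__ == "__main__":
    print(build_url("entitlements", {
        "resource": "http://www.example.com",
        "subject": "uid=demo,ou=user,dc=opensso,dc=java,dc=net",
        "env": "requestTime=1248994000000"}))
    for name, (acts, adv) in parse_results(SAMPLE_RESPONSE).items():
        print(name, acts or "DENIED", adv)
```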
Now enjoy the musical and illustrative (?) accomplishments of Those Darlins with Red Light Love. It's dope. And that's a good thing!
Posted at 12:51PM Nov 10, 2009 by Michael Teger in Sun | Comments[1]