Tech Tip – How to authorize resource access only if the resource is listed in user’s attribute (multi valued)


Use case:

Assume the list of allowed resources is stored in the user's multi-valued attribute "postalAddress". The Policy Server returns the values of a multi-valued attribute joined with '^', so the attribute reads as:

/xyz/pqr^/xyz/abc^/abc

The user should be allowed to access a resource only if it is listed in that allow-list.

INSTRUCTION:
  • Create a Realm with the root resource filter “/” and create a Get/Post rule under it.


  • Create an Active Policy as below.
    • lib=”smjavaapi”
    • function=”JavaActiveExpression”
    • param=”ActivePolicyIsResourceAccessAllowed”


  • Assign Get/Post rule to the Active Policy

  • Assign All Users to the Active Policy

  • (Optional) Modify the attached sample Active Policy class to read any alternate user attribute:

    // Get the list of allowed resources from the (multi-valued) user attribute.
    // The Policy Server joins multiple values with '^', so the raw value looks
    // like "/xyz/pqr^/xyz/abc^/abc".
    String allowedResources = theUserContext.getProp("postalAddress");
    logInPSTrace(apiContext, "Allowed Resources for user : '" + theUserContext.getUserName() + "' are :" + allowedResources);

    // Fail closed: a user with no value for the attribute gets no access
    // (and split() on a null would throw a NullPointerException).
    if (allowedResources == null || allowedResources.trim().isEmpty()) {
        logInPSTrace(apiContext, "No allowed resources configured for user : '" + theUserContext.getUserName() + "'");
        return "false";
    }

    // '^' is a regex metacharacter, so it has to be escaped for String.split().
    String[] allowedResourcesArray = allowedResources.split("\\^");
    String requestedResource = context.getRequestContext().getResource();
    logInPSTrace(apiContext, "Requested Resource : " + requestedResource);

    // Check if the requested resource is in the list of allowed resources.
    // This is an exact (case-insensitive) comparison: "/xyz/pqr/" or
    // "/xyz/pqr?id=1" does not match the entry "/xyz/pqr".
    for (String allowedResource : allowedResourcesArray) {
        //logInPSTrace(apiContext, "Checking now : " + allowedResource);
        if (allowedResource.trim().equalsIgnoreCase(requestedResource)) {
            logInPSTrace(apiContext, "Resource access is allowed for : " + requestedResource);
            return "true";
        }
    }

    logInPSTrace(apiContext, "Resource access is not allowed for : " + requestedResource);
    return "false";

  • Compile the Active Policy class and deploy the resulting .class file to <PS_Install_directory>siteminder\config\properties
  • Restart the Policy Server and test.
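A complete class assembled around the snippet above, as an added example that is not the page's attachment. It assumes the CA SSO Java SDK (smjavaapi.jar) types com.netegrity.policyserver.smapi.ActiveExpression, ActiveExpressionContext, APIContext and UserContext with the method shapes used below (init/invoke/release, getAPIContext(), getUserContext(), isUserContext(), getRequestContext().getResource(), getProp(), trace()); check them against the ActiveExpressionSample shipped with the SDK before building. The package name is hypothetical. The decision logic is factored into a static method with no SDK dependency so it can be checked without a Policy Server, and it fails closed on a missing attribute, empty entries, or a missing request resource.

```java
// Added example built around the page's snippet; not the page's attachment.
// SDK types and method shapes are recalled from the CA SSO Java SDK and are
// assumptions to verify against its ActiveExpressionSample. Package is hypothetical.
package com.example.sso;

import com.netegrity.policyserver.smapi.APIContext;
import com.netegrity.policyserver.smapi.ActiveExpression;
import com.netegrity.policyserver.smapi.ActiveExpressionContext;
import com.netegrity.policyserver.smapi.UserContext;

public class ActivePolicyIsResourceAccessAllowed implements ActiveExpression {

    /** User attribute holding the allow-list (the same attribute the page uses). */
    private static final String ALLOW_LIST_ATTRIBUTE = "postalAddress";

    /** The Policy Server joins the values of a multi-valued attribute with '^' (regex form for split). */
    private static final String VALUE_SEPARATOR = "\\^";

    private static final String ALLOW = "true";
    private static final String DENY = "false";

    public int init(APIContext apiContext) {
        return 0; // nothing to set up; 0 taken as the SDK's success code (assumption)
    }

    public void release(APIContext apiContext) {
        // nothing to release
    }

    public String invoke(ActiveExpressionContext context, String param) throws Exception {
        APIContext apiContext = context.getAPIContext();
        UserContext theUserContext = context.getUserContext();

        // Fail closed rather than throw: an exception here becomes an evaluation
        // error whose effect on the decision depends on Policy Server settings.
        if (theUserContext == null || !theUserContext.isUserContext()) {
            logInPSTrace(apiContext, "No user context available; denying");
            return DENY;
        }

        String allowedResources = theUserContext.getProp(ALLOW_LIST_ATTRIBUTE);
        String requestedResource = context.getRequestContext().getResource();
        logInPSTrace(apiContext, "Allowed Resources for user : '" + theUserContext.getUserName()
                + "' are :" + allowedResources);
        logInPSTrace(apiContext, "Requested Resource : " + requestedResource);

        boolean allowed = isResourceAllowed(allowedResources, requestedResource);
        logInPSTrace(apiContext, (allowed ? "Resource access is allowed for : "
                                          : "Resource access is not allowed for : ") + requestedResource);
        return allowed ? ALLOW : DENY;
    }

    /**
     * Pure decision logic: exact, case-insensitive match of the requested resource
     * against each '^'-separated entry. No attribute value, no usable entries, no
     * request resource, or no match all mean deny.
     */
    static boolean isResourceAllowed(String allowedResources, String requestedResource) {
        if (allowedResources == null || requestedResource == null) {
            return false;
        }
        String requested = requestedResource.trim();
        if (requested.isEmpty()) {
            return false;
        }
        for (String entry : allowedResources.split(VALUE_SEPARATOR)) {
            String allowed = entry.trim();
            // Skip empty entries, e.g. from "/a^^/b" or a trailing '^'.
            if (!allowed.isEmpty() && allowed.equalsIgnoreCase(requested)) {
                return true;
            }
        }
        return false;
    }

    /** Writes to the Policy Server trace log in the shape seen in the page's sample log. */
    private static void logInPSTrace(APIContext apiContext, String message) {
        if (apiContext != null) {
            apiContext.trace("ActivePolicyIsResourceAccessAllowed:: ['" + message + "']");
        }
    }

    /** Offline check of the decision logic with the page's example list (run with -ea). */
    public static void main(String[] args) {
        String list = "/xyz/pqr^/xyz/abc^/abc"; // constructed from the page's use case
        assert isResourceAllowed(list, "/xyz/pqr");
        assert isResourceAllowed(list, "/XYZ/ABC");      // case-insensitive, as in the page's snippet
        assert !isResourceAllowed(list, "/xyz/pqr/");    // exact match: trailing slash differs
        assert !isResourceAllowed(list, "/xyz/pqr?id=1"); // exact match: query string differs
        assert !isResourceAllowed(list, "/xyz");          // a prefix is not enough
        assert !isResourceAllowed(null, "/xyz/pqr");     // attribute missing: deny
        assert !isResourceAllowed("", "/xyz/pqr");       // attribute empty: deny
        System.out.println("decision logic OK");
    }
}
```

Compile against smjavaapi.jar, run the class with `java -ea` to exercise the decision logic offline, then deploy it as in the steps above. When testing on the Policy Server, also request a resource that is not in the list: the sample log in the TESTING section only shows the allowed path, and the deny path is the one that proves the policy fails closed. Because the comparison is exact, decide deliberately whether query strings and trailing slashes should reach this check (for example by what the rule's resource filter covers) rather than loosening the match.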
ATTACHMENT :

ActivePolicyIsResourceAccessAllowed

TESTING :

Sample log (Policy Server trace for the allowed case, a request for /xyz/pqr):

[05/23/2018][16:24:03.088][16:24:03][3976][6104][SmAuthUser.cpp:775][ServerTrace][][][][][][][][][][][][][][][][][][][][ActivePolicyIsResourceAccessAllowed:: ['Allowed Resources for user : 'CN=Ujwol Shrestha,CN=Users,DC=sso,DC=lab' are :/xyz/pqr^/xyz/abc^/abc']][ActivePolicyIsResourceAccessAllowed: ActivePolicyIsResourceAccessAllowed:: ['Allowed Resources for user : 'CN=Ujwol Shrestha,CN=Users,DC=sso,DC=lab' are :/xyz/pqr^/xyz/abc^/abc']][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[05/23/2018][16:24:03.089][16:24:03][3976][6104][SmAuthUser.cpp:775][ServerTrace][][][][][][][][][][][][][][][][][][][][ActivePolicyIsResourceAccessAllowed:: ['Requested Resource : /xyz/pqr']][ActivePolicyIsResourceAccessAllowed: ActivePolicyIsResourceAccessAllowed:: ['Requested Resource : /xyz/pqr']][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[05/23/2018][16:24:03.089][16:24:03][3976][6104][SmAuthUser.cpp:775][ServerTrace][][][][][][][][][][][][][][][][][][][][ActivePolicyIsResourceAccessAllowed:: ['Checking now : /xyz/pqr']][ActivePolicyIsResourceAccessAllowed: ActivePolicyIsResourceAccessAllowed:: ['Checking now : /xyz/pqr']][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[05/23/2018][16:24:03.089][16:24:03][3976][6104][SmAuthUser.cpp:775][ServerTrace][][][][][][][][][][][][][][][][][][][][ActivePolicyIsResourceAccessAllowed:: ['Resource access is allowed for : /xyz/pqr']][ActivePolicyIsResourceAccessAllowed: ActivePolicyIsResourceAccessAllowed:: ['Resource access is allowed for : /xyz/pqr']][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

RELATED BLOG :

Tech Tip : How to display the requested resource URL in the authorization reject error page
