Configure Access Manager to Use Custom and Complex Authorization Logic Using Policy Extension


1. Introduction

Authorization policies are used when you want to protect a resource based on criteria other than authentication and you want Access Manager to enforce the access restrictions. Authorization policies are enforced when a user requests data from a resource.

If you would like to know more about NAM Authorization policy. Please use the following link:

NAM provides multiple options (LDAP attribute, Client IP, Roles, OAuth Scope etc.) to prepare your condition rule. You can form different condition groups by using AND /OR operations.

2. Business Requirement / Use cases

NAM provides an extensive list of condition options and most of the time you can prepare your authorization policy by using the out of the box conditions. But if you need to build a complex authorization condition by executing custom business logic (i.e. Make web service call to get entitlement from different user store/DB, build some rule which is not possible using NAM out of the box condition group), NAM provides an opportunity to use Condition Extension.

You can develop complex business logic using JAVA code by following the NAM Developer Guide.

3. Develop Policy Extension (Condition Extension)


3.1 Prerequisite

You should have the following items before starting development:

    1. Java SDK 1.6 or above (click here to download)


    1. IDE for Java (Click here to download Eclipse)


    1. jar file (can be copied from “/opt/novell/nesp/lib/webapp/WEB-INF/lib” location of Access Gateway server)

3.2 Create Java Project and Configure Eclipse

    1. Open eclipse IDE and go to File -> New -> Java Project. Enter Project Name.


    1. Right click on the project, go to Build Path -> Configure Build Path


    1. Click on “Java Build Path” on the left menu and go to “Libraries” tab


    1. Click on “Add External JARs…” button and select the nxpe.jar file.




    1. Right click on the src (Under Java Project) and click on new -> Package and enter the package name.


3.3 Develop Factory and Condition Extension Class

    1. Right click on the package and go to new -> class and enter a class name (For example MyConditionFactory). Copy the following code and replace everything in MyConditionFactory class. MyConditionFactory


    1. Right click on the package and go to new -> class and create another class (For example MyConditionExtn). Copy the following code and replace everything in MyConditionExtn class. MyConditionExtn

Please go through the following NetIQ documents to understand the process flow of policy extension.

Developer Guide:

Sample Code:

NAM Condition Extension Example:


3.4 Export JAR

    1. Right click on the Project and click on “Export…” menu. Choose JAR file and click on Next.

      Access Manager Customization



    1. Chose the export destination and click Next, Next and Finish. Leave all settings as default.

      Access Manager Customization


At this point you have created a Condition Extension JAR file.


3.5 Upload JAR in Admin Console

    1. Go to Policies -> Extensions and click on “Upload…” button.

      Access Manager Customization



    1. Browse the JAR file you have saved in section 3.4. If you are uploading the same JAR file multiple times for testing your business logic, please check the Overwrite existing *.jar file.


At this point you have uploaded the JAR file in Admin Console.


3.6 Create Policy Extension

    1. Click on “New…” and input the following Information:


      Name: MyConditionExtensionPolicy
      Description: This is my condition extension policy
      Policy Type: Access Gateway: Authorization
      Type: Condition
      Class Name: com.plugin.MyConditionFactory
      File Name: MyConditionExtension



    1. Click on the Extension policy you have just created and provide two configuration parameters. If you look at the file, the program is expecting User DN and employeeType in the business logic. You can provide those parameters to your extension class by using configuration parameters from the extension policy.

      The ID given in the program and configuration parameters should match. For example I am providing User_DN with ID =100 and employee_type with ID = 200.



3.7 Distribute Policy Extension to Access Gateway Server

Select the extension policy you just created and click on the “Distribute JARs” button.


Click ok on the confirmation window. You must restart the Access Gateway service after JAR distribution.


3.8 Use Policy Extension in Authorization Policy

    1. Go to Policies -> Policies -> Your Container and click “New…”

      Name: MyAuthorizationPolicy
      Type: Access Gateway: Authorization



    1. Click on New -> Condition Extension -> MyConditionExtensionPolicy



4. Test the Authorization Policy

Assign the MyAuthorizationPolicy to any protected resources and test Authorization policy.

Please check /var/opt/novell/nam/logs/mag/tomcat/catalina.out log and you will find the log which you have printed from the java code.

Please comment here if you find any issues during development.



How To-Best Practice
Comment List