Configure Access Manager to Use Custom and Complex Authorization Logic Using Policy Extension
Authorization policies are used when you want to protect a resource based on criteria other than authentication and you want Access Manager to enforce the access restrictions. Authorization policies are enforced when a user requests data from a resource.
If you would like to know more about NAM Authorization policy. Please use the following link:
NAM provides multiple options (LDAP attribute, Client IP, Roles, OAuth Scope etc.) to prepare your condition rule. You can form different condition groups by using AND /OR operations.
2. Business Requirement / Use cases
NAM provides an extensive list of condition options and most of the time you can prepare your authorization policy by using the out of the box conditions. But if you need to build a complex authorization condition by executing custom business logic (i.e. Make web service call to get entitlement from different user store/DB, build some rule which is not possible using NAM out of the box condition group), NAM provides an opportunity to use Condition Extension.
You can develop complex business logic using JAVA code by following the NAM Developer Guide.
3. Develop Policy Extension (Condition Extension)
You should have the following items before starting development:
- Java SDK 1.6 or above (click here to download)
- IDE for Java (Click here to download Eclipse)
- jar file (can be copied from “/opt/novell/nesp/lib/webapp/WEB-INF/lib” location of Access Gateway server)
3.2 Create Java Project and Configure Eclipse
- Open eclipse IDE and go to File -> New -> Java Project. Enter Project Name.
- Right click on the project, go to Build Path -> Configure Build Path
- Click on “Java Build Path” on the left menu and go to “Libraries” tab
3.3 Develop Factory and Condition Extension Class
- Right click on the package and go to new -> class and enter a class name (For example MyConditionFactory). Copy the following code and replace everything in MyConditionFactory class. MyConditionFactory
- Right click on the package and go to new -> class and create another class (For example MyConditionExtn). Copy the following code and replace everything in MyConditionExtn class. MyConditionExtn
Please go through the following NetIQ documents to understand the process flow of policy extension.
Developer Guide: https://www.netiq.com/documentation/access-manager-42/nacm_enu/data/bookinfo.html
Sample Code: https://www.netiq.com/documentation/access-manager-developer-documentation/samplecodes/main.html
NAM Condition Extension Example: https://www.netiq.com/documentation/access-manager-developer-documentation/samplecodes/nacm32/PolicyConditionExtnTemplate/Readme_TemplateConditionExtension_Example.pdf
3.4 Export JAR
At this point you have created a Condition Extension JAR file.
3.5 Upload JAR in Admin Console
At this point you have uploaded the JAR file in Admin Console.
3.6 Create Policy Extension
- Click on the Extension policy you have just created and provide two configuration parameters. If you look at the MyConditionExtn.java file, the program is expecting User DN and employeeType in the business logic. You can provide those parameters to your extension class by using configuration parameters from the extension policy.
The ID given in the program and configuration parameters should match. For example I am providing User_DN with ID =100 and employee_type with ID = 200.
3.7 Distribute Policy Extension to Access Gateway Server
3.8 Use Policy Extension in Authorization Policy
4. Test the Authorization Policy
Assign the MyAuthorizationPolicy to any protected resources and test Authorization policy.
Please check /var/opt/novell/nam/logs/mag/tomcat/catalina.out log and you will find the log which you have printed from the java code.
Please comment here if you find any issues during development.