The following diagram depicts how Authorization policies fit into the protected resource processing for the proxy.
Figure 31-8 Policy Evaluation
The SOAP messages are output to the catalina.out file. Sample SOAP messages are shown in the following scenarios:
Note the Policy Enforcement Point (PEP) identifier of AGIdentityInjection in the request and the PolicyID in the response.
toBufSeg: <?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body>
    <NXPES ID="12">
      <Configure-ag PEPName="AGIdentityInjection">
        <PolicyEnforcementList RuleCombiningAlgorithm="DenyOverridesWithPriority" schemaVersion="1.32" LastModified="1138389868885" LastModifiedBy="cn=admin,o=novell">
          <PolicyRef ElementRefType="ExternalWithIDRef"
            ExternalElementRef="PolicyID_xpemlPEP_AGIdentityInjection_ii_test"
            ExternalDocRef="ou=xpemlPEP,ou=mastercdn,ou=ContentPublisherContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell:romaContentCollectionXMLDoc"
            UserInterfaceID="PolicyID_xpemlPEP_AGIdentityInjection_ii_test"/>
        </PolicyEnforcementList>
      </Configure-ag>
    </NXPES>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
LibertyProcessMsgCB: <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body>
    <NXPES Id="" Status="success">
      <ConfigureResponse PolicyId="755OK8P0-7543-518M-8L8M-N0P2LM2N3O27">
        <ContextDataElement Enum="2551"/>
      </ConfigureResponse>
    </NXPES>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
The following is a sample of a configuration request where the policy code detects that no policies are in effect for the protected resource and Policy Enforcement Point (PEP).
toBufSeg: <?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body>
    <NXPES ID="11">
      <Configure-ag PEPName="AGAuthorization">
        <PolicyEnforcementList RuleCombiningAlgorithm="DenyOverridesWithPriority" schemaVersion="1.32" LastModified="1138389868885" LastModifiedBy="cn=admin,o=novell">
          <PolicyRef ElementRefType="ExternalWithIDRef"
            ExternalElementRef="PolicyID_xpemlPEP_AGIdentityInjection_ii_test"
            ExternalDocRef="ou=xpemlPEP,ou=mastercdn,ou=ContentPublisherContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell:romaContentCollectionXMLDoc"
            UserInterfaceID="PolicyID_xpemlPEP_AGIdentityInjection_ii_test"/>
        </PolicyEnforcementList>
      </Configure-ag>
    </NXPES>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
LibertyProcessMsgCB: <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body>
    <NXPES Id="" Status="emptypolicyset"/>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
The following is a sample of a configuration request for a Deny policy and an evaluation request for this policy.
toBufSeg: <?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body>
    <NXPES ID="17">
      <Configure-ag PEPName="AGAuthorization">
        <PolicyEnforcementList RuleCombiningAlgorithm="DenyOverridesWithPriority" schemaVersion="1.32" LastModified="1138718667305" LastModifiedBy="cn=admin,o=novell">
          <PolicyRef ElementRefType="ExternalWithIDRef"
            ExternalElementRef="PolicyID_xpemlPEP_AGIdentityInjection_custom_test"
            ExternalDocRef="ou=xpemlPEP,ou=mastercdn,ou=ContentPublisherContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell:romaContentCollectionXMLDoc"
            UserInterfaceID="PolicyID_xpemlPEP_AGIdentityInjection_custom_test"/>
          <PolicyRef ElementRefType="ExternalWithIDRef"
            ExternalElementRef="PolicyID_xpemlPEP_AGAuthorization_deny-all"
            ExternalDocRef="ou=xpemlPEP,ou=mastercdn,ou=ContentPublisherContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell:romaContentCollectionXMLDoc"
            UserInterfaceID="PolicyID_xpemlPEP_AGAuthorization_deny-all"/>
        </PolicyEnforcementList>
      </Configure-ag>
    </NXPES>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
LibertyProcessMsgCB: <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body>
    <NXPES Id="" Status="success">
      <ConfigureResponse PolicyId="55N3NL81-L29N-2619-K0M8-2L963M0MM701"/>
    </NXPES>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
toBufSeg: <?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body>
    <NXPES ID="18">
      <Evaluate PolicyId="55N3NL81-L29N-2619-K0M8-2L963M0MM701" Verbose="on"/>
    </NXPES>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
LibertyProcessMsgCB: <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body>
    <NXPES Id="" Status="success">
      <EvaluateResponse>
        <DoAction ActionName="Deny" ActionTTL="-1" Enum="2620">
          <Parameter Enum="10" Name="Message" Value=""/>
        </DoAction>
      </EvaluateResponse>
    </NXPES>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
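When troubleshooting authorization decisions, it helps to reduce these message pairs to one line per exchange. The following is an added example, not part of the product documentation: it assumes that `toBufSeg:` marks a request and `LibertyProcessMsgCB:` the response that follows it, as in the samples above, and pairs them by order because the response `Id` is empty. The function and variable names (`summarize`, `env`, `configure`, `SAMPLE_LOG`) are hypothetical, and the log text is constructed from the scenarios on this page.

```python
import re
import xml.etree.ElementTree as ET

def env(body):  # wrap a constructed NXPES body in the SOAP envelope shown on this page
    return ('<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">'
            f"<SOAP-ENV:Body>{body}</SOAP-ENV:Body></SOAP-ENV:Envelope>")
def configure(msg_id, policy):  # constructed Configure-ag request naming one policy
    return env(f'<NXPES ID="{msg_id}"><Configure-ag PEPName="AGAuthorization"><PolicyEnforcementList>'
               f'<PolicyRef UserInterfaceID="{policy}"/></PolicyEnforcementList></Configure-ag></NXPES>')

# Constructed sample: shortened forms of the empty-policy-set and Deny scenarios.
PID = "55N3NL81-L29N-2619-K0M8-2L963M0MM701"
SAMPLE_LOG = "\n".join([
    'toBufSeg: <?xml version="1.0" encoding="UTF-8"?> ' + configure(11, "PolicyID_xpemlPEP_AGIdentityInjection_ii_test"),
    "LibertyProcessMsgCB: " + env('<NXPES Id="" Status="emptypolicyset"/>'),
    "toBufSeg: " + configure(17, "PolicyID_xpemlPEP_AGAuthorization_deny-all"),
    "LibertyProcessMsgCB: " + env(f'<NXPES Id="" Status="success"><ConfigureResponse PolicyId="{PID}"/></NXPES>'),
    "toBufSeg: " + env(f'<NXPES ID="18"><Evaluate PolicyId="{PID}" Verbose="on"/></NXPES>'),
    "LibertyProcessMsgCB: " + env('<NXPES Id="" Status="success"><EvaluateResponse><DoAction ActionName="Deny" ActionTTL="-1" Enum="2620"/></EvaluateResponse></NXPES>'),
])
MSG = re.compile(r"(toBufSeg|LibertyProcessMsgCB):\s*(.*?</SOAP-ENV:Envelope>)", re.S)

def summarize(log_text):
    """Return one record per request/response exchange found in the log text."""
    known, results, pending = {}, [], None   # known: PolicyId -> (PEPName, policy names)
    for prefix, xml_text in MSG.findall(log_text):
        if "<!DOCTYPE" in xml_text:           # skip rather than parse a DTD from log content
            continue
        nxpes = ET.fromstring(xml_text).find(".//NXPES")
        if prefix == "toBufSeg":              # request: hold it until its response arrives
            pending = nxpes
            continue
        req, pending = (next(iter(pending), None) if pending is not None else None), None
        if nxpes is None or req is None:      # response without a usable request before it
            continue
        rec = {"request": req.tag, "status": nxpes.get("Status"), "actions": []}
        if req.tag == "Configure-ag":
            rec["pep"] = req.get("PEPName")
            rec["refs"] = [r.get("UserInterfaceID") for r in req.iter("PolicyRef")]
            resp = nxpes.find("ConfigureResponse")
            rec["policy_id"] = resp.get("PolicyId") if resp is not None else None
            if rec["policy_id"]:
                known[rec["policy_id"]] = (rec["pep"], rec["refs"])
        else:                                 # Evaluate: resolve the PolicyId configured earlier
            rec["policy_id"] = req.get("PolicyId")
            rec["pep"], rec["refs"] = known.get(rec["policy_id"], (None, []))
            rec["actions"] = [a.get("ActionName") for a in nxpes.iter("DoAction")]
        results.append(rec)
    return results
```

An `emptypolicyset` response yields a record with no `policy_id`, and an `Evaluate` record carries the PEP name and policy names learned from the earlier configuration exchange.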