public class PolicyEnforcementFilter extends GenericHeapObject implements Filter
Policy decisions are cached per filter instance. An entry is evicted when the "time-to-live" carried by the policy decision returned by AM elapses; if that time-to-live exceeds cacheMaxExpiration, the entry is evicted after cacheMaxExpiration instead. Because a cached decision is reused without consulting AM, a policy change made in AM can take up to cacheMaxExpiration (default 1 minute) to be enforced by this filter, so keep that value short for resources where prompt revocation matters.
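The following is an added illustration of the caching rule above, not code from OpenIG: the decision's own time-to-live is honoured only up to cacheMaxExpiration, and until the entry expires the filter keeps serving the cached decision even if AM has since revoked it. The decision shape, the cache key and the simulated clock are assumptions made for the simulation.

```python
"""Added illustration of the PolicyEnforcementFilter cache rule (not OpenIG code).

Assumptions: a decision carries its TTL in seconds, the cache key combines
subject token, resource and method, and time is a manually advanced clock.
"""
from dataclasses import dataclass, field


@dataclass
class PolicyDecision:
    allowed: bool
    ttl_seconds: float  # assumption: lifetime as reported by AM, in seconds


@dataclass
class DecisionCache:
    cache_max_expiration: float  # the filter's cacheMaxExpiration, in seconds
    now: float = 0.0             # simulated clock
    _entries: dict = field(default_factory=dict)

    def effective_ttl(self, decision: PolicyDecision) -> float:
        """AM's TTL is honoured, but never beyond cacheMaxExpiration."""
        return min(decision.ttl_seconds, self.cache_max_expiration)

    def put(self, key: str, decision: PolicyDecision) -> None:
        self._entries[key] = (decision, self.now + self.effective_ttl(decision))

    def get(self, key: str):
        """Return the cached decision, evicting it once its deadline has passed."""
        entry = self._entries.get(key)
        if entry is None:
            return None
        decision, expires_at = entry
        if self.now >= expires_at:
            del self._entries[key]
            return None
        return decision


def evaluate(cache: DecisionCache, key: str, fetch_from_am):
    """Serve from cache when a live entry exists; otherwise ask AM and cache it.

    Returns (decision, served_from_cache).
    """
    cached = cache.get(key)
    if cached is not None:
        return cached, True
    decision = fetch_from_am(key)
    cache.put(key, decision)
    return decision, False


def demo_revocation_window():
    """Constructed scenario: AM allows with a 1-hour TTL, the filter caps the
    cache at 60 s, and the policy is revoked in AM at t=30 s.

    Returns [(allowed, served_from_cache)] observed at t=0, t=30 and t=60.
    """
    cache = DecisionCache(cache_max_expiration=60.0)
    am_state = {"allowed": True}

    def fetch_from_am(key: str) -> PolicyDecision:
        # Stand-in for the policies request; AM would report a long TTL.
        return PolicyDecision(allowed=am_state["allowed"], ttl_seconds=3600.0)

    key = "demo-sso-token|http://app.example.com/private|GET"  # assumed key shape
    results = []

    cache.now = 0.0                      # first request: cache miss, AM allows
    decision, hit = evaluate(cache, key, fetch_from_am)
    results.append((decision.allowed, hit))

    am_state["allowed"] = False          # policy revoked in AM at t=30 ...
    cache.now = 30.0                     # ... but the cached ALLOW is still live
    decision, hit = evaluate(cache, key, fetch_from_am)
    results.append((decision.allowed, hit))

    cache.now = 60.0                     # cap reached: entry evicted, AM consulted
    decision, hit = evaluate(cache, key, fetch_from_am)
    results.append((decision.allowed, hit))
    return results


if __name__ == "__main__":
    for t, (allowed, hit) in zip((0, 30, 60), demo_revocation_window()):
        print(f"t={t:>2}s allowed={allowed} served_from_cache={hit}")
```

With cacheMaxExpiration raised to match AM's one-hour TTL, the revoked ALLOW in this scenario would keep being served for the full hour; the cap is what bounds that window.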
{
"type": "PolicyEnforcementFilter",
"config": {
"openamUrl" : uriExpression, [REQUIRED]
"pepUsername" : expression, [REQUIRED*]
"pepPassword" : expression, [REQUIRED*]
"policiesHandler" : handler, [OPTIONAL - by default it uses the 'ClientHandler' provided in heap.]
"realm" : String, [OPTIONAL]
"ssoTokenHeader" : String, [OPTIONAL]
"application" : String, [OPTIONAL]
"ssoTokenSubject" : expression, [OPTIONAL - must be specified if no jwtSubject ]
"jwtSubject" : expression, [OPTIONAL - must be specified if no ssoTokenSubject ]
"cacheMaxExpiration" : duration [OPTIONAL - default to 1 minute ]
}
}
(*) pepUsername and pepPassword are the credentials of the user who is authorized to request policy decisions, and both are required when the filter is created by its heaplet. The heaplet adds an SsoTokenFilter to the policiesHandler's chain; its role is to authenticate that user against AM and set the resulting SSO token header on each policies request. (REST API calls must present the session token, aka SSO token, in an HTTP header as proof of authentication.) Since these credentials are sent to the openamUrl endpoint, that URL should use HTTPS outside of test setups.
Note: Claims are not supported right now.
Example of use:
{
"name": "PEPFilter",
"type": "PolicyEnforcementFilter",
"config": {
"openamUrl": "http://example.com:8090/openam/",
"pepUsername": "bjensen",
"pepPassword": "${attributes.userpass}",
"application": "myApplication",
"ssoTokenSubject": "${attributes.SSOCurrentUser}"
}
}
Modifier and Type | Class and Description
---|---
static class | PolicyEnforcementFilter.Heaplet: Creates and initializes a policy enforcement filter in a heap environment.

Fields inherited from class GenericHeapObject: logger, storage

Constructor and Description
---
PolicyEnforcementFilter(URI baseUri, Handler policiesHandler, Duration cacheMaxExpiration): Creates a new OpenAM enforcement filter.

Modifier and Type | Method and Description
---|---
Promise<Response,NeverThrowsException> | filter(Context context, Request request, Handler next): Filters the request and/or response of an exchange.
void | setApplication(String application): Sets the application where the policies are defined.
void | setCache(ThreadSafeCache<String,Promise<JsonValue,ResourceException>> cache): Sets the cache for the policy decisions.
void | setJwtSubject(Expression<String> jwtSubject): Sets the JWT string for the subject.
void | setSsoTokenSubject(Expression<String> ssoTokenSubject): Sets the SSO token for the subject.

Methods inherited from class GenericHeapObject: getLogger, getStorage, setLogger, setStorage
public PolicyEnforcementFilter(URI baseUri, Handler policiesHandler, Duration cacheMaxExpiration)
Creates a new OpenAM enforcement filter.
Parameters:
baseUri - The location of the selected OpenAM instance, including the realm, up to the JSON base endpoint; not null.
policiesHandler - The handler used to perform policies requests; not null.
cacheMaxExpiration - The maximum duration for which a policy decision is kept in the cache.

public void setCache(ThreadSafeCache<String,Promise<JsonValue,ResourceException>> cache)
Parameters:
cache - The cache for policy decisions to set.

public Promise<Response,NeverThrowsException> filter(Context context, Request request, Handler next)
Filters the request and/or response of an exchange. To pass the request to the next filter or handler in the chain, the filter calls next.handle(context, request).
This method may elect not to pass the request to the next filter or handler, and instead handle the request itself. It can achieve this by merely avoiding a call to next.handle(context, request) and creating its own response object. The filter is also at liberty to replace a response with another of its own by intercepting the response returned by the next handler.
Specified by: filter in interface Filter

public void setApplication(String application)
Parameters:
application - The application where the policies are defined. If none is given, OpenAM will use the iPlanetAMWebAgentService.

public void setSsoTokenSubject(Expression<String> ssoTokenSubject)
Parameters:
ssoTokenSubject - The SSO token for the subject.

public void setJwtSubject(Expression<String> jwtSubject)
Parameters:
jwtSubject - The JWT string for the subject.

Copyright 2011-2015 ForgeRock AS.