6.10 Policy Evaluation: Access Gateway Devices

The following diagram depicts how Authorization policies fit into the protected resource processing for the proxy.

Figure 6-4 Policy Evaluation

Policies for the Access Gateway devices are evaluated by the policy engine in Java. A SOAP interface is used to transition from the proxy to Java and back. To see the SOAP messages, set the Application logging level to config. See Section 6.1, Turning on Logging for Policy Evaluation.

The SOAP messages are output to the catalina.out file (Linux) or stdout.log file (Windows). Sample SOAP messages are shown in the following scenarios:

6.10.1 Successful Policy Configuration Example

Note the Policy Enforcement Point (PEP) identifier of AGIdentityInjection in the request and the PolicyId in the response.

Configuration Request

toBufSeg: <?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body>
   <NXPES ID="12">
      <Configure-ag PEPName="AGIdentityInjection">
         <PolicyEnforcementList
            RuleCombiningAlgorithm="DenyOverridesWithPriority"
            schemaVersion="1.32" 
            LastModified="1138389868885"
            LastModifiedBy="cn=admin,o=novell">
            <PolicyRef ElementRefType="ExternalWithIDRef"
                ExternalElementRef="PolicyID_xpemlPEP_AGIdentityInjection_ii_test"
                ExternalDocRef="ou=xpemlPEP,ou=mastercdn,ou=ContentPublisherContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell:romaContentCollectionXMLDoc"
                UserInterfaceID="PolicyID_xpemlPEP_AGIdentityInjection_ii_test"/>
         </PolicyEnforcementList>
      </Configure-ag>
   </NXPES>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Configuration Response

LibertyProcessMsgCB:
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body>
   <NXPES Id="" Status="success">
      <ConfigureResponse PolicyId="755OK8P0-7543-518M-8L8M-N0P2LM2N3O27">
         <ContextDataElement Enum="2551"/>
      </ConfigureResponse>
   </NXPES>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

6.10.2 No Policy Defined Configuration Example

The following is a sample of a configuration request where the policy code detects that no policies are in effect for the protected resource and Policy Enforcement Point (PEP).

Configuration Request

toBufSeg: <?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body>
   <NXPES ID="11">
      <Configure-ag PEPName="AGAuthorization">
         <PolicyEnforcementList 
            RuleCombiningAlgorithm="DenyOverridesWithPriority"
            schemaVersion="1.32"
            LastModified="1138389868885"
            LastModifiedBy="cn=admin,o=novell">
           <PolicyRef ElementRefType="ExternalWithIDRef"
               ExternalElementRef="PolicyID_xpemlPEP_AGIdentityInjection_ii_test"
               ExternalDocRef="ou=xpemlPEP,ou=mastercdn,ou=ContentPublisherContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell:romaContentCollectionXMLDoc"
               UserInterfaceID="PolicyID_xpemlPEP_AGIdentityInjection_ii_test"/>
         </PolicyEnforcementList>
      </Configure-ag>
   </NXPES>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Configuration Response

LibertyProcessMsgCB:
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
   <SOAP-ENV:Body>
      <NXPES Id="" Status="emptypolicyset"/>
   </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

6.10.3 Deny Access Configuration/Evaluation Example

The following is a sample of a configuration request for a Deny policy and an evaluation request for this policy.

Configuration Request

toBufSeg: <?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body>
   <NXPES ID="17">
      <Configure-ag PEPName="AGAuthorization">
         <PolicyEnforcementList 
            RuleCombiningAlgorithm="DenyOverridesWithPriority"
            schemaVersion="1.32" 
            LastModified="1138718667305"
            LastModifiedBy="cn=admin,o=novell">
         <PolicyRef
            ElementRefType="ExternalWithIDRef"
            ExternalElementRef="PolicyID_xpemlPEP_AGIdentityInjection_custom_test"
            ExternalDocRef="ou=xpemlPEP,ou=mastercdn,ou=ContentPublisherContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell:romaContentCollectionXMLDoc"
            UserInterfaceID="PolicyID_xpemlPEP_AGIdentityInjection_custom_test"/>
         <PolicyRef
            ElementRefType="ExternalWithIDRef"
            ExternalElementRef="PolicyID_xpemlPEP_AGAuthorization_deny-all"
            ExternalDocRef="ou=xpemlPEP,ou=mastercdn,ou=ContentPublisherContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell:romaContentCollectionXMLDoc"
            UserInterfaceID="PolicyID_xpemlPEP_AGAuthorization_deny-all"/>
         </PolicyEnforcementList>
      </Configure-ag>
   </NXPES>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Configuration Response

LibertyProcessMsgCB: 
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body>
   <NXPES Id="" Status="success">
      <ConfigureResponse 
           PolicyId="55N3NL81-L29N-2619-K0M8-2L963M0MM701"/>
   </NXPES>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Evaluation Request

toBufSeg: <?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body>
   <NXPES ID="18">
      <Evaluate PolicyId="55N3NL81-L29N-2619-K0M8-2L963M0MM701"
                Verbose="on"/>
   </NXPES>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Evaluation Response

LibertyProcessMsgCB: 
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body>
   <NXPES Id="" Status="success">
      <EvaluateResponse>
         <DoAction ActionName="Deny" ActionTTL="-1" Enum="2620">
            <Parameter Enum="10" Name="Message" Value=""/>
         </DoAction>
      </EvaluateResponse>
   </NXPES>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
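
When reviewing catalina.out or stdout.log, it helps to reduce each SOAP envelope to the PEP name, referenced policies, status, and resulting action. The following is an added example, not part of the product or its documentation: the function name summarize and the output field names are assumptions, and the sample log text is constructed and abridged from the messages shown in this section.

```python
import re
import xml.etree.ElementTree as ET

ENVELOPE = re.compile(r"<SOAP-ENV:Envelope\b.*?</SOAP-ENV:Envelope>", re.S)

def summarize(log_text):
    """Return one dict per NXPES message found in the log text, in order."""
    events = []
    for match in ENVELOPE.finditer(log_text):
        if "<!DOCTYPE" in match.group(0):
            continue  # log text is untrusted input: skip anything carrying a DTD
        try:
            nxpes = ET.fromstring(match.group(0)).find(".//NXPES")
        except ET.ParseError:
            continue  # truncated or interleaved log output
        if nxpes is None:
            continue
        event = {"kind": "status-only", "status": nxpes.get("Status")}
        for child in nxpes:
            event["kind"] = child.tag  # Configure-ag, Evaluate, ...Response
            if child.get("PEPName"):
                event["pep"] = child.get("PEPName")
            if child.get("PolicyId"):
                event["policy_id"] = child.get("PolicyId")
            refs = [r.get("ExternalElementRef") for r in child.iter("PolicyRef")]
            acts = [a.get("ActionName") for a in child.iter("DoAction")]
            if refs:
                event["policies"] = refs
            if acts:
                event["actions"] = acts
        events.append(event)
    return events

# Constructed sample, abridged from the messages shown in this section.
SAMPLE = '''toBufSeg: <?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body><NXPES ID="17"><Configure-ag PEPName="AGAuthorization">
<PolicyEnforcementList RuleCombiningAlgorithm="DenyOverridesWithPriority">
<PolicyRef ExternalElementRef="PolicyID_xpemlPEP_AGAuthorization_deny-all"/>
</PolicyEnforcementList></Configure-ag></NXPES></SOAP-ENV:Body></SOAP-ENV:Envelope>
LibertyProcessMsgCB:
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body><NXPES Id="" Status="success"><EvaluateResponse>
<DoAction ActionName="Deny" ActionTTL="-1" Enum="2620"/>
</EvaluateResponse></NXPES></SOAP-ENV:Body></SOAP-ENV:Envelope>
LibertyProcessMsgCB:
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body><NXPES Id="" Status="emptypolicyset"/></SOAP-ENV:Body></SOAP-ENV:Envelope>
'''
```

Because responses carry an empty Id attribute, the returned list preserves log order so that each response can be read against the request that precedes it.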