Policy Evaluation using session attributes condition

Hi Guys,
I have custom policies defined in Access Manager for several resources to be protected. What i am trying to achieve is When policy evaluation happens to calculate the resources based on the ldaproles for a user entry, I need few session properties to be applied which are defined under "conditions" in the policy setup . I need to figure out how would set these users AM session properties from the client application. Any inputs would be of great help.
Thanking in advance.
Akeel M Sayyad.

Anyways, I figured it out. You can do it using SSOTokenManager.

Similar Messages

Jsf issue using session attributes

I have a JSF issue where I can't seem to get session attributes to be stored as initial values on my inputText field below. I've tried 2 things: (1) reading session attributes in my locrateForm bean, and then use getter method to get them to the jsp form ( I read the session attributes in the getter - I know it's a no-no, but I'm desparate)...
(2) reading session attributes in my jsp and storing them to the inputText fields.
Both times, I can successfully read the session attributes, but I can't get it stored in the inputText below....Pls provide this new jsf user some direction...thanks in advance...
Also....I thought the below EL would auto-invoke the getter method in the "locrateForm" Bean to get the initial value, but it's not...my books don't explain this well...
<h:inputText id="locrateDest" value="#{locrateForm.locrate.locrateDest}" >
</h:inputText>

Can you show us the snippit of your faces-config.xml for locrateForm and the snippit of the Java implementation that involves locrate and locrateDest?

SUN Access Manager session attributes

I'm trying to find out which session attributes that are available for a Policy Agent out of the box from Access Manager 7.1
The AMAgent.properties file has a property:
com.sun.am.policy.agents.config.session.attribute.map=
But the question is which attributes you can fetch through this settup.
I'm only found the property: successURL.
I would like to get the authentication level and end user IP adress.

One clarification. AM 6.1 did have session failvoer feature. But it was container dependent. It used container features to provide this. Each container had its on configuration. It was made independent of the containers in AM 6.3 release. I would stonglry recommend using AM 6.3 or above if you are using session failover.
shivaram

Use request attributes in JSF

Is there a way we can pass data from one form bean to the other using request attributes insted of session attributes?
I am able to work with session attributes using
HttpSession mySession = (HttpSession) FacesContext.getCurrentInstance().getExternalContext().getSession(true); and setting attributes to it, but getting null pointers(occassionally) when I retrieve the atribute and work with it.
getSession(false) isnt helping either.
Looks like facesServlet is creating a new request when it forwards to next page. Any idea on how to get the Faces Servlet do something like request despatcher forward, for navigation so I can work with request attributes?
Appreciate your input.

Can I have just one backing bean and use it for all jsps in the app? App has 4 flows from home page and mutiple jsps in each flow. Each jsp has multiple form fields. Is that OK?
Any way to passing data/objects between different backing beans - other than using session attributes? I had similar problems working on Struts app as well.

Looking for way to use certificate attributes in Authorization policy

does any one know how to use certificate attributes in authorization policy when I authenticate with PEAP ??
is it only working when I authenticate with EAP-TLS ??
is there any way to use these attributes with peap ??
Also, what are ways to distinguish corp asset as priavate asset without using certificate ??
Thank you.
P/S I'm using wired network !

Hi,
Peap authentication is a password based authentication protocol, eap-tls is when a client uses a certificate for authentication. So there is not a way to validate cert attributes since the client doesnt send one for PEAP.
You can use machine authentication to validate the corporate asset and rely on the microsoft login process to validate the user account. You can also consider NAM supplicant to perform eap chaining (sends both machine and user authentication and is only supported by ISE as your radius server at this point).
Thanks,
Tarik Admani
*Please rate helpful posts*

Javascript to JSP question...Can javascript function set session attributes

hello,
i have a web app that, on one of its pages, displays "tabbed pane" as an image map at the top (a la amazon.com). my problem is this: each "logical" page contains separate forms that all use the same javabean. in other words, imagine that the tabs represent an account maintenance web ui for an on-line record store. the first tab might be labeled "General," the second "Contact info," the third "Shipping Info." Each uses the same account bean and displays portions of its properties relevant to the tab at hand. what i want to do is allow a user to enter the account maintenance ui, update info on the first tab, click on tab two and have the request with the changes sent to a processing jsp. yet, since each "tab" is actually a separate URL to another page, how do i get the updated info on the first tabe without adding some sort of "SAVE" button on each tab. ive considered using javascript, but dont know how to get the request params out of the first tab whn i click on another tab. is it possible to include an "onClick" function in each URL that "grabs" the updated form fields off the preceeding tab? can a javacript function set session attributes in jsp?

hello there,
wow, you've created one big mammy-jammy tool.
first, javascript cannot access, set values to the session, without having to post to another JSP. javascript is great for manipulating objects, layers, form values, etc.
you have 2 issues [if i understand correctly]:
1) you need to able to save user info for a specific tab without having to reloading the page.
---you can create a form for EACH of your tabs and POST all the information to a hidden IFRAME or LAYER for NN4. that hidden IFRAME / LAYER will load a JSP page which with all the parameters you posted to it. or you can build a FRAMESET and target that document["frame-name"].src with that same JSP.
2) handling when the SAVE INFO action should happen: hence some javascript event handler: onMouseOver, onClick, etc
---i don't know the dynamics of your tabs, but if store which tab was clicked on last, then if the user clicks on some other tab, javascript can submit that FORM to a JSP [see condition above]
you have an interesting tool. can i see?
i hope i wasn't too confusing, but your problem is sooo interesting. =)
-WJP

Problem removing session attributes

I have a problem removing session attributes
I try w/ mysession.removeAttribute("key");
but it still lives in memory. I've tried setAttribute("key", null) as the API states that will do the same thing, but it doesn't work.
I can get mysession.invalidate() to work, but I want to keep some of the attributes there, while removing another.
I get no exceptions and no errors.
Help.
Running Tomcat 4
jre 1.3.1

Actually,
response.addHeader("Expires", "-1");should be enough.
The browser should then contact the Web server for updates to that page via a conditional If-Modified-Since request. You don't want a cache disabling 'overkill', since you'd still want the page to remain in the disk cache and used in appropriate situations without contacting the remote Web server, such as when the BACK and FORWARD buttons are pressed...
Anyway, try this first, and if it doesn't solve your problem, add the other cache-disabling headers, as outlined in the previous post.
If you're using JSP, verify also that your page has
<%@ page session="true"%>

IS - Policy evaluation performance

Hi all,
I am trying to find out why a policy evaluation takes over a second.
The request is generated using C API, IS and DS are running on different machines. Don't think there is a networking problem. IS version is 6.1
My questions are:
- Are there any tools available to measure the IS response time?
- Any parameters on the server to be tuned for performance optimization?
- Any steps I should take to make sure that there is no networking involved?
- Has anyone done any policy evaluation in Java? - how was the performance? what about the session token validation?
Thanks in advance for any suggestions.
Dan

If your DNS is not working this slows down access to protected resource by the timeout for DNS (per each page request!). The performance impacts are probably about the same for doing a reverse lookup on every request (not great for large numbers of requesters).

Another OAM 10g policy evaluation question

I have a policy with authz expression= Rule A & Rule B & Rule C:
Rule A:
Allow: ldap_attr_1 = X
Deny: no one is denied
Allow preceeds denial: true
Authz failure redirection URL: URL1
Rule B:
Allow: ldap_attr_2 = Y
Deny: no one is denied
Allow preceeds denial: true
Authz failure redirection URL: URL1
Rule C:
Allow: anyone is allowed
Deny: ldap_attr_3 = Z
Allow preceeds denial: false
Authz failure redirection URL: URL2
My user profile has ldap_attr_1=X, ldap_attr_2=Y, ldap_attr_3=Z, I expect access to be denied based on Rule C and user redirected to URL2. Instead I see authorization = Inconclusive and Rule=<not found>.
If user has ldap_attr_1=X, ldap_attr_2=Y and NOT ldap_attr_3=Z I am getting correct evaluation - user is authorized.
Any ideas how to make this working? Basically I want user to be redirected to the URL that is defined in the rule that caused denial.
Thanks,
Alex

Hi Colin,
Here's what I have:
Authz Rule: Rule1
Access allowed: Any one
Access denied: ldap rule (attr=value)
Allow takes precedence: false
Actions: redirect to URL1 on denied
You can use any attribute and any value, i am using my custom attribute. Then I protect a resource /myresource with policy Policy1 that only has this rule. Set up attr=value and access tester shows redirection to URL1. Now 2 more rules:
Authz Rule: Rule2
Access allowed: ldap rule (o=org)
Access denied: no one is denied
Allow takes precedence: true
Actions: no actions
Authz Rule: Rule3
Access allowed: ldap rule (title=title)
Access denied: no one is denied
Allow takes precedence: true
Actions: no actions
And Policy2 has authz expression Rule2 AND Rule3 AND Rule1. And Policy2 has action: redirect on authorization inconclusive to URL2. My user's profile has o=org, title=title, attr=value. Access tester shows redirection to URL2.
Thanks,
Alex

Develop and run Policy Evaluation Programs

Hi,
I am trying to use the Policy sample on windows xp but when I try to instantiate the PolicyEvaluator Object I get the following error.
PolicyEvaluator pe=new PolicyEvaluator(name);
Getting Policy Evaluator ...
Exception : Can not create policy cache
Invalid admin user/password from DSConfigMgr.
Invalid admin user/password from DSConfigMgr.
com.sun.identity.policy.PolicyException(1):Can not create policy cache
Invalid admin user/password from DSConfigMgr.
com.iplanet.sso.SSOException(2):Invalid admin user/password from DSConfigMgr.
com.iplanet.sso.SSOException: Invalid admin user/password from DSConfigMgr.
     at com.sun.identity.policy.ServiceTypeManager.getSSOToken(ServiceTypeManager.java:188)
     at com.sun.identity.policy.PolicyCache.getInstance(PolicyCache.java:71)
     at com.sun.identity.policy.PolicyEvaluator.<init>(PolicyEvaluator.java:215)
     at com.sun.identity.policy.PolicyEvaluator.<init>(PolicyEvaluator.java:178)
     at de.dailab.de.policy.PolicyEvaluationKS.main(PolicyEvaluationKS.java:53)
I the amSDK debug log the error message is:
12/17/2004 06:49:13:436 PM CET: Thread[main,5,main]
ERROR: SMSEntry: Unable to initalize(exception):
Got LDAPServiceException code=19
     at com.iplanet.services.ldap.DSConfigMgr.loadServerConfiguration(DSConfigMgr.java:419)
     at com.iplanet.services.ldap.DSConfigMgr.getDSConfigMgr(DSConfigMgr.java:147)
     at com.sun.identity.sm.SMSEntry.<clinit>(SMSEntry.java:95)
     at com.sun.identity.sm.ServiceManager.<clinit>(ServiceManager.java:72)
     at com.sun.identity.sm.ServiceConfigManager.<init>(ServiceConfigManager.java:81)
     at com.sun.identity.policy.PolicyManager.<init>(PolicyManager.java:202)
     at de.dailab.de.policy.PolicyCreator.<init>(PolicyCreator.java:81)
     at de.dailab.de.policy.PolicyCreator.main(PolicyCreator.java:96)

I think that I am encountering the same error. It fails to initialize the PolicyEvaluator with the same error condition. Did you ever find a solution to this?

How to set session attributes in a bean?

How do I set a session attribute in a server-side bean?
I'm not sure if I asked the question the right way. What I meant is, while it's easy to set session attributes in a JSP page (session.setAttribute("sessionname", "sessionvalue")), I'd want to set such an attribute within a server-side bean defined in this web application. But what is the syntax for doing it?

Here a simple bean that stores something in the session and retrieves something from it.
import javax.servlet.http.HttpSession;
public class TestBean {
private String value;
public void doSomething(HttpSession session, int a, int b) {
    if (a+b > 0) {
      session.setAttribute("ab",Boolean.TRUE);
    } else {
      session.setAttribute("ab",Boolean.FALSE);
public void init(HttpSession session) {
    if (session != null) {
      Boolean b = (Boolean)session.getAttribute("ab");
      if (b == Boolean.TRUE) {
        value = "a + b is greater than zero";
      } else {
        value = "a + b is not greater than zero";
    } else {
      value = "no session";
public String getValue() {
    return value;
}In your JSP, use something along the lines of :
<%
TestBean bean = new TestBean();
bean.init(session);
bean.doSomething(session,1,2);
%>If your bean only lives during one request, you can pass the session to the constructor, which stores it in a private variable. This saves passing the session each time.
Hope this helps,
--Arnout

How to use session in webservice?

In C#, can use session variable in a webservice object.
How to use session in Java webservice?
Who can give me a example?
Thanks a lot

Did I use session in a wrong way?No, you are using the session correctly. The code looks fine.
Check
- your spelling of the attribute names - obviously they must match
- the ids of the sessions you get both times: session.getId(). If they have different ids, then most probably the session is being lost somewhere.
There are a number of reasons to lose a session. If you close the browser, invalidate the session in code, or lose the cookie recording the id. This happens when you change from https to http, so a session can be lost that way.
The session is normally maintained by session cookies. If you close your browser you lose the cookie. If you have disabled cookies on your machine then it also might not work.
In cases such as that you should be using the method response.encodeURL() to maintain the session for you in any hyperlinks you produce. Struts normally handles that for you though if necessary.
Hope this helps,
evnafets

How to use session in Struts

Hello, there:
It's a simple question.
I have a web app which has a login page, in its action class I create an object, user, and save it into session by using request.getSession(true).setAttribute("user", user).
In another action class, I want to use the info of user then I use request.getSession(true).getAttribute("user"); however, the returned object is NULL. Did I use session in a wrong way?
Thanks,
Sway

Did I use session in a wrong way?No, you are using the session correctly. The code looks fine.
Check
- your spelling of the attribute names - obviously they must match
- the ids of the sessions you get both times: session.getId(). If they have different ids, then most probably the session is being lost somewhere.
There are a number of reasons to lose a session. If you close the browser, invalidate the session in code, or lose the cookie recording the id. This happens when you change from https to http, so a session can be lost that way.
The session is normally maintained by session cookies. If you close your browser you lose the cookie. If you have disabled cookies on your machine then it also might not work.
In cases such as that you should be using the method response.encodeURL() to maintain the session for you in any hyperlinks you produce. Struts normally handles that for you though if necessary.
Hope this helps,
evnafets

How to use session object in jsp

hi all
marry christmas
can anyone plz tell me how to use session obect in jsp
rachna
Message was edited by:
rachna_arora82

hi rachna,
JSP has a default(implicit) session object...... use the getSession(true) method on the session object and then going u can either get or set attributes depending on the requirement
That was in general and now with the issue u have got..... what u can do is that the u can create session for every user who logs in and when he/she tries to login again then u can probably check for the existing session object in the JSP and perform the logic as required..... any clarifications plzzzzzzz let me know
Thanks n Regards
Naveen M
Message was edited by:
Novice_inJAVA
Message was edited by:
Novice_inJAVA

How to save the login ID as a session attribute ?

I am using form-based authentication in a web application which is being deployed on a JBoss 3.2.3 server. I am authenticating against an Oracle database by way of a DatabaseServerLoginModule (JAAS).
I would like to save the user's login ID as a session attribute in order to be able to use it later in the application.
It's not obvious how you can capture this information and add it to the session, since it seems that the login ID is lost once the authentication is done by j_security_check process.
Is there some way to tell the servlet container to save the login ID as a session attribute as part of the j_security_check process (something along the lines of "if the authentication succeeds add the login ID as an attribute to the session") ?
Is there another approach ? What is the accepted "best practice" for doing session initialization after authentication ? For example if a user needs to have several attributes set in their session after login -- how is this handled ? I have done this before with a login servlet which did both the authentication and the session initialization, but when using form-based authentication and j_security_check it's not clear to me how you go from the authentication to the initialization logic.
Thanks in advance for any suggestions or insight.

You should already have it... hidden in request.getUserPrincipal().getName()

Policy Evaluation using session attributes condition

Similar Messages

Maybe you are looking for