OpenAM policy evaluation and REST


OpenAM policy evaluation and REST

Alberto Treviño

I'm experimenting with authorization policies and REST semantics and I've run into a use case that I'm not quite sure how to model in OpenAM. I am using OpenAM's Authorization Policies and the policy evaluation endpoint to evaluate the policy. Here is my use case.

Let's suppose I have a blogging application where anyone is able to read posts but only blog authors are able to create, edit or delete posts. My REST endpoint would look something like this:

/api/post[/{postId}]

I create a policy in OpenAM that looks roughly like this:

Resources: [.../api/post*]
Actions: [GET]
Subject: [NOT (NEVER)]
Environments: (none)

Sure enough, I evaluate this policy with and without a subject and it always says you can perform a GET.

I then create an additional policy that looks roughly like this:

Resources: [.../api/post*]
Actions: [POST, PUT, DELETE]
Subject: [Authenticated Users]
Environments: (AuthLevel >= 1)

When I request to evaluate the policy with an authenticated user I get back that the user can perform GET, POST, PUT and DELETE actions on that resource. But, when I don't send in a subject or the subject is anonymous (AuthLevel 0), it returns advice to authenticate (AuthLevel 1).

Is it possible to set up policies so that anyone can perform a GET on a resource but only authorized users can perform additional actions on that same resource?

--
Alberto Treviño
Developer, Web Access Mgmt Team
Information and Communication Systems

_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam
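A resource server that consumes the evaluate response has to apply the decision per requested HTTP method rather than treating any returned advice as "redirect to login"; otherwise the anonymous GET in the scenario above is refused even though the decision says GET is allowed. The following is an added Python example, not code from this thread or from OpenAM: it runs against a constructed response shaped like the output of OpenAM's `/json/policies?_action=evaluate` endpoint, and the blog URLs and the `decide` helper are assumptions for illustration.

```python
import json

# Constructed sample shaped like an OpenAM policy evaluation response for an
# anonymous caller (no subject, AuthLevel 0). Policy 1 grants GET to everyone;
# policy 2 needs AuthLevel >= 1 for the write actions, so instead of a decision
# for POST/PUT/DELETE the response carries AuthLevelConditionAdvice.
SAMPLE_EVALUATION = json.dumps([
    {
        "resource": "https://blog.example.com/api/post/42",
        "actions": {"GET": True},
        "attributes": {},
        "advices": {"AuthLevelConditionAdvice": ["1"]},
    },
    {
        # Second constructed decision: an explicit deny for DELETE.
        "resource": "https://blog.example.com/api/post/7",
        "actions": {"GET": True, "DELETE": False},
        "attributes": {},
        "advices": {},
    },
])


def decide(evaluation_json: str, resource: str, method: str) -> str:
    """Map one policy decision onto the HTTP method actually requested.

    Returns "allow", "deny" or "step-up:<condition>=<value>". Advice is only
    acted on when the requested action has no explicit decision, so an
    anonymous GET stays allowed even though the same decision carries
    authentication advice that only matters for POST, PUT and DELETE.
    """
    for decision in json.loads(evaluation_json):
        if decision.get("resource") != resource:
            continue
        actions = decision.get("actions", {})
        # An explicit true/false for this action is authoritative.
        if method in actions:
            return "allow" if actions[method] else "deny"
        # No decision for this action: non-empty advice names the condition
        # the caller must satisfy (e.g. AuthLevel 1) before re-evaluation.
        advices = decision.get("advices", {})
        if advices:
            condition, values = next(iter(advices.items()))
            return f"step-up:{condition}={values[0]}"
        return "deny"
    # Resource not covered by any evaluated policy: fail closed.
    return "deny"
```

A PEP built this way answers the anonymous GET with the post and answers an anonymous POST with a 401 plus the step-up requirement, which is the split the original question asks for.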

Re: OpenAM policy evaluation and REST

Alberto Treviño

I shall follow up on my own question.

After some playing with policies, I noticed that I get the expected behavior if the policy contains an LDAP condition:

Resources: [.../api/post*]
Actions: [POST, PUT, DELETE]
Subject: [Authenticated Users]
Environments: (AuthLevel >= 1 AND LDAPFilter (cn=adminuser))

However, this doesn't work all the time. If I use an Authentication to Module Chain condition it does not work. My advice returns that the user should authenticate via that chain.

--
Alberto Treviño
Developer, Web Access Mgmt Team
Information and Communication Systems

On Friday, January 6, 2017 2:06:49 PM MST Alberto Treviño wrote:

Re: OpenAM policy evaluation and REST

Bernhard Thalmayr
If policy conditions are not working it's an issue on OpenAM server
side, not Agent side.

The agent will just send a policy decision request and OpenAM will
respond with an Advice or not.

As you are using Agent in CDSSO mode, the CDCServlet needs to handle
the advice.

IIRC there was some issue with that in some version of OpenAM.

-Bernhard

On 10/01/17 at 17:14, Alberto Treviño wrote:


--
Painstaking Minds
IT-Consulting Bernhard Thalmayr
Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
Tel: +49 (0)8062 7769174
Mobile: +49 (0)176 55060699

[hidden email] - Solution Architect
http://www.xing.com/profile/Bernhard_Thalmayr
http://de.linkedin.com/in/bernhardthalmayr
