Setting an authorization decision
This scenario illustrates how to create a custom authorization decision for an HTTP request.
Script
-- This script is used to make a custom authorization
-- decision on the request. If the request is coming
-- from the 9.0.0.255 subnet we allow the request to proceed
-- without further authorization checking. If the request is
-- coming from the 9.0.1.255 subnet we deny the request. Otherwise
-- we rely on the standard ISVA authorization policy to
-- control whether access is allowed.
local client_ip = Client.getIPAddress()
-- Anchor the pattern and escape the dots ('.' alone matches any
-- character) so that only a dotted-quad IPv4 address is accepted.
local ip1, ip2, ip3, ip4 = client_ip:match('^(%d+)%.(%d+)%.(%d+)%.(%d+)$')
if (ip1 == "9" and ip2 == "0" and ip3 == "0")
then
    Authorization.setDecision("allow")
elseif (ip1 == "9" and ip2 == "0" and ip3 == "1")
then
    Authorization.setDecision("deny")
else
    Authorization.setDecision("continue")
end
Note: A rule that performs a custom authorization decision must be triggered during the preazn stage. The following entry illustrates how to configure a rule to be invoked during the preazn stage:
[https-transformations:my-resource]
request-match = preazn:GET *
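The decision logic in the script above can be exercised outside the appliance before the rule is deployed. The following is an added example, not part of the original page or IBM's code: it applies the same three-way policy with strict IPv4 parsing over constructed sample addresses. The Client and Authorization tables are local stand-ins for the objects the ISVA runtime provides, and parse_ipv4 and decide are hypothetical helper names.

```lua
-- Added example, not IBM's code. Client and Authorization are local
-- stand-ins for the objects the ISVA runtime provides to a rule.

-- Return the four octets of a canonical dotted-quad string, or nil.
local function parse_ipv4(s)
  if type(s) ~= "string" then return nil end
  local parts = { s:match("^(%d+)%.(%d+)%.(%d+)%.(%d+)$") }
  if #parts ~= 4 then return nil end
  for i, p in ipairs(parts) do
    local n = tonumber(p)
    -- Reject out-of-range octets and non-canonical forms such as "09".
    if n > 255 or tostring(n) ~= p then return nil end
    parts[i] = n
  end
  return parts
end

-- Same policy as the script: 9.0.0.x allow, 9.0.1.x deny, else continue.
local function decide(ip)
  local o = parse_ipv4(ip)
  if o and o[1] == 9 and o[2] == 0 then
    if o[3] == 0 then return "allow" end
    if o[3] == 1 then return "deny" end
  end
  return "continue" -- anything else is left to the standard policy
end

-- Constructed sample inputs and the decision each must produce.
local cases = {
  { "9.0.0.17",  "allow" },
  { "9.0.1.200", "deny" },
  { "10.1.2.3",  "continue" },
  { "19.0.0.5",  "continue" },
  { "9.0.0.999", "continue" }, -- octet out of range
  { "09.0.0.1",  "continue" }, -- non-canonical leading zero
  { "9:0:0:1",   "continue" }, -- an unescaped '.' would accept ':' here
  { "",          "continue" },
}

for _, case in ipairs(cases) do
  local decision
  local Client = { getIPAddress = function() return case[1] end }
  local Authorization = { setDecision = function(d) decision = d end }
  Authorization.setDecision(decide(Client.getIPAddress()))
  assert(decision == case[2], case[1] .. " -> " .. tostring(decision))
  print(string.format("%-12s %s", case[1], decision))
end
```

Run it with a stock Lua interpreter; any case that yields an unexpected decision stops the run at the failing assertion.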