policy-trigger
Use the policy-trigger stanza entry to define the external authorization service.
Syntax
policy-trigger = plug-in_location [-weight N [& plug-in_parameters]]
Description
Defines the external authorization service.
Options
policy-trigger
Any string that is recognized as a valid key name. Stanza key names cannot contain white space or the open bracket ([) and close bracket (]) characters. The bracket characters are used to define new stanza names. The policy-trigger is case-sensitive for action set definitions because the actions themselves are case-sensitive. However, the policy-trigger is not case-sensitive if the trigger is a protected object policy (POP) attribute.
plug-in_location
The path name to the shared library or DLL module that contains the implementation of the plug-in for the specified policy trigger. The path name can be in a truncated form if the external authorization service is to be loaded by clients on multiple platforms. In this case, the service dispatcher searches for the plug-in using platform-specific prefixes and suffixes to match DLL names.
The name of the OAuth EAS plug-in is amwoautheas. For example:
libamwoautheas.so
N
The weight parameter is an unsigned size_t value and is optional. The value signifies the weight that any decision returned by this external authorization service is given in the entire decision process.
plug-in_parameters
Optionally, the external authorization service can be passed more initialization information in the form of arguments. The arguments must be preceded by the ampersand (&). The authorization service takes the remainder of the string that follows the ampersand, breaks up the string into white space separated tokens, and passes the tokens directly to the administration service's initialization interface, azn_svc_initialize(), in the argv array parameter. The number of strings in the argv array is indicated by the argc function parameter.
A single parameter is required by the OAuth EAS. This parameter corresponds to the name of the OAuth EAS configuration file, that is, the file that contains the [oauth-eas] stanza and the corresponding [tfim-cluster:<cluster>] stanza.
Usage
This stanza entry is required when you are configuring OAuth EAS authentication.
Default value
None.
Example
The following example is an operation-based trigger with a user-defined action group of Printer and the actions rxT in that group. To specify the primary action group, specify only :rxT. The primary action group can be represented with an empty action group name or the string primary can be used explicitly. All lowercase letters are required if primary is used explicitly. Any policy-trigger that does not contain a colon (:) character is considered to be a POP attribute name.
Printer:rxT = eas_plugin -weight 60 & -server barney
The following example is for a POP attribute trigger called webseal_pop_trigger. When a POP that contains a reference to this string is encountered, the appropriate external authorization service is called to take part in the access decision.
webseal_pop_trigger = eas_plugin_2 -weight 70 & -hostname fred
The following is an example configuration for the OAuth EAS, where the file oauth_eas.conf contains the [oauth-eas] stanza and the corresponding [tfim-cluster:<cluster>] stanza. This example is entered as one line in the WebSEAL configuration file:
webseal_pop_trigger = libamwoautheas.so & oauth_eas.conf
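The syntax rules above, as an added example that is not part of the original documentation or the product's own code: a Python parser that splits an entry into trigger type, plug-in location, weight and argv tokens, which is useful when reviewing which plug-ins a configuration loads and with what arguments. The names PolicyTrigger and parse_policy_trigger are hypothetical, and lowercasing POP attribute names is this example's way of modelling the case-insensitive comparison.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example: PolicyTrigger and parse_policy_trigger are hypothetical names.
@dataclass
class PolicyTrigger:
    kind: str                    # "operation" or "pop-attribute"
    key: str                     # POP attribute names are lowercased for comparison
    action_group: Optional[str]  # "primary" when the group name is empty
    actions: Optional[str]       # case-sensitive action letters, e.g. "rxT"
    plugin: str                  # plug-in_location as written
    weight: Optional[int]        # None when -weight is omitted
    argv: List[str]              # tokens passed to azn_svc_initialize()

def parse_policy_trigger(line: str) -> PolicyTrigger:
    key, sep, value = line.partition("=")
    key = key.strip()
    # Key names cannot contain white space or the bracket characters.
    if not sep or not key or re.search(r"[\s\[\]]", key):
        raise ValueError(f"invalid stanza key: {key!r}")
    head, _, params = value.partition("&")
    tokens = head.split()
    if not tokens:
        raise ValueError("missing plug-in location")
    plugin, rest, weight = tokens[0], tokens[1:], None
    if rest:
        if len(rest) != 2 or rest[0] != "-weight" or not rest[1].isdecimal():
            raise ValueError(f"unexpected text before '&': {rest!r}")
        weight = int(rest[1])
    argv = params.split()        # white space separated tokens after '&'
    if ":" in key:               # a colon marks an operation-based trigger
        group, _, actions = key.partition(":")
        return PolicyTrigger("operation", key, group or "primary", actions,
                             plugin, weight, argv)
    return PolicyTrigger("pop-attribute", key.lower(), None, None,
                         plugin, weight, argv)

# The three example entries from this page.
SAMPLES = [
    "Printer:rxT = eas_plugin -weight 60 & -server barney",
    "webseal_pop_trigger = eas_plugin_2 -weight 70 & -hostname fred",
    "webseal_pop_trigger = libamwoautheas.so & oauth_eas.conf",
]

if __name__ == "__main__":
    for entry in SAMPLES:
        print(parse_policy_trigger(entry))
```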