Making authorization decisions outside of Java 2
The Verify Identity Access authorization API Java classes also support making a Verify Identity Access authorization check from ordinary Java code, entirely outside of the Java 2 security and JAAS frameworks.
The PDPrincipal class includes the implies() method for performing authorization checks. To construct a PDPrincipal, a PDAuthorizationContext specifying the appropriate domain is required. Specifying the user name and password on the constructor results in authentication to Verify Identity Access during construction of the object.
Specifying the user name and no password on the constructor results in a security check on the current environment for the following permission:

permission javax.security.auth.AuthPermission "createPDPrincipal"

If authorized, the constructor retrieves the authentication information from Verify Identity Access for that entity. The names that are supported on these constructors can be either Verify Identity Access short names or distinguished names.
Before calling the implies() method, construct a PDAuthorizationContext and then construct a PDPrincipal object for the specified entity. Next, construct a PDPermission with the name of the requested resource (the protected object) and the requested action to be performed on that object. Then invoke the PDPrincipal.implies(PDPermission) method to determine whether the requested access to the specified object is allowed for the specified entity.
The sample in Figure 1 shows an example of how to perform these tasks.
import java.net.URL;
import com.tivoli.pd.jazn.PDAuthorizationContext;
import com.tivoli.pd.jazn.PDPermission;
import com.tivoli.pd.jazn.PDPrincipal;

// configURL: URL of the Verify Identity Access Java runtime configuration file (assumed to be in scope)
PDAuthorizationContext ctxt = new PDAuthorizationContext(configURL);
// Supplying a password authenticates "tom" to Verify Identity Access while the principal is constructed
PDPrincipal whoIsIt = new PDPrincipal(ctxt, "tom", "letmein".toCharArray());
// Protected object "everything" and the requested actions "abT"
PDPermission whatTheyWant = new PDPermission(ctxt, "everything", "abT");
// Ask Verify Identity Access whether tom may perform those actions on that object
boolean haveAccess = whoIsIt.implies(whatTheyWant);
if (haveAccess) {
    // let them proceed...
} else {
    // deny the requested access
}
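As an added example that is not part of Figure 1, the helper below uses the password-less PDPrincipal constructor described above, so the calling code must hold the createPDPrincipal AuthPermission; the policy fragment in the leading comment shows one way to grant it, and every failure of the check (a missing grant, or an error reaching the authorization server) is turned into a deny rather than an exception the caller might mistake for "allowed". The class name AuthzCheck, the method isPermitted, the codeBase path and the assumption that a failed security check surfaces as a SecurityException are mine, not taken from this page.

```java
// Java security policy fragment (codeBase path is an assumed placeholder) that
// lets the password-less PDPrincipal constructor pass its security check:
//
//   grant codeBase "file:/opt/app/lib/authz.jar" {
//       permission javax.security.auth.AuthPermission "createPDPrincipal";
//   };

import java.net.URL;
import com.tivoli.pd.jazn.PDAuthorizationContext;
import com.tivoli.pd.jazn.PDPermission;
import com.tivoli.pd.jazn.PDPrincipal;

public final class AuthzCheck {
    private final PDAuthorizationContext ctxt;

    // configURL: location of the Verify Identity Access Java runtime configuration file
    public AuthzCheck(URL configURL) throws Exception {
        this.ctxt = new PDAuthorizationContext(configURL);
    }

    // Returns true only when Verify Identity Access permits 'actions' on 'object'
    // for the named user (short name or distinguished name). No password is passed,
    // so the constructor runs the AuthPermission("createPDPrincipal") check against
    // the calling code instead of authenticating the user.
    public boolean isPermitted(String user, String object, String actions) {
        try {
            PDPrincipal who = new PDPrincipal(ctxt, user);
            PDPermission want = new PDPermission(ctxt, object, actions);
            return who.implies(want);
        } catch (SecurityException e) {
            // Calling code was not granted createPDPrincipal: fail closed
            return false;
        } catch (Exception e) {
            // Any other failure (for example, the authorization server is
            // unreachable) is also treated as a deny, never as an allow
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        AuthzCheck check = new AuthzCheck(new URL(args[0]));
        // "tom", "everything" and "abT" are the values used in Figure 1
        System.out.println(check.isPermitted("tom", "everything", "abT") ? "allow" : "deny");
    }
}
```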