azn-decision-info
Use the azn-decision-info stanza entry to add extra information from the HTTP request, such as the method, to the authorization decision information.
<attr-name> = <http-info>
To use azn-decision-info, we must first add the following to the WebSEAL configuration file, under the local-apps stanza.
[local-apps]
azn-decision = aznapi
We define any extra information that is available to the authorization framework when it makes authorization decisions. This extra information can be obtained from the following elements of the HTTP request:
- HTTP method
- HTTP scheme
- HTTP cookies
- Request URI
- Client IP address
- HTTP headers
- Query string
- POST data
If the requested element is not in the HTTP request, no corresponding attribute is added to the authorization decision information.
For more information, see: WebSEAL AZN Decision viewer
azn-decision-info options
<attr-name>
The name of the attribute containing the HTTP information.
<http-info>
The source of the information. It can be one of the following values:
method
Name of HTTP method.
scheme
Name of HTTP scheme.
uri
Request URI.
client_ip
Client IP address.
header:<header-name>
Name of the header containing information for WebSEAL to add to the authorization decision information. For example, Host.
cookie:<cookie-name>
Name of the cookie containing information for WebSEAL to add to the authorization decision information.
query-arg:<query-arg-name>
Query string parameter containing information for WebSEAL to add to the authorization decision information. This entry indicates to WebSEAL that the query string parameters that are part of the requested resource URL are used for the access decision. If the specified value is found, it is sent to the EAS for the decision-making process.
post-data:<post-data-name>
WebSEAL supports two types of POST data:
- Normal FORM data, which is the application/x-www-form-urlencoded content-type. To add normal FORM data to the HTTP request, use the following format for this entry:
post-data:<post-data-name>
post-data-name is the name of the selected form data field in the request. WebSEAL adds the corresponding value for this field to the authorization decision information.
- JavaScript Object Notation (JSON) data, which is the application/json content-type. For information about the JSON syntax, see http://www.json.org. To search for a key in the JSON data and add its value to the HTTP request, use the following format:
post-data:/"<JSON-node-id>"[[/"<JSON-node-id>"][<JSON-array-indx>]]...
Where:
<JSON-node-id> The name of a node in the JSON data. JSON data is essentially a hierarchy of name-value pairs. The forward slash character (/) that precedes each "<JSON-node-id>" identifies a level of the JSON hierarchy. We can repeatedly add [/<JSON-node-id>] elements to move through the JSON data hierarchy. Identify the node containing the value that we want WebSEAL to add to the authorization decision information. Each <JSON-node-id> must be:
- Enclosed in double quotation marks.
- Preceded by a forward slash character (/).
- A case-sensitive match with a node in the JSON data hierarchy.
If WebSEAL does not find a matching node name in the POST data, no corresponding attribute is added to the authorization decision information.
<JSON-array-indx> The contents of a node in the JSON data might be a JSON array. If we configure WebSEAL to search for a JSON node that contains an array, specify the array index of the value that we want WebSEAL to use. Use a base of 0. In other words, the first entry in the array has an index of 0. The <JSON-array-indx> is not enclosed in double quotation marks.
JSON usage notes
- The square brackets ([]) in this syntax indicate an optional element. Do not include square brackets in the configuration entry. Similarly, the ellipsis (...) indicates that we can repeat the optional elements that precede it. Do not include the ellipsis in the configuration entry.
- WebSEAL returns only node values of the following JSON types:
- String
- Number
- true or false
- null
If the value of the selected node is not one of the types in this list, WebSEAL does not return it as authorization decision information.
Object and Array types cannot be added to the authorization decision information.
Example 1: Standard HTTP elements
HTTP_REQUEST_METHOD = method
HTTP_HOST_HEADER = header:Host
If these example configuration entries are set in the [azn-decision-info] stanza, WebSEAL adds the following attributes to the authorization decision information:
HTTP_REQUEST_METHOD
HTTP method.
HTTP_HOST_HEADER
Data from the Host header.
Example 2: JSON POST data
For this example, consider the following JSON form data:
{
  "userid": "jdoe",
  "transactionValue": "146.67",
  "accountBalances": {
    "chequing": "4345.45",
    "savings": "12432.23",
    "creditLine": "19999.12"
  }
}
The following configuration entries in the [azn-decision-info] stanza extract information from this JSON form data.
USERID = post-data:/"userid"
SAVINGS = post-data:/"accountBalances"/"savings"
The first entry prompts WebSEAL to search for the JSON node called "userid". In this example, the value associated with the "userid" node is jdoe. WebSEAL adds this value to the HTTP request in an attribute called USERID.
When WebSEAL processes the second entry, it searches for a top-level JSON node called "accountBalances". Under the "accountBalances" hierarchy, WebSEAL locates the "savings" JSON node. In the example data, the value associated with this node is 12432.23. WebSEAL adds this value to the HTTP request in an attribute called SAVINGS. WebSEAL adds the following attributes to the authorization decision information:
USERID
Contains the value jdoe.
SAVINGS
Contains the value 12432.23.
Example 3: JSON POST data with a JSON array value
For this example, consider the following JSON form data:
{
  "userid": "jdoe",
  "transactionValue": "146.67",
  "accounts": [
    {"name": "chequing", "balance": "4350.45"},
    {"name": "savings", "balance": "4350.46"}
  ]
}
The following configuration entry is included in the [azn-decision-info] stanza:
SAVINGSBAL = post-data:/"accounts"/1/"balance"
WebSEAL processes this entry as follows:
- Searches for a top-level node in the JSON data called "accounts".
- Locates the element in position 1 of the JSON array (base 0).
- Searches for the "balance" name-value pair in this array element.
- Adds the associated value to the authorization decision information.
In this example, WebSEAL adds the following attribute to the authorization decision information:
SAVINGSBAL Contains the value 4350.46.
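The following Python block is an added illustration of the post-data path rules described above (case-sensitive node names, base-0 array indexes, only String, Number, true/false and null returned), run over the JSON bodies from Examples 2 and 3. It is not WebSEAL code; the text form used for non-string values is an assumption, as the page only says which types are returned.

```python
import json
import re
from typing import Optional

# Sample request bodies copied from Examples 2 and 3 on this page.
EXAMPLE2_BODY = ('{"userid": "jdoe", "transactionValue": "146.67", '
                 '"accountBalances": {"chequing": "4345.45", '
                 '"savings": "12432.23", "creditLine": "19999.12"}}')
EXAMPLE3_BODY = ('{"userid": "jdoe", "transactionValue": "146.67", '
                 '"accounts": [{"name": "chequing", "balance": "4350.45"}, '
                 '{"name": "savings", "balance": "4350.46"}]}')

# One path step: /"<JSON-node-id>" or a base-0 <JSON-array-indx>
# (the slash before an index is optional; Example 3 writes it as /1).
_STEP = re.compile(r'/"([^"]*)"|/?(\d+)')

def parse_post_data_path(spec: str) -> list:
    """Turn post-data:/"a"/"b"/0 into ['a', 'b', 0]; raise on malformed input."""
    prefix = "post-data:"
    if not spec.startswith(prefix + "/"):
        raise ValueError("post-data path must start with post-data:/")
    path, pos, steps = spec[len(prefix):], 0, []
    for m in _STEP.finditer(path):
        if m.start() != pos:
            raise ValueError(f"malformed path near offset {pos}")
        steps.append(m.group(1) if m.group(1) is not None else int(m.group(2)))
        pos = m.end()
    if pos != len(path):
        raise ValueError("trailing characters in path")
    return steps

def resolve_post_data(body: str, spec: str) -> Optional[str]:
    """Value the attribute would carry, or None when no attribute is added."""
    try:
        node = json.loads(body)
    except ValueError:
        return None  # body is not JSON: nothing can match
    for step in parse_post_data_path(spec):
        if isinstance(step, str):  # node name, case-sensitive match
            if not isinstance(node, dict) or step not in node:
                return None
            node = node[step]
        else:                       # array index, base 0
            if not isinstance(node, list) or step >= len(node):
                return None
            node = node[step]
    if isinstance(node, (dict, list)):
        return None  # Object and Array values are never returned
    # String is returned as-is; number, true/false and null as their JSON text
    # (assumed representation; the page only lists the returned types).
    return node if isinstance(node, str) else json.dumps(node)
```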
Example 4: Query string
For this example, consider the following entry in the [azn-decision-info] stanza:
urn:company:user:name = query-arg:username
If a user attempts to access the EAS protected resource:
http://www.example.com/t1.html?type=1&username=ann&dept=test
WebSEAL sends the following value to the EAS for use in the decision-making process:
urn:company:user:name=ann